Tag Archives: Cybersecurity

Cyber Security in the Workplace

As National Cyber Security Awareness Month (NCSAM) moves into week two, Johnson Controls, through the Cyber Protection Program for security products, turns from last week’s post on staying safe online to this week’s theme, focusing on cybersecurity in the workplace.

Wherever you are in the hierarchy, and no matter the size of your organization, you have an important role to play in keeping your business cyber-safe.

How can you protect yourself and your workplace, and strengthen your cyber resilience? It’s a matter of simple vigilance, and good cyber hygiene. Start with these four principles:

  • Keep your software and operating systems up-to-date. System and software version updates are there for a reason. Beyond giving you access to additional functionality, keeping your operating system and software applications up-to-date is an effective way to fix known vulnerabilities so hackers can’t take advantage of them. If you can’t always keep the software up-to-date because of dependencies, consider putting in other controls to mitigate the vulnerabilities that were discovered and fixed in the updated versions.
  • Back up everything, and do a test restore. Yes, you’ve heard this a hundred times. But it is that important! There are so many ways data can be lost, including malware, viruses, theft, computer malfunctions and accidental deletion. That’s why you should always make electronic and physical copies of all your important work and system data, and make sure there is a copy stored in a safe place. For critical business data, backups should be stored at a separate location. If you store your backup data online, make sure it is not normally accessible from your current network, so that ransomware or other malware can’t get to it.
  • Disable any protocols for remote connectivity, unless constantly required for day-to-day operations. This includes protocols such as Telnet, SSH, FTP, SFTP, RDP/XRDP, ONVIF, UPnP, and VNC. Even if the protocols are used for occasional remote support or troubleshooting, it’s better to keep them disabled and only activate them when needed.
  • Periodically review accounts and privileges, and update them accordingly. Each system user’s privileges or roles should be limited to what they need to get their job done, no more. “Privilege creep” is common: additional privileges are granted to an account for a specific one-time task and then never removed. Similarly, accounts for users who no longer need access should be dealt with according to your company’s policy.
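One way to run the account review described in the last item, as an added example that is not part of the original post: the role baseline, the 90-day window and the account records are constructed assumptions for illustration.

```python
# Added example, not code from the original post: the roles, privilege names,
# policy window and account records below are constructed assumptions.
from datetime import date, timedelta

# Assumed policy baseline: the privileges each role needs to do its job, and no more.
ROLE_BASELINE = {
    "operator": {"view_video", "ack_alarms"},
    "administrator": {"view_video", "ack_alarms", "manage_users", "change_config"},
    "service": {"change_config", "firmware_update"},
}
STALE_AFTER = timedelta(days=90)  # assumed: accounts unused this long need a second look

def review_accounts(accounts, today):
    """Return (username, finding) pairs for the reviewer to act on per company policy."""
    findings = []
    for acct in accounts:
        allowed = ROLE_BASELINE.get(acct["role"], set())
        creep = sorted(set(acct["privileges"]) - allowed)  # grants beyond the role
        if creep:
            findings.append((acct["user"],
                             f"privilege creep: {', '.join(creep)} not part of role '{acct['role']}'"))
        if not acct["employed"]:
            findings.append((acct["user"], "user has left: disable the account per policy"))
        elif acct["last_login"] is None or today - acct["last_login"] > STALE_AFTER:
            findings.append((acct["user"], f"stale: no login in the last {STALE_AFTER.days} days"))
    return findings

# Constructed sample: an export from a directory or VMS user list.
TODAY = date(2023, 10, 9)
SAMPLE_ACCOUNTS = [
    {"user": "alice", "role": "operator", "privileges": {"view_video", "ack_alarms"},
     "last_login": TODAY - timedelta(days=2), "employed": True},
    # one-time grant for a project, never revoked afterwards
    {"user": "bob", "role": "operator", "privileges": {"view_video", "ack_alarms", "change_config"},
     "last_login": TODAY - timedelta(days=5), "employed": True},
    {"user": "carol", "role": "administrator",
     "privileges": {"view_video", "ack_alarms", "manage_users", "change_config"},
     "last_login": TODAY - timedelta(days=200), "employed": True},
    {"user": "dave", "role": "service", "privileges": {"change_config", "firmware_update"},
     "last_login": None, "employed": False},
]

if __name__ == "__main__":
    for user, finding in review_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{user:8} {finding}")
```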

In a nutshell: Cybersecurity at work is a shared responsibility to help reduce susceptibility to threats and attacks.

In next week’s post we will move on to smart use of smart devices. Until then, make sure to visit the Cyber Protection Program for security products website for product advisories and resources on matters related to your cybersecurity.

Seven Simple Steps to Staying Safe Online

Throughout the month of October, Johnson Controls, through the Cyber Protection Program for security products, is supporting the National Cyber Security Awareness Month (NCSAM) mission to raise awareness about the importance of cybersecurity, and individual cyber posture. NCSAM is an initiative of the U.S. Department of Homeland Security, together with the National Cyber Security Alliance and other public and private partners.

Each week NCSAM will highlight a different theme, beginning with Simple Steps to Online Safety. In line with this, the following are some practical tips for simple things everyone can do to protect themselves online.

While some of this is likely familiar to you, it’s always worth refreshing.

Practice good password hygiene

All of your online accounts – including your work email, online shopping, and social media accounts – contain more personal data than you may think. It’s worth a small amount of effort to help keep them secure.

  • Make sure your passwords are long and strong. Length is more important than complexity: long passphrases are better than short, complicated passwords. Even better, use a password manager to generate strong passwords and store them securely.
  • Use a unique password for each account, and change a password if you even suspect it has been compromised.
  • Use long and complex answers to “forgot password” security questions, and memorize them or store them in a password manager.
  • Never share your username or password. Anyone who needs access to the system should have their own account details.

Lock your devices

  • Always keep your mobile device and workstation locked. Even better, have an automatic lock go into effect after a couple of minutes of inactivity. You never know who is around the corner, waiting to steal, destroy or upload malware.

Surf and click cautiously

Both at home and in the office, you need to be wary of emails, websites and associated links that may contain malicious content that can compromise your system.

  • Only open emails or attachments from people you know. Hackers will also use known contacts for phishing, so when in doubt call the person to confirm the email is from them.
  • When in doubt, throw it out, even if you know the source. If it’s something you think may be legitimate, then go to the website directly rather than clicking on the link. Also keep in mind that if you receive an email from a familiar source asking for personal details, especially details they should already have, it may be a phishing ploy.

Bottom line, stay aware to stay cyber-safe

As security professionals, we all share a joint responsibility to protect devices, systems and networks, and help others do the same.

We recommend sharing these tips with your employees and colleagues, your customers – and your friends and family too.

Next week we’ll continue our National Cyber Security Awareness Month initiative, with a post focusing on cybersecurity in the workplace.

In the meantime, make sure to visit the Cyber Protection Program for security products website for product advisories and resources on matters related to your cybersecurity.

Security Practices

Video Management Systems play an integral role in tracking down perpetrators of all types as well as preventing criminal incidents in general. You need to protect the integrity of your cameras and the information they collect by making sure your security practices minimize unauthorized access. Here are some practices you can follow to help manage the overall security of your cameras:

  1. Create an inventory of all the cameras on your network, including the primary and secondary contact person who manages each camera, the camera manufacturer, model, location, IP address and current firmware version.
  2. Ensure that there is no uncontrolled physical access to the cameras, the supporting network equipment (cables, switches, etc.), the server and the video storage for your system. These should all be located in access-controlled areas.
  3. Ensure that no camera or its operating system still uses a default password on any administrator or user account. When a password needs to be set or changed, use a long, complex password that is unique to each individual camera.
  4. Set the idle session timeout for your camera’s interface to ensure that the web session is terminated even for those users who don’t log off of the camera.
  5. Place your camera system on a separate network from your operational network. This helps to reduce the impact of camera traffic on your operational network, and makes it harder for an attacker on one network to gain access to the other.

Periodically reviewing and updating your practices and settings gives you an opportunity to make sure your cameras still meet your security needs. To learn more about the Cyber Protection Program visit our website at tycosecurityproducts.com/CyberProtection.aspx. For any questions you may have on the Cyber Protection Program, email jeffbarkley@tycoint.com

Camera Auditing and Back-Up

Video Management Systems play an integral role in tracking down perpetrators of all types as well as preventing criminal incidents in general. Given the broad base of applications for video management systems, there are many instances of large quantities of useless footage due to poor quality recording. Regular audits and evaluations to ensure that the best possible procedures are being followed can cut down on time wasted sifting through unusable footage.

Consider the following best practices around logging, auditing and back-up processes to guarantee the most secure results:

  • Security Event Log – Supports reliable, fine-grained, and configurable logging of a variety of security-relevant system events. This includes logins, configuration changes, and file and network access.
  • Log Security – A log should be protected from unintentional and malicious tampering. Limited access and proper authentication are required for good security.
  • Date and Time – Accurate dates and times are extremely important for auditing and backup, as this information enables auditors and investigators to know exactly when specific events occurred. During device setup, the date and time should either be set automatically from the workstation or synchronized by the device to Coordinated Universal Time (UTC) using Network Time Protocol (NTP).
  • Logs by Default – Logs should not be optional, but created by default as part of the device setup, since they are the essence of detecting and uncovering malicious activity.
  • Backup/Restore – Being able to quickly restore the system to operation after an incident is critical to maintaining your security position. There needs to be a method to back up a working camera and then restore the data to the current or a replacement camera.
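The logging and auditing points above put to work as a review script, an added example that is not from the original post or any vendor: the log line format, the event names (LOGIN_FAILED, CONFIG_CHANGED, AUDIT_LOG_DISABLED), the thresholds and the sample lines are constructed assumptions.

```python
# Added example, not code from the post or any vendor: log format, event names,
# thresholds and the sample lines are constructed assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s*(.*)$")  # "<time> <device> <EVENT> k=v ..."
FAILED_LOGIN_THRESHOLD = 3                    # assumed: 3 failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # ... within 10 minutes
APPROVED_CONFIG_CHANGERS = {"svc-maint"}      # assumed change-control accounts

def parse_line(line):
    """Return a dict for one log line, or None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_raw, device, event, rest = m.groups()
    ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
    is_utc = ts.utcoffset() == timedelta(0)   # NTP-synced devices should log in UTC
    ts = ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)  # keep naive stamps comparable
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": ts, "ts_raw": ts_raw, "is_utc": is_utc, "device": device, "event": event, **fields}

def review_log(lines):
    """Return findings: login bursts, unapproved config changes, logging turned off, non-UTC clocks."""
    findings = []
    failures = defaultdict(list)  # (device, source IP) -> recent failed-login times
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(f"unparseable line: {line!r}")
            continue
        dev = rec["device"]
        if not rec["is_utc"]:
            findings.append(f"{dev}: timestamp {rec['ts_raw']} is not UTC; check NTP setup")
        if rec["event"] == "LOGIN_FAILED":
            key = (dev, rec.get("src"))
            failures[key] = [t for t in failures[key] if rec["ts"] - t <= FAILED_LOGIN_WINDOW]
            failures[key].append(rec["ts"])
            if len(failures[key]) == FAILED_LOGIN_THRESHOLD:  # report once per burst
                findings.append(f"{dev}: {FAILED_LOGIN_THRESHOLD} failed logins from {key[1]} within 10 min")
        elif rec["event"] == "CONFIG_CHANGED" and rec.get("user") not in APPROVED_CONFIG_CHANGERS:
            findings.append(f"{dev}: '{rec.get('item')}' changed by unapproved user {rec.get('user')}")
        elif rec["event"] == "AUDIT_LOG_DISABLED":
            findings.append(f"{dev}: audit logging turned off by {rec.get('user')}")
    return findings

# Constructed sample log: a failed-login burst, a config change by an unapproved
# account, a device whose clock is not on UTC, and audit logging being disabled.
SAMPLE_LOG = """\
2023-10-09T14:01:10Z cam-07 LOGIN_FAILED user=admin src=10.0.5.21
2023-10-09T14:01:14Z cam-07 LOGIN_FAILED user=admin src=10.0.5.21
2023-10-09T14:01:19Z cam-07 LOGIN_FAILED user=admin src=10.0.5.21
2023-10-09T14:02:00Z cam-07 CONFIG_CHANGED user=admin item=ntp_server
2023-10-09T16:03:00+02:00 cam-08 CONFIG_CHANGED user=svc-maint item=firmware
2023-10-09T14:04:00Z cam-08 AUDIT_LOG_DISABLED user=admin
""".splitlines()

if __name__ == "__main__":
    print("\n".join(review_log(SAMPLE_LOG)))
```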

Reviewing your camera’s logging and backup settings gives you an opportunity to make sure it meets your site’s needs. You should also verify that you can successfully restore a camera, to ensure that your backups are not corrupt. To learn more about the Cyber Protection Program visit our website at tycosecurityproducts.com/CyberProtection.aspx. For any questions you may have on the Cyber Protection Program, email jeffbarkley@tycoint.com.

Cyber Security in the News

Cyber security breaches aren’t limited to high-profile incidents such as credit card information theft from retail companies or personal information theft from government organizations. As recently reported by Reuters, ThyssenKrupp AG (TKAG.DE) was subject to various cyber attacks in its steel production and manufacturing plant design divisions earlier this year, resulting in the loss of technical trade secrets and project data (http://www.reuters.com/article/us-thyssenkrupp-cyber-idUSKBN13X0VW).

The gravity of these incidents serves as a reminder of the importance of cyber security. To help better protect your organization from similar attacks, Tyco Security Products has developed a Six Part Approach to Cyber Protection of Physical Security Products. Read about cyber security best practices for physical security on our Cyber Protection webpage and sign up to receive cyber security advisories.

Many Cyber Attacks Are Preventable

In a recent article published by eSecurity Planet, 43 percent of IT professionals admit that cyber-attacks could be prevented with better policies around potential vulnerabilities such as weak passwords; 58 percent prioritize heightened capabilities in perimeter-based controls such as ensuring that devices are properly configured and are running the most up-to-date software. (Read the Article)

Tyco Security Products has developed a Six Part Approach to Cyber Protection of Physical Security Products. Read about it and other cyber security best practices on our Cyber Protection webpage and sign up to receive cyber security advisories.

Cyber Protection Program – Security Features

What Comes After Device Hardening?

It’s common knowledge that encrypted communication and other device hardening features are necessary for cybersecurity, but it’s vitally important to think beyond hardening.  Now that the security industry has adopted IP technology, manufacturers and integrators must consider not only the security operator’s needs, but also those of the IT manager.

An unsecured device can be the target of a cyber attack that might affect the entire network. While IT managers in government agencies, utilities, transportation, retail operations and financial enterprises are most acutely aware of the dire consequences of a successful hack, IT managers in all sectors are demanding security measures that go well beyond hardening before accepting devices onto their networks.

Here are four features that Tyco Security Products offers to achieve network acceptance for our Software House C•CURE 9000 Access Control Systems and American Dynamics victor Unified Video Management Systems that incorporate iSTAR controllers:

  1. Archive and Failover features to ensure continual operation and fast recovery.
  2. LDAP Support to manage credentials.
  3. FIPS 140-2, Level 2, end-to-end validated encryption.
  4. Network Storm Protection that ensures an iSTAR controller continues to operate during a denial of service attack.


Not every industry or enterprise requires the same security features for network acceptance. Our application specialists are available to advise which features are relevant to a specific application.

Learn more about our Cyber Protection Program and how we’re working to protect our physical security products from attacks, damage, disruptions and misuse.

Responding Rapidly to Security Vulnerabilities

While hardening is important, it does not guarantee that the device you install today will be secure tomorrow. Potential problems can lie dormant for years and then provide easy access for hackers when uncovered. For example, Shellshock was actually introduced as a product feature in 1989. Its vulnerability existed undetected in numerous products — including “hardened” versions of Linux and Unix operating systems — for 25 years. But within a single day of the vulnerability announcement in 2014, hackers reportedly were taking advantage of this critical bug.

At Tyco Security Products, we understand that a vulnerability discovered in one of our security products could potentially put your entire business at risk. That’s why we’ve put a team and process in place designed to deliver a fast, actionable response to help protect your investments from harm.

Our Cyber Protection Team continuously monitors for vulnerabilities using multiple resources. When a new bug is discovered, the Cyber Protection Team and key product engineers work quickly to tackle and resolve security concerns before they become critical to your operation.

This dedicated response enables us to create a security advisory, typically within 24 hours. The notification includes information about which products are vulnerable along with mitigation steps. It also lists products that we have confirmed are not vulnerable for greater peace of mind.

In the case of significant vulnerabilities, advisories are updated as needed until the issues are resolved. Quality engineers ensure that software patches are fully tested and validated. While we cannot predict how long it will take to resolve an issue, it took the team just two weeks to deliver patches for Shellshock and Heartbleed, both critical vulnerabilities.

Learn more about our Cyber Protection Program and how we’re working to protect our physical security products from attacks, damages, disruptions and misuse. You can also sign up to receive security advisories.

Cybersecurity Acronyms

As with any industry, there are a slew of acronyms that are used. Cybersecurity is no different. To completely understand the standards and best practices for cybersecurity, you must understand the various groups and terminology being used.

Tyco Security Products Cyber Protection Program

Developed over five years from providing critical solutions to the U.S. Government and other multi-national customers, Tyco Security Products Cyber Protection Program is one of the first in the industry to offer a holistic, six-part approach to cyber security for physical security products. We have effectively worked with government agencies to meet the appropriate standards and validations. Below is an explanation of many of the various cyber security groups and common terminology used.

FIPS

Federal Information Processing Standards (FIPS) are a set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with agencies.

Having a FIPS validation ensures that encryption is performed properly. Test results are validated by the United States National Institute of Standards and Technology (NIST), yet another acronym.

FISMA

The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against threats.  View the Tyco Security Products FISMA-ready configuration guidelines. These guidelines apply to Software House CCURE 9000 and American Dynamics victor video management system (VMS) software and VideoEdge network video recorders.

NERC

The North American Electric Reliability Corporation (NERC) is a non-profit organization that works with all stakeholders to develop standards for power system operation, and monitors and enforces compliance with those standards.

NERC CIP

NERC Critical Infrastructure Protection (CIP) consists of 9 standards and 45 requirements covering the security of electronic perimeters and the protection of critical cyber assets, as well as personnel and training, security management and disaster recovery planning. View the Tyco NERC-CIP V5 ready configuration guidelines for Software House CCURE and iSTAR.

DISA

The Defense Information Systems Agency (DISA) is a United States Department of Defense (DoD) agency that provides information technology (IT) and communications support to any individual or system contributing to the defense of the United States.

SRG

A Security Requirements Guide (SRG) is a compilation of singular, actionable statements that comprise a security control or security best practice. An SRG is used by DISA field security operations and vendor guide developers to build Security Technical Implementation Guides (STIGs). I know, we cannot stop with the acronyms. A STIG is a guide for implementing IT systems within the DoD. View the Tyco DISA security requirements for VideoEdge using the General Purpose Operating System SRG.

SANS

System Administration, Networking and Security (SANS) released the Top 20 security vulnerabilities list; these are security controls for protecting a network. VideoEdge and victor have been designed with the features needed to help our installers and users configure their networks to implement the SANS controls they elect.

Learn more about our cyber protection program.