Download PDF version Contact company

Security vulnerability in any network can be found and exploited by hackers and others in no time. The only questions are when this will happen and how much damage an individual could do once they’ve gained access to the network.

Recognising this reality, most organisations test their own networks for security weaknesses, whether to meet compliance requirements or simply as a best practice. Those that aren’t doing this now should start—the sooner, the better.

There are a variety of methods that can be used for these tests, each of which has its strengths and weaknesses. For example, some can be performed relatively quickly and easily, while others are more complex and exhaustive. Determining which method is right for a particular organisation or situation can be overwhelming to say the least, particularly for those lacking advanced IT skills. The below overview of the most common testing practices will help make sense of the often-confusing array of options to help organisations ensure the highest level of network security and protection.

Vulnerability scans

When run on a regular basis,
vulnerability scans can serve
as an early warning that software
is out of date or patches are
missing or misconfigured

Vulnerability scans rely on mostly automated tools to find potential vulnerabilities at either the network or application level. Of the two, network scans are the more basic, looking for known common vulnerabilities in widely used commercial and open source software and reporting any that are found with ratings that identify the level of severity.

The advantages of network vulnerability scans lie in their speed, cost efficiency, and safety, which make them ideal for ensuring that the latest system patches and updates have been deployed and that security configurations are as stringent as possible. When run on a regular basis, these scans can serve as an early warning that software is out of date or patches are missing or misconfigured.

Many organisations only test their networks from the Internet. It’s true that Internet facing-vulnerabilities are the most well-known and well-publicised and may seem like the easiest for an attacker to exploit, but there’s much more to the story. Specifically, by limiting scans only to external threats, organisations remain unaware of exactly what an attacker could accomplish once the network has been breached, for example by tricking a user into installing a backdoor via a phishing email. What internal network vulnerabilities could an attacker exploit to move between systems once they’ve gained a foothold? Without testing internally, there’s no way to know the answer to this question until it’s too late.

Attackers regularly target and leverage vulnerabilities in custom applications to access the data they contain or breach the underlying network
Organisations must also test from inside the firewall to discover what an attacker could accomplish once the network has been breached

Internal network scans

Therefore, in addition to network vulnerability scans, organisations must also test from inside the firewall. But it’s important to note that even internal network scans can leave blind spots since, by default, scanners only check services that listen for network communications. Unfortunately, many attacks are made possible by phishing, drive-by-downloads, and other campaigns which target web browsers, PDF viewers and other client software that a network scan will skip over. Using these tactics, attackers can then exploit vulnerabilities in other local operating systems to gain administrator privileges.

There is a way to eliminate these blind spots by configuring scanning tools with authentication credentials that enable them to log in to their targets during internal scans, allowing them to check local software as well. This approach will give the most complete view of the status of an organisation’s patches and configurations.

Even internal network scans
can leave blind spots since,
by default, scanners only
check services that listen for
network communications

The other main shortcoming of network vulnerability scanners is that they are only as good as their vulnerability signatures, which are based on existing databases of known vulnerabilities. This means they cannot identify flaws that haven’t yet been reported publicly, including those found in more obscure or custom applications. This can present significant risk, as attackers regularly target and leverage vulnerabilities in custom applications to access the data they contain or breach the underlying network. This is where application vulnerability scans come in.

Application scanners

Application scanners are designed specifically to identify these previously undocumented vulnerabilities found in custom applications. Unlike network scanners, these tools exercise all of an application’s functionality to find common types of flaws, rather than looking for a list of known vulnerabilities. However, because of the amount of data these scanners send to an application, they must be used very carefully. No organisation wants to become another entry on the long list of stories about application scanners dumping garbage data into a database or triggering thousands of emails.

That said, regardless of how advanced application scanners may be, they are still incapable of catching a number of vulnerabilities, especially those that are too subtle for the scanner to pick up on but which would be obvious to a human observer. As is the case with network scans, a clean report by an application scanner is a good start but is no guarantee that there are no problems. Organisations should build on these scans with deeper, more complex and thorough methods, such as penetration testing.

Each of these network vulnerability testing methods brings its own strengths and weaknesses to the overall security equation
Penetration testing brings skilled, "white hat" hackers into the mix to simulate real-world attacks

Real-world testing

Organisations often make the mistake of concentrating their network security efforts on fixing only those vulnerabilities identified by scans as being critical or high-severity in nature, which is a highly ineffective practice. Why? Because real-world breaches are rarely perpetrated on the basis of a single critical network vulnerability. Instead, attackers recognise the tendency to focus on only “serious” problems and often chain together multiple low- to medium-severity network vulnerabilities or combine them with “local” vulnerabilities that are invisible from the network.

Building on network and application vulnerability scanning, penetration testing brings skilled, “white hat” hackers into the mix to simulate the kind of real-world attacks against an organisation’s network services, applications, or even both simultaneously. Like malicious attackers, these testers attempt to combine vulnerabilities uncovered by scanners while also looking for those that the scanners are incapable of detecting. While this process is more time-consuming and costly than deploying scanning tools alone, it provides a more realistic assessment of just how much effort an actual attacker would need to put forth to breach an organisation’s network and data.

No matter how careful penetration
testers are in their efforts, it is
always possible that a host would
be knocked offline temporarily or
data in a database altered

Potential unintended consequences

Each of these network vulnerability testing methods brings its own strengths and weaknesses to the overall security equation, underscoring the reality that no testing— regardless of how important or critical it may be—comes without risk. For example, no matter how careful penetration testers are in their efforts to exploit flaws and vulnerabilities without causing damage, it is always possible that a host would be knocked offline temporarily or data in a database altered.

Organisations need to be aware of these potential unintended consequences. It is important to understand that the skill level of the testers will largely determine the success of testing, so organisations should seek out testers with strong experience and skillsets. One final note is that regardless of how tempting it may be to cut costs by limiting the scope of testing, the potential long-term costs—network disruption, data theft, damage to reputation, etc.—could be far greater than today’s savings. For this reason alone, the higher cost to an organisation of having an established, experienced team perform exhaustive testing can actually turn out to be a tremendous bargain.

Save

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version Download PDF version

Author profile

Christopher Camejo Director of US Threat and Vulnerability Analysis, NTT Security (US) Inc

In case you missed it

Hikvision provides their HikCentral video management software to enhance real-time monitoring at Care Protect’s office in Belfast
Hikvision provides their HikCentral video management software to enhance real-time monitoring at Care Protect’s office in Belfast

When Care Protect wanted to upscale its operations in healthcare safety and monitoring services to a large private provider, it turned to Hikvision’s HikCentral video management software, in combination with offsite cloud video storage from Manything Pro. Care Protect is an innovative organisation. It was created to promote excellent, sustainable and consistent care delivery in health and social care settings. That innovation is reflected in the way the company integrates technology into the very heart of its care provision services. It uses the latest camera and audio technology, alongside the latest secure cloud-based video storage services, with a team of health and social care professionals reviewing and assessing around the clock. Social care environments Because of this diligence in monitoring, high levels of independent scrutiny can be guaranteed. The result is that through this transparency, reassurance is available for residents and their families, knowing that vulnerable adults and children are better safeguarded and protected. In all cases, system use is with the prior consent of residents and relatives or next of kin only. Care Protect was established to help address public concerns over incidents of poor care or malpractice Care Protect’s independent monitors are very well qualified, with years of relevant health and social care experience, together with all necessary Disclosure and Barring Service (DBS) checks and Security Industry Authority (SIA) licencing. Collectively they offer a high level of sector knowledge and expertise essential to assist and advise those with responsibility for safeguarding and quality and clinical governance. One of the key reasons that Care Protect was established to help address public concerns over incidents of poor care or malpractice in health and social care environments, some of which have seen wide media coverage. Private healthcare provider As a result, sound and motion detection alarms and infrared filming is utilised so immediate alerts can be raised if an incident is seen or heard or there is a connectivity or maintenance issue. Video recordings also include the use of privacy settings to block any agreed zones or areas of view as required. With video footage playing such a crucial role in Care Protect’s service, it is of pivotal importance that the system in place to manage the viewing of that video is stable, reliable and effective. One of Care Protect’s clients is a large private healthcare provider, for which Care Protect monitors bedrooms and communal areas of child and adult wards in hospitals nationwide throughout England. Care Protect also monitors elderly care homes for several different providers. Offsite video storage Care Protect also monitors elderly care homes for several different providers Care Protect’s IT & Systems Director, Andy Johnson, said Care Protect Directors have a background in the care industry, which has informed the monitoring system the company utilises. “We’ve developed a system based on the reviewing of recorded footage by social workers and nurses to advise, initially, on the quality of practice,” Johnson explains. “The contract with the large private healthcare company saw our operation change to caring for patients who pose a high risk to themselves for self-harm. Because of the importance of this monitoring in ensuring the patients’ wellbeing, it was critical that we were able to efficiently manage that video, both in terms of live monitoring and offsite video storage.” Cloud video storage The new focus required an upscaling of Care Protect’s operational office in Belfast (the company’s head office is in Yarm, Cleveland). A key element of this upscaling was the use of Hikvision’s HikCentral video management software, which needed to be able to deliver high quality images to a Samsung multi-screen video wall for real-time monitoring. Resident and patient rights to privacy remain at the core of Care Protect’s operations Video management via HikCentral at Belfast is critical, as is the offsite cloud video storage provided by Manything Pro, as Care Protect is careful to ensure there is no local recording of video onsite at the customer’s facilities so that it cannot be tampered with. Resident and patient rights to privacy remain at the core of Care Protect’s operations, and they ensure they comply with and exceed all relevant legislation and guidelines, including the Data Privacy Act and Surveillance Camera Code of Practice. Intelligent surveillance platform HikCentral is a comprehensive, intelligent surveillance platform. The newly improved HikCentral delivers data and intelligence via a pre-installed VMS on standard, off-the-shelf servers, and contains advanced functions including advanced live view and playback, thermal imaging, queue detection, low bandwidth adaptability, video linkage with access control, enhanced alarm management and smart wall operation – as in use at Care Protect. HikCentral manages the cameras, the smart wall monitors, and the video decoders that drive the images to the multiple screens in the Belfast hub. These screens cover 21 separate hospital sites for Care Protect’s private health provider customer. “One of the key features of HikCentral for us was the new smart wall functionality,” Johnson says, “Allowing us to manage multiple screens from the one place, rather than having software to run an application to then put it on the screens.” Network mini domes We use Smart Maps within HikCentral for interactive floor plans for the hospitals we monitor" Care Protect also makes good use of HikCentral’s Smart Maps function. “We use Smart Maps within HikCentral for interactive floor plans for the hospitals we monitor,” Johnson explains. “We have a selection of the communal cameras live on the maps, and our reviewers can click into the relevant area and get an overview without having to further interrogate those floor plans.” The appeal of this VMS, he says, was down to both the newly mature and advanced functions of the latest version of HikCentral, as well as its very competitive pricing compared to its rivals. Care Protect uses 500 HikCentral licences and a variety of Hikvision cameras are deployed across the customer’s facilities, predominantly unobtrusive 4MP and 6MP high resolution network mini domes. Hikvision Smart functionality on those cameras also proves extremely useful, Johnson says. Smart camera functions “The use of Hikvision Smart events on the cameras helps our reviewers to know how many people are in a room or a designated zone at a particular time,” he says. “These sorts of Smart features can greatly assist our reviewers, allowing us to be more efficient and effective in responding to the needs of patients.” Those in-built Smart camera functions are complemented by the use of audio analytics Those in-built Smart camera functions are complemented by the use of audio analytics. In some cases this audio software is used to trigger cameras so that potential incidents can be automatically viewed and assessed by a Care Protect reviewer. The results of utilising this technology, according to Johnson, have been highly successful. “We have been able to upscale our operation to 27 screens, to accommodate 21 hospital sites for our biggest customer, to great satisfaction from their end as it is safeguarding the vulnerable patients that they care for,” he says. Poor network conditions In addition to monitoring the live streams for certain hospitals, Care Protect’s independent monitors are tasked with reviewing all recorded video to ensure that the quality of care provided meets the required standards. For this they utilise the services of Hikvision cloud video technology partner, Manything Pro. Care Protect have almost 3,000 cameras recording video to the Manything Pro platform. All video is stored offsite in the secure Manything Pro cloud and can be accessed via the Manything Pro app and website. Manything Pro software runs on Hikvision cameras and is constantly monitoring the bandwidth conditions on each site. If necessary, the software will dynamically adjust the video bit rate to ensure recorded events are sent to the cloud even in poor network conditions. “We use Manything Pro for our cloud storage, so any recorded footage goes up to them, and we review through their website,” he says. “Some providers that we work with aren’t part of the live streaming through HikCentral in our Belfast monitoring centre. For these sites we also use the Manything Pro app and website to view the camera live streams.”

How smart technology is simplifying safety and security in retirement villages
How smart technology is simplifying safety and security in retirement villages

James Twigg is the Managing Director of Total Integrated Solutions (TIS), an independent life safety, security and communication systems integrator, specialising in design & consultancy, technology and regulatory compliance. Total Integrated Solutions work primarily with retirement villages, helping to ensure the safety of residents in numerous retirement villages across the country. In this opinion piece, James shares how smart technology is helping security teams and care staff alike in ensuring the safety and security of their spaces, amid the COVID-19 pandemic and beyond. Impact of smart technology Smart technology is having an impact on pretty much every aspect of our lives Smart technology is having an impact on pretty much every aspect of our lives. From how we travel, to how we work, to how we run our homes. It’s not unusual to have Alexa waking us up and ordering our groceries or Nest to be regulating the temperature and energy in our homes. And while there’s a popular misconception that people in their later years are allergic to technology, retirement villages and care homes are experiencing significant innovation too. And the result is not only improved quality of life for residents, but also improved safety and security systems for management teams. Switching to converged IP systems I’ve been working in the life safety and security industry for over fifteen years. When I first joined TIS, much of the sector was still very analogue, in terms of the technology being installed and maintained. Slowly but surely, we’ve been consulting and advising customers on how to design, install and maintain converged IP systems that all talk to each other and work in tandem. I'm excited to say retirement villages are some of the top spaces leading the way, in terms of technological advancement. Improving the quality of life for residents A move into a retirement village can be daunting and one of the key concerns that we hear about is the loss of independence. No one wants to feel like they are being monitored or to have someone constantly hovering over them. One of the ways we’ve used smart technology to maintain residents' independence is through devices, such as health monitors and motion sensors. For example, instead of having a member of staff check-in on residents every morning, to ensure they are well, sensors and analytics can automatically detect changes in routine and alert staff to possible problems. Similarly, wearable tech, such as smart watches give residents a chance to let staff know they are okay, without having to tell them face-to-face. As our retirement village customers have told us, a simple ‘I’m okay’ command can be the difference between someone feeling independent versus someone feeling monitored. Simplifying and improving security systems Smart technology gives care staff and security oversight of the needs of residents For the teams responsible for the safety of the people, places and spaces within retirement villages, smart technology is helping to improve and simplify their jobs. Smart technology gives care staff and security oversight of the needs of residents, and ensures rapid response if notified by an emergency alert, ensuring they know the exact location of the resident in need. And without the need to go and physically check-in on every resident, staff and management can ensure staff time is being used effectively. Resources can be distributed where they are needed to ensure the safety and wellbeing of those residents who need extra consideration. 24/7 surveillance When planning the safety and security for retirement villages, and other residential spaces, it’s no use having traditional systems that only work effectively for 12 hours a day or need to update during the evening. Surveillance needs to be 24/7 and smart technology allows that without the physical intrusion into people’s spaces and daily lives. Smart technology ensures that systems speak to each other and are easily and effectively managed on one integrated system. This includes video surveillance, which has also become much more effective as a result of advanced video analytics, which automatically warn staff of suspicious behaviour. Securing spaces amid COVID-19 This year has, of course, brought new challenges for safety. COVID-19 hit the retirement and residential care sectors hard, first with the initial wave of infections in mid-2020 and then, with the subsequent loneliness caused by the necessary separation of families. As essential workers, we worked closely with our customers to make sure they had everything they needed As essential workers, we worked closely with our customers to make sure they had everything they needed during this time, equipping residents with tablet devices to ensure they could stay connected with their families and friends. It allowed residents to keep in touch without risking transferring the virus. Thermal cameras and mask detection And now that we’re emerging out of COVID-19 restrictions and most residents can see their families again, we’re installing systems like thermal cameras and mask detection, so as to ensure that security will be alerted to anyone in the space experiencing a high temperature or not wearing proper PPE. Such steps give staff and families alike, the peace-of-mind that operational teams will be alerted at the earliest possible moment, should a COVID-19 risk appear. Thinking ahead to the next fifteen years, I’m excited at the prospect of further technological advancements in this space. Because at the end of the day, it’s not about how complex your security system is or how you compete in the industry. It’s about helping teams to protect the people, spaces and places that matter. I see smart technology playing a huge role in that for years to come.

Climax releases the GX-Cubic2 Series Smart Care Medical Alarm for the healthcare industry
Climax releases the GX-Cubic2 Series Smart Care Medical Alarm for the healthcare industry

Rapid aging population, high healthcare costs, and physician shortages are creating an increasing demand for care at home, especially for seniors with long-term health conditions. The GX-Cubic2 Series Smart Care Medical Alarm from Climax Technology Co., Ltd. (Climax), features an LCD display that shows clock time, temperature, GSM signal strength and sensor faults, to keep users fully informed at all times. GX Smart Care Medical Alarm GX Smart Care Medical Alarm is an all-in-one wellness and personal safety medical alarm solution GX Smart Care Medical Alarm is an all-in-one wellness and personal safety medical alarm solution, bridging medical health monitoring and emergency alarm, to keep seniors safe in their own homes. GX is compatible with Bluetooth medical devices, like blood glucose/blood pressure monitors, pulse oximeters, etc., to track medical data and remote monitoring directly from caregivers/physicians, and also has telecare alarm features, including voice recognition, emergency monitoring, inactivity monitoring, voice control, and home automation capabilities, in order to assist seniors to have a more secure and healthy living. Some of the major features of the GX-Cubic2 Series include: Bluetooth Medical Device Pairing GX is compatible with Bluetooth Medical devices, like blood pressure/blood glucose monitors, pulse oximeters, thermometers, etc., to track health and medical data, and allow care-givers/physicians to remote monitor and provide treatment as needed. Smart Home Automation ZigBee, Z-Wave, and/or Bluetooth automation devices incorporated into GX creates a smarter and safer home, by auto-turning on hallway lights at night, to decrease the chance of a fall, or auto turn on the heater, if there is a sudden temperature drop. Voice Recognition GX has built-in voice recognition and can activate an emergency all to CMS by preset vocal commands or keywords. Allowing seniors to receive emergency attention even in situations where they are unable to seek help manually. Location Tracking GX can be paired with BRPD-1 Bluetooth pendant, a small wearable panic button that partners with a smartphone application for GPS location reporting and trigger help alarm with one button press, whether the user is at home or out for a walk. Voice Control GX is compatible with Google Home and Amazon Alexa voice control to control home electronic devices, allowing seniors to use their voice to make their environment more suitable without lifting a finger. Visual Monitoring and Verification GX can integrate Camera PIR Motion Sensors to deliver real-time visual monitoring and verification. When an emergency occurs, alerts are immediately sent to family members and Monitoring Centre to verify the event and sending immediate assistance as required. Pivotell Advance Automatic Pill Dispenser GX is compatible with Pivotell Advance Automatic Pill Dispenser, keeping secure of all pills, remind users to take their medication, keep track of their medicine intake, and allow caregiver/physician to monitor pill taking results/record and keep an eye on user’s needs. Safety & Inactivity Monitoring GX can support wireless sensor devices, allowing users to add in smoke detectors, water leakage sensors, and gas sensors to monitor emergencies, and motion sensors, door contacts, sensor pad transmitters for inactivity monitoring, to build a healthier, safer independent living. Voice over Internet Protocol (VoIP) & DECT GX’s built-in VOIP function allows users to initiate two-way voice calls to contact CMS and family members during alarms and emergency. With the optional add-on of DECT, GX can pair with voice extenders, talking pendants, call points, etc. placed around the home, to create a safety net and peace of mind. Colour Lighting Function GX also has an LED nightlight featuring both multi-colour adjustment and light level button control for a pleasant ambiance.