Cyber security concerns regularly top the list of things that keep business leaders up at night. The threat landscape is constantly shifting and evolving, as determined malicious actors launch new attacks and exploit vulnerabilities. Defending against threats and protecting company data can feel like a never-ending game where it’s impossible to stay one step ahead.
To counteract this, Axis Communications (Axis) leads a collaborative effort with system integrators, security experts and end users. Here we explore the processes in place to ensure the highest levels of surveillance system cyber security.
Cyber security threat analysis
A strategic approach to cyber security starts with an understanding of the common industry-specific threats an organisation is likely to face, the existing vulnerabilities in its defences, and industry regulation. Axis recognises this and proactively works with partners and customers to ensure they are equipped with the right knowledge and protocols to help defend against attacks.
Unfortunately, security threats don’t fit into specific and well-defined boxes. They vary in terms of sophistication and impact. Highly complex attacks with the biggest impact to businesses and their customers tend to steal the most column inches and awareness, but these aren’t the most common.
User error, a key factor in cyber-attacks
Rather, the threats that organisations need to worry most about arise far more frequently from lapses in protocol and what is often referred to as ‘deliberate or accidental misuse of the system’. User error is a top factor when it comes to successful cyber-attacks and shouldn’t be overlooked. This is something that Fred Juhlin, Global Senior Consultant at Axis Communications, believes is one of the greatest misconceptions when it comes to threats.
Fred Juhlin comments, “Many organisations mistakenly focus on protecting their businesses from the high profile threats, instead of getting the basics right. User error is a top factor when it comes to successful cyber-attacks and shouldn’t be overlooked when putting measures in place to improve cyber security.”
Addressing cyber security vulnerabilities
Vulnerabilities are weaknesses or opportunities for different threats to impact the system negatively and are a part of every system: no solution exists which is completely free from vulnerabilities. Rather than focus solely on the vulnerability itself, it’s important to quantify the potential impact on the organisation if it is exploited.
This will help qualify the associated risk and whether addressing the vulnerability should be prioritised. Axis Communications strives to apply cyber security best practices in the design, development, and testing of devices, so as to minimise the risk of flaws that could be exploited in cyber-attacks. However, securing a network, its devices, and the services it supports relies on active participation by the entire vendor supply chain, as well as the end-user organisation.
Axis Hardening Guide
The Axis Hardening Guide describes each security control that can be applied with the device and recommends when, where and why it should be used when securing the network, devices, and services.
From a vendor perspective, developing software products with security built in throughout the development lifecycle requires experience and maturity in secure software design and coding. In addition, these products must comply with prevailing legislation (for example, GDPR and CCPA for privacy, NDAA and DoD CMMC for secure supply chains, and the UK Secure by Default legislation, among many others).
Cyber security legislation and standards
Wayne Dorris, CISSP, Business Development Manager – Cyber Security at Axis, commented, “We dedicate a significant portion of our time to examining laws, legislation and standards for cyber security requirements to see where these may impact Axis.”
He adds, “These regulations may differ according to geographical location, which presents a challenge to customers who need to deploy products across multiple markets. For example, it’s counterproductive to install one version of firmware for the Americas, when they need another version for EMEA.”
Security Development Model
Axis Communications approaches this challenge through its Security Development Model, which is based on several cyber security industry best practices. The model defines the processes and tools used to build software with security built-in throughout the development lifecycle, spanning initial requirements, design, implementation, verification and deployment.
Even with the best processes in place to prevent critical vulnerabilities being designed into a product, the threat landscape is in a continual state of change. Communicating information about these vulnerabilities to customers and partners as soon as they are discovered is key. This allows them to undertake risk assessments and take action, such as patching, to remediate them.
Employing independent scanning tools
Sometimes customers choose to take assessment into their own hands, employing independent scanning tools which report current vulnerabilities in the solution. These can be invaluable in keeping a system secure, but their findings must be given the right context and an associated risk assessment. Without this, there is the chance that the wrong conclusions are drawn, leading to expensive and unnecessary actions.
Steven Kenny, Industry Liaison Manager at Axis, commented, “It’s great when customers take such a proactive stance to understanding the vulnerabilities that exist within their systems, but these reports can include many false positives. Without the right context and risk assessment, it’s easy to go down a rabbit hole, dedicating resources towards fixing a problem that has very little impact on the business.”
Axis works closely with customers and partners to interpret and prioritise vulnerabilities and to develop a strategic and informed plan of action.
Cyber security best practice education and training
As part of this guidance on the latest vulnerabilities, education plays an important role in informing the development of security policies. One of the greatest cyber security weaknesses in an organisation can be its staff. It is critical that they are made aware of how they can be targeted and the potential impact of failing to comply with security practices. Axis helps to deliver cyber awareness training and establish best practice guides for end users.
Security personnel can also be a weak point in an organisation’s cyber security, given their responsibility for managing security controls. This includes maintaining an up-to-date device inventory, secure deployment, patching and device account management. Keeping on top of this can be difficult, and Axis Device Manager (ADM) can support security personnel in this endeavour.
However, customer needs are changing and demand for capabilities such as multi-site management and improved monitoring is increasing. To meet this demand, Axis has launched ADM Extend, which enables more flexible deployment and allows personnel to support multiple sites. Although ADM Extend currently focuses on common operations, it will include more policies, security automation, and integration with other systems in the near future.
Moving towards a ‘zero trust’ approach
Threat actors often work in collaboration, sharing information on the latest vulnerabilities, tactics and associated rewards. Faced with such a determined and often well-funded foe, organisations should not attempt to go into battle without the right armour and support. New threats continuously emerge, making a multi-layered approach underpinned by cyber security education essential to an organisation’s defence.
As the industry moves to a ‘zero trust’ approach to security where every entity is identified and defined by its risk profile, it is important to choose products which are designed with security in mind. Axis leverages over 30 years of experience to create robust products and employs a collaborative approach to ensure that partners and customers are armed with the key information and tools needed to react to changing threats.