Cyber security concerns regularly top the list of things that keep business leaders up at night. The threat landscape is constantly shifting and evolving, as determined malicious actors launch new attacks and exploit vulnerabilities. Defending against threats and protecting company data can feel like a never-ending game where it’s impossible to stay one step ahead.

To counteract this, Axis Communications (Axis) leads a collaborative effort with system integrators, security experts and end users. Here we explore the processes in place to ensure the highest-levels of surveillance system cyber security.

Cyber security threat analysis

A strategic approach to cyber security starts with an understanding of what common industry-specific threats an organisation is likely to face, existing vulnerabilities in their defence and industry regulation. Axis recognises this and proactively works with partners and customers to ensure they are equipped with the right knowledge and protocols to help defend against attacks.

Unfortunately, security threats don’t fit into specific and well-defined boxes. They vary in terms of sophistication and impact. Highly complex attacks with the biggest impact to businesses and their customers tend to steal the most column inches and awareness, but these aren’t the most common.

User error, a key factor in cyber-attacks

User error is a top factor when it comes to successful cyber-attacks and shouldn’t be overlooked

Rather, the threats that organisations need to worry most about arise far more frequently from lapses in protocol and what is often referred to as ‘deliberate or accidental misuse of the system’. User error is a top factor when it comes to successful cyber-attacks and shouldn’t be overlooked. This is something that Fred Juhlin, Global Senior Consultant at Axis Communications believes is one of the greatest misconceptions when it comes to threats.

Fred Juhlin comments, “Many organisations mistakenly focus on protecting their businesses from the high profile threats, instead of getting the basics right. User error is a top factor when it comes to successful cyber-attacks and shouldn’t be overlooked when putting measures in place to improve cyber security.

Addressing cyber security vulnerabilities

Vulnerabilities are weaknesses or opportunities for different threats to impact the system negatively and are a part of every system: no solution exists which is completely free from vulnerabilities. Rather than focus solely on the vulnerability itself, it’s important to quantify the potential impact on the organisation if it is exploited.

This will help qualify the associated risk and whether addressing the vulnerability should be prioritised. Axis Communications strives to apply cyber security best practices in the design, development, and testing of devices, so as to minimise the risk of flaws that could be exploited in cyber-attacks. However, securing a network, its devices, and the services it supports relies on active participation by the entire vendor supply chain, as well as the end-user organisation.

Axis Hardening Guide

The Axis Hardening Guide describes each security control that can be applied with the device and recommends when, where and why it should be used when securing the network, devices, and services.

From a vendor perspective, developing software products with security built in throughout the development lifecycle requires experience and maturity in secure software design and coding. In addition, these products must comply with prevailing legislation (for example, GDPR, CCPA for privacy and NDAA, DoD CCMC for secure supply chains and the UK Secure by Default legislation), and many more.

Cyber security legislation and standards

Wayne Dorris, CISSP, Business Development Manager – Cyber Security at Axis commented, “We dedicate a significant portion of our time to examining laws, legislation and standards for cyber security requirements to see where these may impact Axis.

He adds, “These regulations may differ according to geographical location, which presents a challenge to customers who need to deploy products across multiple markets. For example, it’s counterproductive to install one version of firmware for the Americas, when they need another version for EMEA.

Security Development Model

Axis Communications approaches this challenge through its Security Development Model

Axis Communications approaches this challenge through its Security Development Model, which is based on several cyber security industry best practices. The model defines the processes and tools used to build software with security built-in throughout the development lifecycle, spanning initial requirements, design, implementation, verification and deployment.

Even with the best processes in place to prevent critical vulnerabilities being designed into a product, the threat landscape is in a continual state of change. Communicating information about these vulnerabilities to customers and partners as soon as they are discovered is the key. This will allow them to undertake risk assessments and take an action, such as patching, to rectify.

Employing independent scanning tools

Sometimes customers choose to take assessment into their own hands, employing independent scanning tools which report current vulnerabilities in the solution. These can be invaluable to keeping a system secure, but must be given right context and associated risk assessment. Without this, there is the chance that the wrong conclusions are drawn, leading to expensive and unnecessary actions.

Without the right context and risk assessment, it’s easy to go down a rabbit hole. Steven Kenny, Industry Liaison Manager at Axis commented, “It’s great when customers take such a proactive stance to understanding the vulnerabilities that exist within their systems, but these reports can include many false positives. Without the right context and risk assessment, it’s easy to go down a rabbit hole, dedicating resources towards fixing a problem that has very little impact on the business.

Axis works closely with customers and partners regarding interpreting and prioritising vulnerabilities, and developing a strategic and informed plan of action.

Cyber security best practice education and training

Education plays an important role in informing the development of security policies

As part of this guidance on the latest vulnerabilities, education plays an important role in informing the development of security policies. One of the greatest cyber security weaknesses in an organisation can be its staff. It is critical that they are made aware of how they can be targeted and the potential impact of failing to comply with security practices. Axis helps to deliver cyber awareness training and establish best practice guides for end users.

Security personnel can also be a weak point in an organisation’s cyber security, given their responsibility for managing security controls. This includes maintaining an up-to-date device inventory, secure deployment, patching and device account management. Keeping on top of this can be difficult, and Axis Device Manager (ADM) can support security personnel in this endeavour.

However, customer needs are changing and demand for capabilities such as multi-site management and improved monitoring is increasing. To meet this demand, Axis has launched ADM Extend which enables a more flexible deployment which allows personnel to support multiple sites. Although ADM Extend is currently focusing on the common operations, it will include more policies, security automation, and integration with other systems in the near future. 

Moving towards a ‘zero trust’ approach

Threat actors often work in collaboration, sharing information on the latest vulnerabilities, tactics and associated rewards. Faced with such a determined and often well-funded foe, organisations should not attempt to go into battle without the right armor and support. New threats continuously emerge a multi-layered approach, which is underpinned with cyber security education being essential to an organisation’s defence.

As the industry moves to a ‘zero trust’ approach to security where every entity is identified and defined by its risk profile, it is important to choose products which are designed with security in mind. Axis leverages over 30 years of experience to create robust products and employs a collaborative approach to ensure that partners and customers are armed with the key information and tools needed to react to changing threats.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version Download PDF version

In case you missed it

Smart Offices: How is mobile ID changing the way we access the office?
Smart Offices: How is mobile ID changing the way we access the office?

If you’re a security or facilities manager, you may already be aware of the quiet revolution that’s taking place across businesses and organisations up and down the country. By the end of 2020, 20% of all ID and access control systems featured mobile capability, and this is set to increase by a further 34% over the next three years. There’s no doubt that using a smartphone or mobile device in place of traditional credential and access control is a growing trend that’s only been sped up by the pandemic. It’s true that many businesses are still very much focused on remote working, although many are now starting to implement new-and-improved strategies that are better suited to protect the workforce moving forward. Mobile ID systems As the next normal becomes clearer, businesses will be reviewing procedures such as access control, occupancy monitoring, reducing touch points and tracking visitors. Mobile ID systems are ideally suited to this task. But what are the key reasons for considering such a setup in 2021? But why is this new technology so well-suited to future-proof your physical access system, and why is it becoming so popular? Eradicating outdated legacy credentials Have you seen just how vulnerable outdated Proximity card technology can be? Low-frequency 125kHz cards can be cloned in a matter of seconds with the use of cheap, readily available tools. Despite their weaknesses, they are still used by a huge majority of businesses – big and small. All smartphones include two industry-standard features that make them perfect for operating a secure, contactless credential Replacing such a system with a mobile-enabled system is one of the best ways to increase security ten-fold. Thanks to a cloud-based infrastructure, mobile ID offers best-in-class security and cryptography. All smartphones include two industry-standard features that make them perfect for operating a secure, contactless credential. Bluetooth Smart and NFC (Near Field Communication) make them the best product to operate such a credential via a secure app. If you’re looking for best-in-class security in 2021, mobile access is most definitely the way forward. Removing touch points across the business Reducing touch points and the adoption of touchless facilities has become a key priority for businesses in the wake of COVID-19. Even as businesses start to return to the office and operate a home/office split, it will be imperative that unnecessary contact is kept to an absolute minimum between staff. The traditional issuance of identification and access control credentials can pose problems in this regard. Facility and security managers who are responsible for onboarding and processing ID have done the process face to face. Mobile access makes it possible to carry this process out without people coming into direct content. First, the security manager has access to a secure portal, allowing them to create, manage and edit credentials anywhere. They can upload and remotely transfer mobile ID and access control credentials directly to users’ smartphones over the air. Via the secure app, users can view and see their credentials and immediately begin using it for ID and access control by simply placing their smartphone over card readers. Enabling a more flexible way of working The way in which we work has changed for good. Even as people more people return to the office in 2021, a majority of businesses will be operating a home/office split indefinitely. This once again reinforces the need for a smarter, more adaptable onboarding system. Implementing mobile ID is the perfect way of doing this: over-the-air delivery of credentials and security data is now a given, helping businesses create the perfect balance between the home and the office. No longer do people have to come into the office for the onboarding process. Increasing convenience and user experience More often businesses are realising the value mobile ID can have for enhancing the work experience as well as security Ok, so mobile ID is the perfect way of increasing security and adapting workplaces to a post-COVID way of working. And we’ve not even touched on the most obvious advantage yet: Convenience. How many times have you forgotten your ID card? We’re sure it’s more times than you forget your smartphone. These powerful processors have become intertwined with the way we carry out tasks on a daily basis. They’re so vital that people will soon notice if they’ve forgotten it. From an employee’s perspective, mobile ID and access control is simple, convenient and extremely user-friendly. More and more businesses are realising the value mobile ID can have for enhancing the work experience as well as security. From the employer’s perspective, mobile ID means it’s easier for administrators to manage access and credentials. Future-proofing access control now will ensure that in the longer term, mobile ID is well worth the investment. The annual expenditure of printing ID cards and purchasing credentials can be vast, while reissuance costs can also quickly add up for larger organisations. These issues are a thing of the past for businesses using mobile ID. Mobile ID perfect tool for 2021 and beyond Until mobile ID, new and improved credentials’ main focus was on increasing security. Mobile ID not only delivers that, but it also provides a more convenient way of accessing the office in a way that’s perfectly suited to returning to the office in 2021. If there was ever a time to upgrade, now is the time. Summing up, mobile access is changing the way we access the office by: Eliminating weak links in security systems such as outdated legacy card technologies Eradicating the need for touch points across multiple areas of the workplace Enabling a smarter, more flexible approach to onboarding Increasing convenience – for both employers and employees.

Remote Monitoring technology: Tackling South Africa’s cable theft problem
Remote Monitoring technology: Tackling South Africa’s cable theft problem

For decades, cable theft has caused disruption to infrastructure across South Africa, and an issue that permeates the whole supply chain. Here, Ian Loudon, international sales and marketing manager at remote monitoring specialist Omniflex, explains how new cable-alarm technology is making life difficult for criminals and giving hope to businesses. In November 2020, Nasdaq reported that, “When South Africa shut large parts of its economy and transport network during its COVID-19 lockdown, organised, sometimes armed, gangs moved into its crumbling stations to steal the valuable copper from the lines. Now, more than two months after that lockdown ended, the commuter rail system, relied on by millions of commuters, is barely operational.” Private security firm Despite this most recent incident, cable theft is not a new phenomenon to sweep South Africa Despite this most recent incident, cable theft is not a new phenomenon to sweep South Africa. In 2001, SABC TV broadcast a story following two members of a private security firm working for Telkom, a major telecoms provider. In the segment, the two guards, working in Amanzimtoti on the south coast of KwaZulu-Natal, head out to investigate a nearby alarm that has been triggered. They reach a telecoms cabinet and discover that it has been compromised, with the copper cable cut and telephone handsets strewn across the ground. In the dark, they continue to search the area when one of the guards discovers the problem: 500 metres of copper wire has been ripped out. In their haste, the thieves have dropped their loot and fled. Widespread cable theft Had they managed to get away, they would have melted the cable to remove the plastic insulation and sold the copper to a local scrap dealer for around 900 Rand, about $50 US dollars. For the company whose infrastructure has been compromised, it may cost ten times that amount to replace and repair the critical infrastructure. The disappointing takeaway from this story is that two decades on from this incident the country still faces widespread cable theft, whether it’s copper cables from mines, pipelines, railways, telecoms or electrical utilities. In fact, the South African Chamber of Commerce and Industry estimates that cable theft costs the economy between R5–7 billion a year. The answer to the problem must go further than the existing measures used by companies. Detect power failure Most businesses already invest in CCTV, fences, barriers and even patrol guards, but this is not enough. Take the mining sector, for example. These sites can be vast, spanning dozens of kilometres - it’s simply not cost effective to install enough fences or employ enough guards or camera operators. As monitoring technology gets better, the company has seen site managers increasingly use cable alarms in recent years that detect when a power failure occurs. The idea is that, if one can detect a power failure, they can detect whether the cable has been cut The idea is that, if one can detect a power failure, they can detect whether the cable has been cut. The problem is though: how does one distinguish the difference between a situation where a cable has been cut intentionally and a genuine power outage? Power outages in South Africa are an ongoing problem, with the country contending with an energy deficit since late 2005, leading to around 6,000 MW of power cuts in 2019. Remote terminal units Eskom Holdings SOC Ltd., the company that generates around 95 per cent of South Africa’s power has already warned of further blackouts as the company works to carry out repairs to its power plants. According to a statement on the company’s website, “Eskom spends in the region of R2 billion a year replacing stolen copper cables." The result is that criminals take advantage of the gaps in power to steal cable, timing their robberies to coincide with the published load shedding schedules. The basic alarms used to detect power outage won’t recognise the theft because they register a false-positive during a power cut. By the time the power comes back on, the deed has been done and the criminals have gotten away with the cable. The good news is that recent breakthroughs in cable monitoring technology are helping tackle just this problem. New alarms on the market now combine sophisticated GSM-based monitoring systems that use battery powered remote terminal units. Legitimate supply chain Unlike the basic alarms that look for the presence or absence of power, these new systems monitor whether the cable circuit is in an open or closed state. In the event of a power outage, the unit continues to run on battery power and can detect if a cable has been cut, sending a priority SMS alert to the site manager immediately, giving them a fighting chance to prevent a robbery in progress. Beyond the opportunistic theft carried out by petty criminals, the theft of copper cables forms a wider problem Beyond the opportunistic theft carried out by petty criminals, the theft of copper cables forms a wider problem across the supply chain in South Africa. In recent years, the combination of unscrupulous scrap dealers, the alleged involvement of large scrap processing companies and lax penalties meant that much of the stolen copper ended up back in the legitimate supply chain. However, recent changes in the law have sought to take a tougher stance on copper theft. Alarm monitoring technology According to the Western Cape Government, “The Criminal Matters Amendment Act, regulates bail and imposes minimum offences for essential infrastructure-related offences." The act, which came into effect in 2018, recommends sentencing for cable theft, with the minimum sentence for first-time offenders being three years and for those who are involved in instigating or causing damage to infrastructure, the maximum sentence is thirty years. It seems to be working too. In January 2021, the South African reported that a Johannesburg man was sentenced to eight years behind bars for cable theft in Turffontein. While the longer-term outlook is a positive one for industry, the best advice for businesses seeking to alleviate the problem of cable theft in the immediate future is to invest in the latest cable-theft alarm monitoring technology to tackle the problem and make life difficult for criminals.

What are the positive and negative effects of COVID-19 to security?
What are the positive and negative effects of COVID-19 to security?

The COVID-19 global pandemic had a life-changing impact on all of us in 2020, including a multi-faceted jolt on the physical security industry. With the benefit of hindsight, we can now see more clearly the exact nature and extent of that impact. And it’s not over yet: The pandemic will continue to be top-of-mind in 2021. We asked this week’s Expert Panel Roundtable: What have been the positive and negative effects of Covid-19 on the physical security industry in 2020? What impact will it have on 2021?