Mosaic451 - Experts & Thought Leaders

Insights & Opinions from thought leaders at Mosaic451

Cybersecurity: why it matters now and forever

Cybersecurity has become a major element – and a major source of discussion – in the physical security marketplace as a result of the rise in networked systems. And we may still not be talking enough about cybersecurity. Here is part one of our Cybersecurity series.

“Cybersecurity requires everyone in the security industry to be playing offense and defense at the same time, every single day,” says Bill Bozeman, President and CEO of PSA Security Network. “It needs to just become part of the standard conversation when we are talking about physical security because they are so intertwined.”

Creating new industry leaders

Cybersecurity and physical security can be seen as two parts of a single entity, and increasingly the two will be combined at the enterprise level over the next several years. “This convergence of physical security and cybersecurity will create new industry leaders that will emerge to lead a new segment of the combined market through strong investment and leadership,” says Rob Lydic of ISONAS, now part of Allegion.

Cybersecurity issues dominate almost every discussion in today’s physical security industry, and the clear message is that “manufacturers and integrators must continue to create robust and scalable cybersecurity offerings to protect customer data and facilities,” says Lydic. He contends that cloud services providers (such as ISONAS) are more cybersecure and reliable ‘by orders of magnitude’ than non-cloud solutions.

Cloud-based services

The Security Industry Association (SIA) has listed cybersecurity as one of 2019’s ‘Top Megatrends’ in the physical security market. SIA says it is important to prioritise cybersecurity among security businesses, for customers’ businesses, and for vendors. The trend calls for continual process improvement and investment.

Bill Bozeman of PSA Security Network agrees: “Cybersecurity has definitely taken a strong foothold in the industry.” With the continued expansion of cloud-based services, cybersecurity will be more important than ever to integrators, manufacturers and end users alike, he says. Notably, cybersecurity is directly linked to two other important industry trends listed by Bozeman: cloud-based systems and the rise in recurring monthly revenue (RMR) and managed security service provider (MSSP) models, whose focus will include cybersecurity.

Loss prevention executives

The days when cybersecurity was exclusively the domain of the information technology (IT) department are gone. “Cybercrime is one of the biggest threats organisations of all sizes and types face today,” says Michael Malone, CEO of ADT Cybersecurity (formerly known as Datashield). “Considering the magnitude of these crimes, it now falls on the entire organisation, including the traditional security or loss prevention executives, to band together to combat these threats.”

Malone favours (and his company offers) a managed detection and response (MDR) service, which combines advanced technology and human analysis. Using packet capture on the network, an MDR analyst can ‘replay’ a cyber security event, dig deeper into the incident and determine remediation steps. It’s an approach that significantly cuts through false positive ‘noise’ so security teams can focus on what matters.

Helping security officers

Interestingly, cybersecurity is poised to benefit from another major trend in the physical security market – the rise of artificial intelligence.

Specifically, machine learning applications for cybersecurity include: detecting malicious activity, helping security officers determine what tasks they need to complete in an investigation process, analysing mobile endpoints, decreasing the number of false positive threats, automating repetitive tasks like interrupting ransomware, and potentially closing some zero-day vulnerabilities. But AI in this case is not a panacea. Christopher McDaniels of Mosaic451 recommends pairing human intellect with machine technology to sort through data faster and catch hackers before they do much damage.

Changing regulations promote better care of consumer digital privacy

There are two types of people in the world when it comes to privacy: those who care about their privacy and, sadly, those who don't. This divide continues to widen with the constant flood of cyber security breaches that we hear about. We, as consumers, can no longer get a cheap hamburger without hearing that, once again, the information we want to be kept secret has been breached. The old phrase "you can lead a horse to water but you cannot make him drink" rings true as we approach helping consumers take charge of their digital and personal privacy.

Governmental regulations for privacy

Law makers have started taking up the charge to help protect the privacy of consumers. This has been done through the new European General Data Protection Regulation (GDPR), which went into effect on May 25th, 2018. The core premise is that the consumer owns their data. Regardless of which company uses, stores, or profits from a consumer's data, the consumer still owns it. This is a major shift in how businesses are forced to protect the consumer's data.

Even though many of us have likely heard about GDPR, it is not the only privacy law that's taking the world's stage. In fact, in California there is a new law called the California Consumer Privacy Act of 2018, which is built around the same principles as GDPR. This new California law goes into effect in 2020 and goes one step further by considering privacy an inalienable right for all consumers.

Taking ownership of privacy

The new regulations came about because of corporations' lack of controls around consumer privacy data. The truth is that even though these regulations give consumers a mechanism to take ownership of how their personal data is used, that doesn't mean they will.

It's at this point that we, as the security industry, need to step back to consider how we can improve the problem. Even though laws have paved a way, we still need to help consumers travel down the road to better privacy. There are two further mechanisms that we still need: governmental social programs and continued passionate discussions from the security industry.

Governmental social programs will help provide free or low-cost classes for consumers to learn about how they can protect their privacy. However, governmental programs can only go so far, and this by itself will not be enough. History has shown that social progress is often accomplished by a passionate minority that stands up against the oppression of human rights.

For the privacy of consumers to truly be considered an inalienable right, we need to stand up for our rights. Not only do we need to exercise the capabilities the new GDPR laws have created for us, but we should also tell the important people in our lives. We need to stand up for our privacy because if we don't, we'll end up losing even more of our privacy.

Five cyber security threats your enterprise must address

By now your organisation should know the drill. To keep your enterprise safe from unauthorised access you take the basic precautions: create strong passwords that are not re-used and are updated frequently, use updated anti-virus software, employ host and network-based intrusion detection and prevention, data encryption, etc. However, complacency has no place in cybersecurity. Hackers are working round-the-clock to outwit your most ardent security professionals. Here are a few specific vulnerabilities that require immediate and constant attention to stay safe in a hostile security world.

Protect against burst attacks

You may be aware of DDoS, or distributed denial of service attacks. In fact, Cisco writes that these online attacks — where high-volume traffic floods a system’s servers, making web traffic extremely slow — grew 172% in 2016. But in the last few years, Cisco documents how "burst attacks", a type of DDoS attack that floods traffic in short bursts at random times over a prolonged period, have skyrocketed. They claim that in one study, 42% of the companies faced a burst attack in 2017.

According to Radware, on-premises DDoS protection needs to adapt to counter these often less than one-minute attacks. While the majority of these solutions detect burst attacks, they write that "most of them limit the rate of bad (and legitimate) traffic to a certain threshold, resulting in a high level of false positives." One big challenge is that burst attacks change vectors throughout an attack, making it difficult to create a signature to block the attack.

They recommend adopting two key solutions:

1) a behavioural DDoS protection system that utilises machine learning algorithms to identify the patterns of burst attacks, and
2) measuring the degree-of-attack (DoA) surface, which looks at the bandwidth or rate of a specific type of traffic and the percentage of a given type of traffic out of the entire distribution of traffic.

If an attack rates high in both the bandwidth and percentage parameters, then it gets a high DoA surface score, showing that a burst attack likely occurred.

Prioritise network infrastructure

For companies with in-house information technology staff, network infrastructure usually gets plenty of attention. Proper configuration, maintenance and security are often key considerations for infrastructure due to its importance to the business. What about smaller entities? Do you have a small switch or router you either purchased or leased from your internet service provider? If so, when was the last time you updated it?

In Alert TA18-106A, the United States Computer Emergency Response Team (US-CERT) shares information dating all the way back to 2015 on how nefarious actors have been exploiting both enterprise level and small office/home office and residential routers and switches. If you haven’t changed passwords and updated the software/firmware on these devices yet, it should be near the top of your priority list.

Hide sensitive web pages from search engines

Search engines are an easy first step for someone looking to exploit your environment. They can conduct searches of your known web presence, looking for pages which might not have been meant for the general public but are still accessible. Using robots.txt, pages can be excluded from search engine crawlers. Entrepreneur.com suggests checking out a tutorial from SEObook.com to learn more about how you can do this.

Keep in mind this will only deter the most basic attackers, as more sophisticated attackers will conduct manual searches.

Update passwords on your IoT devices

It is shocking how many IoT devices are used in our daily lives, such as security and video conference cameras, cars, and smart sensors, but also contraptions you probably forgot are now connected to the internet, such as garage doors, appliances, etc. Tom’s Guide gives a good list of the many things you should remember to update.

Use encryption to protect data in transit

Encrypting your data at rest – when it is stored somewhere – is incredibly important. However, your encryption efforts should not stop there. Data in transit is just as important to encrypt, particularly sensitive information. This could include communication between your websites and applications or even just communications within your company. Unencrypted information is at risk from an eavesdropper on your network. To prevent the data from being usable to potential eavesdroppers, ensure you are using encrypted connections such as HTTPS, SSL, TLS, FTPS, etc.
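
The degree-of-attack idea from the burst attack section above, as an added example that is not Radware's algorithm or code from the original article: a simplified scorer that rates a traffic type high only when both its rate and its share of all traffic are far above a learned baseline. The traffic figures, thresholds and function names are constructed assumptions, and traffic types never seen in the baseline are not scored here.

```python
from statistics import mean, pstdev

# Constructed sample data: kbit/s per traffic type in four normal intervals.
NORMAL = [
    {"https": 900, "udp_dns": 80, "tcp_syn": 20},
    {"https": 1000, "udp_dns": 90, "tcp_syn": 25},
    {"https": 1100, "udp_dns": 100, "tcp_syn": 30},
    {"https": 950, "udp_dns": 85, "tcp_syn": 22},
]
BURST = {"https": 1000, "udp_dns": 90, "tcp_syn": 4000}       # one vector spikes
FLASH_CROWD = {"https": 3000, "udp_dns": 270, "tcp_syn": 72}  # all traffic x3

def learn_baseline(intervals):
    """Per traffic type: mean/stdev of its rate and of its share of all traffic."""
    base = {}
    for t in {t for iv in intervals for t in iv}:
        rates = [iv.get(t, 0) for iv in intervals]
        shares = [iv.get(t, 0) / sum(iv.values()) for iv in intervals]
        base[t] = (mean(rates), pstdev(rates), mean(shares), pstdev(shares))
    return base

def degree(value, avg, dev, lo=3.0, hi=8.0):
    """Map deviation above baseline to 0..1 (<= lo sigma -> 0, >= hi sigma -> 1)."""
    sigma = max(dev, 0.1 * avg, 1e-9)  # floor so a very flat baseline is not hypersensitive
    z = (value - avg) / sigma
    return min(1.0, max(0.0, (z - lo) / (hi - lo)))

def doa_scores(base, interval):
    """Score each baselined traffic type; DoA is high only if rate AND share are high."""
    total = sum(interval.values()) or 1
    out = {}
    for t, (r_avg, r_dev, s_avg, s_dev) in base.items():
        rate = interval.get(t, 0)
        r = degree(rate, r_avg, r_dev)
        s = degree(rate / total, s_avg, s_dev)
        out[t] = {"rate": r, "share": s, "doa": min(r, s)}
    return out

if __name__ == "__main__":
    base = learn_baseline(NORMAL)
    for name, iv in (("burst", BURST), ("flash crowd", FLASH_CROWD)):
        print(name, {t: v["doa"] for t, v in doa_scores(base, iv).items()})
```

The flash-crowd interval shows why a rate threshold alone produces false positives: every type's rate is far above baseline, but no type's share of the traffic has moved, so nothing is scored as an attack.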