Security researchers at Check Point identified a critical vulnerability in Instagram, the popular photo and video sharing app with over 1 billion users worldwide. The vulnerability would have given an attacker the ability to take over a victim’s Instagram account and turn their phone into a spying tool, simply by sending them a malicious image file. When the image is saved and opened in the target’s Instagram app, the exploit would give the hacker full access to the victim’s Instagram messages and images, allowing them to post or delete images at will, as well as giving access to the phone’s contacts, camera and location data.
How the attack works
To exploit the vulnerability, the attacker would only need a single, malicious image. Check Point researchers summarised the attack method in three steps:
Attacker sends a malicious image to a target user’s email, WhatsApp or other media exchange platform.
Picture is saved to the user’s mobile phone. This can be done automatically or manually, depending on the sending method, the type of phone and its configuration. A picture sent via WhatsApp, for example, is saved to the phone automatically by default on all platforms.
Victim opens Instagram app, triggering the exploitation, giving the attacker full access for remote takeover.
Phone as spying tool using Instagram
The vulnerability gives the attacker full control over the Instagram app, enabling the hacker to take actions without the user’s consent, including reading all direct messages on the Instagram account, deleting or posting photos at will, or manipulating account profile details.
The Instagram application also has extensive permissions that are gateways to other functions on users’ phones, so an attacker could also use the vulnerability to access phone contacts, location data, phone camera and files stored on the device, turning the phone into a perfect spying tool.
At the most basic level, the exploitation could be used to crash a user’s Instagram app, denying them access to the app until they delete it from their device and re-install it, causing inconvenience and possible loss of data.
Danger in using 3rd party code
Check Point researchers found the vulnerability in Mozjpeg, an open source JPEG decoder which Instagram uses to upload images to the application. As a result, researchers are warning app developers about the potential risks of using 3rd party code libraries in their apps without checking them for security flaws.
Application developers frequently do not write the entire application on their own. Instead, developers save time by using 3rd party code to handle common tasks such as image and sound processing, network connectivity, and more.
However, 3rd party code often contains vulnerabilities which could lead to security flaws in the overall app, as in this case with Instagram.
Check Point researchers responsibly disclosed their findings to Facebook, the owner of Instagram. Facebook promptly acknowledged the issue, describing the vulnerability as an “Integer Overflow leading to Heap Buffer Overflow”.
Facebook issued a patch to remediate the vulnerability in newer versions of the Instagram application on all platforms. To ensure that enough Instagram users had updated their applications, thereby significantly mitigating the security risk, Check Point researchers waited 6 months to publish these findings.
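As an added illustration (not Mozjpeg’s, Instagram’s or Check Point’s code, and not the actual bug), the C below shows the bug class Facebook named, “Integer Overflow leading to Heap Buffer Overflow”, in the setting of an image decoder: a pixel-buffer size computed from header-supplied dimensions in 32-bit arithmetic wraps, the allocation is sized from the wrapped value, and the decode loop would still write the true number of bytes. The checked variant beside it refuses dimensions whose product does not fit. The function names, the 3-component layout and the dimension values are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Size a decoder might compute for a width x height image with `comps`
 * bytes per pixel using unchecked 32-bit arithmetic. The product wraps
 * modulo 2^32, so a large image yields a too-small but plausible size.
 * (Constructed illustration of the bug class, not Mozjpeg's code.) */
uint32_t unchecked_image_bytes(uint32_t width, uint32_t height, uint32_t comps)
{
    return width * height * comps;   /* unsigned wrap-around, no error */
}

/* Hardened variant: compute in 64 bits and refuse any size that does not
 * fit the 32-bit value the allocation path uses. Returns false on overflow. */
bool checked_image_bytes(uint32_t width, uint32_t height, uint32_t comps,
                         uint32_t *out)
{
    uint64_t n = (uint64_t)width * height;
    if (n > UINT32_MAX)
        return false;
    n *= comps;
    if (n > UINT32_MAX)
        return false;
    *out = (uint32_t)n;
    return true;
}

/* True if writing every pixel of the image would run past a buffer of
 * `allocated` bytes: the allocation trusted the wrapped size, but the
 * pixel loop iterates over the real dimensions. */
bool write_exceeds_buffer(uint32_t allocated, uint32_t width, uint32_t height,
                          uint32_t comps)
{
    uint64_t needed = (uint64_t)width * height * comps;
    return needed > allocated;
}

/* Allocate a pixel buffer only when the size computation is sound.
 * Returns NULL (and sets *len to 0) for dimensions that would wrap. */
uint8_t *alloc_pixels(uint32_t width, uint32_t height, uint32_t comps,
                      uint32_t *len)
{
    uint32_t n;
    *len = 0;
    if (!checked_image_bytes(width, height, comps, &n) || n == 0)
        return NULL;
    uint8_t *buf = malloc(n);
    if (buf != NULL)
        *len = n;
    return buf;
}

int main(void)
{
    /* Constructed header values: the largest dimensions a JPEG header can
     * carry (16-bit fields) and 3 components. */
    uint32_t w = 65535, h = 65535, c = 3;
    uint32_t wrapped = unchecked_image_bytes(w, h, c);
    uint64_t actual = (uint64_t)w * h * c;

    printf("unchecked size: %u bytes, real size: %llu bytes\n",
           wrapped, (unsigned long long)actual);
    printf("decode would overrun the buffer: %s\n",
           write_exceeds_buffer(wrapped, w, h, c) ? "yes" : "no");

    uint32_t len;
    uint8_t *p = alloc_pixels(w, h, c, &len);
    printf("checked allocation: %s\n", p == NULL ? "rejected" : "accepted");
    free(p);
    return 0;
}
```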
Yaniv Balmas, Head of Cyber Research at Check Point said: “This research has two main takeaways. First, 3rd party code libraries can be a serious threat. We strongly urge developers of software applications to vet the 3rd party code libraries they use to build their application infrastructures and make sure their integration is done properly. 3rd party code is used in practically every single application out there, and it’s very easy to miss out on serious threats embedded in it. Today it’s Instagram, tomorrow – who knows?”
“Second, people need to take the time to check the permissions an application has on your device. This “application is asking for permission” message may seem like a burden, and it’s easy to just click ‘Yes’ and forget about it. But in practice this is one of the strongest lines of defence everyone has against mobile cyber-attacks, and I would advise everyone to take a minute and think, do I really want to give this application access to my camera, my microphone, and so on?”
Facebook has issued the following comment: “We’ve fixed the issue and haven’t seen any evidence of abuse. We’re thankful for Check Point’s help in keeping Instagram safe.”
Check Point’s Yaniv Balmas provided the following safety tips for people:
Update! Update! Update! Make sure one regularly updates their mobile application, and the mobile operating systems. Dozens of critical security patches are being shipped out in these updates on a weekly basis, and each one can potentially have severe impact on one’s privacy.
Monitor permissions. Pay close attention to applications asking for permissions. It’s very easy for app developers to just ask the users for excessive permissions, and it’s very easy for users to just click ‘Allow’ without thinking twice.
Think twice for approvals. Take a few seconds to really think before one approves anything. Ask: “does one really want to give this application this kind of access, does one really need it?” If the answer is no, DO NOT APPROVE.
Hanwha Techwin America, a global supplier of IP and analogue video surveillance solutions, announced that it has received the UL CAP (Cybersecurity Assurance Program) certification for its recently-launched range of IP cameras featuring Wisenet 7 SoC (System on Chip). The UL Cybersecurity Assurance Program (UL CAP) aims to minimise risks by creating standardised, testable criteria for assessing software vulnerabilities and weaknesses in embedded products and systems.
This helps reduce exploitation, address known malware, enhance security controls, and expand security awareness. The programme evaluates the security of network-connectable products and vendor processes to help organisations manage their cyber security risks and validate their cyber security capabilities to the marketplace.
Physical security industry
A long standing and vocal advocate for cyber security best practices in the physical security industry, Hanwha is one of the few camera manufacturers in the world to be granted this certification. While the UL CAP certification typically takes 8 to 10 months, Hanwha Techwin was able to meet all of UL’s stringent evaluation criteria in just 3 months thanks to the well-established software development processes already put in place by its dedicated in-house cyber security department.
Built on 30 years of innovation in video surveillance solutions, the Wisenet 7 custom-built SoCs are designed specifically to address the unique cyber security challenges of the security market. Wisenet 7 cameras offer end-to-end cyber security with high levels of protection including secure boot, OS, storage, and JTAG, plus a signed firmware/open platform app and more.
Critical infrastructure organisations
Hanwha Techwin established its own device certification issuing system to embed certificates and encryption keys into the product during the manufacturing process. When firmware is installed and a certificate is verified, it uses these encryption keys, which can never be reprogrammed. This creates a trusted platform module that separates the end-user side of the camera application from the network (Linux).
This OTP (One Time Program) feature provides a unique level of cyber security that is secure by default and only possible when utilising a custom chip. “UL CAP certification is quickly becoming a bidding requirement for both government and critical infrastructure organisations,” said Tom Cook, Senior Vice President at Hanwha Techwin America. “This certification reaffirms Hanwha’s position as a cyber security industry leader.”
Honeywell is adding to its video series line with the launch of the 30 Series Embedded Network Video Recorders (eNVR), the latest affordable and fully featured NVRs that offer 4K HD (UHD) video resolution. The Honeywell 30 Series eNVRs are designed for use as part of video systems which comply with the John S. McCain National Defense Authorization Act 2019 (NDAA), Section 889. They are also PCI-DSS compliant and include enhanced cybersecurity with a built-in FIPS chip set.
Users will also benefit from encrypted streaming between 30/60 Series cameras to 30 Series NVR and all the way to Honeywell Video Management Viewer (HVMV) and mobile apps. The 30 Series eNVR gives users the option to choose between 8 or 16 channels NVRs, with multiple hard drive options and up to 20 TB of internal storage.
Key benefits and features
Easy to use - Features plug and play installation with the Honeywell 30 and 60 Series cameras to make set up fast and easy to help reduce storage, installation, and configuration costs.
Create safety & security efficiency - Integrates the 30 Series IP camera motion, intrusion and advanced people detection analytics for improved effectiveness, while using the H.265 HEVC Smart codec to reduce storage space.
Superior user experience - Includes simple remote configuration through HVMV, with a Global P2P Service with reliable connection anytime, anywhere through mobile access for both Apple® and Android™ devices.
With a user-friendly interface, HVMV can be deployed for device management and configuration, video live view and playback, smart search, event management, pan-tilt-zoom (PTZ) control, Fisheye camera de-warping and E-map.
HVMV also features multiple monitor support, multiple display layouts, customised views and tours and global P2P remote connection for efficient monitoring and operation. HVMV can support up to 2,048 cameras and multiple NVRs which is ideal for small to medium or multi-site video systems.
With HTTPS & TLS 1.2 encrypted streaming and communication between the 30 and 60 Series cameras, the 30 Series eNVR and HVMV, customers will benefit from an end-to-end encrypted and secure video surveillance solution.
Allied Universal, a globally renowned security and facility services company in North America, has announced that Forbes’ ‘America’s Best Employers by State Survey’, partnered with market research company, Statista, has ranked the company as the best employer in the US states of Georgia, New Jersey and Tennessee.
The Forbes list is divided into 51 rankings, one for each of the 50 states plus the District of Columbia, and was compiled by surveying 80,000 Americans working for businesses with at least 500 employees.
Surveys were conducted on a rolling basis from October 2019 to May 2020 and responses regarding the same employers were compared throughout the process, so as to account for any statistically significant variations in the results collected before and after the onset of the coronavirus pandemic.
Safe, conducive environment for employees
“Allied Universal is a great place to work because of our employees’ dedication to our shared mission and values,” said Steve Jones, Chairman & Chief Executive Officer, Allied Universal, adding “We are proud to be recognised by Forbes for creating a welcoming environment for our employees where they can focus on serving, securing and caring for people and businesses of our communities.”
As the media often reports, the world of cybersecurity can be seen like the ‘Wild West’. There’s now a wide range of Internet of Things (IoT) devices connected to the web, making this a hot topic. Among these devices are security cameras. IoT devices are computers that use software that makes them vulnerable. As the famous cybersecurity evangelist Mikko Hypponen says, "If a device is smart, it's vulnerable!"
Hypponen is right. On a daily basis, new vulnerabilities are found in software, regardless of the manufacturer. In 2019, more than 12,000 vulnerabilities worldwide were made public and reported as a CVE (Common Vulnerability and Exposure) in the National Vulnerability Database (NVD). Unfortunately, vulnerabilities are a given. What really matters is how a company deals with and resolves vulnerabilities.
Awareness of cybersecurity vulnerabilities is vitally important to protect you, your business and the Internet, but it’s also important to understand that a vulnerability is not synonymous with “backdoor”, and is not necessarily indicative of “cheap quality.”
But there are companies out there that are embedding safeguards into their development processes to reduce the risks. You could see them as ‘Sheriffs’, taking steps to make this Wild West a little safer.
Why Hikvision chooses ‘Secure-by-Design’
Security cameras, like all other IoT devices, are vulnerable to cyberattacks. Fortunately, manufacturers of IoT devices can significantly reduce these vulnerabilities during the production of devices, using a process called ‘Secure-by-Design’. Implementation of Secure-by-Design requires a commitment on the part of the manufacturer’s management team and a serious investment in resources and technology, which can result in a longer production process and a higher cost of the IoT device. Cost is often the reason why some IoT device manufacturers do not use Secure-by-Design (and are indeed cheaper).
Hikvision is a producer of IoT devices that takes security and privacy very seriously and has implemented Secure-by-Design in its production process. Management supports this process and has even set up a dedicated internal cybersecurity structure charged with product cybersecurity. This group is also the central point of contact for all other cybersecurity matters. The Hikvision Security Development Life Cycle (HSDLC) is an essential part of Hikvision's cybersecurity program. Cybersecurity checks take place at every stage of product development — from concept to delivery.
For example, product testing takes place during the verification phase, and the company also regularly invites well-known security companies and public testing platforms to conduct penetration testing. Does this mean that all Hikvision products are immune to hacking? No, that guarantee cannot be given, but the HSDLC is a testament to a manufacturer that makes every effort to produce products that are as cyber secure as possible.
Source code transparency centre
In addition to the Secure-by-Design process, Hikvision opened a Source Code Transparency Center (SCTC) lab in California in 2018, the first lab of its kind in the industry. At this centre, U.S. and Canadian government and law enforcement agencies can view and evaluate the source code of Hikvision IoT devices (IP cameras and network video recorders). It’s important to emphasise that no product is 100 percent secure. Hikvision has a Vulnerability Management Program in place for when a vulnerability is discovered in a product.
To date, vulnerabilities that have been reported to Hikvision and/or made publicly known, have been patched in the latest Hikvision firmware, and are readily available on the Hikvision website. In addition, Hikvision is a CVE CNA, and has committed to continuing to work with third-party white-hat hackers and security researchers, to find, patch and publicly release updates to products in a timely manner. These vulnerabilities are collected in the National Vulnerability Database (NVD) and are public. Hikvision recommends that customers who are interested in purchasing security cameras inquire about a manufacturer’s cybersecurity practices and if they have an established Vulnerability Management Program.
Cybersecurity questions to consider
The cybersecurity of IoT devices is a topic that needs to be addressed in a serious way and it should play an essential role in the product development process, beginning at the concept phase of an IoT product. This requires time, investment and knowledge. Consider the following questions:
Do I trust the manufacturer of a low-cost security camera?
Does this manufacturer have a dedicated cybersecurity organisation?
How does this manufacturer handle vulnerabilities?
These are the questions that everyone should ask themselves when making a purchase, be it a camera or any other IoT product. There is no absolute 100% guarantee of security, but Hikvision has industry-leading practices to ensure the cybersecurity of its cameras. Cooperation with its customers, installers, distributors and partners, and full transparency, are key elements in successfully securing IoT devices. When you read cybersecurity news, we invite you to look beyond the headlines and really get to know the companies that produce the IoT devices. Before you buy a security camera or any IoT device, check out the manufacturer’s cybersecurity practices: look for a company with a robust vulnerability management program, a company that aligns itself with Secure-by-Design and Privacy-by-Design, and a company that employs cybersecurity professionals who are ready and eager to answer your questions. Remember, there are Sheriffs out there, as well as bandits.
IP cameras for video surveillance have been a trending topic amongst enterprises across the world due to rising concerns for security and safety. IP CCTV cameras are revolutionising security measures, and the technology has evolved to allow for a more diverse security monitoring system through high resolution, larger digital storage options and compatibility with integrated analytical software.
According to Global CCTV Market Forecast 2022, analysts expect the market for global CCTV to grow at a CAGR of around 11% during 2018-2022.
Clearly, a successful hack of an enterprise security camera system could have a range of implications. Among the main ones are unauthorised access to live video and audio streams and to the archive; breaches of confidentiality, HIPAA and PII obligations; potential leaks of personal and corporate information; and the copying, unauthorised distribution and duplication of such data.
“Most Enterprise video surveillance systems are vulnerable to hackers. According to our studies, more than half of companies and organisations, both large and small, do not take sufficient precautions when it comes to preventing their security cameras from being hacked. Be it ignorance or just careless approach to security of their network in general, the results of hacking can be disastrous,” says Chris Ciabarra, the CTO and co-founder of Athena Security.
With the increasing number of surveillance cameras installed in homes, offices and public places, hacking incidents related to these devices happen more and more often.
The ease of hacking surveillance cameras
It’s not a secret that surveillance cameras, like many other Internet of things (IoT) devices, are full of vulnerabilities that can be exploited by hackers.
Cameras, just like all other devices connected to the Internet, have IP addresses that are easy to find using Shodan, a search engine for Internet-connected devices. With this simple tool, a hacker can find hundreds of potentially vulnerable IoT devices to hack into, including cameras, especially when most companies use default passwords.
Below are basic recommendations on how to protect your camera network, and what actions you should take to minimise the chance of hacking.
Change the default username and password
You should start by changing the default password and username of your camera network. Even though this may seem obvious, not everyone does it, practically leaving the door for hackers wide open.
Use a strong password that is hard to guess. When setting up the password use numbers, symbols, both uppercase and lowercase letters. Do not use simple and commonly used passwords, such as the ones in SplashData's list of 100 worst passwords of the year.
Do not use the same password you are already using for other online accounts. According to a recent survey on data privacy conducted in May 2019, 13% of respondents with at least one online account say they use the same password for all their accounts. Using a password manager to generate a strong random password may be a good idea.
Update your camera firmware regularly
Keeping camera firmware up-to-date is very important, as it prevents hackers from exploiting vulnerabilities and bugs that the manufacturer has already patched in a new firmware update.
Despite the fact that most modern cameras will automatically download and install firmware updates, some require the user to check for updates and install them.
Set up two-factor authentication
Set up two-factor authentication if your cameras support it. With two-factor authentication on, the camera manufacturer sends you a randomly generated passcode via text message or phone call, in addition to the username and password, during each login to the account. Two-factor authentication prevents hackers from accessing the camera system even if they were able to crack the username and password.
Not all surveillance camera systems support two-factor authentication, though.
Prevent cameras from sending information to third parties
Companies that use surveillance cameras very often do not put enough effort into protecting their cameras and the data they transmit, despite the fact that this footage is of great importance to many people.
The firmware of most cameras from different manufacturers is programmed in a way to keep a connection with the manufacturer’s server without knowledge of the end-user. Most users, both private and corporate, are not aware of this and therefore do not take any steps to protect themselves from this potential vulnerability, which could result in footage leak to a third party or a successful hacker attack.
To prevent your camera network from transmitting, the following steps should be taken.
Step 1: Statically assign an IP address
Statically assign an IP address and subnet mask to each camera, and leave the gateway blank or set it to 127.0.0.1, if the gateway field allows this to be entered. If the firmware does not allow a blank gateway or a 127.x.x.x address, point the gateway to an unused, dedicated IP address instead.
This way, cameras will not be able to send the information off the local company network.
Step 2: Assign DNS servers
Assign DNS servers that are local to cameras and force only your domain to be present with zero forwarding DNS servers.
This way, if a camera tries to do name resolution, it will come up blank. Not being able to find the IP address of the main server (mother ship), cameras won’t be able to connect to it.
To stay safe you can order your own DNS servers, locked down to your addresses only.
Block your camera network’s access to the Internet
Blocking your camera network’s access to the Internet is a good way to make sure hackers won’t be able to get access to the footage and other confidential data. Any dual-homed system touching your camera network should be blocked from Internet access. This way all systems in the same subnet won’t have access to the Internet from that box.
Always use DNS as well, because firewall rules tend to be easy to hack, while an internal DNS server is not expected and stops systems from resolving names you do not wish to be translated, such as a bad program talking back to its mothership.
Monitor your system for traffic spikes
One of the tricky things about hacker attacks is that there are no warnings. In most cases hackers would penetrate your system without any signs or symptoms of an attack, and it isn’t until you face consequences (like leaked footage or hackers manipulating cameras) when you realise something is wrong. It may be days or even months between the hacker attack and the time you realise the system has been compromised.
Monitoring dual-homed systems for bandwidth spikes can be a good way to spot a hack that results in the leakage of confidential data such as images or video. A number of traffic monitoring tools are available to private and corporate users that can manage and sniff the network, or simply monitor it.
Facial blur in archived footage
Blurring people’s faces when archiving in surveillance camera video streams is a great tool, allowing you to comply with privacy laws and make the footage useless to hackers even if they manage to successfully hack your system.
These recommendations will allow you to lower the risk of hackers breaking into your security camera network, detect the hack if it has occurred already, and to protect yourself from possible consequences if camera footage was stolen.
The modern working world has evolved dramatically over the last few decades - from how and when we work, to the places we work from. Widespread internet connection advances, alongside the growth of cloud-based shared working platforms, have not only created the possibility for increasingly flexible working arrangements, but also fuelled a desire to do so – particularly among millennials.
The preference for flexible working has now created a widespread need for more agile workforces, saddling IT departments around the world with the task to maintain ‘business as usual’ without compromising corporate privacy.
With flexible working forecasted to stay for the long haul and passwords increasingly under scrutiny, evaluating alternative secure authentication methods to keep companies’ data and networks safe is important to protect these ‘new normal’ ways of working.
The end of the humble password?
A recent report by Raconteur found that the most common method of authentication for securing the digital aspects of workplaces is passwords.
Unfortunately, however, between phishing, hacking and simple guesswork, passwords are easily compromised – a problem that is only getting worse, with IT professionals reporting an increase in phishing attacks in the last few years. Once compromised, passwords can be used to enter untrusted apps or websites and, worst and most commonly of all, give rise to even greater data breaches.
Alongside security concerns, 6 in 10 people worry about forgetting their passwords and, according to a recent Balbix study, 99% of people reuse the same password across different work accounts. This, undoubtedly, is a side effect of the increasingly complex character requirements implemented by many enterprises. This stress and effort leads to frustrated employees, but, more worryingly, forgotten passwords can also cost IT departments millions of dollars a year.
In our flexible, hyper-connected world, it is clear then that the humble password is no longer effective. Additional or alternative layers of authentication are needed to help enterprises maintain their workplace security in a more convenient and cost-effective way.
Smarter workplace authentication with biometrics
Often, hacking incidents involve the use of stolen credentials. One authentication solution that could bring an end to these large-scale hacking attacks is biometrics, as unique biological traits are extremely hard to steal and spoof.
In addition to being a more secure method to authenticate users and prevent fraud in companies’ networks, it is also possible to layer biometric modalities to create a highly convenient and secure multi-modal authentication solution for sensitive areas or information. Spoofing two biometric modalities, such as fingerprint and iris, in the same attack is virtually impossible, but that doesn’t mean this level of security needs to impair the UX. After all, you can put your finger on a touch sensor, while at the same time glancing at a sensor.
For businesses, biometrics can be used in a wide variety of use cases, from securing laptops and applications to authenticating employees at secured access and entry points. It can also be used to add frictionless layers of additional security to any aspect of current security systems, such as key fobs or USB sticks, or to access personalized settings or employee accounts when using shared devices, such as a printer system. This way, beyond playing a role in securing the modern workplace, biometrics can also give employees greater flexibility and convenience over how, when and where they work.
Privacy and biometrics - explained
Many employers and employees worry about safeguarding privacy in the workplace. Considering biometric data is highly personal, it is no wonder, then, that many are concerned about collecting this data for the purpose of workplace security and what liabilities this may expose them to.
Employers must adhere to the relevant workplace privacy laws, such as Europe’s GDPR, and this duty extends to biometrics, of course. But, provided biometrics is implemented in line with best practice, it can actually protect employees’ privacy far more effectively than its predecessor, passwords.
When employers use an on-device approach, their employees can rest assured no one will be able to access or steal their biometric data, as all biometric data is stored and processed on the device - whether that is a laptop, smartphone, USB stick or key fob. Removing the need for data to ever enter the cloud, this also removes the technical and legal complexities of managing a biometric database and, if a key fob is lost for example, all parties can rest assured there is no chance of anyone else being able to use it. A win-win.
Precisely because biometric data is so difficult to steal and spoof, adding biometric authentication to end-point devices can considerably reduce data breaches to keep both sensitive employee and corporate data safe and secure.
Reimagining workplace security
As people work more flexibly, systems are shared more frequently, and attacks get smarter, it is clear to see that passwords alone are no longer enough to secure the modern-day workplace.
Now is the time to reassess the physical and logical access control infrastructure. To keep personal and corporate data safe, it is crucial to add new and additional authentication methods to the security infrastructure. Luckily, the benefits of biometrics are often far simpler to realize than many enterprises imagine.
The beauty of biometrics is its combination of both security and convenience. Compared to other forms of authentication, biometrics offers considerably stronger protection and an enhanced UX that can easily be integrated into existing enterprise security infrastructure – without the need for huge biometric databases to manage or fear.
So, whether to replace outdated passwords or as part of a multi-modal authentication system, biometrics can play an important role in pushing workplace security into a new era for both physical and logical access control.
Within days, a rule will take effect that bans from U.S. government contracts any companies that “use” video products from Chinese companies Hikvision and Dahua. The Federal Acquisition Regulation (FAR) rule implements the “blacklist” (or “Part B”) provision of the National Defense Authorization Act (NDAA), which is understood in the security industry as prohibiting dealers and integrators that do business with the federal government from selling Chinese-made video products to any of their customers (even for non-government projects).
The rule, which is officially still interim, states: “On or after August 13, 2020, [federal] agencies are prohibited from entering into a contract, or extending or renewing a contract, with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”
Federal agencies issuing the rule are the Department of Defense (DoD), the General Services Administration (GSA) and the National Aeronautics and Space Administration (NASA). GSA provides centralized procurement for the federal government.
Because the COVID-19 crisis delayed issuance of the rule, the usual 60 days will not be allowed for public comment before the rule is implemented. However, public comments are welcome and will be addressed in subsequent rulemaking.
“Telecommunications equipment” refers to equipment or services provided by Huawei Technology or ZTE Corp, both Chinese telecommunications giants. The rule also specifies that it applies to “certain video surveillance products or telecommunications equipment and services produced or provided by Hytera Communications Corp., Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of those entities).” Hytera is a Chinese manufacturer of radio systems. Hikvision and Dahua are major international manufacturers of video surveillance equipment.
Limits and prohibitions
The rule states: “This prohibition applies to the use of … equipment or services, regardless of whether that use is in performance of work under a Federal contract.” In the industry, this clause is taken to mean that integrators that “use” any of the covered equipment are prohibited from selling to the government. “Use” presumably covers an integrator deploying the equipment in their own facilities and/or selling it to other customers. The rule also prohibits “service … related to item maintenance,” which in the case of a security integrator would include providing service contracts on previously installed systems.
Security Industry Association (SIA)
The Security Industry Association (SIA) comments: “Due to applicability [of the rule] to uses by entities with federal contracts even unrelated to their federal work, this broad interpretation is expected to have widespread impact on the contracting community across many sectors, as covered video surveillance equipment is some of the most commonly used in the commercial sector in the United States.”
Security integrators that do business with the federal government have largely anticipated the new rule and already switched their Chinese camera lines for NDAA-compliant competitors. However, as SIA points out, the extensive common uses of the Chinese equipment in various commercial sectors raise additional concerns.
Easing compliance burdens
The interim rule adopts a “reasonable inquiry” standard when an offeror (government contractor) represents whether it uses covered equipment. “A reasonable inquiry is an inquiry designed to uncover any information in the entity’s possession about the identity of the producer or provider of covered telecommunications equipment or services used by the entity. A reasonable inquiry need not include an internal or third-party audit.” SIA notes that this provision may be aimed at easing the compliance burden by suggesting that contractors only need to inquire based on what information they already possess.
The new rule covers Paragraph (a)(1)(B), which has informally been referred to as the “blacklist” provision of the NDAA, the John S. McCain National Defense Authorization Act for fiscal year 2019. However, the “Chinese ban” provision [Paragraph (a)(1)(A)] already went into effect a year after the law was signed by President Trump (August 13, 2018). “Part A” covers use of Chinese-made products in fulfilling government contracts.
A growing threat
Seeking to justify the new restrictions, the FAR rule states: “Foreign intelligence actors are employing innovative combinations of traditional spying, economic espionage, and supply chain and cyber operations to gain access to critical infrastructure and steal sensitive information and industrial secrets. The exploitation of key supply chains by foreign adversaries represents a complex and growing threat to strategically important U.S. economic sectors and critical infrastructure.”
SIA has urged a delay in implementing the “Part B” provision, stating: “The federal government estimates that it will cost contractors well over $80 billion to fully implement this prohibition on the use of certain Chinese telecommunications and video surveillance equipment, yet endless delays in publishing the rule now mean that federal suppliers have just weeks to understand and comply with the new rule, which raises as many questions as it answers.”
SIA continues: “Federal suppliers across a wide range of industries have increasingly concluded that Part B is unworkable without clarification of the scope and meaning of key terms in the provision, which the rule does not do enough to define. For example, Part B bans agencies from contracting with a provider that “uses” any covered equipment or service. This term is not clearly defined in law or regulation, yet contractors must certify compliance beginning Aug. 13, 2020.”
The Part B rule, which only applies to prime contractors, enables agency heads to grant a one-time waiver on a case-by-case basis, expiring before Aug. 13, 2022.
The global pandemic caused by the novel coronavirus is changing work environments to an unprecedented degree. More employees than ever are being asked to work remotely from home. Along with the new work practices comes a variety of security challenges.
Without the proper precautions, working from home could become a cybersecurity nightmare, says Purdue University professor Marcus Rogers. “Criminals will use the crisis to scam people for money, account information and more,” he says. “With more people working from home, people need to make sure they are practicing good cybersecurity hygiene, just like they would at work. There is also a big risk that infrastructures will become overwhelmed, resulting in communication outages, both internet and cell.”
Concerns about the coronavirus have increased the business world’s dependence on teleworking. According to Cisco Systems, WebEx meeting traffic connecting Chinese users to global workplaces has increased by a factor of 22 since the outbreak began. Traffic in other countries is up 400% or more, and specialist video conferencing businesses have seen a near doubling in share value (as the rest of the stock market shrinks).
Basic email security has remained unchanged for 30 years
Email is a core element of business communications, yet basic email security has remained unchanged for 30 years. Many smaller businesses are likely to still be using outdated Simple Mail Transfer Protocol (SMTP) when sending and receiving email. “The default state of all email services is unencrypted, unsecure and open to attack, putting crucial information at risk,” says Paul Holland, CEO of secure email systems provider Beyond Encryption.
“With remote working a likely outcome for many of us in the coming weeks, the security and reliability of our electronic communication will be a high priority,” says Holland. The company’s Mailock system allows employees to work from any device at home or in the office without concerns about data compromise or cybersecurity issues.
Acting quickly and effectively
As the virus spreads, businesses and organisations will need to act quickly to establish relevant communication with their employees, partners and customers surrounding key coronavirus messages, says Heinan Landa, CEO and Founder of IT services firm Optimal Networks. Employers should also enact proper security training to make sure everyone is up to speed with what’s happening and can report any suspicious online activity.
Reviewing and updating telework policies to allow people to work from home will also provide flexibility for medical care for employees and their families as needed.
Scammers, phishing, and fraud
An additional factor in the confusing environment created by the coronavirus is growth in phishing emails and creation of domains for fraud. Phishing is an attempt to fraudulently obtain sensitive information such as passwords or credit card information by disguising oneself as a trusted entity. Landa says homebound workers should understand that phishing can come from a text, a phone call, or an email. “Be wary of any form of communication that requires you to click on a link, download an attachment, or provide any kind of personal information,” says Landa.
Email scammers often try to elicit a sense of fear and urgency in their victims – emotions that are more common in the climate of a global pandemic. Attackers may disseminate malicious links and PDFs that claim to contain information on how to protect oneself from the spread of the disease, says Landa.
Ron Culler, Senior Director of Technology and Solutions at ADT Cybersecurity, offers some cyber and home security tips for remote workers and their employers:
When working from home, workers should treat their home security just as they would if working from the office. This includes arming their home security system and leveraging smart home devices such as outdoor and doorbell cameras and motion detectors. More than 88% of burglaries happen in residential areas.
When possible, it’s best to use work laptops instead of personal equipment, which may not have adequate antivirus software and monitoring systems in place. Workers should adhere to corporate-approved protocols, hardware and software, from firewalls to VPNs.
Keep data on corporate systems and channels, whether it’s over email or in the cloud. The cyber-protections that employees depended on in the office might not carry over to an at-home work environment.
Schedule more video conferences to keep communication flowing in a controlled, private environment.
Avoid public WiFi networks, which are not secure and run the risk of remote eavesdropping and hacking by third parties.
In addition to work-from-home strategies, companies should consider ways to ensure business cyber-resilience and continuity, says Tim Rawlins, Director and Senior Adviser for risk mitigation firm NCC Group. “Given that cyber-resilience always relies on people, process and technology, you really need to consider these three elements,” he says. “And your plan will need to be adaptable as the situation can change very quickly.”
Employees and their employers
Self-isolation and enforced quarantine can impact both office staff and business travelers, and the situation can change rapidly as the virus spreads, says Rawlins.
Employees should be cautious about being overseen or overheard outside of work environments when working on sensitive matters. The physical security of a laptop or other equipment is paramount. “It’s also important to look at how material is going to be backed up if it’s not connected to the office network while working offline,” says Rawlins.
It’s also a good time to test the internal contact plan or “call tree” to ensure messages get through to everyone at the right time, he adds.
HID Global is introducing a new “flagship” line of access control readers as successors to the iCLASS line. The new HID Signo readers will support 15 different credentialing formats and communicate using the latest NFC (near field communication), BLE (Bluetooth Low Energy) and OSDP (Open Supervised Device Protocol) standards. HID Global says the new readers will simplify integration to more secure and mobile credentials.
HID Global has invested in a “future-proof” approach that both accommodates a variety of current market needs and can adapt to embrace new technologies as they come onto the market. The new line incorporates “all the hardware you need,” combining the capabilities of older generations of readers into a single product.
Simplifying the choice of readers
The new reader line seeks to simplify the choice of readers in a time when a variety of trends is complicating the access control market, from cloud systems to mobile access to identity management.
“We are simplifying the way we bring our products to market, and baking it all into our readers,” says Harm Radstaak, HID Global Vice President and Managing Director. “If an installer takes a reader out of the box and mounts it on the wall, it just works.”
In designing the product, HID sought feedback from channel partners, installers, consultants and end users on how the new readers would function. In addition, the company sought advice from architects on the design of the product. Aesthetics and industrial design elements were a priority because they ideally reflect the quality and “promise” of how the product will perform.
Cybersecurity is another emphasis. The readers store cryptographic keys and perform cryptographic operations on certified EAL6+ secure element hardware, and custom authentication keys can be used by organisations that prefer that level of control. EAL6+ is an Evaluation Assurance Level designation for an IT product or system (the highest level is EAL7). Signo also includes a velocity checking feature designed to mitigate and thwart brute force attacks.
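The velocity check mentioned above is, in outline, a rate limiter on failed credential presentations: once a reader sees too many failures in a short window it stops evaluating credentials for a cooling-off period, which caps how many guesses a brute-force attempt can make. The sliding-window checker below is an added illustration of that idea, not HID’s code and not how Signo implements the feature; the reader identifiers, thresholds and the timeline in `simulate()` are constructed for the example.

```python
"""Illustrative sliding-window velocity check for an access-control reader."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class VelocityChecker:
    """Throttle repeated failed credential presentations per reader.

    A presentation is rejected outright while the reader is in lockout;
    otherwise it is evaluated, and a failure is recorded. When `max_failures`
    failures land inside `window_s` seconds, the reader enters lockout for
    `lockout_s` seconds. The parameter names and defaults are assumptions
    for this example, not a real product's configuration.
    """
    max_failures: int = 5
    window_s: float = 60.0
    lockout_s: float = 300.0
    # reader_id -> timestamps of recent failures (oldest first)
    _failures: dict = field(default_factory=dict)
    # reader_id -> time at which the lockout ends
    _locked_until: dict = field(default_factory=dict)
    # (reader_id, time) for every lockout; worth forwarding to a SIEM
    lockout_events: list = field(default_factory=list)

    def is_locked(self, reader_id: str, now: float) -> bool:
        return self._locked_until.get(reader_id, 0.0) > now

    def check(self, reader_id: str, credential_ok: bool, now: float) -> str:
        """Return 'granted', 'denied' or 'locked' for one presentation."""
        if self.is_locked(reader_id, now):
            return "locked"          # nothing is evaluated during lockout
        if credential_ok:
            return "granted"
        q = self._failures.setdefault(reader_id, deque())
        # forget failures that have fallen out of the sliding window
        while q and now - q[0] > self.window_s:
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[reader_id] = now + self.lockout_s
            self.lockout_events.append((reader_id, now))
            q.clear()
            return "locked"
        return "denied"


def simulate() -> list:
    """Run a constructed timeline against one reader and return the outcomes."""
    vc = VelocityChecker(max_failures=3, window_s=10.0, lockout_s=30.0)
    # (seconds since start, whether the presented credential is valid)
    timeline = [
        (0.0, False), (1.0, False), (2.0, False),   # three quick failures
        (3.0, True),                                # valid card, but locked out
        (33.0, True),                               # lockout has expired
        (40.0, False), (55.0, False), (56.0, False),  # spread out: never 3 in 10 s
        (57.0, True),
    ]
    return [vc.check("lobby-door-1", ok, t) for t, ok in timeline]


if __name__ == "__main__":
    print(simulate())
```

Note the trade-off the lockout introduces: while the reader is locked, a legitimate credential is refused too, so an attacker can turn the throttle into a denial of service for that door. Lockout events should therefore be logged and alerted on, and the thresholds chosen so that ordinary misreads do not trip them.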
“The new Signo line is a continuation of the journey we have been on,” says Radstaak. “It is the natural succession of what we have been doing for years, and it underlines our position in the market.” By natively supporting mobile credentials, the new product line reinforces HID’s commitment to mobile systems, which the company first brought to market in 2014. Signo readers also include Enhanced Contactless polling to support mobile credentials in Apple Wallet.
Embracing the OSDP standard, which was created in 2008, also addresses the growing customer need for bi-directional, secure communications. There is built-in support for OSDP Secure Channel as well as legacy Wiegand communication for organisations seeking to transition.
Signo incorporates support for most credential technologies globally, including Seos, credentials with HID’s Secure Identity Object, and a variety of 125kHz legacy technologies such as Indala and Prox.
The flexibility and openness of Signo is a response to the acceleration of new technologies entering the access control market. “If you look at new technologies in general, our market has been slow in adopting them,” says Radstaak. “However, with new entrants in the market, new technologies, new device manufacturers and artificial intelligence (AI), I believe the market is adopting new technologies much faster than before. Users are much savvier.”
Radstaak says he expects market adoption of the new readers will be fast. “Customers have been waiting for this platform,” he says. “This has been a tremendous investment for HID Global, and it underlines our position in the market with its open platform, simplicity and future-proofing. We are prepared for whatever comes next technology-wise.”
With Signo readers, administrators will be able to remotely configure and diagnose readers as well as monitor status through a centrally managed and connected reader ecosystem.
As a member of the FiRA Consortium, HID Global has advocated bringing new technology to market based on the “fine ranging” capabilities of ultra-wideband (UWB) technology, which has applications in detecting the precise location or presence of a connected device or object. It is the kind of technology that the Signo platform’s “future-proofing” approach is geared to accommodate. “As the capability unfolds, we will be there to adapt,” says Radstaak.
Gough & Kelly, a provider of security products and services across the north of England, has expanded the use of SmartTask to enhance its patrol monitoring and performance reporting capabilities at a second office in Yorkshire. The company has rolled out the workforce management software to its operation in Leeds, having already achieved significant operational improvements at its York business.
“SmartTask has proved to be an invaluable tool across our manned guard, keyholding and alarm response services, especially on our contract with City of York Council, so our aim is to replicate this success at our Leeds operation,” explains Richard Cuff, Senior Operations Manager at Gough & Kelly. “When the roll-out is complete, we will be using the software for a team of 150 static and mobile security officers working across 100s of private and public sector locations. This will enable us to further streamline administrative processes, while enhancing the customer experience.”
Simplicity of the software
Initially, Gough & Kelly adopted SmartTask following a request from a customer, a boarding school in Yorkshire, for a patrol management system that would provide peace of mind that security activity was taking place. The company previously used a system that was not cloud-based and required the use of heavy and cumbersome data collectors, so they took the decision to explore alternative app-based options. SmartTask was selected because of the simplicity of the software and the breadth of information it provides.
The use of the software has since been expanded to cover the entire York operation, providing an essential tool to its main contract with City of York Council.
In 2018, Gough & Kelly secured a 10-year extension for the provision of security services covering almost 100 Council sites, made up of a diverse range of locations including offices, commercial buildings, libraries, hostels, museums, recycling centres and vacant properties. SmartTask was an important part of the retender process due to its responsive, evidence-based and KPI reporting functionality.
Electronic incident report
Using a SmartTask-enabled smartphone, static security officers scan a tag at the start and end of each patrol to capture the length and time, while an electronic incident report can be submitted with additional details of identified damage and photo evidence.
Meanwhile, mobile supervisors, responsible for alarm response and keyholding services, scan a tag to confirm proof of attendance. This creates a GPS location and timestamp, so Gough & Kelly can monitor response times and ensure they are meeting customer KPIs.
Weekly and monthly reports
Typically, Gough & Kelly is measured on completion of tasks, attendance and response times, so SmartTask generates weekly and monthly reports that are tailored to individual customer requirements. Incident reports are also supplied by 10 am the next day, having previously been issued by close of business the next day, representing an improvement of up to eight hours.
In addition, the centralised reporting system via SmartTask enables the company to compare performance levels at different sites, identifying operational trends and areas of improvement.
Single software platform
“SmartTask has certainly made our lives easier because of all the key information that is available within a single software platform. Not only does it give us added visibility and control centrally, but also simplifies operational processes for our remote workforce, removing previous paper-based systems. It has also allowed us to enhance our staff welfare checks, providing an added layer of protection and an effective way of addressing issues,” concludes Cuff.
Paul Ridden, CEO of SmartTask commented: “We have developed a highly advanced, configurable and easy-to-use guard management, monitoring and reporting solution that puts our customers in complete control. The software can be tailored to meet individual requirements and achieve a host of efficiency, performance and compliance benefits, generating proven value and creating a point of differentiation.”
March Networks, a globally renowned company in video security and video-based business intelligence solutions, is proud to announce that one of the world’s largest oil companies will deploy its cloud-based Searchlight solution at more than 300 c-store locations.
The Fortune 500 Company is currently rolling out March Networks Searchlight for Retail as a Service at all of its U.S. corporate-owned stores. The company’s branded fuel products are sold at nearly 8,000 service stations in the U.S., providing a future platform for March Networks to continue to grow its c-store customer base.
Cloud-based Searchlight solution
By choosing March Networks’ cloud-based Searchlight, the oil company can deploy a powerful loss prevention and data analytics solution in a shorter timeframe and with less upfront cost than a traditional video surveillance deployment.
The subscription-based service, combining high-definition video, transaction data and analytics, is managed by March Networks from its secure Network Operations Centre (NOC). This eliminates the need for the company to purchase and maintain servers within its own IT infrastructure, and leaves it free to focus on its business, while March Networks handles all the software upgrades and maintenance of the application.
With the addition of the oil company, nearly 15,000 business locations worldwide are now using the March Networks Searchlight solution.
Security and transformational business insights
“Leading banks, retailers and restaurant chains are choosing March Networks Searchlight for its unique ability to deliver both security and transformational business insights,” said Peter Strom, President and Chief Executive Officer (CEO), March Networks.
He adds, “Organisations can not only reduce theft, fraud and shrink, but gather operational and business intelligence to boost performance and profitability. By offering Searchlight’s video insights in a monthly subscription model, March Networks is meeting increased demand for cloud-based video surveillance-as-a-service (VSaaS), and rapidly growing the services part of our business.”
Convenient managed services
Searchlight for Retail as a Service includes March Networks’ convenient managed services, where trained professionals monitor each customer’s video network system health and performance, ensuring maximum uptime.
Using the March Networks Insight platform, customers gain access to their network information, including device health and warranty information, through a secure web browser. Searchlight and Insight are part of the oil company’s complete end-to-end solution.
Command Enterprise Software
The end-to-end solution also includes March Networks’ highly reliable hybrid recorders, supporting analog and IP cameras, its Command Enterprise Software for advanced system management and administration, and its SE2 and SE4 Series IP Cameras for crystal-clear video capture.
March Networks is partnering with NAVCO, a national electronic security systems integrator and long-time March Networks Certified Solution Partner (CSP), to complete the company’s deployment and provide seamless support for the solution moving forward.
Sonitrol, the globally renowned provider of verified electronic security solutions, has announced that CMS Corporation, an award-winning construction contractor, relies on one of Sonitrol’s newest offerings, Sonitrol Network Protection.
CMS Corporation’s scope of services encompasses new construction, renovations, fueling systems, and energy and sustainability projects for a wide range of commercial and federal government clients. The company’s projects are approximately 70% Federal and 30% civilian undertakings.
Upgrading network security
According to CSO Online, the average small business loss when a network has been breached is US$ 170,000. CMS Corporation’s management knew that they needed to upgrade their network security in an effective, comprehensive and cost-effective manner.
Matthew Wilson, Director of Information Technology at CMS Corporation, was impressed with Cisco’s reputation, and he was aware of their Cisco Meraki software. He chose Sonitrol Network Protection as the preferred network security solution because it offered a world-class solution provided by a known and trusted provider, Sonitrol.
SB/MBEs more vulnerable to cyber-attacks
CMS Corporation’s Bargersville, Indiana office is a two-story administrative space with a large workshop and fabrication area, and a large detached workshop/storage area. Small Business and Minority-Business Enterprises (SB/MBEs), like CMS Corporation, are particularly vulnerable to cyber-attacks, because their relatively small size means that they have a lower IT budget and fewer resources.
Furthermore, with CMS Corporation’s large number of federal government contracts, effective cyber security is essential to the company’s continued growth and success.
Cybersecurity Maturity Model Certification compliance
Due to upcoming Cybersecurity Maturity Model Certification (CMMC) compliance, federal contractors are required to tighten their network security to protect Controlled Unclassified Information (CUI).
“Cisco Meraki products enable us to have proactive insight into our network activity to help ensure compliance with current and new federal regulations,” Matthew Wilson explained.
Sonitrol Network Protection
Wilson was attracted to Sonitrol Network Protection’s ease of deployment, single pane of glass administration, auto mesh VPN, and seamless scalability. These features are powered by the Cisco Meraki products and solutions, installed by CMS Corporation, which include: MX68CW, MS120-8 FP switch, and four MR36 access points. They also have a handful of Z1 and Z3 devices in remote construction trailers that are able to support the software.
In addition to topline network protection from potentially daily cyber-attacks and ransomware attacks, Wilson and his colleagues are now learning post-deployment that Sonitrol Network Protection offers a host of additional security features and benefits.
Cisco Meraki and Sonitrol integration
Wilson noted, “Cisco Meraki and Sonitrol are a winning combination and Sonitrol’s knowledgeable, courteous installation staff made the transition to our powerful, new network protection quick and easy.”
Sonitrol Network Protection, powered by Cisco Meraki, can protect any size company’s network, devices, and data from daily cyber-threats and attacks.
Firewall and intrusion protection
The solution provides firewall protection, intrusion detection and prevention, ransomware protection, anti-phishing, malicious file scanning and more, thereby protecting businesses from huge monetary and data losses. It is cloud-based and managed from a single dashboard GUI, making managing one’s network easy.
The Sonitrol Network Protection solution also provides robust business management tools: content/URL filtering, application-aware traffic control, guest Wi-Fi access, analytics and heat mapping, and custom reporting options. The technology stays current with automatic firmware and security patches, and it works within a connected ecosystem, delivering security on Day 1 of implementation.
Global professional services provider Equiom has 14+ offices across the globe with more than 600 employees. In 2014, Equiom employed just 200 people across two offices in two jurisdictions and had ambitious plans to grow into a global business.
But while the business had plans to scale, its infrastructure was that of a small business and not able to support its ambitions. As such, the company undertook a review of its entire IT infrastructure, including the network, software, and servers, with a key focus on cybersecurity, to develop systems that could support the business’ growth strategy.
External vulnerability testing
Furthermore, Equiom believed its security had to be robust enough to provide peace of mind to regulators, investors, and shareholders. To address this challenge Equiom wanted to work with a specialist cybersecurity partner that could both help identify any weaknesses and vulnerabilities within the infrastructure and provide recommendations and training for improving its security posture.
Following a competitive process, Equiom selected SureCloud to provide services globally, including cybersecurity penetration testing, internal and external vulnerability testing and management, and social engineering, including simulated phishing exercises, simulated ransomware attacks and physical social engineering. All services were delivered as part of SureCloud’s Pentest-as-a-Service, which provides a centralised platform for managing all elements of the projects, including Equiom’s vulnerability remediation programme.
Stephen Roberts, Global Chief Information Officer for Equiom Group, commented: “SureCloud was the obvious choice as the team is extremely knowledgeable, and the company had invested heavily in its cloud-based platform to create a technical solution that is far more developed than anything else in the marketplace.”
“We felt working with SureCloud would enable us to provide a single snapshot of our security posture at any given time. Ultimately, the platform offered us the ability to simplify the overall management process, which was a key differentiator for us. SureCloud takes what is, in reality, a highly complex set of requirements and makes it as simple as possible.”
Accurately monitor progress
“Through centralisation of all reports and data, including output from penetration tests, vulnerability scans and social engineering exercises, we have complete visibility over our infrastructure and can develop remediation action plans and accurately monitor progress in real time,” said Roberts.
“As we continue to grow, SureCloud provides peace of mind to our stakeholders and customers. When we compare new acquisitions to those parts of our business that have gone through the SureCloud process, we can see a very clear difference in the respective postures. This is a testament to SureCloud’s success in keeping our security posture in excellent health,” commented Roberts.
Overall security posture
“We have also worked with SureCloud to address additional challenges in the business. We are currently using its GDPR application, which feeds data back into the platform enabling us to assess our compliance status against our overall security posture. Now we have complete oversight of our infrastructure,” said Roberts.
“The fact that SureCloud is easy to use and highly scalable means that as we work to triple the size of the business over the next four years, we can do so while confidently relying on the platform to ensure that security is not compromised during that process. Through SureCloud we have raised our security posture to a level where our systems can help detect threats so that we can prevent attacks before they impact the business”, concluded Roberts.
Protecting the oil and gas market is key to a thriving economy. The list of security challenges for oil and gas requires the best technology solutions our industry has to offer, from physical barriers to video systems to cybersecurity. We asked this week’s Expert Panel Roundtable: what are the security challenges of the oil and gas market?
We are all more aware than ever of the need for cybersecurity. The Internet of Things is a scary place when you think about all the potential for various cyber-attacks that can disrupt system operation and negatively impact a customer’s business. Because most physical security systems today are IP-based, the two formerly separate disciplines are more intertwined than ever. We asked this week’s Expert Panel Roundtable: How can cybersecurity challenges impact the physical security of a company (and vice versa)?
Cloud systems are among the fastest-growing segments of the physical security industry. The fortunes of integrators can improve when they embrace a recurring monthly revenue (RMR) model, and cloud systems are expanding the services and features manufacturers can provide, from remote diagnostics to simplified system design. But for all the success of cloud systems, there remains confusion in the market about the exact definition of “cloud”. Or does there? We asked this week’s Expert Panel Roundtable: what is “the cloud”? Is there agreement in the market about what the term means?