Educating integrators about cybersecurity for work on college campuses and elsewhere

IST’s Andrew Lanning: ‘It's incumbent upon us to elevate our game’
Thursday, March 17, 2016

YARMOUTH, Maine—Andrew Lanning enjoys visiting college campuses and “the ubiquity of their Wi-Fi access.” But the reason he is on campus, usually, is that easy Wi-Fi access means easy prey for hackers and cyberthreats.

Lanning is the co-founder of Integrated Security Technologies in Waipahu, Hawaii. Like other security experts charged with tackling cyberthreats in educational settings, his main job is to remind integrators, manufacturers and end users that while no system is immune to hacking, all problems can be addressed through education, collaboration and attention to detail.

“The best way to teach is to learn,” Lanning said. “We distill it down to people, process and products.”

In the world of cybersecurity, college campuses look and feel different from government offices and large businesses in many obvious ways. Less obvious to laymen may be the approach and adjustments that security manufacturers and integrators must make when the end users of their security products and services are institutions of higher learning.

When Duane Djie, sales engineer at Hikvision USA, compares the cybersecurity needs of corporations, the U.S. Defense Department and a large university, he sees three different worlds and knows there’s a decent chance hackers see more vulnerabilities than his experts do.

At a military base or within the Department of Defense, the primary threat is obviously terrorism and public safety. In the private sector, the threat is corporate espionage. At a college campus, Djie said, “A disgruntled student can do a lot of damage.”

“It’s more about protection of data for their students,” Djie said. “University protection is more about protecting individual identity and property.” This is especially true in research labs, where graduate students need to protect their work with vigilance.

Cybersecurity in education settings demands an ongoing, two-way teaching and learning progression between manufacturers and integrators. The providers of products build prevention and “hardening” techniques into their training for integrators. The integrator, from the field, alerts manufacturers to vulnerabilities that the best engineers may not have considered.

Nobody points fingers. “No system is 100-percent protected from cyberthreats,” said Djie. “When an integrator finds a security threat, we have a response team activated to shoot it up the chain of command.”

For many security experts, Lanning said, that means “humbling yourself before you go to the IT community to figure out how to engage in the conversation.”

John Bartolac, senior manager of industry standards and government programs at Axis Communications, concurred, noting that problems arise “if integrators aren't aware of different IT policies” at their end user's campus setting.

Bartolac's people deploy a variation of Lanning's “people, process and product” mantra. Axis' education efforts focus on “policies, procedures and products,” Bartolac said. Integrators can add more value to the end user by learning as much as possible about internal IT policies on various college campuses, he said.

Kimberly Roberts, director of education and training at the Security Industry Association, stressed the critical role integrators assume in discovering and sharing information on cyberthreats on college campuses.

“Obviously because of how closely they work with the end user, integrators have more information about the ‘in production’ cybersecurity issues that may arise when the products are installed,” Roberts stated in an email.

“Manufacturers should leverage the collective knowledge of their integrators, and make it easy for integrators to pass on information about these breaches in order to harden their products and disseminate patches for these products in a more effective way.”

“Education is really the responsibility of all parties,” said Jacob Hauzen, regional sales manager for education at Genetec. “Campus security has to stay on top of things. Integrators have to stay on top of encryption mechanisms. … It’s the responsibility of all parties to manage software or hardening.”

From the manufacturers’ end, Hauzen said, that means offering webinars to end users or integrators, as well as newsletters, social media and training workshops.

“What seems to be a trend in the security industry is that previously (two or three years ago) we would address encryption data from the server side, whereas now it seems to be addressed at the edge devices, such as card readers or cameras,” he said.

“Manufacturers have to take responsibility for authentication. Software designers have to take responsibility for authentication. IT must put in its own security authentication. We emphasize strong passwords.”

Passwords are so embedded into the routines and thinking of everyday life that their critical role in cybersecurity may be underestimated, say security experts. Unchanged passwords can become serious security threats.

In the not-too-distant past, said Djie of Hikvision, “mom-and-pop integrators that were set up didn’t bother to change their default passwords. We force integrators to use complex passwords at every step, down to the camera level … We said, ‘They may not like it, [but they couldn’t deny that the changes made sense.]’”

Policies on passwords and aggressive preventative maintenance by integrators “to make sure the system is up and running and up-to-date on a regular basis” are examples of “day in, day out” strategies and routines for beefing up cybersecurity for end users, Hauzen said.

Attention to fundamentals goes a long way, said Bartolac. The most seasoned veterans in the security industry need reminders of basics that they probably learned early in their careers. “Video is data. The integrator needs to work with end users to understand the value of that data,” Bartolac said.

Security insiders agree that no system is 100-percent safe from a breach, and that vulnerabilities on college campuses include variables not seen in private industry or government offices. “Let's face it, if I want, for five dollars I can find out everything about you on the 'dark web' and maybe sell that information for 10 dollars,” said Lanning.

“You have to decide if you can live with risks … it's incumbent upon us to elevate our game.”