Security fundamentals can be strong weapons against cyberattacks

Integrators need to be able to do more than just bring in the IT people
Wednesday, February 18, 2015

YARMOUTH, Maine—The recent security crisis at Anthem Blue Cross and Blue Shield reaffirms that the constant threat of cyber hacks is the new normal. Business as usual in the security industry doesn’t exist anymore. So what kinds of proactive steps are integrators and central stations taking to prevent cyberattacks?

Nothing esoteric or revolutionary, actually. But they may be doing things more important than that—reinforcing the fundamentals of cyberhygiene, working harder to improve communication between IT departments and physical security professionals, and making a relentless commitment to education.

Eric Yunag, CEO of Dakota Security Systems, said he has found many of his company’s clients “have a great deal of cyber tools, but they’re not utilized. The functionality is there, but they are not connecting the dots.” Dakota Security is an integration company based in Sioux Falls, S.D.

Christine Lanning, president of Integrated Security Technologies, in Honolulu, Hawaii, made a similar point. “A lot of companies are reluctant to use encryption because it slows down email, but it’s a good process,” she said.

Their comments speak to a couple of issues brought up during interviews with integrators: education and collaboration.

“There are plenty of people who are waiting to point the finger at the physical security industry,” Yunag said. “We don’t build infrastructure. We integrate our systems with others, which is one more click forward in the evolution [of a security apparatus]. We don’t need to be cyberexperts. We need to be able to speak the language of what goes where, why it goes there and how it fits.”

Helping clients’ security directors feel comfortable asking their own IT people clarifying and probing questions may seem like social work, but it is a critical step for tightening cybersecurity, integrators say.

Internal processes need to be reviewed by companies that contract with physical security firms and integrators, said Lanning.

“The security directors used to simply defer to the IT people” when technology infrastructure or even the language—goes above their heads, according to Lanning.

“We find that many of them are still not educated [to detect cyberthreats], and they rely on the IT department. … If you are going to sit at the decision-making table, you need to do more than bring in the IT people,” Lanning said. “Are you going to talk the talk? The integrators who have that blank stare [when IT people talk] are in trouble.”

To be fair, Lanning said, she has found that “IT people are learning that there’s more of a premium on them being more transparent, more user-friendly.”

“IT people understand organizational risk,” said Brad Wilson, president of RFI Communications and Security Systems. “Physical security people understand operational risk.” Traditionally, he said, “they have never played nice together.”

Wilson’s San Jose-based integration company, in the heart of Silicon Valley, has integration and central station services. Because his firm “is kind of a different beast” it is forced to solve a wide range of cybersecurity issues internally, which it can apply to its clients. While many start-up entrepreneurs are reluctant to purchase a wide range of cybersecurity products, his company has, by necessity, developed savvy in compartmentalizing their markets.

But in many cases, the best defense against cyberattacks is a good offense trained on fundamentals.

Glenn Schroeder, chief technology officer at NetOne, based in Southern Pines, N.C., said cyberthreats may seem overwhelming, but solutions boil down to basics and training.

NetOne is a network of 36 independent security companies providing services that include central stations and integration.

“As soon as you open up to the [online] world, you are open to hacking concerns,” Schroeder said. “Everything now runs through the Internet.

“One thing we do routinely is vulnerability testing,” Schroeder said. “We do an official test from the outside. It’s not a full-fledged attack, but we look for areas to exploit.”

It wasn’t that long ago, according to Schroeder, “when central stations had dial-up telephone lines and you didn’t have that much of a risk” of leaked information with the potential of crippling your technology infrastructure.

In terms of educating clients, Schroeder said he is no longer surprised when he finds a company that has a software system without proper updates for more than 20 years. “It still works for them, until someone finds a vulnerability,” he said. “They’re basically exposed. Cameras, video, alarm systems that report to central stations—they’re all connected to the Internet.”

Cybersecurity vulnerability, he said, cannot be separated from inherent risks created by “consumer demand and the needs of the customer.”

Internally, he said, control against cyberattacks may still be a leap of faith, but at least there is more opportunity in-house to be pro-active with policies.

“The systems we sell and install are secure,” he said. “Internally, we focus on the social engineering aspect.”

By social engineering, Schroeder is referring to picking up the phone and calling a receptionist “to find out who the guy is who takes care of this or that.”

His company tests how far someone can go to get access to anything that an employee touches. “It’s not direct, but it’s a way people can get in,” he said. “Some of the biggest hacks have their initial entry through social engineering, with an outsider given information, intentionally or unintentionally.”

Aside from process, sometimes finding a magic bullet helps. Tom Dallmann, CEO of Dallmann Systems, an integration company based in Jefferson, Ind., is hoping that a new program developed within the past year by Hirsch Access Control offers integrators a “unique” way to protect networks from the very source where hacks originate. It uses encrypted credentials on access control cards, equipped with a smart chip.

“They protect networks at the source,” he said. “You won’t be able to access from a remote location without certification, on a card or a mobile device.”

Dallmann, however, knows that the fundamentals of good cyberhygiene cannot be overestimated.

“A lot of companies without technological savvy open the barn door” with open ports, he said. “The best ounce of prevention has always been strong passwords.”

The warp speed at which cyberthreats have evolved into a mainstream issue began, in the assessment of Eric Yunag, with the breach at Target retail stores in 2013. He said the general public may finally have processed the magnitude of the problem in December 2014 when Sony Pictures computers were hacked.

It’s important to keep the fundamentals as simple as one-two-three, said Yunag.

First, there’s the physical security component of prevention: “Just orienting the conversation to talk about data center rooms and switches, things like that,” he said.

Secondly, he said, “There’s the [cyberhygiene] of the systems we deploy. … We have to understand our clients’ strategies first” before “aligning that strategy with vendors.”

Finally, Yunag said, integrators “need to make sure our internal systems are in order.” Critical to the process is “how we handle our own infrastructure.”