Cyber security on a security platform
Thiago Cavalcante Vasconcelos
CEO, Solutions Architect | Consultant | Infosec Leader | Projects | Training | Columnist
What does cyber security mean? Cyber security is a set of measures taken to protect a computer, equipment, system or a platform from unauthorized access or attacks.
It is a widely discussed theme worldwide, and in Brazil it is no different, especially after the WannaCry ransomware episode in 2017. WannaCry hijacks the data of the infected computer, encrypting it and demanding payment to decrypt and release it. WannaCry has also affected smartphones.
This same ransomware infected 8,000 traffic cameras in Australia in June 2017. The news was reported worldwide by The Guardian, The Verge and various technology and security portals.
Other news about security vulnerabilities or attacks on security systems has been widely publicized in newspapers and portals that can be found on the Internet. Here are some examples:
- Hackers attack transportation system and release turnstiles in San Francisco.
- Hackers lock hotel rooms and demand a bitcoin ransom.
- New hacker attack sends sensitive data through cameras without internet access.
- Brazil is the second country most contaminated by viruses that attack cameras.
- One of the largest DDoS attacks in history was made with security cameras.
DDoS is an acronym for distributed denial of service. This type of attack, when performed successfully, makes the attacked equipment or system unavailable. The equipment can be a camera, server, switch or controller, for example.
In the face of numerous incidents of attacks and vulnerabilities in security cameras, manufacturers have developed IP cameras with embedded antivirus, an intrusion detection system (IDS) and protection against brute-force login, with the objective of offering a safer product to their partners and customers.
After several instances of detected and published vulnerabilities in some camera models, software developers went on alert. Currently, a security software developer lists some security camera manufacturers on its site in restricted licensing mode because of vulnerabilities that were detected and not fixed by their manufacturers.
If cameras with vulnerable firmware are installed on an Ethernet network, there is a risk that images or videos leak both inside the company and onto the internet, as has happened recently with worldwide effect, as reported by security portals.
Meanwhile, the cyber security theme is being highlighted worldwide, alerting users of computers, portable devices and security systems, especially professionals and executives in the area of ICT (Information and Communication Technology), who constantly work behind the scenes on ICT infrastructure and security, as well as on the management and maintenance of automation systems, security systems and the unified security platform.
# Recommendations
It is relevant to list some recommendations that can help companies to avoid attacks and vulnerabilities to a security platform, which depends on a robust network infrastructure. The more secure and well-configured the network, the better.
Some practices are well known by professionals in the area of technology or security, but it is important to mention them. They follow:
- Avoid using default passwords on devices and equipment such as cameras, controllers, fire panels, intrusion panels, sensors, intercoms, switches, routers, servers and workstations, among other products. Some IP camera models require the professional configuring the device to change the default password on first access. This is important to prevent the equipment from keeping its factory access credentials;
- Use IP cameras and software that support an encrypted video stream protocol;
- Avoid storing access credentials in spreadsheets on the network; instead, centralize them in a store protected by AES 256-bit encryption with secure, managed access, accessible only to professionals who really need it, observing the information security principles of integrity, confidentiality and authenticity;
- Avoid using the default port numbers on security devices connected to the network;
- Avoid using old authentication standards whose encryption has already been broken, enabling the cloning of proximity cards, which represents a vulnerability and risk in door or vehicle access control systems;
- Segregate the network into virtual local area networks (VLANs) by discipline or service, such as video, access control and intrusion, among others, allowing greater control and optimization by segregating network flows;
- Configure network access control lists (ACLs) where applicable to restrict access to VLANs that must be restricted, such as VLANs containing security equipment;
- Use firewalls and proxy servers, when applicable;
- Keep the firmware of cameras, controllers, switches and all equipment connected to the network updated;
- Keep operating systems updated to the latest versions with the appropriate security patches;
- Keep security software updated with the latest patches;
- Integrate the security platform with the company's corporate directory service, such as Microsoft Active Directory or LDAP in a Linux / Unix environment, to centralize access credentials in the same database, with group policies (GPOs) applied and periodic mandatory password changes;
- Integrate network assets with the corporate directory service through protocols such as TACACS+ (Terminal Access Controller Access Control System Plus) or RADIUS, preventing network assets from having independent access credentials and making credential management more secure, automated and centralized;
- Implement information security policies;
- Develop usage rules for computers and portable devices, emphasizing the importance of not sharing individual access credentials;
- Check whether the company's ICT (Information and Communication Technology) professionals are involved in security projects, as well as in system management or in the control of maintenance contracts. It is important that this work is carried out jointly by ICT professionals and the business and/or operational security area.
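To make the recommendations above actionable, here is an added example (not code from the original article) of a Python inventory audit that flags devices still using default credentials, plaintext protocols, default ports, the default VLAN or firmware below a baseline; the device records, default-credential list, port list and firmware baseline are all constructed placeholders.

```python
"""Audit a device inventory against the recommendations above. Added example;
inventory, vendor defaults and firmware baselines are constructed placeholders."""
from dataclasses import dataclass

DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "12345"), ("root", "root")}
DEFAULT_PORTS = {80, 554, 23}                    # plain HTTP, plain RTSP, telnet
PLAINTEXT_PROTOCOLS = {"http", "rtsp", "telnet"}
FIRMWARE_BASELINE = {"cam-model-x": (2, 4, 0)}   # hypothetical model -> minimum

@dataclass
class Device:
    name: str
    model: str
    vlan: str          # "default" means never moved to a discipline VLAN
    username: str
    password: str
    protocol: str      # stream/management protocol, e.g. "rtsp" or "rtsps"
    port: int
    firmware: str      # dotted version string, e.g. "2.3.1"

def parse_version(version):
    return tuple(int(part) for part in version.split("."))

def audit_device(dev):
    """Return one finding per recommendation the device violates."""
    findings = []
    if (dev.username, dev.password) in DEFAULT_CREDENTIALS:
        findings.append("factory default credentials still in use")
    if dev.protocol.lower() in PLAINTEXT_PROTOCOLS:
        findings.append(f"unencrypted {dev.protocol}; use an encrypted stream protocol")
    if dev.port in DEFAULT_PORTS:
        findings.append(f"default port {dev.port} still in use")
    if dev.vlan == "default":
        findings.append("not segregated into a discipline VLAN")
    baseline = FIRMWARE_BASELINE.get(dev.model)
    if baseline and parse_version(dev.firmware) < baseline:
        findings.append("firmware %s below baseline %s" % (dev.firmware, ".".join(map(str, baseline))))
    return findings

def audit_inventory(devices):
    """Map device name -> findings for every non-compliant device."""
    report = {d.name: audit_device(d) for d in devices}
    return {name: f for name, f in report.items() if f}

# Constructed inventory: one legacy camera beside one hardened camera.
INVENTORY = [
    Device("cam-lobby", "cam-model-x", "default", "admin", "12345", "rtsp", 554, "2.3.1"),
    Device("cam-dock", "cam-model-x", "vlan-video", "ops-cam", "long-unique-pass", "rtsps", 8554, "2.4.0"),
]
```

Running `audit_inventory(INVENTORY)` reports only the legacy camera, with one finding per violated recommendation.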
# GDPR
In the face of several cases of vulnerabilities in equipment and devices and of data leakage, including in security systems, as mentioned above, a new European law, the GDPR (General Data Protection Regulation), came into force on May 25 of this year.
GDPR regulates all companies processing personal data in the European Union, regardless of where the company is based. The videos or images generated by the security cameras are considered data, even if the equipment that stores the data is a computer, camera, DVR, NVR, panel, server or storage.
Since the data travels on the network or is stored in equipment, represented by bits and bytes, it is part of this context, as are fully analog systems, because even when disconnected from the network the data is processed in one or more devices. Details of this regulation, as well as the timeline up to the date of entry into force, can be found on the eugdpr.org website.
GDPR provides for fines for companies responsible for data exposure cases involving personal data, bank information and, consequently, images, audio or video from security systems or a unified security platform. Fines can reach up to € 20 million, equivalent to more than $ 24 million dollars or more than R$ 83 million in reais, or 4% of the company's overall turnover.
Companies that can be fined include manufacturers, integrators or the companies responsible for operating the system, for example, bringing the context to the security area.
# Conclusions
Therefore, the video surveillance sector as a whole can be directly affected by GDPR, as can access control, intrusion, people counting, facial recognition, license plate reading, software and other items that make up a security system, an automation system or a unified security platform. According to GDPR, the company responsible for the exposed data must publish the information immediately. Some manufacturers are already adjusting to comply with the GDPR guidelines and to avoid the risk of fines.
Since many standards and regulations begin in Europe or the United States, it should not take long for Brazilian companies to require products that follow GDPR guidelines, even though it is a European regulation.
By analogy with the technical specifications of cameras, fire panels and controllers, which have to meet international quality standards and therefore carry different international certifications from different countries: in some cases manufacturers develop different products, and in other situations the same product is eligible to receive diverse certifications from different countries and continents.
Bill 5.276 / 2016, drawn up on the basis of the European GDPR regulation and regulating the protection of personal data in Brazil, is before the Chamber of Deputies.
In view of the above, some questions should be considered:
- How much does it cost a school or university when a video of some internal episode leaks to social media?
- How much does it cost when a video of a classified event in an industry leaks?
- How much does it cost when a video of an incident in a public agency leaks to the media or is released to malicious people?
- What is the value of privacy?
It is well known that any manufacturer of hardware or software is subject to vulnerabilities. It is important to evaluate how each manufacturer of hardware or software acts when vulnerabilities in its products are detected and published.
When a vendor identifies and acknowledges vulnerabilities in its products, consequences are inevitable, but it is important to track what the vendor is doing to develop and publish patches or firmware updates that fix the identified vulnerabilities. Accredited professionals and partners must be informed quickly of the respective procedures to remediate the vulnerabilities in question.
These points are important to the credibility of the brand and the reliability of its products, even more so in a global context where equipment and devices tend to be connected to the internet, with the growth and spread of the Internet of Things (IoT).
It is therefore essential to select the right manufacturers and integrators for designing or delivering solutions, evaluating not only price but also other important factors such as technical qualifications, added value, quality, product reliability and brand credibility, with the aim of minimizing risks and avoiding future disruptions for all parties involved.
This article was published in Security Journal, 285, April/2018, São Paulo, Brazil. The complete digital version in Portuguese is available online. The article was featured on the cover page and the columnist's page, and starts on page 20.
This printed edition was distributed at the International Security Expo EXPOSEC, May 2018, São Paulo. The newspaper has 10,000 monthly impressions.
# Who Am I?
Thiago Vasconcelos is a Solutions Consultant with a bachelor's degree in Information Systems from Estácio de Sá University, 17 international certifications and a broad background in Information and Communication Technologies (ICT) since 2004. Since 2011, Thiago has worked with unified security platforms, with experience in Petrobras's ITIL environment, working in technical support at levels 1, 2 and 3, supervision, consulting and projects.
Thiago is also an expert in security projects and solutions. International certifications: Axis, Bosch Security Systems, Cisco, Dell, Genetec Security Center, Hikvision, ISS SecurOS, ITIL, Kiper, Legrand and Microsoft. Thiago is a Microsoft Charter Member (MCM).
Thiago has received recognition awards from Petrobras and Microsoft. More details can be found on his full LinkedIn profile.
Professional web site: www.thiagovasconcelos.net
E-mail: [email protected]