By Emanuel Stafilidis.
Security systems are designed to protect assets from threats. The first key point to successfully implementing an electronic security system is to successfully secure the system itself. If the system is easily defeated from internal and/or external threats, then it is not a successfully implemented security system.
When an organisation decides to implement an integrated security system solution, or a dedicated integration platform, such as a physical security information management (PSIM), how does the organisation’s security manager ensure the solution is protected from internal and external threats?
Modern solutions are Internet Protocol (IP) based and hosted on IP network infrastructure. Steps must be taken to design and maintain secure infrastructure to achieve a successful solution. In this scenario, who is responsible for ensuring the network infrastructure that hosts the integration platform is secure? The answer is everyone, and they must all understand their contribution to achieving an acceptable level of security.
It is important that all stakeholders have an understanding of what measures should be taken to secure the security solutions and the commitment required to maintain the ongoing security of the system. These stakeholders include solution owners, security managers, users, designers, consultants and the integrators responsible for installation. It is also probable that there will be heavy involvement from the end users’ IT department, as their infrastructure is likely to be utilised for delivery of parts of the security solution.
It is therefore important that security managers have an understanding of what questions to ask of their team to ensure that the system is properly secured. These questions are likely to generate the discussion required to inform decisions and also provide guidance for those who will ultimately be responsible for securing the system. The answers to these questions will act as input to assessing the operational needs to ensure the system remains secure against attack.
In order to formulate these questions, a security manager needs to identify the priority and criticality of the data, systems and infrastructure that are to be protected and should also obtain a basic understanding of the fundamentals in achieving a secure solution.
The design should ensure physical separation between in-band and out-of-band networks, and ensure there is no default routing between them and that it is appropriately locked down to control configuration changes.
A password management policy is needed that requires setup and communication with users to ensure all aspects of the system are managed appropriately through the policy, with minimal or no duplication of data entry. All default passwords are to be identified and changed.
There are a number of items that typically need security attention, including:
- Windows server and workstations, including guest access
- Windows shares
- basic input/output system (BIOS)
- server/workstation out-of-band management
- database servers (Structured Query Language [SQL], Oracle and so on)
- backup software
- camera web pages
- switch web /Telnet/file transfer protocol passwords
- input/output (I/O) and USB/serial device servers
- hardware time servers
The structure of the network requires careful planning, including the use of virtual local area networks (VLANs), firewalls and fault tolerance handling. Stringent intrusion detection and reporting is an essential tool in defeating intrusions alongside forensic investigation of the target and scope of attacks.
Equipment lockdown is an important aspect of controlling general user access to functions and software that can lead to unauthorised system changes or interactions. Lockdown should include managing the connection of new equipment or devices, such as USB devices to the computing hardware. Virus and Trojan management are critical factors in the system’s defence to minimise the risk posed by malicious software.
It is commonplace that software manufacturers frequently release upgrades and patches for differing reasons, including addressing latent defects or identified security risks. Procedures for the management of these patches are needed to ensure the integrity of the security systems. It is important that these procedures include the practice of monitoring available updates and assessing the criticality of system updates in order to manage the ongoing support of the system.
As a general rule, default operating system settings often present a soft security posture. Dedicated analysis of these configuration settings should be conducted with the focus of hardened security to assist with solution protection.
Irrespective of the measures taken to secure the system, network and infrastructure, it is vital to ensure a suitable system backup strategy is in place and that a proven disaster recovery plan is established. Monitored archiving of progressive backups should be performed regularly.
The physical security design must extend to control access to all the physical hardware, including servers, switches and other infrastructure devices. The threat of the insertion of unauthorised devices and loggers should not be underestimated. Example mitigation strategies for this category of this risk include:
- disabling network ports not in use to avoid the addition of devices
- tamper detection on critical networks and hardware access points
- certificate-based authentication
- detection of link up/link down activity on the network to alert operators of new devices added to the network
- appropriate handling procedures for the events to allow execution of an appropriate response
All workstations should be thoroughly scanned and cleaned prior to adding them to the network. Further, the workstations should be configured as desired and have adequate control over what software can be installed. Configuration and version controls should be managed through the life of the machine.
Users need to be educated and regularly reminded about the risks and methods of phishing, social engineering and human-in-the-loop failures. There is a need to follow security protocols and procedures at all times, with no exceptions. All system users need to be informed, including supervisors and managers, so that they understand the potential consequences of overriding security procedures and are able to correctly evaluate the risks involved.
The ISO/IEC 27002 standard can be referenced for new systems and this standard can be used to develop a point of audit for ongoing management.
In summary, the security manager should ask the following questions of their team to ensure that the system is properly secured:
- What is the priority and criticality of the data, systems and infrastructure the system is protecting?
- How are different priority data categories handled?
- What threats is the system endeavouring to combat?
- What level of risk is acceptable?
- What assumptions have been made in the hardening of infrastructure security?
- How frequently will the security and threat assessment be revisited?
- What training needs to be provided to system users?
- What ongoing activities need to occur as preventative security maintenance of the system?
- How will security breaches be detected?
- What steps need to be taken in the event of a breach?
- What level of disaster recovery is supported?
Emanuel Stafilidis has worked in the electronic security industry since 1988 as a security systems integrator and a security consultant. Emanuel is an independent security advisor and can be contact at firstname.lastname@example.org