“Cybersecurity is not a one-time con- sideration; it is an ongoing process, one that requires constant action to maintain network protection.”
bersecurity began with choosing products that can deliver a high level of protection for customers’ networks.
A primary factor when evaluating products is to identify a manufacturer that adheres to cybersecurity best practices such as strong encryption and a variety of additional security features that deliver the highest level of protection for devices.
Once the proper products have been selected, it is important to follow manufacturers’ recommendations for how they should be deployed. Many providers offer a hardening guide that details how best to secure their devices. This can be an invaluable tool for integrators and end users, but it cannot replace the need for an organization to have a security policy in place.
Then the integrator can use the hardening guide to determine which specific features can be implemented to fit into that policy. A list might include encryption, IP address filtering to restrict who and what can access a device, digitally signed firmware or secure booting, which will halt the boot process if foreign code is introduced to the device.
For example, if an IT department does not allow FTP or discovery services on its network, those capabilities need to be disabled.
In addition to services that are not permitted under IT policy, disabling any services that are not being used or that are not re- quired will reduce the footprint through which someone could compromise a device and, by extension, the overall network.
Therefore, when installing and deploying a device, it is not practical to simply turn on all the security features, drop it onto an enterprise network and hope it works. IoT relies on intercon- nectivity and communication between devices, so there needs to be coordination between solutions, and all communication be- tween devices and systems has to be encrypted.
Not all encryption is the same, meaning that whatever encryp- tion is running on the edge device must also be running on the server it’s connecting to. Otherwise, they simply cannot commu- nicate, which completely undermines the main benefit of the IoT.
Each end user will require some degree of customization in the configuration of devices, so integrators must ensure they and their staff have the right skills and that they are properly com- municating with the end user to make sure their security needs are addressed.
And finally, the level of customization required, as well as the end user’s cybersecurity needs, must be dictated by the organiza- tion’s established policies.
Updating and Patching
Similar to password management, another simple but often over- looked step in cybersecurity is keeping device firmware and soft- ware up to date.
In today’s ecosystem of connected and interdependent devices and solutions, proactive maintenance leads to a more stable and secure system.
In addition, responsible manufacturers constantly release firmware updates and security patches that address vulnerabili- ties in a consistent manner, while also fixing any bugs and other factors that affect performance over time.
Like any other software-based technology, security devices must be patched to prevent those with less-than-admirable in- tentions from exploiting known vulnerabilities. In addition, the VMS, which controls the overall system also must be regularly updated and patched along with the operating system on which it runs.
However, device patching and updating cannot simply be applied to one part of the overall system. To be effective, these processes need to be applied to all devices across the network, in- cluding IP cameras, switches, servers, video management systems and more.
Every one of these devices must be regularly updated, but it is not always necessary to do this immediately when a manufacturer issues a new update.
The reason is that a particular update, while important, may not yet be aligned between the camera, VMS and other manufac- turers. Instead, it is better to create a schedule that end users can adhere to, perhaps monthly, quarterly or twice a year depending on the size of the system, and the available time and resources.
While it is essential to update software when new firmware is available, the unfortunate reality is that many organizations fail to do so, mainly because of the time and effort involved in updat- ing each and every device on the network.
Integrators can offer scheduled updating and patching as part of an ongoing maintenance contract to generate additional RMR and ensure that customers’ updates actually do get applied on a regular basis.
Lifecycle Management
The first step in securing an enterprise network is to have a solid understanding and comprehensive inventory of the devices that are deployed on that network. This must include documentation about every device as any overlooked device can provide an entry point for attackers.
In particular, older technologies and devices present tremen- dous risk to an organization in many ways, including on the cy- bersecurity front.
Updates and patches are the best way to ensure cybersecurity, but many older technologies have little to no update capabilities and may not even be supported by the manufacturer anymore. Unpatched technology can leave your network vulnerable to a cyberattack.
While it probably is not the first thing that comes to mind in terms of cybersecurity, lifecycle management is a crucial compo- nent of ensuring networks and the critical data they contain are protected from threats and vulnerabilities.
In the IoT world, all devices and systems are part of an over- all ecosystem, so securing the network and everything that con- nects to it is another step toward maximizing cybersecurity. This includes software and firmware updates, adhering to manufac- turers’ best practices and following IT policies, but it also means regularly switching out devices and software.
If a device or software is no longer supported by a manufac- turer, its software can no longer be updated or patched to protect
14
JANUARY/FEBRUARY 2020 | SECURITY TODAY
INTERNET OF THINGS