Now that electronic security systems are IT systems and require computer and network security, it is important to have a grasp of the concepts involved and the roles that the various security devices play. Some security practitioners hold the idea that as long as the security systems are on an independent network (i.e. not connected to the corporate network), concerns about computer and network security do not apply.
Such thinking misses a key point of the situation: today’s networked security systems are vulnerable in ways that previous technologies were not. Those vulnerabilities do not go away simply by installing the security systems as a standalone network. That eliminates some of the threats (such as Internet-based hackers) but it does not fix the vulnerabilities of the systems. That is a distinction that we as security professionals have long been familiar with.
Why Bother?
Just as closing down a business as a means of eliminating all threats and vulnerabilities is a wrong-headed security strategy, closing off security networks from the communications lifeline of the business (its networks) is similarly incorrect thinking from a security perspective. The aspects of networked security systems that make them vulnerable (such as common network communications protocols) are also the aspects that make them more affordable and enable a more widespread deployment of security technology than would otherwise be possible. They allow us to significantly extend security to protect business assets and operations, at the same time making security operations easier. Those are very desirable benefits.
As security professionals, the risk-benefit tradeoff is central to our thinking. Our job is to help the business affordably reduce certain operational risks while still keeping the desired business benefits. We simply need to apply some of our traditional security thinking to our deployment of security technology. What do we tell our organizations and our management about security? We correctly assert that a better understanding of the risk picture will enable better security-related business decisions. It is time that we started taking our own advice.
Our Problem
When it comes to deploying physical security systems, we security practitioners have been like the proverbial plumber who has a leaky faucet at home. We have security gaps in our own security systems! Surely we should take a little time to fix them, right?
The problem is, unlike the plumber’s situation, the technology of our security systems is now foreign to us. We cannot wrap our wits around the issues because when we start looking at the computer and network aspects of our systems, we are bombarded by technological complexities and strange terminology. Additionally, from our own personal perspective as computer users, there are frustrations with using the technologies that have already put us at a distance. (Where did that darn e-mail go? I know that file is here somewhere. Wait a minute, I have to reboot…)
Industry guru Steve Hunt is fond of highlighting one of our basic complaints as security practitioners: that management wrongly considers security as “an annoying layer of cost and inconvenience.” We are frustrated if management will not make any effort to understand and think about the basics of security. But now the shoe is on the other foot, as we have been ignoring computer and network security for our systems and refusing to address their vulnerabilities for almost a decade.
We correctly assert that management needs to pay attention to security because ultimately, management is responsible for the welfare of the business. In the same vein, we ourselves need to pay attention to computer and network security because ultimately, we are responsible for the welfare and sound operation of our systems. Our security operations depend on them. There is also another consideration, which is the career benefit (our value to our organization) of having a basic understanding of IT security.
Our Solution
We need to obtain for ourselves what we provide for the decision-makers of our business: a basic understanding of the issues involved, and enough information to enable us to perform sound planning and budgeting. This is a road that our IT counterparts have been walking for more than a decade. They can help us out.
It would be wise on our part to enable productive discussions by taking a little time to understand some of the basics of computer and network security. We need to be able to stay awake during those discussions without having to prop our eyelids open or drink five gallons of coffee.
The purpose of this article, and those that will follow on this subject, is to provide us with a comfortable familiarity with key aspects of computer and network security. Sound good? Let’s get started.
Network Communications
A network is a group of two or more computers linked together so that information and requests can be passed between the computers. Information can be text, programs, audio, video, spreadsheets, databases, files, etc. Requests can be you (the computer user) asking for information, calling up a Web page, sending an e-mail, etc. Requests can also be the computers coordinating between themselves, like this:
“What is your status?”
“Fully operational!”
“Do you have this file?”
“Yes!”
“Can you send it to me?”
“Yes!”
“How long is it?”
“20,000 bytes!”
“Are you ready?”
“Yes!”
“Did you get it?”
“Yes, got 20,000 bytes!”
“Great!”
Computers are very efficient and fast, and do a lot of coordinating as we operate them, but as they have lots of bandwidth and speed, we hardly notice most of the time.
Computers send information and requests over a network in packets. There is a limit on how much information the computers can put in each type of packet, just like we have varying sizes of FedEx envelopes and boxes. Only so much information can fit in each.
Because there is a limit, the computer may have to break up large quantities of information and send them in several packets. Each of these packets is marked as “1 of X packets” — just like in our shipping procedures we would mark a set of packages that go together. This enables the destination computer to know if all the packets were received, and it also enables the computer to reassemble the total information in the correct order.
Some of the communication procedures that computers follow enable the transmission of information to be well-controlled, and other procedures enable the communication to take place over the Internet. Thus, those procedures are called Transmission Control Protocol and Internet Protocol, or TCP/IP for short, and simply IP for even shorter. An IP-enabled security system is one whose communications can be handled by standard networks, because the computers and security devices follow the right communications procedures.
Standards-Based Networks Are Affordable
This is where economics enters the picture. Our computers and security devices do not have to manage how they communicate with one another over distances large and small. They let the network perform that job, and the job is performed well because the network consists of devices that are dedicated to nothing but handling the communications in a fast and robust manner. Using common technology for communications lowers the cost of our security systems. This approach is what enables our businesses to have a proliferation of different information systems working together affordably to support the business. It is a good strategy, and now our security systems can take advantage of it, too.
Everything is a Computer
Here is a little secret that IT knows. It is not really a secret, but it is so basic to everything “IT” that they simply do not think to tell us about it. So as far as we are concerned, it has been a secret. When it comes to the network, everything is a computer. Every device that is part of a network is a computer of one kind or another. These devices may be called a something else (i.e. router, switch, server, host, firewall, etc.), but they are still just computers. They are built with computer chips.
Some of the chips have computer instructions on them and are called firmware chips. This is to distinguish them from software instructions — which are called “soft” because they are easily erasable and changeable while on a tape or a disk drive.
Once put in a chip, the instructions cannot be changed or can only be changed in limited ways, which makes them more “firm” than software.
Firmware chips hold the instructions of what to do. Other chips are memory chips that store the information being handled. A few of the chips are processing chips (like the familiar Pentium chip, which is a CPU or central processing unit chip). The processing chips perform the work according to the instructions in the firmware.
Other chips handle the input and output of information, called I/O chips. Put them all together and you have a computer — a device that can send and receive information, and can process and store that information according to the instructions on its chips.
That is what all the network devices do. Each type of device has a dedicated function with regard to handling the information on the network. We do not call the network devices “computers” even though they are, just like we do not refer to the individuals who run a train system as “people” — we call them conductors, brakemen, switchmen and engineers. Similarly, we call the network devices by specific names based on the roles that they perform.
This is the first of a series of articles designed to de-mystify network and IT security for physical security directors. The next article in the series will take a closer look at network devices and their roles, including security roles.
Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS) (www.go-rbcs.com).
Jim Litchko, CAS, is a senior information systems security author and strategic advisor. He has more than 25 years experience assessing and developing information technology (IT) security solutions. He has held senior executive positions and advised executives at several of the largest commercial IT security companies. During his 20-year Navy career as a surface warfare and cryptographic officer, he lead efforts supporting military actions in the Atlantic, Pacific, European, Mediterranean, African, and Middle East Theaters of Operations. Since 1988, he has been an instructor for computer and network security at Johns Hopkins University, the MIS Training Institute, and the National Cryptologic School. Mr. Litchko has authored or co-authored the following books: “KNOW Your Life,” “KNOW IT Security,” “KNOW Cyber Risk,” and “Cyber Threat Levels Response Handbook.”
