Additionally, the computer and network security of the security systems and devices must meet or exceed the minimum standards of the network. This prevents situations that have plagued some enterprise IT departments. For example, DVRs that buyers thought were "recording devices" turned out to be Windows-based computers with no anti-virus software and unpatched older versions of the operating system - making excellent sites for virus infections that then spread from the DVRs throughout the enterprise network, disabling the video systems in the process. Download a study from Cisco about its reaction to such an experience with DVRs: http://www.bpforip.com/downloads/Cisco_IT_Case_Study_CCTV.pdf.
Finally, security systems and devices should support network management by incorporating appropriate network management features, such as syslog and Simple Network Management Protocol (SNMP), to name just two.
Assessing Systems and Devices
IT evaluators are personnel assigned the responsibility of evaluating systems and devices for approval to be placed on the enterprise network. Since most currently available security systems and devices were not specifically designed to be installed and operated in a managed network environment, many products would fail such an evaluation unless an appropriate set of deployment recommendations were also developed and provided.
Following ISC West 2010, the authors assessed a number of access control and video surveillance products (some equipment provided directly by vendors, and some currently deployed in field installations). The purpose was to establish what would be needed - be it product configuration tuning, compensating controls or workaround procedures - to enable the products to be soundly deployed in an enterprise network environment. The assessment criteria were selected to cover a reasonable but broad sample of enterprise-class networking features and practices that can be judiciously utilized (or their absence worked around) for physical security solutions. General recommendations were developed that can be fine-tuned based on the specifics of any particular technology being considered for deployment.
The basic assessment criteria the authors applied are listed below. Note that some of the assessment criteria require thinking about the use to which the security system or device will be put, as well as consideration of the network environment in which the products will be deployed.
- Authentication. What does it take to connect to the device? Can you set the password? Can you use a secure password (such as a password longer than 8 characters, and with non-alphabetical characters in it)? Can you use two-factor authentication, Windows authentication, network authentication or other mechanisms?
- Telemetry. (Telemetry as used here means the reporting of status information and critical events over the network.) Does it generate logs visible to external log-collection mechanisms? Can you save the logs? Does it generate events? Can you integrate it with some general-use infrastructure such as syslog or SNMP?
- Network Use. What kind of network usage does it create? Is it a heavy load because it's a high resolution camera at a high frame rate? Is it priority traffic because it is an alarm or a PTZ control command? Should Quality of Service (QoS) be used to guarantee priority? What ports and protocols does it use? What firewall rules or intrusion detection system (IDS) profiles should be applied to support this traffic?
- Network Policy. What kind of data is this and what is its criticality? Is it casual "in-store customer traffic past the cookie display," or is it the door to a corporate data center room that should never be accessed at this time of day? Is it confidential information on who is in the doctor's office? Should the day shift manager really be allowed to access that data from a home laptop on the weekend? What organizational network policies cover this type of data?
- Business Continuity. What's the backup scheme? Is there/should there be redundant power or network access? Is there a disaster recovery (DR) plan to recover the infrastructure from configuration backups? Are there redundant systems that should be tested periodically? Are there single points of failure?
- Data at Rest. What kinds of video data are being stored? What data is stored in the employee access card database? Is there PII (Personally Identifiable Information)? Is there historical security-event or other information that might someday be used in an HR action and therefore has to be defensible in a formal corporate review or in a court?
- Infrastructure Defense. Would the system or device be an attractive target for hackers? Are encrypted connections in use? Should VPNs and/or virtual LANs be used? Are firewall rules needed? What infrastructure services are required to securely support this mission-critical system or component?
- Network Testing. How does the device respond to network scans and penetration testing?
- Updates. What is the vendor's update policy? How are bug fixes provided? Does updating require physically touching the device, or can it be handled completely via the network?
- Hardening. What known computer or network vulnerabilities does the system or device have? What disclosure information has the vendor provided? (See the June/July Convergence Q&A Column titled, "Responsible Disclosure and Physical Security Risk" for details on vulnerability information disclosure.) Does the vendor provide hardening instructions? If not, what controls and measures should be applied?
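For the Telemetry criterion above, an evaluator can capture a device's syslog output and check whether a central collector could actually use it. The following is an added example, not part of the original article or any vendor's tooling; it assumes the device emits RFC 3164 (BSD) syslog, and the host names, tags and messages in the sample are constructed.

```python
import re

# RFC 3164 (BSD syslog) line: "<PRI>Mmm dd hh:mm:ss host tag: message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_syslog(line):
    """Return a dict for a well-formed RFC 3164 line, or None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # highest valid PRI is facility 23 * 8 + severity 7
        return None
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }

def assess_telemetry(lines):
    """Summarise how usable a device's syslog output is for a collector."""
    good = [p for p in (parse_syslog(l) for l in lines) if p]
    return {
        "total": len(lines),
        "malformed": len(lines) - len(good),
        # severity "err" or worse: events an operator should be alerted on
        "urgent": [p for p in good if SEVERITIES.index(p["severity"]) <= 3],
        # crude keyword match; real devices word their auth events differently
        "auth_events": [p for p in good if "login" in p["msg"].lower()],
    }

# Constructed sample lines; host names, tags and messages are invented.
SAMPLE = [
    "<38>Apr  2 03:14:07 dvr-lobby-01 webui: login failed for user admin from 10.20.30.44",
    "<27>Apr  2 03:15:10 dvr-lobby-01 recorder[412]: disk 2 write error, recording stopped",
    "<134>Apr  2 03:16:00 acs-panel-07 door: access granted reader=3",
    "Apr  2 03:16:05 cam-dock-12 video stream restarted",  # no PRI: severity unknown
]

if __name__ == "__main__":
    report = assess_telemetry(SAMPLE)
    print(report["total"], "lines,", report["malformed"], "malformed")
    for ev in report["urgent"]:
        print("URGENT", ev["host"], ev["tag"], ev["msg"])
```

A device whose output lands mostly in the malformed count, or that never reports authentication events, needs a compensating control before it can meet the Telemetry criterion.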
Summary of Assessment Findings and Recommendations