That physical security has long passed the point of no return on its transition to being IP network-based is generally accepted in the industry. One can argue that a critical mass of designers, engineers and technicians (if not the salespeople) in the industry has been reached, to the point where most IP-based security systems generally work - streaming, displaying and recording video, locking and unlocking doors, providing audio over intercom, etc.
Granted, the industry has a long way to go in creating a set of generally recognized certification credentials which bridge IT and physical security. So, now that the industry has more or less stumbled its way through this first "phase" of the technology shift, we must turn our attention to the next challenge - security of these physical security networks.
IP device manufacturers worth their salt will tell you about the (network) security features built into their products. If they can't, think twice about using them. Over the last year, I have looked at the security features of a number of CCTV manufacturers and have been pleasantly surprised. These features include password protection, IP address filtering, secure shell (SSH) in lieu of Telnet, secure access via SSL/TLS, 802.1x authentication and encryption options. Axis cameras, for example, allow initial password configuration over a secure connection. How often are these features taken advantage of? Probably not often enough. For example, are your default passwords changed as a matter of policy? Google "Hack CCTV" and see what you find!
Obviously, securing components of the system from unauthorized access is a critical area for the physical security professional to address. Network infrastructure components - cabling, patch panels and equipment racks, switches, routers, servers, storage devices and the rooms that house them - should clearly be secured. Controlling outside access should come naturally to security professionals, but the process assumes another dimension when you realize that access to a network port or to a PC creates a potential opportunity to intrude on the security network. With this, the urgency of properly training those people who are in a position to allow physical access - receptionists, security guards, physical plant personnel, etc. - is heightened. The physical security manager should clearly take a lead role in providing protection against threats of a physical and social nature.
Unsecured switch ports are like unlocked doors. Access to ports can occur in unintended ways, such as by guests in a conference room or a reception area. Port security starts with disabling unsecured ports, ideally putting them in an unused VLAN. Operational ports need the right security controls - including 802.1x authentication - before network access is granted.
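The port checks described above can be run against a saved switch configuration. The following is an added example, not part of the original article: it assumes Cisco IOS-style syntax, a parking VLAN of 999 for unused ports, and a constructed sample configuration.

```python
import re

PARKING_VLAN = 999  # assumption: VLAN reserved for unused ports
# Constructed sample configuration (IOS-style syntax is an assumption)
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport access vlan 20
 authentication port-control auto
!
interface GigabitEthernet0/2
 switchport access vlan 20
!
interface GigabitEthernet0/3
 switchport access vlan 20
 shutdown
!
interface GigabitEthernet0/4
 switchport access vlan 999
 shutdown
"""

def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]}."""
    ports, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return ports

def audit(config, parking_vlan=PARKING_VLAN):
    """Flag disabled ports left in a live VLAN and active ports without 802.1X."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines:
            continue  # uplinks are out of scope for this check
        vlan = next((int(l.split()[-1]) for l in lines
                     if l.startswith("switchport access vlan")), 1)  # IOS default VLAN
        if "shutdown" in lines:
            if vlan != parking_vlan:
                findings[name] = "disabled but still in VLAN %d" % vlan
        elif not any(l.endswith("port-control auto") for l in lines):
            findings[name] = "active without 802.1X"
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns a dictionary keyed by interface name, so the result can feed a periodic report or a change-control gate.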
Wireless technology creates additional portals into the network, and security concerns take on a new dimension. Making the networks harder to recognize (disabling SSID broadcast, for example) and securing communications (WPA2) are baseline procedures. Also, the organization must be on guard against the installation of unauthorized wireless access points. Check networks on a regular basis for wireless vulnerabilities, including mobile devices. Companies increasingly need to be concerned about the interaction of users' mobile devices with their networks. A recent study by Frost & Sullivan cited encryption, network access control, mobile virtual private networks (VPNs), mobile device management and remote lock-and-wipe functionality as the most popular tools IT professionals were employing for mobile devices.
Even when the network infrastructure has been secured, PCs, servers and their applications remain vulnerable to the expanding array of threats. Besides the usual list of suspects - worms, viruses, etc. - serious threats exist from malware injected from even legitimate sites or installed via malicious JavaScript, Website redirection and phony e-mail links. Anti-virus is not enough - multiple layers of defense are needed, including end-user education about what is acceptable and limits on who has access to the security network.