Maintaining Strength

A strong physical security system is technology based and covers the gaps

Security professionals are faced with several challenges in today’s highly technical environment on campuses. Issues such as system architecture fragmentation, cybersecurity and regulatory compliance are not only critical risks, but also open significant gaps in the overall security mission to safeguard life safety, privacy, intellectual property and business continuity.

Through strategic system planning and proactive maintenance methodologies, security professionals can close the gap on negligent vulnerabilities and move their programs forward from a reactive mode to serving the businesses effectively.

A PATCHWORK CONFIGURATION

“Design fatigue” sets in on many campuses over the years by way of acquisition and rapid technological advancement. Eventually, many security teams are faced with numerous brands, all varying in functionality and updated features. A patchwork quilt configuration begins to form consisting of older, outdated systems that are mission-critical and often too expensive or complex to outright replace without a major capital project.

However, the extreme risk within these fragments are failure to alert on specific events, porous data security and unmanaged surreptitious access to video, records and location access. Often, the procurement and deployment processes miss the big picture five-year plan; solving smaller issues piece by piece. More clearly, physical security and IT should co-plan master platform investing and data ownership to ensure uptime, security and efficient spending.

Cybersecurity has been an issue on many campuses for decades. However, today’s Internet of Things (IoT) revolution allows a smartphone to connect to almost anything with an IP address including: other smart devices, security cameras, databases, lab equipment, vehicles, door controllers, etc.

A two-fold approach to shoring up this security gap is: first, to ensure all selected manufacturers abide by current IT best practices for patching and logical permission management, and the second is to ensure that selected products connect to the approved IT governance platforms.

Often, IT manages anything on the network that can be identified. However, many physical security devices have been deployed on the campus network being neither identified nor maintained, resulting in outdated devices susceptible to malware or unauthorized access. Devices compatible with IT SIEM, Directory Services or other management tools bring visibility and management to the system and can mitigate cyber-attack considerably.

Current system monitoring can have a significant gap where many IT systems watch the status of the IP address of a camera, for example; but are not configured to ensure the manufacturer firmware is up-to-date and that the hard drive is properly capturing usable video in the case of a forensic investigation. Platforms dubbed “service assurance” have emerged that have developed their feature set to explicitly monitor all network elements involved in reproducing the archived video.

A typical recording path for security video may include camera, network switch, server, operating system and hard drive (cloud or clustered storage). Again, the gap is that many IT systems are set to monitor the uptime of an IP address on the network, but cannot warn the security department that recording latency may crash the NVRs, resulting in a life safety gap in lost video. Service Assurance products are poignantly developed to greatly strengthen resource usability.

SYSTEM FAILURE

What can happen in the case of these systems both life safety and business continuity. Incidents can occur with no useable video or proper alerting to notify security until after the event has transpired. Physical and logical security response teams are robbed of their opportunity to intervene on behalf of the corporate charter to ensure safety and operations.

One evening in September 2017, a man was assaulted in downtown Petaluma, Calif., in a pedestrian walkway and later died of his wounds. There were surveillance cameras where the attack occurred, however, the cameras were not working.1 Many campuses have had security incidents transpire in areas technically covered by video cameras that were assumed to be recording. Through construction damage, uncoordinated network changes, unmaintained equipment or blatantly malicious alteration, video footage can be missing when called on—causing not only unnecessary delays in investigations, but embarrassment for security departments spending considerable amounts on equipment budgets.

On a purely logical surface, private data is at risk through unmanaged peripherals on any network. Current internet hacking threats to IoT devices often begin by simply trying the default name and password on devices such as cameras and recorders.2 Other exploits are based on operating systems and known exploits are posted clearly on the internet for malicious actors to leverage.3 Numerous physical security devices have been deployed on campus networks over previous decades; many of which never made it onto the IT watch lists and maintenance plans.

Customers today are aggressively scanning their networks for rogue devices to ensure legitimate items are properly updated and maintained while unneeded devices are removed. These processes are time intensive, especially when thousands of devices require constant monitoring and prompt security fix updates. Automated update and monitoring dashboard tools are essential. These tools with fully developed filters for specific security products are uniquely powerful.

STRATEGIC PLANNING

Short-term planning for campuses should entail identifying what is on the network. Security partners should be on hand to ferret out all devices and provide an inventory report with IP addresses to IT and security leadership. Once items have been identified, they should be categorized for action plans: old systems should be updated or hardened to meet standards and newer technologies should be registered in Active Directory, LDAP, SIEMs and other primary IT governance platforms. The ongoing maintenance plan should be scripted for the different device categories and implemented. These plans and documentation will help IT survive their next audit and make physical security a true team player.

Long-term strategies should take advantage of the recent trend in hybrid physical & logical security product platforms. Physical Identity and Access Management (PIAM) engines as well as Service Assurance products help tighten software and firmware updates and logical access control to security devices, allowing a single dashboard to report on and alert key stakeholders within the campus.

When selecting newer converged governance platforms, a few overriding considerations should help narrow down the many options available.

API. The product’s Application Product Interface (API) should be current and best in class. The overall library of connecting products should already be a strong mix of existing integrations to avoid experimental products (mature product with committed developer updates).

Data Security. Data management is crucial in today’s Business Intelligence (BI) environment. With possibly terabytes of information available from various systems around the campus, it is possible to artfully piece together significant discoveries about how the business operates and how to improve not only security, but the overall customer experience.

Reporting. Articulate reporting is a make or break facet of system planning. Filtering out and ensuring the right message gets to the expert at the right time is the goal. Most systems, unfortunately, are deployed with a data glacier—a massive wall of raw information that is unusable to most colleagues. This often-overlooked aspect of security architecture frequently fails to engage stakeholder interest from the various departments who would otherwise become champions for the program. Safety data, certification and compliance dashboards, as well as facility utilization reports are of immediate value to other departments across the campus.

Policies. IT internal controls define how the overall business should run to ensure who can go where and when on the network. Security systems should natively bridge with IT platforms to allow these network control policies to naturally inherit within the physical security systems. Many systems today are an honor system spread sheet process rife with errancy and costly delays in shutting down security privileges. These should be automated and transparently documented to the central reporting dashboards.

IoT. Broad patching functionality is required for today’s IoT management strategy. Where IT typically has a comfort level in patching all Windows computers on the campus, most IoT devices do not have a Windows operating system and may require a unique tool to ensure firmware is updated to address new vulnerabilities. Service Assurance platforms do just this; they connect hundreds or thousands of devices and monitor firmware and password settings to ensure alerts arise when a newer version is available or changes are recommended. This is as well automated in a best-case scenario.

Command Center. Command Center design is an art form. Just as popular cable television providers organize content intuitively for consumers, the aggregated information head end should be easily understood as well, and draw the stakeholders in for deeper discoveries and readily processed actionable updates. Raw data is present in most systems. Data science makes it possible to process these massive stores of information. A truly powerful security partner will help the campus departments discover how to leverage these platforms and insights.

Such strategic conversations are critical when validating budgets and operational policies to ensure our campuses remain the preferred centers of learning and healing. The intangible result of the right security program and systems are the genuine fruit of the overall strategy: a trusted environment for opportunity, prolific collaboration and business efficacy. Security plays a significant role in strengthening today’s businesses, now more than ever.

This article originally appeared in the April 2018 issue of CSLS.

Digital Edition

  • Campus Security & Life Safety Magazine - April 2018

    April 2018

    Featuring:

    • Creating A Camera Use Policy
    • Getting The High Marks
    • Campus Survival
    • Spanning The District
    • Vehicle Alert

    View This Issue