IT, Physical Security and IoT - Layers of Convergence

Transcription

1 IT, Physical Security and IoT - Layers of Convergence Vince Ricco Business Development Manager, Technology Partners Axis Communications, Inc.

2

3 Tools help our partners sell the right product to the right customer

4 Axis Communications Academy > 10 years of empowering knowledge > Broad training portfolio to boost competence and confidence about Axis products and technology > 50,000 trained partners today > From 696 people in 2005, to 10,000 people in classroom training 10 years later > 4200 people have participated in Axis global certification program

5 Benefits of Axis network video Open platforms with easy integration Exceptional image quality (HDTV) Extreme light sensitivity Robustness and high quality standards Optimized ASIC platform development

6 The market s broadest portfolio Fixed dome cameras Fixed cameras PTZ cameras Onboard cameras Thermal cameras Accessories Software & recording Encoders/ decoders Physical access control

7 Axis Zipstream technology > Reduce storage and bandwidth by an average 50% or more Optimized for video surveillance Fully compatible with H.264 Keep the essence 50%

8 Huge savings in average file size (still images) Zipstream disabled: 2881 kbit/s Zipstream enabled: 1433 kbit/s

9 Axis Lightfinder technology Without Axis Lightfinder With Axis Lightfinder

10 Thermal network cameras 24/7 detection in tough conditions Thermal camera OFF > Bright lights > Deep shadows > Rain, snow and fog > Smoke Thermal camera ON

11 Exceptional solutions for different needs Proven solutions in the areas of > Banking and finance > Healthcare > Safe Cities > Industrial > Critical infrastructure > Retail > Government > Transportation > Education

12 Consolidation Gravity 80 s 90 s 2K s 1H-10 s 2H-10 s IP Access Control Dedicated Networks CCTV IP Video Converged Networks SIP Support Encoder IoT PC s LANs WANs Compliance VoIP Cloud Data Centers IoT Virtualization Directory Services Compliance Cyber Cyber Cyber Tighter Public Sector Regulation for Cyber Security

13

14 High-profile breaches continue to make headlines

15 Cybersecurity and Axis ( ) Physical Security > ASIS > ISC West / East > SIA IT Event Participation > Interop Las Vegas > IT Roadmap > RSA > Partner Events (HP Discover, EMC World, Aruba Airheads, Avaya Technology Forum) IoT Evolution > Cyber Security Panels

16 IT and Cybersecurity Hot Topics Regulated Agencies and Industries > Securing the Edge > Rigid Existing Methodology - Device and User Authentication Data Centers > Integrated Technologies (Sensor Integration) > Not creating new points of vulnerabilities PCI Compliance and Liabilities > Physical Security Components as a Pillar > Physical Security and a Compliance Audit Points > Not creating new points of liabilities

17 IoT and Cybersecurity Wild West of Cybersecurity Methodology > Crypto Key Encryption > Root of Trust (Processor, SIM Based, Onboard Application Based) > Traditional IT (PKI, Certificate Authority, HTTPS, Etc.) Edge Device (WiFi, Cellular, BYOD) to Local or Internet based server > Home Market Boom (NEST, etc.) > Smart Parking > Traffic Monitoring and Control Cost Sensitivity

18 IoT Situation Awareness DHS S+T defines the situational awareness of IoT industrial Applications and Devices as requiring three capabilities: DETECT, the ability to know what IoT devices and components are connected to a given network or system AUTHENTICATE, the ability to verify the provenance of IoT components and prevent and detect spoofing UPDATE, IoT security programs must include the ability to securely maintain and upgrade these components Image Credit: Steve Surfaro, Axis Communications Security Applied Sciences Council, ASIS International Video Quality in Public Safety Group, DHS S+T

19 Securing IT systems and their assets Protection against criminal and unauthorized use of electronic data Mitigating risks by reducing attack surface area Detecting and stopping attacks

20 The risk Observing operational patterns Stolen credit card info (either data or viewed via video) Social security numbers Intellectual property compromised Stolen intellectual property Denial of Service Attack Personal info stolen Website hacks

21 Realities Video is data and operational intelligence All video is susceptible to risk > Outside breaches, although rare, the potential exists > Internal breaches, more common, the potential exists IT policies exist but don t always get applied to surveillance networks

22 Cybersecurity vulnerability areas More than 90% of successful breaches are due to people mistakes, poor configuration & poor maintenance.

23

24 Why is Axis concerned about cybersecurity? Technologies operate on IT networks End users are concerned with how to protect their system and data IT has specific policies to protect infrastructure and data Education on cybersecurity is essential to business protection

25 Less secure data network including IP surveillance IP surveillance network resides on local area network Production and IP surveillance coexist What are the most exposed devices on this network?

26 More secure data network including IP surveillance Devices must have proper credentials to access data ports Data communication over the network to the VMS is encrypted Secure communications are maintained from the edge to the core

27 BYOD connecting to the network There is no access from the outside world to the IP Surveillance Network other than VPN BYOD Androids, iphones, ipads, etc. connect to corporate , Outlook Calendar, CRM, etc. They can also be used to connect via VPN and a VMS client to the VMS server BYOD

28 Basics A strong set of passwords stops the majority of breaches There are no secure systems, only more or less easily penetrable systems The goal for defenders is to make attacks expensive and difficult, rather than impossible Majority of breaches are due to people mistakes and misconfigurations We only hear about the successful breaches, but less so of the majority of attacks that were stopped!

29 Risk Reality If a risk cannot be mitigated, it needs to be accepted or the service must be removed/disabled. This is up to the system owner to decide Mitigating all risks is impossible. > Proper planning and solution partner selection is essential > Identify the crown jewels and focus your limited resources protecting them well You will not stop the Terminator by putting locks on your door. If he wants in HE WILL GET IN.

30 Threatscape Video Systems Camera sabotage, tampering and vandalism Denial of video service Leaking video (legal implications, YouTube, etc.) Stealing and streaming stolen video to observe operational patterns for high risk asset areas Economic disruption and catastrophic loss > Disabling entire video system to disrupt operations and create havoc

31

32 Possible camera vulnerabilities Bugs and flaws in proprietary code Bugs and flaws in open source code Bugs and flaws in standard protocols Weak product casing Connectors, mountings and SD card placement Insufficient Least privilege account Services others may see as capabilities

33 Possible system vulnerabilities Poor deployment (mounting & configuration) e.g. default passwords, leaving unused services enabled Physical protection of cabling, servers and network gear Not using latest software, firmware patches Weak passwords Flaws and weakness in standard network protocols Poor maintenance Poor monitoring Lack of processes No clear roles or ownership Human error: Posting passwords that are readable in live TV interview (French TV)

34

35 Available services & features Linux/open source Internal code review/auditing QA validation including penetration tests Responsive support, upgrades, patches

36 Available services & features HTTP digest authentication HTTPS (OpenSSL) Certificate Management 802.1x SNMP (events/traps)

37 Available services & features Least privileged accounts Enable/disable services Syslog, access log, remote syslog Detectors (tampering, temperature, shock detection, reboot, malfunctions)

38 Available services & features Edge Storage SD Card encrypting (fw. 5.80) Privacy masking

39

40 AXIS System protection levels Managed Enterprise Protection Level 3 Enterprise Protection Level 2 Standard Protection Level 1 Default Protection Level 0 Enterprise/ large corporations Small corporations Small office/ home office Small office/ home office

41 Default Protection (Level 0) Cameras are shipped with default settings > Common services are enabled > Default password Default settings exposes unnecessary risks

42 Standard Protection (Level 1) Check and install the latest Firmware Set the Root Password (hard-to-guess with at least 8 characters) Configure Basic Network Settings Set Time and Date with NTP sync Disable Audio if not used Mount cameras in a recommended way

43 Enterprise Protection (Level 2) Enable Encryption for all admin > Tunnel RTSP over HTTPS if video is sensitive (initiated by VMS/clients) Create a Backup Admin Account (common admin practice) Create Video Client Account (least privileged account) Disable all unused service (reduce exposure) Set IP Address Filter (only allow VMS and Admin PC)

44 Managed Enterprise Protection (Level 3) Optional system integration depending on site: > 802.1x network protection infrastructure > SNMP monitoring cameras and VMS (Axis Video MIB) > Remote syslog

45 Axis and the cybersecurity ecosystem ADP and TPP cyber collaboration - out of the box hardening Axis professional services (cyber hardening) Recommend third-party tools and solutions Partner and customer education - documentation and academy

46 Axis Hardening Guide Configuration guide providing advice for anyone involved in deploying Axis cameras Collaboration with ID Machines Baseline configuration and a hardening strategy Vulnerability Policy follows IT best practices

47 Our Alliance Partners / Why Market leader Edge intelligence Market trust ARTPEC Expertise FED / SLED focus Ecosystem-focused Industry leader in engagement, cloud, and fabric networking (audio/ video/ data) Extensible network infrastructure with enhanced capabilities FED / SLED focus Ecosystem-focus Industry leader Extensive scale out storage capabilities FED / SLED focus *RSA (potential added cyber protection capabilities) Ecosystem-focused Industry leader Competence in ingress and egress of secure video streams Ecosystem-focused

48 Introducing the Secure Surveillance Platform End-to-end validated solution Two completely separate Secure Networks Best of breed partners > AXIS: Cameras > Avaya: Network > EMC: Storage > Genetec: VMS Delivers secure, scalable surveillance

49

50