Security Sales & Integration April 2021 - 43

with a default password. Most vendors have
removed those default passwords because end
users were not changing the default password
and their cameras were getting hacked.
Here's a little secret: Criminal hackers love default settings. They search for default passwords,
default ports and default settings. Then, they focus attacks on all those default settings because
they know that many people will not change from
the default. Eventually vendors learned to make
changes to better protect their customers, like
forcing end users to create a password when they
set up their device. While this is positive progress,
it is much better to be proactive than reactive.
We know how to secure a computer, now
we need to adopt those standards and requirements for IoT devices.

Early Stages: Where We Are Today
As recently as 2017, observing physical security
from the computing world it was readily apparent that the former had not adopted some
of the basic cybersecurity controls used by the
latter. However, there was a lot of talk about
cybersecurity in the industry because just a year
earlier, thousands of IP video cameras, NVRs
and home routers all over the world were used
as part of an Internet weapon, the Mirai botnet.
The Mirai botnet was used in a number of
Distributed Denial of Service (DDoS) attacks
that took down or slowed down large portions
of the Internet, including Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The
New York Times.
Since then, cybersecurity has become not
only a talking point in the security industry,
but also a concern. End users are rightly concerned that a vulnerable camera or NVR will be
the vector by which an attacker breaches their
network. This is a valid concern, but they need
to realize that their cameras, recorders and all of
their IoT devices are computers and technically,
they are likely all Linux web servers.
The good news is that simple network segmentation can greatly reduce the risk of an IoT
device being the entryway for an attacker to
gain access to sensitive systems and data. So,
what role do the different parties play in the
securing a device? Who's responsible for what?
First, manufacturers need to build security
into their products; that's a given. But manufacturers can only do so much when it comes to
securing a device. If the end user places a camera directly on the Internet, that device will be
securitysales.com  	

SS2104 pp42-44 Standards CyberSecurity.indd 43

attacked. If the device has a weak password or
unpatched vulnerabilities, that device will not
only be attacked, it will likely be compromised.
The bottom line is this: Everyone has responsibility when it comes to cybersecurity and the
challenge is making sure that everyone knows
what their role is in securing a device.

Baking in Cybersecurity
Vendors need to build cybersecurity into products, dealers and integrators need to install devices
in a secure manner and advise end users on how
to securely manage their devices, and end users
need to maintain the device and patch it when
needed. If everyone knows and executes their
roles, the threat of cyberattack is greatly reduced.
Vendors compete against each other in the
marketplace but the only way to defend against
a common threat, like cyber-attackers, is to
work together. The good news is that organizations like the Security Industry Association
(SIA) have created working groups such as its
Cybersecurity Advisory Board, to bring together industry experts, vendors and stakeholders,
to discuss and solve the challenges of securing
the products sold in the security industry.
Another example of vendors working together
is the 2019 efforts coming from the U.K.'s Sur-

Everyone has responsibility when it comes
to cybersecurity and the challenge is making
sure that everyone knows what their role is in
securing a device.
veillance Camera Commissioner, who coordinated video camera vendors to work together to
create the Secure by Default program for video
surveillance cameras. This groundbreaking work
established a set of basic cybersecurity standards
for vendors to support in their products. While
the first iteration of this program addressed some
of the more basic cybersecurity controls, the plan
was to add more controls over time. This allows
the vendors to bake security into their products
instead of trying to bolt them on all at once.

Some Progress in Washington
Fortunately, there are reasons to be optimistic
about progress in cybersecurity in the IoT space.
In December H.R. 1668: The IoT Cybersecurity Improvement Act of 2020 became law. This
APRIL 2021 Security Sales & Integration	

43

3/22/21 10:31 AM
http://www.securitysales.com
Security Sales & Integration April 2021

Table of Contents for the Digital Edition of Security Sales & Integration April 2021
