In Campus Safety’s last interview with Chuck Davis, who is the director of cyber security at Hikvision, he explained that physical security professionals need to care about cyber security because most physical security and life safety systems are now connected to the Internet, making them vulnerable to being hacked by cyber criminals. Davis, who is also an adjunct professor on cyber security at the University of Denver, also discussed the specific vulnerabilities that campuses must address.
In our second interview with Davis, he describes some of the steps campus security technicians can take right now to limit their physical security systems’ vulnerability to hacking.
Chuck Davis: The first thing you need to do is apply something called “defense in-depth.” Make sure that you’ve got firewalls and different network controls in place to keep systems that don’t need access to the internet away from the internet.
Also, network segmentation inside of organizations. A lot of organizations create a flat network, which means that all devices are on the same network… they can communicate and talk to each other. You don’t need your HR department having access to the finance servers and vice versa. So creating network segmentation is very important. That not only goes with your highly sensitive data, but also things like video surveillance and internet of things (IoT) devices. We need to put those on separate networks so that they can be appropriately monitored and controlled.
Campus Safety: And what about passwords? I know there are a lot of default passwords and settings out there. What should our readers do about those?
Davis: Defaults are really bad. Hackers love to focus on defaults because they realize a lot of people don’t change defaults, whether it’s default passwords or ports or different configurations. So, always make sure you’re changing those defaults. When it comes to passwords, you want to make sure you’re creating strong passwords, and there’s been a lot of talk over the years about what a strong password is. The National Institute of Standards and Technology has some recommendations, and they’ve actually changed them over the past year or so from what they used to be from many years ago.
But really, I would say if you’re able to create a strong password, which includes multiple character sets: uppercase, lowercase, numbers and special characters, and make it long, that’s the most important piece. The longer the password, the better.
You might ask, “How am I supposed to remember all of these passwords?” The best practice nowadays is to use something called a “password management tool.” There are a number of them out there. Some are free, some of them cost a bit of money, but for the most part, you’re able to have those tools create passwords for you. I actually don’t know what most of my passwords are. I’ve got a password management tool that when I log into a website, it just puts the username and password in there for me.
CS: Also, I’ve heard good things about two-factor authentication.
Davis: Two-factor authentication is very important. I would say from a personal level and even into an enterprise level. So any place you’re able to implement two-factor authentication for your enterprise, for your students or the people who work in your enterprise, that’s important. Especially when that access is coming from the internet. So if you’re VPN-ing, using a virtual private network, into the network, using just a username and password means that if someone gets one of those passwords, they’re able to get inside of your network. If you have two-factor or multi-factor authentication, it makes it much more difficult because they would need to know the username and password, and then have the token, whether it’s a text message or an app on your phone. There are a number of apps like Google Authenticator, which is free, and you’re able to set that up.
I would also say that social media and a lot of the tools and websites we use today offer two-factor authentication, and a lot of people don’t know that. So go look at Facebook, LinkedIn, Twitter and all of those, and you’ll find you’ll be able to turn on two-factor authentication.
CS: And all these best practices, they don’t just apply to security cameras or access control systems, they apply to practically everything on the internet, right?
Davis: They really do, because they’re all computers. When we talk about video surveillance or any IoT devices again, those are computers that are sitting on the internet, and we have to get in the mindset where we understand that these are computers with operating systems, and we’ve got to treat them that way.
CS: I want to talk a little bit about vendors and how they manage their cyber security vulnerabilities. What should our readers look for in a vendor so they know that the vendors that they’re working with manage their cyber security vulnerabilities correctly?
Davis: That’s a really good question, and I think the first thing they need to do is reach out to those vendors. See if they have a vulnerability management program, ask some questions. A little bit of research goes a long way though. So I would recommend going to cve.mitre.org and look at the Common Vulnerabilities and Exposures database. You can do a quick search in there for any company, and if they have CVEs, that means that they have vulnerabilities that have been discovered and responsibly reported into the CVE database. If they don’t, that’s a little suspicious because either, A: they don’t know they have vulnerabilities and they’re not fixing them, or B: they know that they have them, but they’re not responsibly disclosing them to the public.
So it’s a very important piece and something I’d recommend that everybody do when they are talking about looking at new vendors.