May 2015www.security-today.com

NETWORKINGNETWORKINGNETWORKINGNETWORKINGNETWORKINGNETWORKING SECURITY SECURITY SECURITY SECURITY SECURITY SECURITY SECURITY SECURITY SECURITY

HOW CYBER-SECURE ARE YOUR PHYSICAL SECURITY DEVICES?

Protecting the network with your sensitive business data

NS6

A Special Section to Security Products

0515nws_NS01_v1.indd 1 4/6/15 10:04 AM

EDITORIAL STAFFEditor-in-Chief/Associate Publisher Ralph C. JensenSenior Editor Lindsay PageE-news Editor Brent Dirks

ART STAFFArt Director Dale Chinn

PRODUCTION STAFFDirector, Print and Online Production David SeymourProduction Coordinator Teresa Antonio

EDITORIAL ADVISORY BOARDSteve Collen, Cisco Physical Security, San Jose, Calif.Charlie Howell, Division 28 Consulting, San Antonio, TexasJeff Lemoine, General Mills, Minneapolis, Minn.Fredrik Nilsson, Axis Communications, Chelmsford, Mass.Dick O’Leary, EMC, Hopkinton, Mass.

SALESSam Baird +44 1883 715 697Randy Easton 904-261-5584Brian Rendine 972-687-6761

SECURITY, SAFETY, AND HEALTH GROUPPresident & Group Publisher Kevin O’Grady Group Circulation Director Margaret PerryGroup Marketing Director Susan MayGroup Website Manager Scott NewhouseGroup Webinar Administrator Tammy RenneGroup Social Media Editor Ginger Hill

Chief Executive Officer Rajeev Kapur

Senior Vice President & Chief Financial Officer Richard Vitale

Chief Operating Officer Henry Allain

Executive Vice President Michael J. Valenti

Vice President, Information Technology & Application Development Erik A. Lindgren

Chairman of the Board Jeffrey S. Klein

REACHING THE STAFF Staff may be reached via email, telephone, fax or mail. A list of editors and contact information also is available online at www.security-today.com.E-mail: To e-mail any member of the staff, please use the following form: FirstinitialLastname@1105media.com

Dallas Office (weekdays, 8:30 a.m. – 5:30 p.m. CT) Telephone (972) 687-6700; Fax (972) 687-6799 14901 Quorum Dr., Suite 425, Dallas, TX 75254

Corporate Office (weekdays, 8:30 a.m. – 5:30 p.m. PT) Telephone (818) 814-5200; Fax (818) 734-1522 9201 Oakdale Avenue, Suite 101, Chatsworth, CA 91311© Copyright 2015, all rights reserved. Networking Security is a supplement to Security Products, an 1105 Media Inc. publication, and is published

four times a year: February, May, August, and November.The information in this magazine has not undergone any formal testing by 1105 Media Inc. and is distributed without any warranty expressed

or implied. Implementation or use of any information contained herein is the reader’s sole responsibility. While the information has been reviewed for accuracy, there is no guarantee that the same or similar results may be achieved in all environments. Technical inaccuracies may result from printing errors and/or new developments in the industry.

Networking Security welcomes vendor information and briefings. To arrange a briefing, please contact our editor-in-chief, Ralph C. Jensen, via email at rjensen@1105media.com. Our agreement to accept or review product material or backgrounders is not a guarantee of publication.

www.security-today.com May 2015 | Volume 9, No. 2

NS2 0 5 1 5 | N E T W O R K I N G S E C U R I T Y

NETWORKING SECURITYNETWORKING SECURITYNETWORKING SECURITYWhere IT Security and Physical Security ConvergeWhere IT Security and Physical Security ConvergeWhere IT Security and Physical Security ConvergeWhere IT Security and Physical Security ConvergeWhere IT Security and Physical Security ConvergeWhere IT Security and Physical Security Converge

Features

NS14Exitby Michael GallantCOLLABORATION IS KEY IN THE VIDEO VORTEX

NS4Enterby Ralph C. JensenHOW SECURE ARE YOUR DEVICES?

NS6 Healthcare Campus SecurityHOW CYBER-SECURE ARE YOUR PHYSICAL SECURITY DEVICES?Protecting the network with your sensitive business data

By Vince Ricco

NS10 Vulnerability ManagementBUILDING A FOUNDATIONTaking a look at a holistic information security perspective

By Madeline Domma

NS12 Network SecurityAN ELEPHANT IN THE LIVING ROOMDon’t forget to lock the obvious front door to your network

By Julie Olenski

Departments

0515nws_NS02_TOC_v1.indd 2 4/6/15 10:06 AM

Go to http://sp.hotims.com and enter 203 for product information.

Untitled-10 1 4/1/15 3:53 PM

ENTERBy Ralph C. Jensen

NS4 0 5 1 5 | N E T W O R K I N G S E C U R I T Y

HOW SECURE ARE YOUR DEVICES?Whenever I receive a cover story from Vince Ricco I listen, and I learn. I’ve known Vince for quite a while, and when he asks if your security devices are connected to your sensi-tive business data, it really makes you think.

He writes that any network node left unpro-tected… well, you can read about it in the cover

story, but get it in your mind that if you’re doing this, you’re at risk. Threats abound in the networking world; first and foremost, you must harden your connections.

There are so many new technologies available today, and most are on the same network structure. This is probably not a good idea, and besides, it puts undue burdens on the IT staff to pay attention to cyber security.

Ricco makes a compelling argument of strategies for protect-ing network ports. He says it’s important to protect yourself, pay particular attention to the user/administrator credential manage-ment, physical port security, and video and data flow protection.

Our other editorial contributors, such as Julie Olenski, write about locking the obvious front door to your network and what digital defenses might work best for you. Madeline Domma writes about building a foundation as part of a vulnerability manage-ment plan. I’m sure you know and understand that problems can emerge without a proper plan.

While it seems that physical security depends upon the IT in-frastructure, the reverse also is true. It makes a lot of sense for everyone to pull together in their commitment of the security infrastructure.

Untitled-2 1 4/1/15 12:52 PM

Go to sp.hotims.com and enter 202 for product information.

0515nws_NS04_Enter_v2.indd 4 4/6/15 10:07 AM

Surveillance - Audio - Accessories

SEE COLOR IN LOW LIGHT IN FULL HD 1080p WITHOUT IRs

Intensifier IP®

Provides crisp, detailed images in full HD resolution. ®

» Supports Full HD resolution @ 30fps

» Built-in standard PoE (IEEE 802.3af)

» No problems caused by objects that reflect or absorb IR light sources

» Presets for different scenarios: Indoor, Outdoor, Elevator, Lobby, Hallway & Low Light

» Wide dynamic range (WDR) operation

» Supports H.264 and MJPEG codecs

» 2-way audio communication

» Sensor input and relay output

» IP66 compliant (outdoor models)

O2iBD1O2iB3M O2iMD1O2iD4M O2iMT61

Works seamlessly with our Free SecureGuard™ Plus Video Management Software & our NS NVRs.

Go to http://sp.hotims.com and enter 205 for product information.

Untitled-3 1 4/2/15 1:19 PM

H E A LT H C A R E C A M P U S S E C U R I T Y

NS6 0 5 1 5 | N E T W O R K I N G S E C U R I T Y

HOW CYBER-SECURE ARE YOUR PHYSICAL SECURITY DEVICES?Protecting the network with your sensitive business dataBy Vince Ricco

Are your physical security devices attached to the same network as your sensitive business data? Then, you had better take as much care to cyber secure those devices as you do your wireless access points, printer connec-tions, scanners and other traditional network-

attached technology. Any network node left unprotected could become a potential threat to overall network security.

What you need to do to harden your network connections de-pends on your risk assessment. First identify what assets need protection. Then investigate what threats or vulnerabilities pose a risk to those assets. Once you have that information in hand you can decide whether those risks are worth mitigating. For or-ganizations handling credit card payments and/or patient data, the physical security of stored data—whether in the cloud or an in-house data center—is mandated by law and the financial pen-alties for non-compliance are significant. For some business own-ers, the consequences of unauthorized system breaches might be minimal which would influence how much they spend on protec-tion technology.

Sometimes, the solution is as simple as network segmentation either through physical wiring or a VLAN. Separating network resources that shouldn’t interact or have no need to interact with each other increases overall network protection levels and assists in optimizing resource management.

Breaches Aren’t Always the Result of a Frontal AttackThe convergence of so many new technologies on the same net-work infrastructure has placed an enormous burden on IT de-partments to pay particular attention to the cyber security of a plethora of non-traditional network-attached devices. Due dili-gence must be paid to the security configuration of these devices to eliminate exploitation—whether the devices are heating, ven-tilation and air conditioning (HVAC) controls and monitors; in-telligent building automation devices such as smart thermostats, Smart Grid power monitoring and control devices; or networked

surveillance cameras and IP-based access control systems.One recent, highly publicized and massive retail customer data

breach stemmed from the hijacked login credentials of a third-party HVAC service provider. Typically the HVAC services com-pany would remotely log into the retail stores’ HVAC monitoring systems for maintenance. Cyber hackers followed the same pro-tocol, logging into the system using the stolen services company’s login credentials to gain access to the network. From there they were able to tap into the retailer’s point of sale systems which

0515nws_NS06_08_Ricco_v2.indd 6 4/6/15 10:13 AM

Go to http://sp.hotims.com and enter 204 for product information.

Untitled-3 1 4/2/15 11:24 AM

NS8 0 5 1 5 | N E T W O R K I N G S E C U R I T Y

resided on the same physical network in-frastructure. As a result confidential cus-tomer data was compromised.

The moral of the story? Keep a close eye on all network connected systems. They could be your Achilles Heel when it comes to securing sensitive corporate and client data. Once you understand what impact a successful breach might have on your business—financial penalties, loss of company reputation and market share, or perhaps negligible repercussions—you can plan your security spending accordingly.

Strategies for Protecting Network Ports With more companies migrating to IP-based video surveillance and access con-trol systems, both IT and physical security departments need to educate themselves on best practices for protecting these po-tentially vulnerable network nodes. To help you decide which security mecha-nisms, policies and procedures to deploy let’s look at how a typical IP-based video system is configured.

Video cameras and access control de-vices attach over the network to a video and/or access control server. Or, the sys-tem can contain multiple servers for load sharing and redundancy. The video can be stored to a local hard drive, a network-attached storage device (NAS), or a server storage array located at a remote data center or in the cloud. The network can also contain video viewing clients that can access video directly from the cameras or through a VMS.

To cyber-harden these physical security component, you need to focus on three areas: user/administrator credential man-agement, physical port security, and video and data flow protection.

User/Administrator credential manage-ment: Credential management can be as simple as making sure that default logins and passwords are changed from factory defaults. IT professionals already do this as a default installation and maintenance best practice for networking hardware and attached devices. You can add another lay-er of protection by creating separate user and administrative logins, passwords and privileges.

IT can install other credential security

measures such as multi-factor authentica-tion if the camera/access control manu-facturer supports this feature. Many of the major VMS application platforms can help you automate the setup and maintain those attached device credentials.

Physical port security: There are a num-ber of measures you can employ to pre-vent a device’s removal from the network and the attachment of a laptop or other device configured to spoof the MAC or IP address of the camera or access control pad in order to gain access to the network and network assets. Depending on the ca-pabilities of your network hardware man-agement software, this can be as simple as a port-based MAC address lockdown that requires manual provisioning when a port link is lost and then recovered. This does not address cable tapping, however. In that case more rigorous measures are needed such as onboard credential au-thentication.

When it comes to defending against network port hijacking, there are a num-ber of network standard authentication measures you can deploy. It all depends on which ones are supported by the cameras and access control devices you’ve installed. For instance, many cameras support basic .X or RADIUS client for edge device au-thentication. Some camera manufactures support PKI or token-based resident cer-tificate authentication.

The bottom line is that you should in-clude port-based/edge-connection cyber security on all your network edge devices no matter what they are. And the cyber se-curity of those devices should align with the high security standards your company already has in place to protect other de-vices and data residing on the network.

Video and data flow protection: Pro-tecting the transmission of video or data focuses on preventing the wrong people from putting eyes on or having access to your organization’s video. You can just imagine how tactical it can be for “bad guys” to have visibility inside the walls of your business or what a PR or legal nightmare you’d have on your hands if certain sensitive video footage showed up on YouTube.

The goal is to protect the data flowing from end to end: from the camera or ac-

cess control device through the network to the server and ultimately the storage device. To achieve that, your first step would be to define the protection scheme you want to deploy and then search out components that can readily integrate into that scheme. For instance, some video sys-tem manufacturers support a variety of encryption schemes from edge devices to servers. Other system components support encryption from the servers to the viewing client PCs, laptops and smartphones.

Network camera and access control system encryption generally adhere to IT methodologies standards such as .x, SSL/TLS, HTTPS, and PKI certificates. There are also appliance-based heavier encryp-tion methods available. But because video transmissions are extremely sensitive to transmission latency, anything short of zero latency encryption will likely disrupt recoding capabilities.

Before you make any decisions about encryption, research what your camera and VMS suppliers recommend. Then, to ensure compatibility across the board, surveillance and physical security decision makers should closely align themselves with IT to confirm that the hardware and software products they plan on deploying will meet IT standards for cyber security.

Know What Security Options are Out ThereTo keep abreast of what encryption and other physical security technologies are on the horizon and what are currently avail-able on the market, you can surf online content from camera and server manufac-turers, participate in physical security sem-inars and trade shows held in the US and around the world, as well as attend tradi-tional IT tradeshows and events where a sizable number of physical security com-panies participate as well.

The point is to educate yourself and get involved in cyber-security issues early in the vendor selection process whether you own the solution or are supporting the solution on your company’s network infrastructure.

Vince Ricco is the business development manager for Axis Communications Tech-nology Partner Program in North America.

0515nws_NS06_08_Ricco_v2.indd 8 4/6/15 10:13 AM

quantumsecure.com • info@quantumsecure.com

seamless identity management and physical access … in one solution

SAFE is an innovative software solution that integrates diverse security systems with identity management onto a unified policy-based platform. SAFE ensures that every employee, contractor, vendor and visitor has clearly defined and controlled access privileges. And SAFE is fully automated with comprehensive management and reporting features. It’s the most efficient way to manage the lifecycle of identities and their access across your enterprise in order to maintain compliance 24/7. Make your world SAFE with Quantum Secure.

AUTOMATEDPHYSICALIDENTITY

MANAGEMENT

CENTRALID

REPOSITORY

AUTOMATEDWORK FLOW

REAL-TIMECOMPLIANCE

INTEGRATESWITH

EXISTINGINFRASTRUCTURE

INTEGRATESWITH HR,ACCESS

CONTROL & IT SYSTEMS AUTHENTICATE

IDENTITIES

Go to http://sp.hotims.com and enter 206 for product information.

Untitled-3 1 4/2/15 2:47 PM

V U L N E R A B I L I T Y M A N A G E M E N T

NS10 0 5 1 5 | N E T W O R K I N G S E C U R I T Y

BUILDING A FOUNDATIONTaking a look at a holistic information security perspectiveBy Madeline Domma

Now more than ever, major network vulner-abilities are making national and interna-tional news headlines. Heartbleed, Shellshock

and POODLE are considered by many to be among the worst bugs present on the Internet and, in recent months, have all formed their own unique paths of de-struction across networks everywhere. These vulnerabilities, as well as count-less others, are extremely harmful when used to attack companies and can be detrimental to a company’s future suc-cess if not addressed properly.

Although understanding the global im-pact of these vulnerabilities can be both interesting and useful, the primary concern for network security professionals must be the impact of these vulnerabilities on the specific IT environments that they oversee. At some point, all companies—regardless of size or industry—must develop infor-mation security programs to protect both themselves and their customers from these vulnerabilities and other IT-related threats. From creating policies and vendor con-tracts to performing risk assessments and audits, organizations are recurrently faced with the challenge of securing their data from internal and external exploitation.

Additionally, most company security practices may need to comply with the standards of different governing bod-ies, authorities, or regulations, depending upon the industry. This requirement for the synchronization of a company’s se-curity efforts has made way for the emer-gence of the information security model known as IT GRC (Governance, Risk and Compliance).

One of the best strategies by which companies can develop a secure and com-

prehensive IT GRC program begins with a thorough and vigilant vulnerability man-agement process. Network vulnerability scans and the results that they yield offer a plethora of information about network de-vices and can be employed in many different ways. Leveraging vulnerability data when creating IT GRC practices is crucial to de-veloping a comprehensive, consistent, and sustainable information security program.

Problems Emerge Without Proper Vulnerability ManagementAttempting to mature an information secu-rity program without integrating vulnera-bility data can cause several different prob-lems over time. Without an understanding of the vulnerabilities of a network’s de-vices, network oversight becomes limited. If network oversight does not include

vulnerability management, those making security-related decisions cannot cultivate best practices to combat the specific vulner-abilities that pose the greatest threats to the organization’s unique environment.

Without incorporating well-managed vulnerability data to improve upon a com-pany’s security program, inconsistencies in security posturing will inevitably oc-cur. For instance, an IT audit of company systems may verify that the configuration settings of workstations or servers do not reflect those defined in the security policy. While this inconsistency may result in a citation or fine in the context of an audit, it may be discovered and mitigated before-hand if the company is utilizing a vulner-ability management tool or software.

Contrastingly, vulnerability manage-ment can validate claims made in com-pany policies, during risk assessments and

ww

webm

eister/Shutterstock.com

0515nws_NS10_11_Domma_v3.indd 10 4/6/15 10:14 AM

W W W . S E C U R I T Y - T O D A Y . C O M NS11

audits, or when verifying compliance with a given authority. If the vulnerability data is consistent with the claims made in other areas of the company’s IT GRC program, vulnerability data serves as context to the other areas of the information security program. Problems that result from the absence of vulnerability management in an organization’s IT GRC program prove that vulnerability management is not only beneficial but also critical to a holistic and viable information security program.

Vulnerability Management is the Cornerstone for a Consistent IT GRC PracticeProper vulnerability management gener-ates a database of information about the hardware and software of devices that comprise a network. The types of infor-mation gathered from a vulnerability scan vary greatly from hardware manufacturer information to software versioning data and even serious exploitable settings of devices on a network.

Vulnerability management efforts not only verify areas of the network that are secure but, more importantly, highlight potential threats to network security before the threats escalate to major company-wide incidents or issues. Making use of vulner-ability data when executing security-related tasks, such as completing a risk assessment or compliance assessment, creating vendor or third party contracts, or performing an audit or training course allows for consis-tent, company-wide security posturing. Once network devices are scanned, vulnera-bility data as well as software and hardware versioning are populated into a centralized location. This data can then be applied in several different aspects of both network and operations management:• Patch management: Vulnerability man-

agement will identify the weak aspects of network devices and provides infor-mation on which devices need to be patched. Patch management practices can then be established based on the frequency with which different types of systems require patches as reported by vulnerability data.

• Asset management: Vulnerability data will provide details as to which types and versions of hardware and software are active on the network. Vulnerabili-ty data managers are then able to iden-

tify the devices that are outdated and can eliminate potential problems with these devices before they cause serious issues if otherwise unnoticed or un-addressed. For example, vulnerability data can deliver password configura-tion information, minimum password requirements, and versioning informa-tion of device operating systems, ap-plications, and programs before weak-nesses to the devices are exploited and cause harm to a network.

• Vendor management: Vulnerability scans may be run on network equipment that is either owned or maintained by a third party. Vulnerability management pro-vides insight to network administrators as to whether or not a vendor is main-taining their systems on your network and will alert administrators if vendor systems are forming weaknesses in the company’s network.

• Policy management: Vulnerability scan data and management offers context to claims made within company policies and can prove that requirements de-fined in a company’s policies are being implemented properly. For instance, if an organization’s configuration man-agement policy states that certain con-figuration standards must be adhered to on all company equipment but vul-nerability scan results indicate that the devices do not meet the described stan-dards, these inconsistencies can be ad-dressed (either by adjusting the policy to accurately outline the configurations of company systems or by updating the devices to meet the standards pre-scribed in the policy). This consistency creates a well-defined configuration management policy that can be more easily adhered to and maintained.

• Risk assessment: Vulnerability manage-ment proves most valuable when con-ducting IT risk assessments because the data provided may then be utilized to identify, prioritize, and implement security controls to minimize the over-all risk of an organization.

• Verifying compliance: Data provided through fastidious vulnerability man-agement may also provide useful in-formation when an organization must adhere to different compliance regula-tions for their industry. For example, outdated JBoss versions on network

systems will cause a company to be out of compliance with today’s PCI standards. Most regulating bodies clearly define the versions of software that networked systems must maintain and, if outdated versions are found on company systems, the company can-not be considered in compliance with the authority. While companies who do not fully integrate vulnerability management information into other aspects of their information security program will be either fined or repri-manded by regulators, network ad-ministrators and security profession-als who manage vulnerability data on a regular basis will recognize the need to update their systems and will initi-ate a process to accomplish the task and remain in compliance when re-viewed by regulators.

• Audit: Finally, vulnerability manage-ment data can be utilized during an audit to verify security controls, poli-cies, and practices of an organization. Maintaining a structured and well-defined IT GRC program based on vulnerability management will result in shorter audits that require fewer com-pany resources to perform and yield positive findings and results.

Sustainable Information Security Programs for Continued Company SuccessVulnerability management is a core prac-tice of a well-maintained IT GRC space. Identification, prioritization, and mitiga-tion of vulnerabilities dictate how infor-mation security processes flow throughout a company and create viable processes for secure and efficient IT environments.

The results of a vulnerability scan re-veal potential flaws in the network as well as a plethora of other information about the different devices connected to an or-ganization’s network. This information should be applied to other key areas of an information security program to stan-dardize the data that is used throughout the company and establish a holistic, well-managed, and sustainable IT GRC and security program.

Madeline Domma is the product design specialist at TraceSecurity.

0515nws_NS10_11_Domma_v3.indd 11 4/6/15 10:55 AM

N E T W O R K S E C U R I T Y

NS12 0 5 1 5 | N E T W O R K I N G S E C U R I T Y

AN ELEPHANT IN THE LIVING ROOMDon’t forget to lock the obvious front door to your networkBy Julie Olenski

Security managers are more aware than ever that information security requires a layered approach with components ad-dressing every point of intrusion on the cor-porate network. Yet with an estimated 196 billion emails to be sent daily worldwide in

2015 and email continuing to dominate internal network traffic at most organizations, a network security plan that fails to address the risks posed by email is like leaving the front door unlocked.

Data loss or breach is arguably the largest risk of email com-munication. The concern is just as great among unregulated in-dustries as it is in sectors where privacy is of heightened concern such as in financial services and healthcare. Here are a few facts that illustrate the urgency: • 53percentofemployeeshavereceivedunencrypted,riskycor-

porate data via emails or email attachments.• 21percentofemployeesreportsendingsensitiveinformation

without encryption.The costs of data loss are staggering, not to mention the

damage it does to a company’s reputation (who can forget the contents of those Sony emails?) and any legal repercussions for violating regulations regarding the transmission and storage of sensitiveinformationsuchas,HIPAA,FIPPAorPCI.• 22percentofcompaniesexperiencedata loss throughemail

each year.• Theaveragecorporatedatabreachcosts$3.5million.

Agrowingthreattocorporateemailusersisphishing.Send-ingemailsfromaforgedsenderaddress,calledspoofing,isonewayofcarryingoutaphishingattack,withthegoaloftrickingthe unsuspecting recipient into downloading malware or entering confidential information into a fake web site where it is accessible to the hacker. Though it’s often viewed as a consumer problem—it seems every week there’s a new attack targeting customers of retail sites or online services—hackers have started to set their sights on corporate users by impersonating the company and tar-geting employees. • Anestimated1outof392emailsispartofaphishingattack.• 300percentgrowthinphishingemailsinthepastyear.• 33percentofFortune500executivesfallforphishingbait.

Digitally Signed and Encrypted Email: Network DefensesNotsurprisingly35percentoforganizationsnowuseencryptedemail,upfrom29percentaccordingtoaPonemonInstitutere-port.As of thisFebruary,Google reported that 78 percent ofoutboundGmailmessagesareencrypted.

The most common approaches to email encryption are based onpublickeycryptography.GoogleusesTLS,thesametechnol-ogy that secures your connection to websites (as indicated by the httpsandpadlockintheaddressbar).Fordesktopemailclients(e.g.,MicrosoftOutlook,AppleMail,Thunderbird),whichareoftenmorecommonincorporateenvironments,S/MIMEisthemost popular option.

S/MIME,orSecure/MultipurposeInternetMailExtensions,is the industry standard for public key encryption forMIME-based(message-based)data.S/MIMEofferstwokeyemailsecu-rity functions:• DigitalSignature• Encryption

Todigitallysignandencryptemails,youwillneedanS/MIMEdigitalcertificate.Adigitalcertificateisavirtualpassport;awayof proving your identity in online transactions. Just as a local governmentneedstoverifyanidentitybeforeissuingapassport,athirdpartyverificationentityknownasaCertificateAuthority(CA)needstovetanindividualbeforeissuingadigitalcertificate.Sincethecertificateisuniquetotheindividual,usingittosignanemailisawaytoprove,“yes,it’sreallymesendingthisemail.”

Digitally Signed Emails Mitigate PhishingDigitally signing your emails is a way to assure recipients that the email is legitimate and actually came from you. You can see how this mitigates the corporate phishing risks discussed above. If yourcompanystandardizesondigitallysigningallemailcom-munication,anyspoofedemails fromphisherswill immediatelyraise a red flag since they aren’t signed.

Encrypted Emails Prevent Sensitive Data from Falling into the Wrong HandsEncryptinganemailensuresonlytheintendedrecipientcanac-cess the contents. This is because the encryption process requires information from your recipient’s digital certificate. Unless some-one has access to the certificate (and only the individual should haveaccess),hewon’tbeabletoreadthecontentsoftheemail.

0515nws_NS12_13_Olenski_v3.indd 12 4/6/15 10:56 AM

W W W . S E C U R I T Y - T O D A Y . C O M NS13

One erroneous perception is that digital signatures and en-cryptionaddtime.Infact,digitallysigninganemailisassimpleasclickingabutton,withmanyemailclientsenablingtheusertoset digital signatures as a default on all outgoing messages.

A Red-Ribbon Badge of AuthenticityDigitally signed and encrypted emails literally wear an emblem oftheiraddedsecurity.InMicrosoftOutlook,aredribbonin-dicates that the email was digitally signed and the identity of the signerislistedunderthesubjectline.Encryptedemailsdisplaya padlock.

Clicking on the red ribbon or padlock verifies the identityof the sender and offers more details about the signature. These clear trust indicators mean the recipient of the email can instantly see that the emailwasdigitally signedor encrypted,bywhom,andknowthattheemailactuallycamefromthecorrectperson,hasnotbeenforged,andthatthecontentsoftheemailhavenotbeen changed since it was sent.

Is It Best for Me?Determining if an email security solution is the best fit for a given

organizationrequiresathoughtfulreviewofmanyfactors:• Doyouneedtosendsensitiveinformationviaemail?• Whattypesofregulationsdoyouneedtomeet?(Forinstance,

HIPAA,FIPPA,PCIregulationsregardingthetransmissionof sensitive information)

• Hasyourorganizationbeenvictimtoemailspoofingorotherphishing threats?

• Howdoesthesolutionauthenticatetheemailsender?• Doesthesolutionensurethecontentsofemailsarenotaltered

after they’re sent?• Whatistheimplementationprocesslike?Willtherebeabur-

denonIT?• Willthissolutionbeeasyforyouandotherenduserstoadopt?• Whatemailclientsdoyouneedtosupport?

Withhacks,breachesand information theft rampantoncor-poratenetworkstoday,anyapproachthatpromisestolessenthelikelihood of information loss—with minimal if any impact on end user ease and workday efficiency—is an important step toward controlling those digital assets within the corporate perimeter.

Julie Olenski is enterprise product manager at GlobalSign.

0515nws_NS12_13_Olenski_v3.indd 13 4/6/15 10:15 AM

EXIT

NS14 0 5 1 5 | N E T W O R K I N G S E C U R I T Y

COLLABORATION IS KEY IN THE VIDEO VORTEXBy Michael Gallant

Increased security concerns, availability of IP networks, camera sprawl and im-provement in video content analytics are all contributing to a rapid growth in the amount of video surveillance data that federal agencies are gathering today. By 2018, the video surveillance equipment market is forecast to reach $25.6 billion,

and by 2020, video surveillance data is expected to reach approximately 3.3 trillion hours globally.

From facial recognition to instant event search and inter-agency real-time surveillance, the benefits of video surveillance data are numerous. The surveillance data enables significant op-portunities for Big Data analysis critical to our nation’s security, such as monitoring suspicious behavior, object recognition, in-cident detection, face matching, safety alerts and anomaly de-tection. It’s no secret that federal video surveillance data is an important component to improved security across the federal government—but only if that data is safely captured, stored, and effectively analyzed.

So, Where Do We Stand?MeriTalk’s new report, “The Video Vortex,” found that although 99 percent of feds believe that video surveillance technology will play a significant role in their ability to prevent crime, theft, and terrorism over the next five years, 54 percent of federal video sur-veillance data goes unanalyzed. This study sponsored by EMC Corp., a global IT and security leader, is based on a survey of 151 federal decision makers—evenly split between physical security and IT managers.

As the amount of video surveillance data grows rapidly, so does the potential for improved security—as long as the data is fully examined. But, since over half of video surveillance data goes unanalyzed, we must figure out how to harness its full po-tential in order to succeed.

According to the study, one answer lies in collaboration be-tween physical security and IT. Seventy-nine percent of feds be-lieve their agency needs to improve collaboration between the departments in order to be successful. A more collaborative ap-proach will make agencies more prepared for the video surveil-lance data deluge, and more likely to analyze video surveillance data to derive actionable insights. The study found that agencies who implement collaboration between the two are significantly ahead of agencies that do not.

Agencies that have departmental collaboration are:• Morepreparedfortheinfluxofvideosurveillancedata—

81 percent versus 24 percent;• morelikelytoanalyzeatleast50percentofthedata—

63 percent versus 47 percent;• andmorethantwiceaslikelytooperateedge-to-core

platform architecture for surveillance—92 percent versus 44 percent

How Do We Get There?In order to work together successfully, there must be a consensus between physical security and IT managers to determine who has primary responsibility for managing their agency’s video surveil-lance infrastructure. The study revealed there is confusion over to whom that responsibility belongs—76 percent of physical secu-rity managers vs. 33 percent of IT managers believe the responsi-bility is shared between the two departments.

Looking at infrastructure, the need for improvement is evi-dent. While agencies recognize the potential that video surveil-lance holds, approximately nine in ten believe their infrastruc-turesarecurrentlyunpreparedforthevideodatainflux.Overthenext five years, 91 percent believe storage needs to increase, 89

0515nws_NS14_15_Exit_v2.indd 14 4/6/15 10:48 AM

W W W . S E C U R I T Y - T O D A Y . C O M NS15

percent believe computing power needs to increase, and 84 per-cent believe personnel needs to increase, in order to adapt and handle the oncoming growth.

As a step in the right direction, three-quarters of respondents say their agency’s IT department is currently working on integrat-ing video surveillance data into a central repository for analysis.

The Where and HowTo accurately understand how to handle video surveillance data and maximize insights, we must understand how this technology is used today. In what ways do Feds collect video surveillance data? How are surveillance cameras distributed? Where are they located, and are they fixed or mobile? Today’s video surveillance solutions are characterized by a combination of distributed tech-nologies also known as centralized technologies or the core.

According to the study, 74 percent of survey respondents op-erate an enterprise approach, including an edge-to-core architec-ture for video surveillance.

Feds collect video surveillance data through a variety of sen-sors. The study found that 88 percent collect the data through stationarycameras,and80percentusescanningcameras—bothmonitoring a fixed location. Although cameras at fixed locations have become one standard approach to collecting data, mobile camera usage is becoming more popular, especially across the De-fense Department. The study found that in Defense agencies, 77 percent use cameras on vehicles (vs. 53 percent of Civilian), 75 percent use cameras on people (vs. 44 percent of Civilian), and 78 percent use cameras on drones (vs. 17 percent of Civilian).

Additionally, to optimize video surveillance effective-ness, the feds are looking into advanced solutions to add to their video strategy—92 percent are looking into Machine-to-Machine (M2M) technology, and 93 percent are looking into intelligent data storage. Each brings their own benefits to the table—M2M enables both wireless and wired devices to automatically communicate via a network, and intelligent datastorageflexestooptimizestoragecapacity,backuptimes,costs, and performance.

The TakeawayNow that everything has been laid out on the table, the following question must be addressed:

Are the feds ready for the massive increase in video surveil-lance data?

Onethingisclear—thereiscertainlyroomforadvancement.With nearly all feds identifying necessary increases in storage, computing power, and personnel, these are important areas for investment today.

Another focus for agencies needs to be the collaboration piece of the puzzle—physical security and IT managers need to join forces in order to handle the oncoming growth in video surveil-lancedata.Oncefederalagenciestackletheircurrenthurdles—from edge to core—the potential of video surveillance data will hold limitless possibilities for better protecting our nation.

Michael Gallant is the senior director for global surveillance & security practice at EMC Corp.

Ad IndexAdvertiser ........................................... Circle # ...........Page .........URL

Open Options, Inc. ........................................ 203 ...................... NS3 ..............www.ooinc.com

McGard Security Products ............................ 202 ...................... NS4 ..............www.mcgard.com

Speco Technologies ...................................... 205 ...................... NS5 ..............www.specotech.com

Middle Atlantic Products ............................... 204 ...................... NS7 ..............www.middleatlantic.com

Quantum Secure ........................................... 206 ...................... NS9 ..............www.quantumsecure.com

DSX Access Systems .................................... 201 ...................... NS16 ............www.dsxinc.com

0515nws_NS14_15_Exit_v2.indd 15 4/6/15 10:48 AM

10731 Rockwall Road | Dallas, TX USA 75238-1219| | sales@dsxinc.com

www.dsxinc.com

CREATING THE FUTUREOF SECURITY . . . TODAY

Go to http://sp.hotims.com and enter 201 for product information.

Untitled-10 1 1/2/13 4:21 PM