LP Magazine

SEP-OCT 2017

LP magazine publishes articles for loss prevention, asset protection, and retail professionals covering shrinkage, investigations, shoplifting, internal theft, fraud, technology, best practices, and career development.

Issue link: http://digital.lpportal.com/i/874445


There may be no better symbol of the nation's modern, high-tech military—not to mention US military might—than its fleet of Predator drones. So it surely caused a few red faces at the Pentagon when it was discovered that insurgents in both Afghanistan and Iraq had used $26 software to intercept live video feeds from the unmanned planes. Oops.

Or consider a story relayed by the Alliance for Enterprise Security Risk Management about an interruption to an organization's computer network. Initially thought to be a server crash, it turned out to be the result of RAM being physically stolen from servers in the data center by thieves who couldn't be identified because building surveillance cameras were malfunctioning. The organization in question? A police department. Again, oops.

All industries have had similar oops moments. Security experienced one in October 2016 when network-connected surveillance cameras and DVRs were implicated as a primary distributor of the Mirai botnet, which enabled DDoS attacks on eighteen data centers around the world and disrupted activities at some of the Internet's biggest names, including Amazon, Spotify, and Twitter.

Securing Loss Prevention Technology

The cyber vulnerability of security devices is a hot topic at security conference roundtables and in industry webinars these days. It's not hard to see why. There is growing pressure on loss prevention to enhance store operations and boost sales. We're in an environment of high—and growing—expectations. So a security device that doesn't clear an even lower bar—by failing to provide payback as promised—is not likely to go over well with the senior team. And a security investment that doesn't actually deliver security or, worse, a security device that actually introduces security risk? Well, that seems like a career killer.

LP executives must ensure that connected security devices do not provide hackers a new way to enter the company network.

"You can't allow your security solution to become a threat vector," warned Gavin Bortles, president of Kepler Networks, a network engineering services provider. David Tyburski, chief information security officer for Wynn Resorts, echoed that view. "We can't be injecting risk—we are supposed to be about reducing risk," he said.

As for why it does happen, why at any given time you can monitor nearly a million private security cameras online, or why a recent multimillion-dollar security install at a massive theme park had IP addresses written right on the security cameras, there is blame to go around.

It's wrong to assume that manufacturers have made security systems secure just because they are security systems, according to a study by the Government Accountability Office (GAO) on vulnerabilities in federal facilities. It noted, "Cyber-security experts that we interviewed generally said that building and access-control systems are vulnerable to cyber attacks. One expert, for example, noted that control systems were not designed with cyber security in mind."

The US government has said connected devices pose "substantial safety and economic risks" and has called for immediate action to improve the security of Internet of Things (IoT) devices—but has proposed no specific penalties for manufacturers that fail to comply.

Bill Bozeman, president and CEO of PSA Network, an organization of 200-plus electronic security systems integrators, thinks manufacturers of security products need to do a better job of ensuring their safety. "They get a D in my book," he said in a recent conference address.

The security marketplace is crowded with vendors hoping to take advantage of a hot market, and not all of them do proper due diligence with respect to the security and safety of their products, warn experts.
Even product testing can't always offer the same safety assurance it used to, a representative from Underwriters Laboratories told LP Magazine, because today's software-driven products are dynamic and update functions and features on the fly.

Roger Johnston, PhD, founder and CEO of Right Brain Sekurity, a firm that conducts vulnerability assessments, believes that vulnerabilities—in the very security devices that are designed to offer a company protection—are more common than security and LP practitioners think. According to Johnston, engineers and manufacturers focus on simplifying user operation and the service of devices. These very conveniences, however, often make it simple to tamper with them.

Vendors aren't the only ones criticized for cutting corners. Integrators have also been in the hot seat for, among other things, calling a system install complete with default passwords still in place. Joe McDonald, chief security officer for Switch, an information technology and services firm, said "integrators have to do a better job" to ask clients about their password protocol and to not leave a project until it's secure.

The risk from

SEPTEMBER-OCTOBER 2017 | LOSSPREVENTIONMEDIA.COM
