Bringing IT and Physical Security Together

August 2016www.securitytoday.com

NETWORKING SECURITYTHE RISK PROFILEDoes your surveillance system fit the proper cyber profile?NS4

A Special Section to Security Products

Bringing IT and Physical Security Together

WHO IS THE NEXT GEN WORKER?New workers must be agile and be able to adapt quickly

NS8

FOCUS ON THE DOCUMENTCustomers should not have to worry about a possible data security risk

NS12See our ad

on page NS3

Discover the Power of PoEwith IN220 Locks

0816nws_NS01_v3.indd 1 7/5/16 2:12 PM

EDITORIAL STAFFEditor-in-Chief/Associate Publisher Ralph C. JensenSenior Editor Lindsay PageE-news Editor Brent Dirks

ART STAFFArt Director Dale Chinn

PRODUCTION STAFFProduction Coordinator Teresa Antonio

EDITORIAL ADVISORY BOARDDan Chmielewski, principal, Madison Alexander Public Relations; Irvine, Calif.Scott Sims, Buzzlogix; Dallas, Texas

SALESSam Baird +44 1883 715 697Randy Easton 904-261-5584Brian Rendine 972-687-6761

SECURITY, SAFETY, HEALTH & FACILITIES GROUPPresident & Group Publisher Kevin O’Grady Group Circulation Director Margaret PerryGroup Marketing Director Susan MayGroup Website Manager Scott NewhouseGroup Webinar Administrator Tammy RenneGroup Social Media Editor Matt Holden

Chief Executive Officer Rajeev Kapur

Chief Operating Officer Henry Allain

Chief Financial Officer Michael Rafter

Chief Technology Officer Erik A. Lindgren

Executive Vice President Michael J. Valenti

Executive Chairman Jeffrey S. Klein

REACHING THE STAFF Staff may be reached via email, telephone, fax or mail. A list of editors and contact information also is available online at www.securitytoday.com.E-mail: To e-mail any member of the staff, please use the following form: FirstinitialLastname@1105media.com

Dallas Office (weekdays, 8:30 a.m. – 5:30 p.m. CT) Telephone (972) 687-6700; Fax (972) 687-6799 14901 Quorum Dr., Suite 425, Dallas, TX 75254

Corporate Office (weekdays, 8:30 a.m. – 5:30 p.m. PT) Telephone (818) 814-5200; Fax (818) 734-1522 9201 Oakdale Avenue, Suite 101, Chatsworth, CA 91311

www.securitytoday.com August 2016 | Volume 10, No. 3

NS2 0 8 1 6 | N E T W O R K I N G S E C U R I T Y

Features

NETWORKING SECURITYBr i ng i ng I T a n d Ph ys i c a l S ecu r i t y T oge t he r

© Copyright 2016, all rights reserved. Networking Security is a supplement to Security Products, an 1105 Media Inc. publication, and is published four times a year: February, May, August, and November.

The information in this magazine has not undergone any formal testing by 1105 Media Inc. and is distributed without any warranty expressed or implied. Implementation or use of any information contained herein is the reader’s sole responsibility. While the information has been reviewed for accuracy, there is no guarantee that the same or similar results may be achieved in all environments. Technical inaccuracies may result from printing errors and/or new developments in the industry.

Networking Security welcomes vendor information and briefings. To arrange a briefing, please contact our editor-in-chief, Ralph C. Jensen, via email at rjensen@1105media.com. Our agreement to accept or review product material or backgrounders is not a guarantee of publication.

NS6 Awareness and TrainingHELLO INTERNET

Acknowledging the role of the end user in critical infrastructure security

By Trevor Hawthorn

NS4 Cyber SecurityTHE RISK PROFILEDoes your surveillance system fit the proper cyber profile?

By Ron Grinfeld

NS8 Security StaffWHO IS THE NEXT GEN WORKER?New workers must be agile and be able to adapt quickly

By Adam Jaques

NS12 Data SecurityFOCUS ON THE DOCUMENT

Customers should not have to worry about a possible data security risk

By Mia Papanicolaou

NS14 Cyber SecurityA PRACTICAL DEFENSEEnergy and electric utilities need realistic security resources

By Katherine Brocklehurst

0816nws_NS02_TOC_v2.indd 2 7/5/16 2:19 PM

Copyright © 2016, ASSA ABLOY, Inc. All rights reserved.

The Power of PoEIN220 Power over Ethernet Access Control Lock

The IN220 combines superior aesthetics with the energy efficiency and streamlined architecture ofPower-over-Ethernet (PoE) access control to:

• Maximize energy efficiency • Reduce the need for panels and traditional power supplies • Significantly decrease components and materials• Re-use a building’s structured cabling infrastructure• Provide online access control at a fraction of the cost

Leverage existing network infrastructure for enhanced security and easier, more cost-effective installations.

IntelligentOpenings.com/IN220

Available from ASSA ABLOY Group brands:CORBIN RUSSWIN | SARGENT

Go to http://sp.hotims.com and enter 202 for product information.

Untitled-4 1 3/30/16 11:51 AM

C Y B E R S E C U R I T Y

NS4 0 8 1 6 | N E T W O R K I N G S E C U R I T Y

s surveillance system technologies advance, so do the technologies employed by hackers. Increasingly sophisticated cyber criminals, whether working for criminal enterprises or for foreign governments, are developing not just better, but entirely different, ways

to enter and manipulate or undercut the protection of surveil-lance systems.

What are some of these emerging threats and how can you protect against them?

New Kinds of ThreatsExtortion hacks break into sensitive company or customer data and threaten to release it unless the victim pays a ransom. This increasingly popular threat is different than merely encrypting or locking access to the data until a ransom is paid.

Last year there were two known such cases of extortion, the

first was an attack on the AshleyMadison.com site. The result-ing data dump cost the CEO his job, and it exposed millions of would-be marital cheaters. A second case involved the hacking of InvestBank in the United Arab Emirates and the exposure of customer account information.

Data sabotage will, in all likelihood, be more difficult to detect than simple theft. Since very slight data alterations could result in enormous changes, hackers to the financial and stock-trading systems could create havoc to—and take advantage of—the ma-nipulated rise and fall of stock prices.

A potentially devastating type of data sabotage could result from the insertion of or alteration of code to a country’s weapon systems to change how they operate.

Another threat will come about as the Internet of Things (IoT) spreads to many appliances and other devices. How will anyone be sure their toaster isn’t part of a menacing bot army?

THE RISK PROFILEDoes your surveillance system fit the proper cyber profile?By Ron Grinfeld

Alexander Supertramp/Shutterstock.com

0816nws_NS04_05_Grinfeld_v2.indd 4 6/29/16 3:26 PM

W W W . S E C U R I T Y T O D A Y . C O M NS5

How can we ensure that our connected car won’t be susceptible to hacking? How about life-saving medical devices? Or so-phisticated hackers who install back doors to enable access a system whenever the hackers want?

It’s become clear that the likelihood of cyber attacks isn’t a question of “if,” but rather a question of “when.” Now is the time to examine your own surveillance system to identify the inherent weaknesses and cyber vulnerabilities within it, and then develop a strategy to take action and mitigate your risk to exposure and loss.

The Challenges of Advanced TechnologySurveillance VMS make up one of the key elements of today’s security systems, whether monitoring a small private com-pany or a sprawling enterprise. Though the ability to monitor and control loca-tions has never been more important, many systems are migrating from analog to an IP-based or cloud-managed system for the promise of better image resolu-tion, remote access and monitoring, and accompanying analytic software packages.

Unfortunately, better technology may also represent a greater exposure to cy-ber attacks, as such systems can offer a number of easily accessible entry points for hackers that could compromise entire systems. Just last year there were several notable cyber attacks on both government and private organizations.• The Office of Personnel Management

was hacked and the addresses, health and financial information of 19.7 mil-lion people who had undergone back-ground checks was stolen;

• The well-publicized breach of the Ash-ley Madison site last summer resulted in the theft of personal information and credit card information on more than 11 million users;

• Last fall, it was learned that healthcare insurance company Anthem had been hacked by the Chinese, who were seek-ing to learn how medical coverage in the United States is managed.

3 Questions to Ask YourselfIn order to ensure that your organization’s

security is up to today’s cyber warfare chal-lenges, ask yourself these three questions.

Is cyber defense a priority? As physical security systems continue to merge with the world of IP, it is helpful to start by declaring that cybersecurity is truly a pri-ority for the organization. Cyber attacks continue to grow in both range and sever-ity, and from all accounts it appears they will continue to do so. In today’s world, to not declare that cyber defense is a priority is, in effect, inviting attack. And sooner or later, it will come.

Has my installer or integrator “hard-ened” my system? To harden a system against intrusion means to heighten its security by reducing the number of poten-tial breach points that could be exploited by hackers. Some installers and integra-tors are cutting prices in order to remain “competitive,” but if they don’t reduce the number of potential breach points, they are doing you no favors.

Today’s systems are increasingly so-phisticated and require a high level of IT experience and knowledge in order to implement them effectively. Also, make sure your system manufacturer didn’t cut any corners by failing to run a full range of testing to determine all software and hardware vulnerabilities of their products.

Are my users a weak link in my security chain? Your own users can become enablers to cyber hacking through the use of weak or default passwords, or through requesting unnecessary remote access privileges to the network. Rest assured that hackers will find the weak links in your security chain, so it’s important to demand that all users accept cyber security as the priority that it is.

6 Steps to Developing a Strategy to Mitigate RiskEveryone in both government and indus-try agrees that cyber threats are one of the nation’s gravest threats. Mitigating those threats has attracted both media attention and budget dollars to the tune of $90 bil-lion or more. Yet the threat continues, not just for small companies, but also for Sony, the State Department, and healthcare com-panies like CareFirst. The truth is that there is no silver bullet that will eliminate all risk, and it takes a concerted effort to develop a strategy that will mitigate the risk.

Here are six steps that can point you in the direction of developing an effec-tive strategy to mitigate the risk to your organization.• Realize that your organization has cy-

ber risks. Hackers hack for as many reasons as there are types of victims of hacking: including healthcare compa-nies, credit card companies, manufac-turers, and government agencies. The list goes on. Don’t be surprised if your organization is hacked one day.

• Determine your biggest risks. You’re not going to prevent every single at-tack, so a good place to start is by de-termining your most valuable assets: what systems are the most valuable, what information is most sensitive. Tap your key managers to conduct a discovery process across the organiza-tion.

• Put together a cyber risk leadership team. Good governance requires lead-ership and effective decision-making. Don’t wait until the first attack before assembling your team.

• Involve your entire organization. As noted earlier, any user who doesn’t un-derstand that cyber security is a prior-ity may inadvertently assist the hackers trying to gain admittance to your sys-tems. Get everyone on board.

• Don’t protect only the perimeter. Bud-gets today are still skewed towards perimeter-protecting tools like firewalls and anti-virus programs, but it’s impor-tant to have a plan of action for when those perimeters are breached.

• Practice dry run responses. Don’t let your first attack be a real one. Practice a response ahead of time. It may mean the difference between a contained in-cident and a disastrous loss.A mitigation strategy is also important

as a tool to help the organization better distinguish between a threat and a genuine loss. Experiencing a breach but contain-ing the damage may, in that case, be considered a success, and help pro-tect the company’s bot-tom line.

Ron Grinfeld is the di-rector of global vertical marketing at FLIR.

0816nws_NS04_05_Grinfeld_v2.indd 5 6/29/16 3:26 PM

A W A R E N E S S A N D T R A I N I N G

NS6 0 8 1 6 | N E T W O R K I N G S E C U R I T Y

n 1999, I moved out of my parents’ house in California to take a job with an Inter-net company in Virginia. The move was a big deal—as was the job. The company I was

crossing the country to work for was spe-cial because (at the time) it moved 80 per-cent of the world’s Internet traffic.

It was like an information highway rail-road, a railroad that I helped to build and defend. It’s an infrastructure that is still in place today. In fact, text you read ev-ery day in an Internet browser was likely transferred via the fiber-optic “halls” of that old network.

It Started HereThe company I’m referring to is UUNET Technologies. Now a part of Verizon En-terprise, it followed an acquisition path that included telecom giants like World-Com, MCI WorldCom, MCI, and Verizon Business. Despite the fact that UUNET as a brand has not officially existed since 2001, mentioning its name to InfoSec pro-fessionals with wisps of gray in their hair and/or beards usually draws something akin to, “Ah, yes UUNET, AS701. I re-member them.”

During its formative years, UUNET was one of the most critical parts of the In-ternet’s infrastructure. UUNET boasted a number of prestigious customers, including many of the largest financial institutions, the NASDAQ, and other domestic and foreign exchanges. In these early days of commercial Internet usage, there were also connections to the federal government. Pre-9/11, a colleague and I would train agents with the National Infrastructure Protec-tion Center (NIPC) about DDoS attacks at the FBI Academy at Quantico, VA. This experience gave me a good appreciation for critical infrastructure.

In relatively short order, Internet access

has become the red thread of daily busi-ness operations across all markets. As in the enterprise, the various sectors within the critical infrastructure space rely on ef-ficient, reliable connectivity. And like the enterprise, organizations in these sectors have recognized the importance of cyber security, and they have made great strides in safeguarding their infrastructures. But challenges remain.

One of the prime issues any organiza-tion will face with regard to security is up-time. This can be of particular concern for critical infrastructure sectors like energy, water, and emergency services. For one, se-curing network-enabled devices that can’t be swapped out or upgraded (because they are doing something important like regu-lating water flow, power levels, etc.) is far from trivial. One approach that we’ve seen

in use within these industries is to place something between SCADA devices and IP networks. In some cases this is middle-ware. In other cases it is an air gap.

From an attacker’s standpoint, there is little advantage to attempting to infil-trate embedded devices that may be out of reach, slow, underpowered, or running software that is difficult to understand. Rather than crafting an exotic exploit for a hard-to-reach device, attackers prefer to target low-hanging fruit. More and more, they are turning to a low-cost, high-return method: Social engineering, but more specifically, phishing.

Social Engineering and Critical Infrastructure: An Elevated ThreatPhishing is a problem for everyone from

HELLO INTERNETAcknowledging the role of the end user in critical infrastructure securityBy Trevor Hawthorn

wk1003m

ike/Shutterstock.com

0816nws_NS06_07_Hawthorn_v3.indd 6 6/29/16 3:28 PM

W W W . S E C U R I T Y T O D A Y . C O M NS7

consumers to businesses to governments. But critical infrastructure is unique in that an attacker’s ultimate goal doesn’t always end when he completes a large transfer of cash, withdraws product designs, steals in-tellectual property, or downloads a data-base full of credit card numbers. Many in the security industry believe that the lon-ger-term objective in critical infrastructure intrusions is for the attacker to get into the position to cause damage or disruption upon request.

The early stages of a critical infrastruc-ture attack are no doubt similar to other targeted cyber attacks. First, a desire to find out how the network is laid out, the gaps that have been implemented between IP networks and controller devices, the makes and models of the gear being used, etc. Then the attacker will need to figure out how to persist access back into the network by stealing credentials, installing a remote access tool or other back door, or another method.

As cyber criminals get ready to execute their attacks, social engineering is likely to take center stage. Rather than digging deep to find pieces of information that are needed to successfully infiltrate the network, they will take advantage of the broadest attack surface available: an orga-nization’s end users. Each connected user represents a potential penetration point, which means one thing: lots of opportuni-ties for success.

In targeted attack scenarios, we’ve seen any variety of social engineering techniques used, as well as multiple meth-ods combined together to improve chanc-es of success. We’ve mentioned phishing, but other social engineering attacks often precede email contact. An organization might experience a series of unsolicited vishing calls, with individuals attempt-ing to get information (about equipment, people or places) over the phone. Em-ployees might be approached via social media and asked to participate in an in-dustry survey or encouraged to download an application or video. Or an attacker might visit a physical location posing as a delivery person, service provider, or even an employee in order to get an inside view of operations.

In many cases, the bits of information gained in these early quests are put to use to make follow-up phishing messages more believable. And, again, a multifaceted at-tack is not unusual. An attacker might first send an organization- or department-wide email that phishes for login credentials of an internal system. While response teams are dealing with that, a more sophisticated spear phishing or whaling attack could be launched, with targeted emails requesting special access, reconfiguration of a con-troller, or even changes to the network to gain access to a specific device.

In these sophisticated attacks, cyber criminals generally create contingency plans. They know that the longer they dwell within the network, the higher the likeli-hood that they will be detected and evicted. Because they know they may have to re-establish access at some point, they identify multiple inroads before they begin.

So, how is any of this more threaten-ing for critical infrastructure sectors than for enterprise organizations? It’s relatively simple: The impact and reach of a mali-cious event within a critical infrastruc-ture organization has the potential to be massive. As such, these sectors are being increasingly targeted by cyber criminals, particularly in “hackers for hire” scenarios that involve nation-state attacks.

Elevate Your Security Awareness Training to Match the ThreatWith all the day-to-day activities within the critical infrastructure space, it can be daunting to think about adding a pro-gram that, on the surface, is something that takes end users away from doing their jobs. But this is really the wrong mindset and one that will not help improve security postures. Security awareness and training exercises simply must become more valued within the critical infrastructure space. Technical safeguards will only go so far. End users have to know how to identify and respond to social engineering attacks and other threats that present themselves. Knowing how to do that should be con-sidered part of the job, not superfluous to the job.

A good example of how to do this

can be seen with one of our energy cus-tomers, who runs their security awareness and training program like they run their worker safety program. The same job safety approach they take to keeping peo-ple from getting electrocuted, falling off of ladders, or tripping over power cords is used in their cyber security education program. In addition to using simulated phishing attacks and follow-up training, they communicate the sobering message that a breach of their security could result in real-world impacts. The kinetic effects of power outages, explosions, and other implications would have an impact that would reach far beyond a simple website defacement (remember those days?).

The fact is much of improving secu-rity is about mindset. One of our utility customers emphasized the importance of a top-down approach in a recent case study. In their organization, high-level ex-ecutives are not only vocal advocates of the security awareness and training pro-gram, they are participants. The train-ing manager includes simulated whaling attacks and spear phishing attacks into her assessment schedule, and ongoing training and reinforcement exercises keep best practices top-of-mind across the or-ganization. A 67 percent reduction in vul-nerability to phishing attacks is just one of the benefits this critical infrastructure organization has realized during the past two years.

Bottom line: If you are in critical in-frastructure, you need to ensure that your users apply safety measures when using their computers just as they would up on the pole, down in the manhole, or during any other interaction with mission-critical equipment and systems. You wouldn’t minimize the impact of a breach, so don’t minimize the impact of breach-preven-tion measures. By elevating cyber secu-rity education, you will elevate awareness, change behaviors and reduce risk.

Trevor Hawthorn is the CTO of Wombat Securi-ty Technologies, a SaaS-based security awareness and training company.

0816nws_NS06_07_Hawthorn_v3.indd 7 6/29/16 3:28 PM

S E C U R I T Y S T A F F

NS8 0 8 1 6 | N E T W O R K I N G S E C U R I T Y

WHO IS THE NEXT GEN WORKER?New workers must be agile and be able to adapt quicklyBy Adam Jaques

oday’s workplace is far different from 15, five, even two years ago. Employees are expected to get more done, in a shorter amount of time, with more distractions than ever before. In today’s business environment, workers are inundated with a con-stant barrage of emails, calls, video conferencing

requests and group chats. As such, employees are expected to un-derstand all different types of technologies, devices, applications and platforms.

As the workplace has evolved, so have the employees that sup-port it. This new breed of employee is what we like to call the “the next generation of workers.” The next-gen worker needs to be agile and adapt more quickly to different types of tools and de-vices, which means successful employers are those that prioritize

seamless tools, training, integration and connectivity for this new workforce. As one can imagine, this can lead to some interesting security challenges and even more creative solutions.

Who Exactly is the Next-gen Worker?Unlike previous generations, this new class of workers are tech-savvy digital-natives that are increasingly on the go and always connected. Having grown up with a constant stream of techno-logical innovations, they know exactly what they do and don’t like in tech. This new labor force is quick to decide what type of technology works best for them, whether they’re at work, home or somewhere in between. Although these next-gen workers are fast to decide what type of tech they prefer, employees lack an in-depth understanding of the security vulnerabilities that each

Ollyy/Shutterstock.com

0816nws_NS08_10_Jaques_v3.indd 8 7/5/16 2:14 PM

NOW YOU’LL KNOW.

Quantum Secure’s SAFE software suite streamlines and automates secure

identity management, compliance and operational analytics across multiple

sites and systems in a single, fully interoperable platform—allowing you real

time visibility into your entire security infrastructure. Already the leader in

physical identity and access management software, we are now partnered

with HID Global, meaning your investment in best-in-class technology

can be made with confidence. Find out how to lower your risk profile and

operational costs by visiting quantumsecure.com/know.

NOW YOU’LL KNOW.quantumsecure.com/know

Go to http://sp.hotims.com and enter 204 for product information.

Untitled-2 1Untitled-2 1 7/6/16 11:28 AM7/6/16 11:28 AM

NS10 0 8 1 6 | N E T W O R K I N G S E C U R I T Y

and every device and application presents.As employers begin to embrace trends

like the virtual office, the next generation of workers are no longer chained to their desk and able to work from home, on the plane or half way around the world. Ac-cording to the Bureau of Labor Statistics, 23 percent of employees reported doing some of their work remotely in 2015, up from 19 percent in 2003 – and that number only continues to grow.  These employees no longer subscribe to the notion that be-ing in the office from 9 to 5 every day is necessary or produces a better quality of work. With more employees working from home and on-the-go, the next-generation workforce needs reliable and secure access to the network and corporate resources from any location.

Connect from Anything…Along with the uptick in folks working re-motely, employees now rely on their own devices, like laptops, mobile phones and tablets, to do much of their work. As such, the “bring your own device” (BYOD) movement has become the norm with 60 percent of companies already implement-ing a BYOD policy in 2016, according to recent reports, with estimates from Gart-ner suggesting that half of all employees will be using their own devices by 2017. Trends like BYOD support the demands of next gen workers, enabling them to re-duce the overall number of devices they use and also allow them to choose the devices that will make them happiest and most productive. They can use their own devices to check work email, download documents and access the corporate VPN and SaaS applications. Employees also regularly switch from iOS to Windows operating systems and need the ability to easily alternate between the two.

…To AnythingThese days, the next-generation workforce relies more heavily on cloud-based appli-cations, for their ease of use and consis-tency across devices. In addition to the VPN, enterprise workers need fast and secure access to regularly used cloud ap-plications like Office 365 and other non-Microsoft services such as Salesforce and Dropbox. Workers want to enjoy and le-verage the apps that they know and love,

all while integrating with the traditional apps that IT provides. Even with these cloud applications, it’s important for en-terprise IT to implement strong network access control (NAC) policies, which al-low the right user with the right device permission to get on the network. This is not typically considered for cloud based applications, but is just as relevant as it is for datacenter access.

If done well, your employees shouldn’t even be able to tell the difference. Addi-tionally, a wide variety of apps that work-ers use in their personal lives now have a utility for work, Evernote, being a great example. Applications like this let indi-viduals and teams share and collaborate on content from anywhere, on any device.

As workers take advantage of cloud-based applications and platforms, they will also need access to their organization’s corporate data centers. Many businesses continue to employ some legacy IT archi-tectures, and employees continue to need to access these systems quickly and effi-ciently. Workers need to seamlessly access important data, media and documents, re-gardless of whether it’s on premise, in the cloud or a hybrid environment.

Keep it Secure Don’t leave security up to the workers. In the past, a lot of IT departments sanc-tioned uses for personal devices in the workplace but put the onus on the user to keep the device secure and current with all of the necessary updates. But it should ac-tually be the employer’s responsibility to provide workers with safe and secure ac-cess to the cloud, the corporate data center and various applications.

Also, organizations should educate workers on the various security policies, procedures and products that have been put in place to protect employees and cor-porate data. Typically, organizations will deploy corporate workspace solutions to user’s devices which will ensure a level of IT control without impeding a worker’s privacy. Rolling reminders and training should also be put in place to keep infor-mation security top of mind for new and existing staff.

Keep it SimpleIn addition to providing your employees

with secure access, it’s imperative to make things easy for this new breed of work-ers. Across all devices and applications, workers today want fast and intuitive ac-cess. Employees simply don’t have time to download separate applications and set up complicated logins. They demand uninter-rupted, intuitive and secure access.

The minute things get too complicated is the minute you risk having an employee take a shortcut and jeopardize the security of their device and potentially the entire company’s infrastructure. Historically, things like passwords have been a huge pain point for employees. These days, au-thentication to devices should be some-thing simple and local like a fingerprint. Identity is quickly becoming the new password and can lead to a better user ex-perience for employees. Other small steps like single sign-on for laptops with device identity and device compliance will allow workers to quickly access their devices in the most secure way possible.

What’s in it for You?Why take these extra steps to ensure secure access for your workers? Simple offerings like seamless VPN connectivity create a more productive workforce, ensuring that employees aren’t wasting valuable time unsuccessfully trying to connect to the network. Additionally, sophisticated BYOD policies improve employee satis-faction, enabling workers to feel secure, all while knowing their privacy is respected. Workers are able to balance the ability to use the device of their choosing with the security necessary to keep corporate assets safe and worker’s data private.

Taking the time to better understand next generation of workers and their needs is vital to ensuring the security and productivity of today’s businesses. The modern enterprise worker needs access to corporate resources, from any location and any device. And employers must give their workers the ability to access these or lose employees to other companies that will.

Adam Jaques is the se-nior director of corpo-rate Marketing at Pulse Secure.

0816nws_NS08_10_Jaques_v3.indd 10 7/5/16 2:14 PM

The Speco Connect O2C1 is the perfect camera for residential and small businesses. It features: 1080p video, IR LEDs, a wide angle lens, built-in microphone and speaker, and a magnetic base. Unlike other residential WiFi cameras on the market, the O2C1 can record to an NVR or hybrid unit, eliminating the need for recurring storage fees!

Features O2C1 Other

H.265 Compression xExternal Storage

x

EZ Setup x

Go to http://sp.hotims.com and enter 205 for product information.

Untitled-1 1Untitled-1 1 7/5/16 11:25 AM7/5/16 11:25 AM

NS12 0 8 1 6 | N E T W O R K I N G S E C U R I T Y

espite years of breaking news stories on security breaches and the resulting reputational damage, many businesses are still under protected when it comes to data security. With 2016 promising to surpass 2015 in both number of data breaches and records exposed (4.3 million records so far), it’s vi-tal that organizations address the technology and

process gaps that may put customer data at risk. Digital transformation is accelerating and as information

becomes far more accessible and valuable, data security needs to be a top priority and not only within the IT department. Ac-

cording to a February 2016 report published by IBM, “Finan-cial losses, reputational damage, national security concerns, to name a few, characterize some of the core risks the C-suite is taking serious notice of. Historically considered a technical is-sue within the domain of the IT department, security is now a central topic within operations, across the C-suite and elevated at the board level.”

As data security receives the right level of attention, companies all over the globe continue to adopt digital communication technol-ogies as a means to engage with customers. Part of the engagement transformation includes digital access to customer documents.

FOCUS ON THE DOCUMENTCustomers should not have to worry about a possible data security riskBy Mia Papanicolaou

megainarm

y/Shutterstock.com

D A T A S E C U R I T Y

0816nws_NS12_13_Papanicolaou_v4.indd 12 7/5/16 2:18 PM

W W W . S E C U R I T Y T O D A Y . C O M NS13

So, what is driving this digital transformation? Businesses need digital communication technologies to ad-

dress customers’ demands for instant access to documents, wher-ever they are, whenever they need them. These technologies also offer a more cost-effective and efficient way to communicate, enabling companies to provide the information that customers want, when they want it; much faster and cheaper than print-ing and mailing. Digital correspondence offers opportunities to interactively engage with customers via the channel that the cus-tomer prefer—email, web portal or mobile app.

However, providing ‘anytime, anywhere’ access to customer documents, carries inherent data security risks. According to another IBM report: “Forty-seven percent of incidents involve a malicious or criminal attack, 25 percent concern a negligent em-ployee or contractor (human factor), and 29 percent involve sys-tem glitches that include both IT and business process failures.”

To mitigate the risk of unauthorized access to your customer documents, a business must address all of the above threats by safeguarding the document itself from any type of breach inci-dent, be it a malicious attack, a human error or a process failure.

Documents Stored in a RepositoryOne of the most vulnerable points in a document’s lifecycle is when it is stored alongside millions of other customer documents also containing information that is valuable to a criminal. A document repository containing identity information, financial accounts, even healthcare information, is a tempting target for hackers.

Despite the risks, an organization is compelled to make these documents available to all customer service channels (email, web, mobile apps), and to do so, must store documents in a secure, yet accessible vault.

One or two layers of protection in today’s digital world are simply not enough—having multiple layers of security is criti-cal. A document management solution must provide protection beyond network and database level security, so that even if the document itself gets compromised, the data contained therein is safe.

Documents Traveling Via the InternetConfidential documents travel via the Internet all the time, but should never be transferred “in the clear.” Although a single doc-ument sent by email or downloaded from a web portal is not as attractive a target for criminals as a repository, documents should always be encrypted and password protected while in transit.

This not only protects the contents from an attack, but also mitigates a human or system error in which a confidential docu-ment is sent to the wrong recipient.

Documents Saved on a Customer’s Own ComputerLikewise, providing only encrypted and protected documents will assist consumers with safeguarding their information when it resides on their own devices. An emailed document gets saved automatically on different devices and would be vulnerable if the device was hacked, unless saved in its protect-ed format.

The good news is that there are new and in-novative solutions in the marketplace that can help companies to better fortify their customer documents.

Mia Papanicolaou is the COO for Striata, Inc.

Ad IndexAdvertiser ........................................... Circle # ...........Page .........URL

ASSA ABLOY ................................................ 202 ...................... NS3 ..............www.assaabloy.com

Quantum Secure ........................................... 204 ...................... NS9 ..............www.quantumsecure.com

Speco Technologies ...................................... 205 ...................... NS11 ............www.specotech.com

Minuteman UPS ............................................ 203 ...................... NS15 ............www.minutemanups.com

DSX Access Systems, Inc. ............................ 201 ...................... NS16 ............www.dsxinc.com

0816nws_NS12_13_Papanicolaou_v4.indd 13 7/5/16 2:14 PM

C Y B E R S E C U R I T Y

NS14 0 8 1 6 | N E T W O R K I N G S E C U R I T Y

A PRACTICAL DEFENSEEnergy and electric utilities need realistic security resourcesBy Katherine Brocklehurst

resilient electric power grid is critical to a wide range of essential services and is a highly complex mosaic of technologies. These electrical power grids are ex-tremely complex and effectively defend against ex-ternal cyber threats, malicious insiders and human

error from employees or contractors.General Keith Alexander, former director of the National

Security Agency, has cited that 41 percent of cyber attacks are targeting energy enterprises, including oil and gas. Even though cyber attacks targeting power grids are on the rise, cyber security is rarely a top priority for these organizations. This is not to say that energy organizations are unaware of increasing cyber securi-ty risks; they are. However, these organizations are built on aging and fragile infrastructures that contain many vulnerable points. There is a perception by energy organizations that addressing cy-ber security concerns will come at the expense of their primary mission: the reliable and safe delivery of energy service.

What if there were a cost-effective way to improve cyber security while improving reliability, availability and safety for the industry?

Why is Industrial Automation Cyber Security so Hard?Legacy and equipment age. In 2016, the American Society of Civil Engineers (ASCE) determined that the U.S. electric energy infrastructure is a patchwork of equipment that has widely dif-fering ages and capabilities. Nationally, more than 70 percent of transmission lines and power transformers are 25 years or older. Many devices cannot withstand heavy traffic or unexpected func-tion codes, and can’t manage the complex password hygiene re-quired by cyber security best practices. In spite of these problems, the systems may be performing beautifully, therefore, “rip and replace” is not an option from an ICS Operations perspective.

Vulnerable industrial protocols. TCP/IP is widely used on busi-ness networks and vulnerabilities in this protocol and has been used effectively for years by outside attackers. Using specially-constructed protocol frames designed to take normal protocol communications off track, attacks such as Denial of Service (DoS) or Distributed Denial of Service (DDoS) and Man-in-the-Middle (MiTM) have created havoc within many industries. Protocol weaknesses exist in many industrial protocols, including Modbus, OPC, EtherNet/IP, DNP3, and IEC-60870-5-104.

In many cases, the relative obscurity of these protocols has provided energy organizations a false sense of security. In fact, details about these protocols and their vulnerabilities are publicly available.

Industrial connectivity. New Industrial Internet of Things (IIoT) devices provide a whole new range of potential cyber se-curity attack points, and many operations professionals are sur-

prised to learn that their ICS/SCADA devices are connected to the Internet and potentially vulnerable. Further, many business models within industrial critical infrastructure require connectiv-ity with suppliers, vendors, and partners who may pass on vulner-abilities or viruses from their own insecure infrastructure.

Lack of network segmentation. Energy and electric utility or-ganizations often run portions of their networks with a “flat” ar-chitecture. This often means that key assets for both corporate IT and ICS Operations organizations are shared across a common LAN. This network architecture allows attackers to quickly move throughout the organization regardless of where they start, put-ting both industrial assets and corporate resources at risk. Indus-trial standards, such as ANSI/ISA-62443-3-2, require network segmentation that creates smaller and controllable secure zones, and secure conduits between them.

Skills shortage. Although ICS organizations realize that cyber security risks are rising, often the teams that operate the equip-ment are not cyber security experts. These teams usually don’t know how to mitigate these risks without affecting reliability and availability of their systems and services.

IT Security Solutions Aren’t Designed for Industrial RequirementsMany IT cyber security solutions aren’t suited to the unique needs of industrial automation networks and have risk charac-teristics that make them unacceptable to industrial control en-vironments. Energy and electric utilities need to take immediate steps to reduce risk and increase power grid resilience given all the points of vulnerability and lack of adequate cyber security. Tofino Security is the first appliance specifically designed to pro-tect industrial control systems and critical infrastructure, while addressing all of the challenges previously listed. It’s easy for ICS operations to install and requires no pre-configuration, network changes, or downtime and disruption to operations.

Tofino Xenon for Energy is available for order and supports two of the most widely utilized protocols within energy and electric utilities: the Distributed Network Protocol (DNP3) and its international twin, IEC-60870-5-104. The appliance also enforces security for other common industrial protocols, such as Modbus, EtherNet/IP, and OPC. Energy and electric utilities need low-cost, effective industrial cy-ber security solutions like Tofino Xenon for Energy to increase power grid resilience to cyber attacks.

Katherine Brocklehurst is the director of seg-ment line marketing in the industrial cyber security division at Beldon.

0816nws_NS14_Brocklehurst_v4.indd 14 7/5/16 2:15 PM

this is BIG

Minuteman Endeavor 5-10kVA Online UPS

Learn more about Endeavor 5-10 at minutemanups.com

Your new go-to for mission-critical backup is here. Minuteman’s Endeavor Series UPSs have long been a favorite thanks to their unbeatable combination of features and price. The newest addition to the line, the 5-10kVA Series, takes Endeavor’s value to a whole new range of large applications.Multiple accessories are available, and all are contained in single, easy to order bundled part numbers. These

include 120V isolation stepdown transformers, maintenance transfer bypass switches, and automatically switching parallel installation capability to ensure the proper solution for your appli-cation, no matter how difficult the requirements may be.Minuteman value: now available from 400VA to 160kVA.

Unmatched VersatilityEndeavor 5-10kVA is available in 24 base configura-tions, in 5, 6, 8, and 10kVA capacities. Endeavor can also be installed in parallel up to 20kVA, switching automatically for capacity or N+1 redundancy, making it our most advanced and user friendly online UPS to date.

Stay up-to-date with the informative front panel display

True sine wave output replicates utility power for sensitive equipment

Configurations from 5 to 20kVA in 120/208/240V ensure an ideal solution for any application

Add hours of runtime by utilizing multiple external battery packs

Data Center servers and network systems

Large-scale telecommunications Enterprise-level security and camera systems

Ideal backup for:

Your Partner in Power Protection800.238.7272 | minutemanups.com | sizemyups.comPara Systems, Inc. | 1455 LeMay Dr. Carrollton, TX 75007

LCD Status DisplayTake the guesswork out of UPS & power status monitoring with the Endeavor’s new LCD display, including unit status indicators, load & battery meters, power status, runtime, error codes, & more!

Go to http://sp.hotims.com and enter 203 for product information.

Untitled-1 1 6/29/16 12:29 PM

10731 Rockwall Road | Dallas, TX USA 75238-1219| | sales@dsxinc.com

www.dsxinc.com

CREATING THE FUTUREOF SECURITY . . . TODAY

Go to http://sp.hotims.com and enter 201 for product information.

Untitled-10 1Untitled-10 1 1/2/13 4:21 PM1/2/13 4:21 PM