Your Risk Tolerance and Current Security Profile Probably Stinks
DNA Security Services provides video security, access control, alarm monitoring, managed IT services, corporate mobile device management, digital forensics, mobile device forensics, investigations, security consulting and cyber solutions for small businesses.
In today’s business climate protecting your company is not just about alarm monitoring and a half-baked video security system in each location. Insider threats, digital threats, external theft, day to day problems/emergencies, fraud, workplace accidents and workplace violence are all problems that need to be planned for and addressed. Proper security frameworks, processes, and hardware need to be put into place to help in preventing, mitigating, logging, and investigating cases as they pop up. Relying on management and ill-equipped security vendors to be over-watch is not ideal. When companies are producing at the highest levels management tends to overlook security frameworks - processes and become reactionary. Ill-equipped security vendors have no vested interest in truly solving day to day issues. Their services are recurring revenue driven. There is generally no concern for frameworks or processes. Its all about selling hardware and collecting monthly services.
DNA Security provides security solutions that lend companies an opportunity to an ecosystem that covers all of the potential threats a corporation might encounter.
Companies believe that acquiring a (1) alarm system, (2) access control system and a (3) video security system will be the end of their punch list regarding security. When in fact it should only be seen as the beginning stages of securing the facility. The desired outcome with these investments is ongoing and so are the processes needed to stay in front of any threat to the bottom line.
The process and frameworks must drive the human element, The human element cannot drive the process and framework. The human element eventually fails the systems.
Secondarily companies need to be aware of the technology they are bringing into the building and how to protect the other systems and devices around these devices. We participated in a program with the NSA and found that 98% of the security technology the program tested was found to have chipsets manufactured in China. You could also say that the number would also hold true with most of the electronics in America.
Not to be political or a pessimist but I’m going to give a quick opinion based on my 25 years as a security consultant dealing with imported technology. I’ve also had several conversations with people who actively deal with China as an insider threat. Simply put. We are behind the curve with manufacturing, insider threat and espionage. We have become too dependent on China. So much so, our national security is fatally flawed.
This in my findings, is the number one detrimental threat to our business infrastructure, critical infrastructure, and to every home in the United States that has any form of technology that is connected to WIFI or hardwired into a network switch. Just about everything has a backdoor and is capable of being compromised. Xi Jinping President of the People's Republic of China says, “a nation that does not manufacturer its own chipsets and network switches is like a nation without an army.” Scary, but I have found this to be a true statement.
So, what is the solution you ask? There is no “one” fix but there are several counter surveillance measures that can be taken. I will list the measures in regard to our services offered below.
1. video security – almost every system and camera are sourced from China.
Solutions: a. Use a separate internet connection for remote viewing.
b. local viewing stations equipped with HDMI extenders. To eliminate network connections.
c. You can potentially create a zero trust VLAN for internal and external connections.
d. Do not connect to your network.
Any of these solutions would help further secure any outside threat within your CCTV equipment. ***Remember to also change all of the default passwords and ports used for remote connectivity. Convenience, aesthetics, and being fully secured never align. Some of those convenience features people love may just be an open pathway for the bad actors.
2. access control – The same measures for video security would apply to the access control scenario as well.
3. alarm – Alarm systems can be defeated in a simple manner. RF signals can be intercepted and recorded with devices purchased on amazon for under $200. War driving kits are used to steal signals for gates, garages, door contacts, Wi-Fi signals, car alarm key fobs etc.
a. A fully hardwired alarm system with cellular communications.
b. If a wireless device is absolutely necessary make sure the device signaling is encrypted.
4. network devices, IT, cyber – Most small to midmarket businesses use their local phone and internet providers hardware for internet service with no firewalls or local protections. This is a dangerous game to play. Malware, spyware, phishing scams, loaded emails, and ransomware all are viable threats to any business. Independent WIFI and access points are also not covered under these potential threats and breaches. Our ethical hacking department has successfully attacked and shut down WIFI devices during penetration testing in our facility.
a. Firewall hardware that eliminates contact to or from nation states notorious for cyber-attacks.
B. Devices with WPA3 capabilities.
C. Device redundancy. Layers.
D. Sticky ports.
E. Zero Trust VLAN per department.
F. Educating employees and management on the latest threats.
G. A true framework and protocol for cyber protections. A security profile.
5. corporate mobile device management – Bring your own device policies are economical but they are not secure. They are as safe as the individual’s device. This can also become problematic when an employee is terminated or released. Sensitive information, images and client contact information leaves with the employee. From a privacy perspective, the information on the device is owned by the owner of the device. This is a huge liability. Device and information seizure is almost impossible to perform if the device is not owned by the company.
Solutions: a. Mobile device management and device dispersal allows companies to create security protocols that would protect the devices from external security breaches. It would also disallow for passcodes and passwords to be changed within devices by the employee. This allows the employer to seize the phone and maintain all images, location services, texts messages, voicemails, and other data in the device. This data would also be automatically backed up on the cloud for retrieval if the device should be destroyed.
As you can see in today’s business climate many of these silos are interconnected and they should be handled in that manner. Selecting a provider that can handle all of these areas can be a task. It is vital to make sure all of these pieces are covered to have optimal protections in place. If you have any questions and are looking to review your current security profile please reach out to me at 469-275-9660 or firstname.lastname@example.org.
Ian S. Mason
DNA Security Services #C16265
DSMO, Privacy Analyst, Investigator, Security Consultant
469-275-9660 Dallas Office