I Hacked Your Network: Assessing Risks and Applying Standards

Transcription

Steve Surfaro
Axis Communications
www.axis.com
Perspective.

If you had one choice for security… REACTIVE? PROACTIVE?
Typical unanimous reply by N.A. Public Safety and Security
Typical unanimous reply by N.A. Campus Safety and Security
Physical and Cyber Security are related
• Intel from physical site vulnerabilities
• Exploits from within!
Top Ten.

Top Trends in Physical and Cyber Security
Trend: Process, Examples
• Edge Devices: In-Camera Recording, PACS
• Video Content Analysis: Abnormal Detection, Synopsis
• Device Authentication: Security at Edge Devices
• Video Verification: Event Clips, Video with PERS
• Cloud Computing: Managed Services
• Efficient Video Compression: h.264, sophisticated encoding
• Low Light Imaging: Real Time Image Processing, Thermal Imaging, IR LED
• High Definition Imaging: HDTV, Video Quality for Real Time Viewing and Forensics
• Wireless Networks: LTE, MESH MIMO, FCC Spectrum Reallocation
• Mobile Devices: Display Video, Info, Location
Top Trends: Standards Progress and Cloud Impact
(table columns: Trend, Standards Progress, Cloud Impact; only the trend names are recoverable)
• Edge Devices
• Video Content Analysis
• Device Authentication
• Emergency Comm/Mass Notification/Health IT
• Cloud Computing/Managed Services
• Efficient Video Compression
• Low Light Imaging
• High Definition Imaging
• Infrastructure/Broadband/Wireless Networks
• Mobile Devices/NFC/
Top Cloud-based Physical and Cyber Security Apps
• Physical Access Control (PACS)
• Visitor Management
• Managed Video as a Service
• Identity Management / Logical Access Control (LACS)
• Intercommunication/Mass Notification/Emergency Comm
• Storage/Backup/Lifecycle Management/Upgrade
• Activity Tracking/Security Force Management
• Video Content Analysis
• Business Intelligence / BIG (Meta, Feature) Data Search
Network Device Provisioning and Monitoring (PHYS / CYBER)

View 24 hrs in 2 minutes: Video Synopsis in the Cloud

Analyze Scene; detect Abnormalities
11/16/11
Analysis Maturation: People counting, Trip Wire, LPR, ANPR
• LPR/LPC
• Utilize LPR or vehicle counting for access / gate control
• Greet and speed transaction times for known vehicles
• Track offenders to vehicle – provide greater information to law enforcement
Threats.
2011 Security Breaches
• Litany of significant, widely reported breaches in first half
  – Most victims presumed operationally competent
• Boundaries of infrastructure are being extended and obliterated
  – Cloud, mobility, social business, big data, more
• Attacks are getting more and more sophisticated.
Trojan Creator Kits
• Remote Desktop
• Webcam Streaming
• Audio Streaming
• Remote passwords
• MSN Sniffer
• Remote Shell
• Advanced File Manager
• Online & Offline keylogger
• Information about remote computer
Security Top Ten
#8 Device Authentication, Credentialing of non-person entities
• Maximum endpoint security
• Reduce possibility of exploits of cameras on public networks
Credentialing Authority
Credentialed High Assurance Video Encryption (CHAVE)
Problem Statement
Today, Federal agencies are struggling to comply with agency mandates for the use of Personal Identity Verification (PIV) and strong multi-factor authentication, especially in access control areas such as IT-based surveillance solutions that have not fully matured.
Currently, the Federal Government does not have a mature understanding of non-person entities like secure video surveillance applications for secure Homeland Security and public safety Operations.
Opportunity
Enhance the operational features of existing NPEs to meet the most stringent IT security capabilities.
Introduce a standards-based approach to meet Federal ICAM objectives.
Meet Authentication, Credentials validation, revocation, Data at Rest, Data in Motion, Nonrepudiation, and Audit.
Use case applications for Secure Remote Monitoring/Surveillance
• Facilities Protection
• Perimeter Protection
• Executive Protection
• Aerial Observation
• Mobile Communications
• Law Enforcement Tactical Operations
• Military Operations
• Emergency Management
• Public Safety
• Secure Covert/Overt Wireless Deployments
CHAVE Technical Diagram (Simplified Workflow)
• User inserts PIV Card
• Certificate checked for valid expiration date
• Certificate checked against CA Server
• If CA not present, establish indicator flag in camera to accept or reject access
• PIV uses PKI to establish and decrypt Kerberos session key
• Session key used to obtain client/server ticket to access Active Directory using LDAP
• User attributes for the camera are parsed from AD
• User provided with web link containing attributes linked to ADFS
• Kerberos PKINIT used with extended key attributes to provide information beyond client name and realm
CHAVE Back Office Architecture (diagram; only the component labels and numbered flows are recoverable)
• Credential Validation Service: CRL update path (ldap/ldaps, http/https); validation paths (OCSP/SCVP)
• 20+ Federally Compliant PKI Directories; 50+ Federally Compliant CRLs
• Cloud Storage; Video Server Farms, inside and/or outside the LAN
• Client/WS and Mobile endpoints
• Flows: 1. Authenticated https; 2. OCSP/SCVP to Repeater; 2/4. OCSP/SCVP; 3. Authenticated SSL VPN
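As an added example (not from the presentation and not Axis or CHAVE code), the certificate-side steps of the CHAVE workflow above and the back-office CRL path can be exercised with nothing but Go's standard crypto/x509: check the expiration date, chain the presented certificate to the CA, then check revocation against a CA-signed CRL. The slide's "indicator flag" for a CA that is not present is modeled as a Policy whose zero value fails closed, and a missing, forged or stale CRL is treated the same way rather than as "not revoked". The CA, the PIV-style client certificates, the CRL, the serial numbers and the reference time are all constructed in BuildFixture and are assumptions; the Kerberos, LDAP and ADFS steps of the workflow are not covered.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy models the slide's "indicator flag": what the camera does when the CA
// or its revocation data cannot be reached. The zero value fails closed.
type Policy struct{ AcceptWhenCAUnavailable bool }

// ValidateCredential applies the first CHAVE steps to a presented certificate:
// validity window, chain to the trusted CA, then revocation against a CA-signed
// CRL. ca == nil or crl == nil means "not present". Returns the decision and a reason.
func ValidateCredential(leaf, ca *x509.Certificate, crl *x509.RevocationList, now time.Time, pol Policy) (bool, string) {
	// Step 1: expiration (and not-yet-valid) check on the certificate itself.
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return false, "certificate outside its validity period"
	}
	// Step 2: CA reachable? If not, the camera's policy flag decides.
	if ca == nil {
		return pol.AcceptWhenCAUnavailable, "CA not present; decided by policy flag"
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return false, "chain validation failed: " + err.Error()
	}
	// Step 3: revocation. A missing, forged or stale CRL counts as "CA unreachable", never as "not revoked".
	if crl == nil || crl.CheckSignatureFrom(ca) != nil || now.After(crl.NextUpdate) {
		return pol.AcceptWhenCAUnavailable, "no usable CRL; decided by policy flag"
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return false, "certificate revoked at " + rc.RevocationTime.UTC().Format(time.RFC3339)
		}
	}
	return true, "credential valid"
}

// Fixture is a constructed test PKI (no real agency's): CA, one valid and one
// revoked client cert, a CA-signed CRL naming the revoked serial, and the reference time.
type Fixture struct {
	CA, Valid, Revoked *x509.Certificate
	CRL                *x509.RevocationList
	Now                time.Time
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func mustCert(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// BuildFixture generates fresh keys on every run; all certificates are valid around Now.
func BuildFixture() Fixture {
	now := time.Date(2011, 11, 16, 12, 0, 0, 0, time.UTC)
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Agency CA (constructed)"},
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	issue := func(serial int64, cn string) *x509.Certificate { // PIV-style client-auth cert
		k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		return mustCert(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}, ca, &k.PublicKey, caKey)
	}
	valid, revoked := issue(100, "PIV holder A (constructed)"), issue(101, "PIV holder B (constructed)")
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-30 * time.Minute)}},
	}, ca, caKey))
	return Fixture{CA: ca, Valid: valid, Revoked: revoked, CRL: must(x509.ParseRevocationList(crlDER)), Now: now}
}

func main() {
	f := BuildFixture()
	for _, cert := range []*x509.Certificate{f.Valid, f.Revoked} {
		ok, why := ValidateCredential(cert, f.CA, f.CRL, f.Now, Policy{})
		fmt.Printf("%-28s accept=%-5v %s\n", cert.Subject.CommonName, ok, why)
	}
	ok, why := ValidateCredential(f.Valid, nil, nil, f.Now, Policy{})
	fmt.Printf("%-28s accept=%-5v %s\n", "CA absent, fail closed", ok, why)
}
```

In the diagram the validation paths are OCSP/SCVP rather than a downloaded CRL; the online variants replace step 3 with a signed responder answer, but the same rule applies: an unreachable responder or an unverifiable response falls back to the policy flag, and the flag's default should be to reject, since a camera on a public network that accepts whenever validation fails turns a denial of service against the CA into an access bypass.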
Mobility.
Access Mobility at work!
NFC enabled Mobile Keys Platform

Video Mobility …at work!
Mobile Viewer for local NVRs, Servers and Hosted Services
• Higher compression
• Lower bandwidth
• Lower frame rate required for observation
• Image quality requirements decrease with screen size
(chart: REQ’D FRAME RATE FOR HQ against SCREEN RESOLUTION)
Video Mobility
Top Platforms, user behavior
> Android continues to over 51%, up 3.7%
> 74.3 percent of U.S. mobile subscribers used text messaging
> Downloaded Apps used by 50 percent of subscribers, while browsers were used by 49.3 percent (up 1.8 percentage points)
Connected Health ~ MPERS
> Wearable sensors become a lifestyle accessory
> Smartphones can be the initiating device
> Applications can gather basic location information to vital
signs, use network video in the cloud for better diagnoses
What’s next for mobile devices?
> Near field communications
  – Physical Access Control transactions
  – Campus pilots: NFC-enabled mobile devices in place of smartcards
  – Financial transactions
  – Ex. Google Wallet, which allows users to store credit and loyalty cards on their mobile device
  – A phone equipped with an NFC chip can be tapped on any PayPass-enabled terminal at checkout to make a purchase.
> Trend towards financial instrument in the cloud, with mobile device providing simple accessibility
Community.
Community Cyber Security Maturity Model
> Developed by the CIAS
– Based on our experience across the nation
– Development supported by Congress and DHS
> Multi-dimensional
– Collaboration is key
> Phases connect levels
> Provides
– Common reference
– Roadmap
© Center for Infrastructure Assurance and Security
A Framework for Cyber Security
© Center for Infrastructure Assurance and Security
Thank you!
Get the Axis picture. Stay one step ahead.