Posted on Thu, Dec 22, 2011 @ 01:27 PM
Right on the heels of last week’s fake story about Russian hackers comes a real story about Chinese hackers. As reported in the Wall Street Journal, the US Chamber of Commerce was compromised by a spear-phishing attack that apparently originated in China. The findings suggest that the attack began with one or more employee email accounts, then spread to infect other servers and resources on the network. An indeterminate amount of data was stolen or compromised.
Spear-phishing and other email-borne attacks illustrate the dangers of allowing end users to operate on the same local area network as production server systems. In this setting, a malware infection that originates on one laptop or PC can easily spread to mission-critical application servers that run physical security and other building management services. When local security servers share a network with email, one careless mistake by an employee can compromise access control and video systems long before anyone detects the breach. In the case of the US Chamber of Commerce, researchers estimate that the hackers had access to the network for more than a year.
Cloud computing guards against this type of attack by keeping production systems on completely separate networks from end user computers. Software as a Service (SaaS), for example, is an outsourced solution that needs no computing infrastructure on the user’s local area network. Malware and other infections that occur within a corporate LAN therefore have no easy path to the cloud services provider. True SaaS providers operate isolated production networks at dedicated facilities that contain no personal laptops or PCs for just that reason. Administrative personnel access these systems through secure channels that don’t readily propagate malware.
In the ongoing discussion of the relative cyber security of cloud versus enterprise, we think that this immunity to email-borne malware is a clear win for the cloud computing argument.
- Steve Van Till
Posted on Fri, Dec 16, 2011 @ 02:22 PM
It's widely reported that the initial reports of Russians hacking into an Illinois municipal water system are entirely false. The allegation was that they had compromised the SCADA system that controls the infrastructure, and caused a pump to malfunction, thereby depriving the good people of Illinois of drinking water, if not actually invading their bodily fluids. As it turns out, it was just a contractor logging into the system while on vacation in Russia.
The fact that this story was false makes it no less interesting from the perspective of trying to understand the vulnerabilities of the information systems that manage our infrastructure, including physical security.
The first set of questions concern prevention. Have you actually done anything to prevent hackers from being able to gain access to your security systems? If so, when was the last time those measures were validated or audited? Have you ever had any professional “white hat” hackers actually test the information security around your access or video system? If not, what makes you so sure they are safe?
A second set of questions concerns detection. How would you know if a spy or hacker logged onto your security system? Does your system keep any evidence of who logged in, or where they were when they did so? Or would they be able to cover their tracks? Does your staff regularly monitor access to your control systems?
Finally, what’s the extent of damage that someone could cause by hacking into your security system? Could they get into your building? Could they lock people out? Could they cause a life hazard? How quickly would you be able to recover? Do you have backup systems?
We’ve written before in this space of the need for auditing, geographic redundancy, continuous penetration testing, and avoiding any system architecture that requires you to increase your network exposure by opening ports in your firewall. The potential threat illustrated by foreign hackers has been discussed extensively in connection with our utility grid, but I’m not sure we’ve really taken stock of it in the physical security industry. It’s probably time we did.
The amazing thing about the alleged case in Illinois is that the organization actually detected access to the system from a Russian IP address, and was able to react to it as quickly as they did. My hat’s off to them. It’s a good lesson for us all.
- Steve Van Till
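The detection questions in the post above (who logged in, from where, and whether anyone is watching) can be answered only if the system keeps a login audit trail and someone reviews it. As an added example, not part of the original post, the following script reads a constructed audit log for a hosted security-management console and flags successful logins geolocated outside the countries staff work from, logins from outside the expected office and VPN address ranges, and a run of failed attempts followed by a success. The log format, the country allowlist and the network ranges are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). One login attempt per line:
# timestamp, user, source IP, country code from the console's geolocation, result.
SAMPLE_AUDIT_LOG = """\
2011-11-08T14:02:11Z jdoe 203.0.113.45 US success
2011-11-08T22:47:03Z contractor1 198.51.100.7 RU success
2011-11-09T03:15:40Z admin 203.0.113.45 US failure
2011-11-09T03:15:52Z admin 203.0.113.45 US failure
2011-11-09T03:16:01Z admin 203.0.113.45 US failure
2011-11-09T03:16:20Z admin 203.0.113.45 US success
2011-11-09T09:00:00Z jdoe 10.20.30.40 US success
"""

# Assumed policy: staff log in from the US, from the office or the VPN pool.
EXPECTED_COUNTRIES = {"US"}
CORPORATE_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),    # assumed VPN address pool
    ipaddress.ip_network("203.0.113.0/24"),  # assumed office egress range
]

def parse_audit_log(text):
    """Turn the whitespace-separated log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, ip, country, result = line.split()
        records.append({
            "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "country": country,
            "result": result,
        })
    return records

def foreign_logins(records, expected=EXPECTED_COUNTRIES):
    """Successful logins geolocated outside the countries staff work from."""
    return [r for r in records
            if r["result"] == "success" and r["country"] not in expected]

def off_network_logins(records, networks=CORPORATE_NETWORKS):
    """Successful logins from addresses outside the office and VPN ranges."""
    return [r for r in records
            if r["result"] == "success" and not any(r["ip"] in n for n in networks)]

def failure_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Per user: `threshold` or more failures inside `window`, then a success.
    Returns (user, failure_count, success_record) tuples."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    bursts = []
    for user, attempts in by_user.items():
        attempts.sort(key=lambda r: r["time"])
        recent_failures = []
        for r in attempts:
            # keep only failures still inside the window ending at this attempt
            recent_failures = [f for f in recent_failures
                               if r["time"] - f["time"] <= window]
            if r["result"] == "failure":
                recent_failures.append(r)
                continue
            if len(recent_failures) >= threshold:
                bursts.append((user, len(recent_failures), r))
            recent_failures = []
    return bursts

def review(text=SAMPLE_AUDIT_LOG):
    """Run all three checks and return the findings keyed by check name."""
    records = parse_audit_log(text)
    return {
        "foreign": foreign_logins(records),
        "off_network": off_network_logins(records),
        "bursts": failure_bursts(records),
    }

if __name__ == "__main__":
    for name, hits in review().items():
        print(f"{name}: {len(hits)} finding(s)")
        for hit in hits:
            print("   ", hit)
```

On the sample log this reports the contractor's login from RU (also outside the corporate ranges) and the three failed admin attempts that preceded a success; in a real deployment the country and IP columns would come from the console's own audit export.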
Posted on Thu, Nov 10, 2011 @ 12:32 PM
Is your security infrastructure prepared for the worst?
It’s a distressing feeling when you’re in the middle of an unfolding disaster, and suddenly it hits you—your plans and resources are being overwhelmed by the event. At this point, you’ll need to ask yourself: How and when will we re-establish services for customers and employees? What will this disaster cost us in terms of revenue, reputation, and recovery expenses? How can we avoid being in this position again?
As a SaaS provider of security management systems, our business is based on the availability of our services around the clock. Failure of a disaster backup or recovery plan has a direct, immediate impact on our ability to deliver the services our customers depend on. We are continuously evaluating and upgrading our contingency plans, but there is nothing like a real emergency to put those theoretical plans to the test.
Earthquakes and Hurricanes
In August, we were presented with the unusual opportunity to test our plans against two very different types of emergencies: the kind you can only anticipate in general terms, and the kind you know are coming. The earthquake of August 23rd was an example of the former. Other such examples are technological failures, terrorist incidents, hacking events, fires, and loss of key personnel. These events occur without warning and test your processes as they exist. Hurricane Irene, by contrast, falls into the second category, events for which we have some advance warning, such as blizzards, tornadoes, work stoppages, planned technical work, or large disruptive public gatherings.
Both types of disasters can have significant, even disastrous, impacts on providers who have the responsibility to deliver their services around the clock. Let’s examine some factors we have found important in managing each type of event:
Unannounced events: These events are a demanding test of your plans, and advance planning is critical. Your contingency plan should consider the following:
- Who is responsible for what aspects of ensuring continuity and recovery?
- How will the team communicate internally and with customers?
- What happens if normal communication paths are disrupted?
- Who takes over if we lose access to key personnel?
- What happens if you lose key assets expected to be available for recovery (people, facilities, communication methods, etc.)?
Forecast events: These disasters should be simpler to manage since you have a reasonable amount of information ahead of time. In addition to the key elements in place for unannounced events, you can now focus on additional elements such as:
- Ensuring availability of key employees by staggering shifts and dispersing locations
- Planning for accommodations, food, and communication in case of extended events
- Checking with partners on the status of their preparation
- Communicating what is expected of your employees and customers to assist with the preparation, and what communication to expect during and after the event
Getting Ready for Our Disaster Close-up
Both events this past August necessitated activation of our emergency response plans. For the earthquake, we were forced to evacuate our building and re-establish essential services from alternate locations. Our plan had anticipated this occurrence, so we had the infrastructure and procedures in place. Our biggest challenge was communication. Phones, cell phones, and some Internet providers were down, so access to multiple, redundant communications paths was essential.
Our data centers remained operational after the earthquake, but we prepared for a full switch-over to our disaster recovery center in case aftershocks affected the primary sites. Our data center personnel assisted the decision-making by immediate proactive communication on their operational status directly following the earthquake and until normal operations resumed.
As Hurricane Irene barreled up the east coast, we were afforded the opportunity to coordinate back-up plans in advance of the event. Our operations team staged technical support and data center resources and prepared to switch operations to our data center across the country, if necessary. Fortunately, Irene passed over and our operations were not impacted at all.
These events provided valuable, live tests of our emergency preparedness and disaster recovery plans. Continuous upgrading and evaluation of these plans are essential in helping you avoid that queasy feeling that an unfolding disaster just got the better of you.
- John Szczygiel
Posted on Thu, Oct 27, 2011 @ 11:36 AM
Kudos to Brad Nieman of Aol Government for writing the pithiest catch-phrase for the Amazon Gov Cloud Summit, held on October 18 in Washington, DC, which I’ve paraphrased as the title of this blog entry. I attended the event virtually, from my desktop, and thought that he captured the spirit of the event just right.
The central idea is that federal buyers no longer need to procure massive systems for every IT need. Instead, they can simply provision the pieces they require—they can “pay by the drink” rather than “buy the whole enchilada” (if you’ll pardon the mixed metaphor).
Among other things, provisioning is much easier and less expensive than procurement. With today’s cloud services, provisioning usually means nothing more than an e-commerce transaction where you select the services you want from a Web storefront, and just order them. In a mature cloud environment, they should be available immediately.
At Brivo we’ve believed for many years that this is the right way to provide physical security services as well as general IT services. Our customers understand that they do not need to purchase an expensive computer system for every building they wish to secure. All they need to do is provision an online account with the services they need, and it’s available immediately.
And the business model follows suit. If you want access control for three doors or surveillance video from three cameras, then that’s all you pay for—by the drink, and by the month or by the year, depending on how your budgets work.
That’s provisioning, not procurement.
- Steve Van Till
Posted on Tue, Oct 18, 2011 @ 12:19 PM
We’re all familiar with that one scene in practically every crime show these days that makes anyone remotely familiar with the security industry roll their eyes - the classic “Zoom and Enhance.” The typical scene starts with surveillance footage shot from 500 feet in the air and a couple detectives determined to solve a heinous crime with less than 15 seconds of grainy black and white footage. One detective catches a reflection in the corner of a pedestrian’s sunglasses and instructs his “video” team to “enhance” the frame, leading to an image clear as day, and effortlessly solving the crime. You may have asked yourself, can this really be done?
Zoom
Today’s PTZ cameras are indeed capable of “CSI” style optical zoom with cameras ranging from 1x to 32x zoom and beyond. The demand for higher resolution video has caught up to the security industry (for the most part) with many manufacturers offering “HD” and megapixel video images. In the video link below, we have an AXIS P553 PTZ Camera in operation – look what it can do zooming in at only 18x!
The optical zoom function is only available live, so there isn’t much you can do if your hardware wasn’t at your intended zoom level. If you want to “zoom” in on a still picture or frame, you’re still limited to your hardware specifications. In the picture below, there is an example of the “zoom” capabilities available today. With the higher resolutions available on cameras, you can capture video and a larger area (16:9) without compromising detail.

Enhance
We can enhance… kind of. Enhancement of a still picture can be accomplished using compressed sensing (CS). It’s a mathematical tool capable of creating high-resolution photos from low-resolution shots. At the very basic level, it works by repeatedly layering colored shapes into the areas where there are missing pixels to achieve what’s called sparsity, a measure of image simplicity. In the far right part of the image below, 10% of the pixels exist and CS is used to make a sensible image. Currently, this technology is being researched for medical (MRI) and military (radar) applications.

Fortunately, if you just have noisy or grainy video (not incomplete like the example above) there is help available today. Thanks to products like Adobe Photoshop and Adobe Premiere with plug-ins like Neat Video and Topaz Enhance, we can easily remove the noise and produce a usable clip. While many ways to remove or reduce noise exist, the most common approach is to apply noise reduction to each frame independently. If you have more than one image of the same item (video frames), you can layer the two, apply image de-noising to both images, and then combine them. The more technical names of these methods are Spatial (noise reduction within each frame), Temporal (noise reduction between frames), and Spatial-Temporal (a combination of both).
Topaz Enhance is a plug-in that uses Temporal video de-noising. Watch the whole video, or skip over to 3:55 to watch it process each frame, and then produce a before and after clip.
So, yes, we are able to zoom, and we’re able to enhance. But, as you’ve seen above, don’t count on CSI’s pseudo-scientific enhancement to be available any time soon.
- Joelle Katz
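The three de-noising strategies described above, as an added example that is not from the original post or from any of the products it names: a constructed static scene is rendered as five noisy frames, and pure-Python spatial (3x3 mean within one frame), temporal (per-pixel median across frames) and spatial-temporal filters are compared by mean squared error against the clean frame. The frame size, noise level and scene are constructed assumptions; no image library is required.

```python
import random
from statistics import median

WIDTH, HEIGHT = 32, 32   # constructed frame size
SEED = 1234              # fixed so the noisy frames are reproducible

def clean_frame():
    """Constructed scene: a horizontal gradient with one brighter square (the 'subject')."""
    frame = []
    for y in range(HEIGHT):
        row = []
        for x in range(WIDTH):
            value = 60 + (x * 100) // WIDTH
            if 10 <= x < 20 and 10 <= y < 20:
                value += 80
            row.append(float(value))
        frame.append(row)
    return frame

def add_noise(frame, sigma, rng):
    """Add Gaussian sensor-style noise, clipped to the 0..255 range of an 8-bit image."""
    return [[min(255.0, max(0.0, v + rng.gauss(0.0, sigma))) for v in row] for row in frame]

def noisy_sequence(frame, count=5, sigma=25.0, seed=SEED):
    """Several captures of the same static scene, each with independent noise."""
    rng = random.Random(seed)
    return [add_noise(frame, sigma, rng) for _ in range(count)]

def spatial_denoise(frame):
    """Spatial: 3x3 mean filter inside a single frame; borders replicate the edge pixel.
    Averaging neighbours cuts noise but also blurs real edges (the square's outline)."""
    h, w = len(frame), len(frame[0])
    out = []
    for y in range(h):
        row = []
        for x in range(w):
            total = 0.0
            for dy in (-1, 0, 1):
                for dx in (-1, 0, 1):
                    yy = min(h - 1, max(0, y + dy))
                    xx = min(w - 1, max(0, x + dx))
                    total += frame[yy][xx]
            row.append(total / 9.0)
        out.append(row)
    return out

def temporal_denoise(frames):
    """Temporal: per-pixel median across frames of the same scene.
    Because each frame's noise is independent, the median keeps edges sharp."""
    h, w = len(frames[0]), len(frames[0][0])
    return [[median(f[y][x] for f in frames) for x in range(w)] for y in range(h)]

def spatiotemporal_denoise(frames):
    """Spatial-Temporal: combine frames first, then smooth the result."""
    return spatial_denoise(temporal_denoise(frames))

def mse(a, b):
    """Mean squared error between two frames of equal size."""
    h, w = len(a), len(a[0])
    return sum((a[y][x] - b[y][x]) ** 2 for y in range(h) for x in range(w)) / (h * w)

def compare_methods():
    """Error of each method against the clean scene, keyed by method name."""
    clean = clean_frame()
    frames = noisy_sequence(clean)
    return {
        "raw": mse(frames[0], clean),
        "spatial": mse(spatial_denoise(frames[0]), clean),
        "temporal": mse(temporal_denoise(frames), clean),
        "spatial_temporal": mse(spatiotemporal_denoise(frames), clean),
    }

if __name__ == "__main__":
    for name, err in compare_methods().items():
        print(f"{name:17s} MSE {err:8.1f}")
```

Every filter lowers the error well below the raw frame, and the combined method beats the temporal filter alone; the residual error of the spatial filter is mostly blur around the square's edges, which is why frame-to-frame methods are preferred when the subject holds still.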
Posted on Thu, Sep 08, 2011 @ 10:24 AM
How tight markets can be good for those who are savvy in services
So let’s continue the investigation of where to find opportunities in the market by looking at another potential indicator … employment growth.
While Moody’s Economy.com projects an overall growth rate of just 1.5% in employment for 2011, there are sectors that are projected to form the leading edge of the upward curve.

The hottest sectors are Mining, Professional Services, Leisure & Lodging, Healthcare, and Education. You’ll notice here that Lodging tops the list of largest construction decline and yet is high on the list for job growth. In this case you won’t find new construction, but you may find more security opportunities generated by a growing workforce.
The moral of the story is simply that as times change, your targets move and you must adjust your tactics to match the opportunities that exist. This probably includes adjusting your sales targets and even the way that you sell. In a down economy, cash is king and customers are probably less interested in capital expenditures. What a great time to be providing leased systems, managed services, and any product that helps your customer avoid capital expenses or lower their overall cost of doing business.
It reminds me of the final scene in the movie “Tin Men” about two guys selling aluminum siding during 1963 in Baltimore. As the two lead characters walk off into the sunset lamenting the lack of economic opportunities, you see a VW bug pass by and a McDonald’s sign being hoisted in the air.
To quote Winston Churchill ….
“A pessimist sees the difficulty in every opportunity.
An optimist sees the opportunity in every difficulty.”
For me this economy looks like an opportunity.
- John Szczygiel
Posted on Wed, Aug 24, 2011 @ 09:05 AM
How tight markets can be good for those who are savvy in services
It’s no secret that the US economy has been stumbling along for most of the past three years. The road to recovery has been bumpy at best. However, if you can clear away the fog of bad news you will discover sectors of the economy that are actually performing quite well.

Since much of the growth in the security industry is tied to new construction, the current situation represents a distinct challenge. According to statistics from the US Census Bureau (see first chart below) construction spending today is roughly equal to the levels we observed in the year 2000. We ascended the mountain of growth from 2003 to 2008 only to now have been hurled back onto the valley floor.
So where do you look for new business when there are few construction cranes in the air?
For Integrators looking to sustain or increase relative growth rates (which I hope is everyone) this represents a large obstacle that requires real thought to overcome. One way to sustain growth in this low construction environment is to focus on those industries that are in fact growing. Yes, some industries are actually still growing. To find them let’s look at two indicators of potential opportunity.
Construction & employment as indicators of potential opportunity
Organizations that are building new facilities or moving into new office space in completed facilities are usually growing and probably have new needs for physical security. According to the US Department of Commerce, overall construction in the first half of 2011 was 5.4% below the same period in 2010. So, we’re not off to a good start. However, if we peel back the data and check individual industry sectors we see a slightly more attractive environment. Take a look at the data below which was extracted from the June 2011 Department of Commerce report on construction.
You can see here that some traditional hot targets for security spending like Public Education and Manufacturing are showing rapidly slowing construction rates in the first half of 2011. Meanwhile, Commercial, Healthcare, and Utilities are all generating substantial new construction projects. If you haven’t changed your vertical marketing focus from three or four years ago, you may be targeting markets that represent very thin opportunities.
One great resource to slice through this data is the USA Today's money page where you can sort the data by industry, state and even by major metro area. This is a good place to start if you are interested in understanding your local market conditions a bit better.
But new construction is not the only measure of growth or indicator of potential opportunity. Many organizations have plenty of space and don’t need to make large investments in new construction.
In part two of this blog I’ll take a look at another potential indicator of opportunity, namely, the growth in employment.
- John Szczygiel
Posted on Thu, Jul 14, 2011 @ 08:25 AM
Every so often you have a real-life experience that perfectly encapsulates a much bigger theme. Last week was such a week, and the theme was cloud computing and the reliability of our nation’s security infrastructure.
It all started when I went to my local airport to board a flight to Chicago. As usual, I had used my airline’s option to have an electronic boarding pass sent to my mobile phone, rather than using the traditional paper boarding pass. This spares me the trouble of printing one out, and it’s actually a more secure document than its paper equivalent. I win, the environment wins, and the traveling public wins.
The trouble began when I presented my phone to the TSA agent at the security checkpoint. “Sorry,” he said, “our whole system is down and we can’t scan electronic passes. You’re going to have to go back and get paper.”
I had never seen this happen before, so I was a bit surprised and had to ask why. The TSA agent was very helpful: “It’s because they upgraded the operating system on the local servers. It took the whole network down. They’re hoping to have it fixed later today.”
I got my paper pass easily enough and went back through security, but the thought that a local server upgrade could take down a critical national security function was deeply troubling. I wondered if the software vendor had done enough testing, or if perhaps the local server environment was just different from what they had tested on. I wondered if the technicians who installed it had made a mistake, or if the application software just wasn’t compatible with that new operating system patch.
And, of course, I wondered if this whole unfortunate episode could have been avoided with a cloud solution. In that case, there would have been no local server that needed upgrading. There would have been no waiting for technicians to come back and fix the problem. There would have been no need to roll back to older software. And there would have been no breach in security.
I made it to Chicago just fine, but only because there was a paper alternative. Unfortunately, for most security systems, there is no such thing as a paper backup solution. When local systems fail, bad things happen.
In the larger discussion about how reliant we’ve become on the cloud and the Internet, this whole traditional systems failure—due to nothing more technically challenging than upgrading an operating system on a local server—is a reminder of just how far the cloud has taken us.
Up, up, and away, friends.
- Steve Van Till
Posted on Fri, Jun 10, 2011 @ 10:32 AM
Spending the last two days at the ESX show in Charlotte and talking to a number of integrators, central station operators, and service vendors of all types got me thinking about the road to building a successful recurring revenue program.
At this point most integrators have gotten the message that product and installation revenues alone are not sufficient to support a healthy organization in the long term. It’s also clear that the enterprise value of an integrator can be exponentially increased if they derive significant revenue from recurring sources. As a result, many integrators are searching for avenues that will open up increased RMR. Naturally, many vendors are lined up to offer them a variety of solutions that promise to drive RMR.
At the ESX show a great proportion of the booths offered solutions to “build your RMR”. The verb “build” is essential here because that’s what it takes. RMR must be built. However, it is important to recognize that any technology solution on its own won’t build much RMR unless your organization has taken some basic steps to ensure success.
Building RMR takes organizational commitment and execution of a long term plan. There are no “get rich quick” programs in recurring revenue growth. Why? Because a service business requires significant initial investments that gradually show results over a period of years. Consider the recent public offering of LinkedIn. Organizations that jump on the RMR bandwagon without proper planning and intense commitment will jump off as soon as the investments get too high or when another transactional opportunity appears.
When speaking with organizations in the process of building significant recurring revenue streams you hear a number of consistent statements such as “We don’t sell any product without service” or “We have a dedicated sales force for our service products” or “We focus on service X because it’s the one that has the most value for our clients”. Many also describe changes they made in financial systems, incentive plans, and the allocation of resources to support their RMR growth strategy.
The really successful companies don’t just tack an RMR option on to their other offerings. They’ve figured out that selling services requires a different approach. To really drive RMR you must have a paradigm shift and focus your organization on this goal from the executive suite on down. There is a reason for this: the pot of gold is at the END of the rainbow. It takes skill and perseverance to get to the end of the rainbow.
If you’re an Integrator trying to determine how to move your business from a transactional model to a recurring model you should consider the following key success factors:
- A realistic self-assessment: Look in the mirror and determine what your company is really about. What types of customers do you service? What types of services do your customers want from you? What would it take for you to offer those services? What investments are required in infrastructure, organization, and financial assets? Do you have the right people in your organization that can sell services and solutions vs. technology? Are you willing to make the initial investments? Are you willing to stick with the strategy?
- A 5-year RMR business plan: Once you have evaluated your current situation you are ready to create a business plan. I suggest looking at this program over a five-year horizon. In year one you will be making investments and climbing the learning curve for selling and delivering services. In years two and three you will be perfecting your training, market focus, and service levels. In years 4-5 you are driving real revenue and preparing to evaluate what growth strategies to pursue in your next five year horizon. Having a five-year plan will help you to maintain focus on your goal.
- Strong Partners: Once you know what services you want to sell and have a general plan for implementation, it’s time to look for partners. Fortunately there are plenty of firms who are creating products and services that will help you implement your RMR strategy. Like any vendor evaluation, you want to look for those with successful track records. Also look for companies that derive most of their revenue from RMR. You cannot afford to partner with a company that is just experimenting with a new RMR model. Successfully driving RMR means building long-term relationships with your customers. You can’t base long-term customer relationships on short-term supplier relationships. The key suppliers for your RMR solution need to be just as invested in your RMR as you are.
- Discipline of focus: Wanting to be in the RMR business will not lead to overnight success. It will take continuous effort, focus, and discipline. There will be times when transactional opportunities distract you and your team. You have to keep your eye on the five-year plan. There is a reason that RMR companies are valued at high multiples. Selling services and gaining the ongoing respect from your customers is hard work.
But it’s definitely worth it.
- John Szczygiel
Posted on Fri, Jun 03, 2011 @ 09:24 AM
The federal government has long advocated the benefits of cloud computing, and just last month NIST published the much-anticipated Cloud Computing Synopsis and Recommendations, or SP 800-146.
First and foremost, it provides a lot of the practical guidance that agencies have been seeking for years. More to the point for the vendor community—integrators, manufacturers, service providers, consultants—it explains exactly what federal buyers will be looking for. As physical security is increasingly driven by cloud solutions, this is timely guidance for the industry.
The document covers more facets of cloud procurement than we could possibly discuss here—including a highly readable expansion of the oft-cited NIST cloud definition—but there are at least three relevant take-aways for physical security providers.
Purchasing Terms Are Different for Cloud Services
The core difference between traditional software systems sales and cloud-based offerings is the Service Level Agreement, which defines the service relationship between buyer and seller.
NIST identifies several key aspects that should be included in any SLA:
- Availability Requirements, which typically are promised to be in the range of 99.5% to 100%, depending on how “uptime” is measured.
- Remedies for Failures, which include service credits and corrective requirements, and can range from 10% to 100% of the cost of service affected.
- Data Preservation, which specifies how data will be stored and returned to the customer in the event that parties terminate their agreement.
For security systems integrators, these are new elements of the customer relationship to be incorporated into commercial practices.
Not All Cloud Solutions Are Created Equal
We’ve talked about the ‘hide-the-box’ charade and ‘pseudo-clouds’ in earlier posts, but NIST effectively makes the point as follows:
It is important to understand…that the term "cloud computing" encompasses a variety of systems and technologies as well as service and deployment models, and business models. A number of claims that are sometimes made about cloud computing, e.g., that it "scales", or that it converts capital expenses to operational expenses, are only true for some kinds of cloud systems. [emphasis added]
This is one of several passages that urge due diligence on the part of the buyer and provide some practical advice on how to go about it.
Five Key Benefits for SaaS Buyers
Software-as-a-Service (SaaS) is just one of three delivery models for cloud computing, but for buyers who want a complete turn-key application, it’s the only one that matters. NIST points out five key benefits for the federal buyer:
- Very Modest Software Tool Footprint
- Efficient Use of Software Licenses
- Centralized Data Management
- Platform Managed by Providers
- Savings in Up-Front Costs
Our Take
As the industry’s first provider of turnkey SaaS applications for physical security, we applaud the work that NIST has done in this area. We think it’s a big step forward, and expect that it will be a useful framework for buyers and sellers alike.
- Steve Van Till