Securing Security

It's inescapable. From local home burglar alarms and nanny-cams, to post-9/11-driven airport scrutiny-our society has become ever more dependent on the feelings of safety and comfort derived from the protective forces of security devices, systems and services.
This added sense of need for security certainly is derived more from particularly fantastic and gruesome worldwide events than from home-grown statistics, as total violent crime rates have steadily declined in the U.S. since 1994, reaching their lowest levels ever recorded in 2004. This doesn't mean that we are completely safe and that security systems should be abandoned. If you look at property crime victimizations, the decrease-steady for many years-stabilized in 2002 and has been relatively consistent since then.
Interestingly, perception of crime rates and the associated sense of need for security surpass reality, not just in the U.S., but also as delivered to us via our cyber-connected world, wherein the events and beliefs of other nations add to our collective cultural psyche. Take the U.K. as an example. In 2001/02, two-thirds of people interviewed said that they believed that the national crime rate over the last two years rose a "lot" or "little more." Very few, just 6 percent, said that they believed crime rates were falling.
Given the high-profile coverage of terrorist events around the world, the seepage of terrorist-inspired fears into everyday security concerns, real or not, is understandable. Given that security is so imbued into our public discourse and experiences, it's easy to understand why the security business is booming.
But how safe are we really, even with "advanced" security systems, which use computer network technologies as the basis for technical operation? The answer is resoundingly clear-we are safer, as long as the systems don't fail us. In the London subway bombings, security cameras picked up the terrorists on their way to the detonation sites. Post-event, these images became fundamental forensic data to help quickly identify the attackers, something that most likely wouldn't have been available if London hadn't embarked on becoming "the most observed" city in the world.
What would have happened to the investigation if those cameras failed for some reason? Say the terrorists were smart enough to know the cameras were watching and knew how to disable them? Not such a far-fetched concept, given that many modern security devices and systems are now highly dependent on the underlying transport, privacy, resiliency and survivability of relatively easy to hack packet-switched communications/data networks.
The trend toward convergence of data networks with just about anything that can be placed upon them, and the attending skills needed to support converged systems, is a powerful driving differentiator allowing equipment manufacturers and service providers to offer new and sometimes more capable products. In the business world, this ability to create a "technical moat" around newer technologies pressures incumbent suppliers and provides an opportunity to displace entrenched technologies, services and service providers, all helping to drive new sales and capture market share.
There are also very real advantages that technical convergence creates. Digital video recorders, as an example, are displacing tape-based security recording machines for capturing and archiving images. Unlike the physical medium of tape, which typically has to be viewed on a local machine (or, in more complex systems, like military or government, ported over to secure traditional transmission schemes for remote viewing), DVRs allow for local and remote viewing or storage of content by pushing images to a network, which are then viewed, stored or retrieved by devices attached to the network. This extensibility of content is breaking down the barriers of time and distance, adding to the value of security systems.
There is, however, an intrinsic Achilles' heel with computer networks-security. Computer networks are notoriously famous as targets for hackers, most of whom just want to prove that they can "beat the Man." Iconic targets like Microsoft have been low-hanging fruit for hackers to try and take a bite out of them, but the skills they hone by birthing pernicious e-mail bombs and denial of service Trojans, are solid conditioning to attempt larger and ultimately more deadly network attacks.
This is not news, but the idea of preventing hacking or unintentional damage to a networked-based security system is many times not on the front burner of discussion. The managers who have burgeoning dominion over all that resides on the network, are not necessarily in tune with the criticality of some of the services that reside on their network, whether it be security or other converged services like VoIP.
Every day, technology weaves itself deeper into the fabric of our existence. If we let either perceived fears or real statistics drive our needs to utilize networked-based security systems, be it a remote IP camera connected to a Slingbox to watch the grandchildren sleeping peacefully in a smart house in a gated community, or an on-guard security agent using facial recognition software to deter a determined terrorist, then reserving more space in our minds to think seriously about the reliability of the systems we are trusting, makes sense.Forethought For System Security
In many cases, security devices are just plopped onto a network, with the goal being to just make it work-considered a success in an industry that is still trying to understand the paradigm shift-while leaving the concerns of security of the system itself to the IT staff. At one small international airport near the Canadian border, IP-based security cameras were recently installed and connected to data switches residing on the same core network as a wide variety of non-security services, including internet access.
In addition, the camera transport switching equipment was located in a very non-secure room, along with telephone systems and other user equipment, all outside of the "red-zone" of TSA protection. A moderately determined individual or terrorist group could easily obtain unattended access to this room, not to mention the possibilities of a legitimate technician just unplugging the wrong cable by accident. It's clear that there are many things that could be damaged besides the security system within this room, but the security system was probably placed there mainly because it was convenient and thought of as just another part of the network. Focused thought, time and planning for surviving attacks on system vulnerabilities, along with a deeper understanding of the critical nature of the systems, might have led to a more secure physical and logical implementation.
Add to this the pressing need to just make general computer networks safer and more secure from hackers, and you have a strong case to bring added general awareness of the "security of security" to the forefront. Most professional managers are dealing with security, and top-notch firms have already embraced the issues fully, as have an ever-increasing number of everyday people. If we fail to continue efforts to improve the reliability and security of network systems and the services they provide, we will continue to hear stories about how systems were compromised, not by failure of the components that drive them, but from lack of attention to protecting vulnerabilities, that could have been seen and addressed before a failure.