Hikvision USA Head of Cybersecurity Exits

By Brian Karas, Published Jul 18, 2017, 08:28am EDT

Hikvision USA's Head of Cybersecurity has exited the company.

In this note, we review the move, share Hikvision's feedback and examine the company's efforts to improve their cybersecurity following numerous vulnerabilities and problems (e.g., 1, 2, 3, 4, 5) in the past few years.

Exit ********

**** ******* [**** ** longer *********] *** **** of ************* *** ********* USA *** **** * months, ***** ** ******** 2016 *** ****** ** May ****.

*******'* ********** ******** ******** roles ** * *********/***********-******** security ******* ** ******* companies, ** **** ** running * ***** ********** company ************ ** ***** security ********** *** **** analysis *** ******** ***************.

Hikvision ********

********* *********:

********* **** *** ******* on ******* *** *********’ departures. *** ******** ** being ********** *** ********** an ***********/******* ********** **** versus ** *********** ****.

*** ******* ******** ** comment ** ********** ********* asking *** ************* ** what ********* *** ** doing ** ***** ** enhancing *** ************* ** their ********.

Hikvision ************* ****** **********

***** **** *** ********* expertise ********* ** ********** in************* ********** *** ******* *** ****** ** **** more ******** *****, ***** typically **** ****** *** and **** ** * "*****-**" technical ****** **. ********* marketing ********* *** ******** webinars. ** *** ******* taken **** **** *** ********* to **** **** ****, which ****** * *** in ***** ************* ********* *** management ** *** *******.

*** *** ******* ***** an ******** ************* ** job ******/******, (*) "********** with ********* ********** ** develop ********* *********, **** as ******** ***** *****, external ** *************, ***. regarding *** ******** ******** in ********* ********" *** (2) "******* ** ***** of *********** ** *********** security ********** ** **********".

Series ** ************* ******

********* *** ***** * series ** ************* **********, ****** back ******* *****. ****** ones include:

*** ******* ******* ***** someone ** ******* ***** ongoing ************* ******, ****** **** do *** **** * history ** ****** **** ****** (e.g.: ********* ******* ******** ** Others, ****** **** **** DHS********* ******* ************** *** Hacked ********* *******). **** *** **** it **** *********** *** * person ** *** **** Hikvision ** ****** *** if *** ******* **** not **** ************** *** their ***************.

Heavy ********* ** *************

****** ********* ********* *** videos **** ***** ** focus ******* ** *********'* cybersecurity *******, ********** ***** efforts ** **** ******, but ****** ****** ******** information, ** ***** ** one ** *********'* **** recent ********* ******:

**** *** ***** ********* for **** ******* ** their ************* ******* *** improvements *** **** ****** with **** ** ** when ********.

Hikvision *** ****** ******* **** *************

* ***** ****** *** Hikvision ***, *** ****** who **** ** **** Vallejo's ****, ** ******* with *** **** **** Hikvision *&* ** ********* based ** ***** ** in *****. ******* ***** to ********* *** **** acknowledged **** *** ***** engineering ******, **** ** addressing ************* ******, ** handled ** *** ********* in *****, *** **** the ***** ****** ** not ****** ********* ** input *** *********** **** the ******* ***** *******.

Comments (8)

I can understand the importance of needing to work with marketing in such a role. I'm sure its tough to find a multi-faceted person that is an expert in both areas such as marketing and cyber security. Hope they find a rock star that will propel their cyber security to be the best in the industry. 

Anyone else catch that five syllable word thrown in (juxtaposition)? The sesquipedalian vocabulary of Brian Karas ladies and gentlemen.

I feel Brian described the complexities of this role eloquently. My brother Michael worked tirelessly to make the role successful. Although he keeps his business dealings confidential, I'm sure a lack of unified vision for the role from corporate made things difficult. As a professional in the industry for over 15 years I can't imagine any way he could have been successful in that environment. Good luck to the next individual that fills this role and to my brother as he looks for his next opportunity.

 

their biggest issue is lack of compute power

to encrypt video needs a reasonable processor 

hisilicon chips probably not enough to encrypt video

we use intel kabylake to achieve this but it makes a more expensive product

it allows us to put an encryption dongle between our nvr and ip camera allowing us to utilise onvif cameras already in situ

but it does mean replacing the nvr

 

All the modern SoC chips used for Video encoding (Ambarella, HiSilicon, etc) all have industry standard hardware encryption blocks that can easily encrypt video with very little performance hit. 

Encryption doesn't help with these types of security exploits.

That said, it would be outstanding if the industry finally cared about having end-end encryption.  The cameras aren't the limiting factor...  Even the sub $6 Video Encoders can now effortlessly AES encrypt every packet going over the wire.  The challenge is the archaic VMS / NVR systems that they're connecting to.

The security exploit problem will only be fixed when we have extremely ridged network protections and containment against these types of attacks.  

IP Cameras are effectively IoT devices... and as they say, the S in IoT stands for security. (i.e. there is none).

The network switch fabric should ONLY allow specific traffic to flow form one specific device to another specific device(s).  It shouldn't matter that a HikVision camera has more back doors than the Kardashians.  No unauthorized transmissions should be permitted to or from that device.  Period.

Until we have that structure in place, we'll continue to have exploit after exploit that is discovered, that no one ends up patching...  

Writing secure code is astonishingly difficult and expensive, even when written by experts that are wholly focused on these types of problems.  

The state of the union today code wise is simply horrific, and it's getting worse. Compounding the issue is the fact that these devices are increasingly becoming more powerful and dangerous to anything else on the network.  

They are astonishingly capable network attached compute engines. They're also twiddling their thumbs for the most part while happily serving out some meager H.264 RTSP streams.  Most IP cameras are running at 10-20% CPU utilization (unless analytics are running on the device as well).  In the case of analytics, soon quad core processors will become the norm... everything scales up in capabilities, and each of these software features/services typically only serve to increase the attack surface of these devices. 

The only solution for these increasingly toxic devices is containment.  Good fences really do make good neighbours.

 

 

  

 

UPDATE -

Hikvision has hired a new Director of Cyber Security, Chuck Davis.

His LinkedIn profile lists: "Specialties: Computer Forensics, Malware Analysis, Network Security, Intrusion Detection, UNIX Security", along with a CISSP-ISSAP, which gives him a strong technical background related to the role.

His previous role was at IBM, and he does not list any physical security industry experience specifically, which could make his transition into Hikvision a bit more challenging than someone coming from this industry.

We have made a request to Hikvision for an interview with him for a future post. 

Just saw this news in the HDP email. They also now have a 12 hour (5am-5pm PDT) cyber hotline.

Read this IPVM report for free.

This article is part of IPVM's 6,743 reports, 909 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports