The Dumb Ones: PSA's Bozeman On CybersecurityBy: John Honovich, Published on Jun 15, 2018
The smart ones are the hundred people who flew to Denver and spent $500+ on a 1.5-day conference featuring (now US government banned) Dahua as a 'cyber responsible partner', as PSA President Bill Bozeman declared:
The rest of you, well...
A few problems here:
This is literally (cyber) security theater. Get in a room, congratulate each other on being so smart, while the industry's worst cybersecurity offender headlines the event. And then showcase how out of touch these 'thought leaders' are:
The only thing fast about the worst vulnerabilities in our industry is how fast companies like Dahua, Hikvision, and Xiongmai push cheap products with little regard for cybersecurity.
Now, surely this makes the event's sponsors feel good but it undermines real problems in this industry.
Making Manufacturers Take Responsibility
The reality is most manufacturers have taken cybersecurity far too lightly. And, worse, like Dahua, think they can pay to sponsor an event to buy that credibility back or falsely claim cybersecurity compliance.
But the manufacturers need to be responsible and need to improve their cybersecurity. The more manufacturers understand they have to lose by bad cybersecurity, the more they will put engineering resources (and not just press releases) into improving their products.
Stop Port Forwarding
While these conferences talk about Bitcoin and other such speculative, far-removed, topics, there is something much more fundamental that we all need to convince integrators to do. Stop port forwarding.
Why did all those Dahua recorders get hacked last year? Not just the backdoor but because Dahua directed their integrators to port forward. And port forwarding exposes one's video surveillance devices to the entire world so that any vulnerability found becomes a gold mine for hackers.
Worse, manufacturers like Hikvision continue to endorse port forwarding, even in their own hardening guides.
Doing Something To Help Integrators
Rather than sit around conference rooms and congratulate ourselves, IPVM has been hard at work building a tool to help integrators. We have released new software that allows video surveillance professionals to quickly and easily identify known vulnerabilities of products deployed in their systems.