Joe Harris

http://www.computerweekly.com/news/2240175468/UK-to-launch-public-cyber-security-awareness-campaign 93% of large corporations and 76% of small businesses experienced a cyber security breach in 2012

http://www.linkedin.com/today/post/article/20121211151616-458190-hackers-show-how-to-break-into-leading-finance-and-accounting-software-system-programs Have you considered the potential impact and risk exposure of your accounting software? Do you take stateful snapshot backups which can be queried in a standalone format as well as provably restorable on demand?

http://www.professionalsecurity.co.uk/news/training/espionage-films/ UK seen as a priority target for espionage

Thanks for the info Nexlar, though at the same time CSL & NSI among others are busy canvassing insurers to 'advise caution regarding the use of LPS1277'. This is public not trade so I will not go into detail on the subjet

Collaboration Our current generation is without doubt the most "connected" generation yet. We have numerous tools available which allow us to convey our thoughts instantly in every possible media format and yet we still occasionally struggle to communicate with each other effectively. I want to look at some specific examples of platforms for collaboration and see how our industry might be able to put them into useful practice as well as considering our motivation for contributing towards a collaborative approach. Documentation Creating standards and policy documents is a very difficult and often thankless task which must be carried out in order for our industry to continue to progress. If we were to sit everyone around a table to try and agree the wording of an important document then we could be there for a very long time (if indeed we were able to sit down in the first place). Using free, secure applications such as Google Drive (formerly Google Docs) means that a collective of people could all work on a single document as and when they have time to do so, and at a pace that suited them. All changes would be audited, commented upon and can be discussed in an easy manner alongside the document so that people can find a way to reach an agreement. At any stage people can look at who has edited what and why and a final draft document would be the output of the process. People may be hesitant at the idea of putting content out securely into ‘the cloud’. To those people I ask one simple question: "Realistically, whose servers are more secure? Is it Googles data centres or your own servers?" What would an independent auditor say if comparing the two options on a like for like basis? The primary consideration will always be one of risk versus reward. The opportunity to encourage engagement from an occasionally apathetic and yet well informed industry is one which we should strive to grasp. Impact & Opinion I recently had the pleasure of contacting representatives of all NSI Gold and SSAIB accredited ARCs. It was quickly apparent that across a broad spectrum of different types of alarm receiving centres, that the people I was talking to were all well informed, had a great deal of experience in their particular disciplines and were passionately interested in the industry on the whole moving forward and progressing. They all had something useful and positive and unique to contribute. This is a valuable resource which our industry ought to be taking the fullest possible advantage of (in the nicest way possible). The same I am sure can be said of installers, manufacturers and other interested parties. Often the difficulty can be in taking the wide variety of people and preferred contact methods they may have into account when trying to gauge the opinion of the whole. We could use tools such as private LinkedIn groups and built in polling facilities: This can quickly help to identify the collective opinion of individual members. However, though users can comment on polls in such groups it is important that a facility somehow remains for users to contribute comments anonymously if they wish as it may be that an unpopular or controversial opinion may in fact be an important point for all to consider. It is also important that such questions remain relevant, neutral and help to identify or resolve key concerns in the day to day operation of such facilities, as this will promote participation and engagement while providing useful output for interested parties. Sharing ideas Why would potential competitors want to share information and ideas? Everyone knows that our industry historically has thrived on secrecy and that unique technology can give businesses a cutting edge over others with whom they are in competition, so why would anyone want to share? There is value in effective collaboration which can simply not be achieved in isolation. We have gone from being one way consumers of information to instead being very effective communicators of information. What seems interesting to one person could inspire another to actually create an innovative idea or approach. It is now recognised that there is a "cognitive surplus" which is often untapped and which is willing to give input autonomously to the benefit of the greater good. Now, whilst I am very mindful of intellectual property and issues related to it, there are issues which are broader and affect all interested parties within a group. These are the types of challenges to which a collective group of experienced and interested people can help to overcome. Given the opportunity to participate and with enough barriers to participation removed, then people will go out of their way to help. Many individuals in our industry have valuable contributions to make, it is a question of giving them an opportunity to have a voice whilst accounting for their hectic schedules and any genuine concerns.

App-something?.... The recent launch of the Windows 8 operating system has become the flagship of a new thrust in technology culture that is here to stay if we like it or not. Windows are trying to push their desktop experience into the App based smartphone sector whilst at the same time crossing paths with Google who are busy working on selling their App based platform to desktop users. At the same time Apple is looking to futher improve communications between their many available devices to ensure a smooth user experience and to bond users more closely to their brand. Users are increasingly being taught to think less about the specific machine that they are using to access tools and data (Laptop / Mobile / PC) and to instead focus on a common interface and a shared pool of data. More content is being delivered to users in the 'App' format. By 'App' I mean simple, modular applications that are generally geared towards a specific focus area or subject. The aim in most cases is to simplify the interface used, allowing the more non-technical minded among us to interact in ways that would have been either slow or difficult to achieve previously. This combines with an ever increasing 'Always on' mindset to create a demand whereby users are surprised and disappointed if they can't 'find an app for that' when they search. Conversion One of the most common themes at the moment is the migration of existing products and services from a traditional email / letter / phone approach to instead utilise an App. What name is given to the process of converting something which is not an App into an App though? Imagine converting your hard copy lens calculator into an App, or maybe making your invoice payment system into an App. How do you describe this process of taking a none-app format procedure or task and making the same process achievable through an App? I came across this dilemma recently and discovered the following terms actively being used in this context: Appifying? (4.7k Google hits) Sounds satisfying but not quite self explanatory enough Appverting? (14.4k Google hits) "Converting into an App" sounds feasible however this term was hijacked by the marketing industry for use as 'Appvertising' (A failed marketing attempt to channel adverts to mobile devices) Appetising? (Huge number of irrelevant Google hits) Hungry? This causes confusion already... Apping? (576k Google hits) A term that is used already to cover many different non App based uses (Such as applying for something) Appification: (23.3k Google hits) Probably the most prominent term currently in use, perhaps also the least self explanatory one for ‘Joe Bloggs’ non-technical person Applicable applications Why would this process be important to the Electronic Security industry? Our industry already embraces this technology in many ways you could say, with many hardware manufacturers beginning to make interfaces to their products possible through apps. Is this the only narrow use for this approach though? We are a service industry. Many of the services we provide can be made more efficient or more easily accessible to a wider audience if converted to a format with which an end user can easily and securely access. Processes which currently soak up valuable staffing hours could instead be made automated or at least interactive. The evolving possibilities presented by the internet of things (IoT) and IPv6 offer amazing scope but also an amazing level of potential complexity. Apps could help organise and empower users so that they are able to be informed, advised and participatory in the naming and configuration process. Communication can be made much simpler and the secure sharing of information to relevant parties can be done in a transparent, seamless and immediate manner. Many of the back end systems currently utilised by Installers and ARCs have common protocols such as SOAP or XML available which means that your App can directly interface with your core products if you wish. You may find it worthwhile to take some time to stand back from your organisation and consider how you could use this ‘App momentum’ to your advantage. There is potential for all sectors of our industry to take advantage of this migration including but not limited to Installers, ARCs and service providers. How can you empower your end users and staff through this technology?

Innovation It is easy with hindsight to look at some developments and think 'why didn't I come up with that?' We are currently living at point in time where technology is developing rapidly across a wide spectrum of disciplines, this is at the same time as we are bringing billions more people online to join the global discussion. Will this inevitably lead to progression or will these new minds need first to assimilate all of the current and existing ideas in order to further innovate? I beleive that there is immense value in being able to look at your existing problems from an outside perspective. It is all too easy today to say that something is "impossible" if you have only one or a few fixed ideas about how something can be acheived. We can focus too often on fixing the symptom of an issue rather than looking to the root cause. In addition, some of the barriers that led to dead ends when perhaps we first investigated an issue have perhaps been removed since or will be over the next few years. There is a risk that a viable solution could be missed as you may automatically write off what is a valid answer based on your past experiences, without looking objectively at the issue as it presents itself here and now (and in the future). Progress The British government has indicated in the past that it sees innovation as a key 'currency' in the future as more mundane or manual tasks become automated: "We want to make sure that Britain is the best place in the world to run an innovative business or service - this is critical to the UK's future prosperity, our quality of life and future job prospects" (Department BIS - Policy statement) Innovation is celebrated in our sector with annual award schemes and peer review. There have been attempts within the industry to push the benefits of apprentiships with programmes such as the "Engineers of tommorow - 100 in 100" (pdf) which has been vocally led by Simon Banks We have a history within our industry of being at the cutting edge of technology in order to stay one step ahead of the more manevolent members of society and this continues to be the case. There is no doubt that many of the people working within the industry already have an idea of the capabilities they want to see from equipment within 5 - 10 years and currently the technology is lagging behind the ideas being generated, how long will this last for though? Electronic Security This perhaps leads to some questions that the Electronic Security industry can ask of itself regarding innovation: What steps can we take to avoid blind spots and recognise all possibilities? How do we as an industry ensure that such opportunities are not missed? Are we introducing enough new thinkers to our industry through measures such as apprentiships? Should we do more to encourage transparency from manufacturers about their roadmaps? Is some innovation only possible through collaboration? Not all change is good, how do we differentiate the good from the bad? Do we consider other points of view enough? Does your business carry out enough research and development? These questions are worth considering regardless of the sector of the industry to which you belong as they may have a impact upon you at some point. As always please share your thoughts and views on the subject.

Hah - Yes it is MrHappy To test it out yourself take a peek at Aurasma Lite on iphone or Android for a quick test of what can be done directly from a phone to set this type of thing up. This can be based on specific graphics or specific geolocation. I think they have a 3D shark you can use as a test

James, You are spot on and as mentioned existing 'old style' PSTN comms can be affected just as much as 'new style' IP / GPRS connectivity. There are a number of methods that would be effective against ARCs though I see some ARCs beginning to implement counteractive measures as a form of target hardening. Forward thinking ARCs are ensuring as much redundancy as is feasible and structuring their systems to ensure that such a threat is minimised. The only sad part is that for each ARC that does approach things this way, twice as many will bury their heads. As for false signals vs outright bandwidth flooding - The former may be more effective initially as it will form shaped traffic more likely to pass through any initial early stage filtration. The issue will be (as it is for unrelated websites usually) how to distinguish genuine traffic from spoofed traffic and to ensure that this is carried out with zero latency and zero errors. A tough ask. Joe

Augmented Reality There was a glut of press attention given recently to a free Android and iPhone application called "Chestburster" which allowed users to see a 3D ‘alien’ type creature emerge and come to life when viewing a particular static image along with gory sound effects. This image could be downloaded from their website and placed; for example, on a t-shirt / computer screen or as a printed image. Whilst this was very much a niche ‘toy’ to demonstrate the possibilities it is a powerful reminder that augmented reality (AR) is very much here and all of the tools required to utilise it are available now. AR uses static ‘trigger’ images or location data such as GPS to overlay virtual content on top of the real world. This virtual overlay can then be interacted with based on user input if they so wish. To bring people up to speed and help explain the possibilities we can look to Google as a good example of usage. Apple have been developing wearable systems (iShades?) to provide AR functions since 2008 or earlier. Google have been working for just as long on "Project Glass" which is in effect a pair of clear glasses which overlays 3D virtual images and data onto a real 3D landscape. In a basic form it would effectively allow you to have a ‘Streetview’ style view of streets as you walk around in an area or for the purposes of directions. This could theoretically extend to whilst driving and can indicate locations of landmarks or retail outlets etc… Go a step further if you would and imagine looking at a retail outlets signage and suddenly it comes to life listing the current special offers and promotions. With this being Google of course the content of such promotions can be specifically targeted for your demographic or interests. They can even remind you of that item which you looked at before but didn’t buy at the time for which they can offer you a unique one off discount…. Billboards will just be blank canvasses in future, a man and woman walking down the road may see a different moving advertisement each or may even see a different advert if together than they would each see apart. Those in a vehicle would see the same billboard specific perhaps to the type of vehicle they are driving or their plans for that evening. This is aside from any seamless integration of social networking applications, checking in to locations, advising stores or restaurants of your details as you enter the premises… “Hello Mr. Smith, it’s good to see you again, did you enjoy the steak last week?” You can begin to see what could be achieved through careful application of this additional layer of reality when usage becomes common. - So you may rightfully ask ‘What does this mean to us in the Electronic Security Industry though Joe?’ Whilst it is arguably the retail and entertainment sectors that will see the most dramatic impact from this technology it still allows our industry many ways of capitalising on the technology to deliver our services more effectively and efficiently. Some examples could be as follows: Training Whilst there is no replacement for full on training it would be a powerful tool to allow engineers to see a video demonstration or a list of specifications when viewing a signalling device or alarm panel. A link can be given to contact the manufacturer or ARC or maybe to documentation or a replacement parts lists. Circuitry can be overlaid with plans and inputs and outputs labelled to millimetre accuracy in clear text and full colour with active links to enable context based content. This training can also be extended to security system users to explain how to reset an alarm or to help them understand how to omit a detector or zone or other such issues. Marketing It can be difficult sometimes to convey an important message in the short length of time in which you hold captive a persons attention whilst they read a brochure or advertisement. Through AR you have an opportunity to showcase your products and services in a manner that is relevant to the end user. Complex issues can be more effectively delivered through media playback or animated images or diagrams triggered by static images on a website or leaflet for example. Day to day usage Aside from training and graphical overlays it may be that suppliers can start to think more diversely in their approach. Why have a keypad on the wall at all if a virtual keypad could display upon approach for verified users carrying an authenticated fob or similar? Why not allow engineers to receive feedback from detector positioning and any masking to allow an overlay showing precisely where the detection covers within an environment during the installation of equipment? This data could even be used as a form of Kinect style visual overlay of a scene to provide ARCs with an image of the specific activity that led to an alarm activation so as to allow them to make an informed decision on a relevant handling procedure. Bell Boxes These already provide a form of advertising for Electronic Security companies but what if the same devices could trigger advertisements in full even with geographic based promotions? Imagine a virtual billboard on every home which can be constantly updated remotely if you wish? Promotional offers could be provided simply on the basis of having viewed an existing installation and then making an enquiry or you could even elect to provide some form of promotion for specific properties which generate enquiries based on their location. - I have only scratched the surface of some of the possibilities that could potentially be achieved. With a little imagination I am sure that each of you could find a way to use this technology to your advantage and I would ask that you begin to consider how you could go about utilising it to full effect in your own business by making it a reality before it becomes ubiquitous. The final word goes to T.S.Eliot... Human kind Cannot bear very much reality. Time past and time future What might have been and what has been Point to one end, which is always present

With standardised chargers now being implemented for mobiles and the "optimal" phone designs now settling in, I would like to see a system where my phone docks into a cradle to form the keypad / home control unit or docks in my vehicle dash when out and about to act as my satnav etc. These things are possible already but I want a more seamless and intuitive integration that just works. Once you remove the shackles of sticking to conventions and assuming that the old way was always the right way you can really start to explore truly ergonomic solutions. The only thing to be careful of is that not all change is good change - so research carefully and test fully. P.S. - Trifactor authentication based on: Physical device (Phone) Code entry (Keypad displays on insertion into dock) Iris / facial recognition (Using camera built into phone) Could be a useful way to provide further authentication without requiring a lot of time or equipment which could work for several applications.

An excellent summary and analysis thanks Chris.

Summary Many specific industries in the UK are currently being targeted for online attacks in order to access the information which they hold. This information is rapidly becoming a new commodity in these changing times. The financial sector saw a 3000% increase in the volume of attacks directed specifically at them in the first quarter of 2012. [1] [2] The electronic security industry is a definite target due to the ‘low risk, high yield’ target nature of ARCs & Installers for potential attackers coupled with the lack of up to date awareness in many parts of the industry. The risk from DDoS type attacks in particular is a well founded one but also comes on the back of other concerns in respect of “information security”. Our industry is at particular risk from this threat for a number of reasons: In the first case we hold (as an industry) vast amounts of sensitive data on our clients. We are ourselves a means by which access can be granted to further information from our clients. As an example consider an attacker armed with a security firms authorisation credentials or a site password then contacting a client of the ARC whilst performing a social engineering attack. Mobile telephone numbers can lead to location data or voicemail access of end users. The other aspect to consider is that as an industry we face an increased exposure from this type of attack that can be very detrimental to business. “Electronic security” is not the same thing as information security but to end users and clients this distinction is not so clear. We operate in an environment of trust and robust security protocols. Clients would potentially steer clear of the victim of a data breach as they would be seen as ‘untrustworthy’; this can have a massive impact within the industry. [3] A small investment in time and resources now could save businesses a great deal of cost and time at a later date. Following some basic principles [4] of system management will help. In the long term a complete managed structure is the only effective solution to mitigate the increasing risk and exposure. To manage system updates, audit all of the many server and client machines, keep up to date with trends and exploits and to effectively harden the many networks, software platforms and systems is a lengthy and laborious task which businesses small and large may struggle to keep up with. [5] [6] Threats & Exposure To understand the risks and better manage them we ought to first understand who would be aiming to access data. I believe we can categorise the majority of potential attacks as coming from one of five primary sources presenting the highest risk factors for our industry: Hacktivists Whilst traditionally few ARCs or Installers are seen to have any specific political or corporate ties (which reduces exposure to this threat) the servers and bandwidth available to ARCs can be seen as a potentially lucrative target to use for attack redirection or to include within a zombie network for attacking other targets Staff / Industry competitors Whilst a lower risk it needs to be considered and accounted for. Attacks such as competitors taking up similar domain names in the hope of emails being mistakenly delivered to them needs to be monitored for and addressed. Sensitive commercial information is in itself of value to a potential attacker from this sector. Criminals Well, at least with this source it is one we are all very familiar with. It is interesting that information security and electronic security are both very similar when criminals form the source of the attack. Target hardening is effective and will cause criminals to instead opt for an easier alternative target. The reason and target of attack is financially motivated. The best defence here can be to make it labour intensive, time consuming and expensive for anyone to perform a successful attack and it will reduce the impact from this source. It must be remembered though that the criminal enterprises can have *significant* resources available to them and they are becoming wise to utilising cheap mass labour to perform the legwork which can complicate matters. Script Kiddies This is becoming a dwindling form of attack source, however, it cannot be discounted entirely. While this particular source of attack generally uses widespread and basic tools which can be protected against, there is also the opportunity for talented and determined individuals to find previously unknown 0sec (zero seconds / newly discovered) exploits, which would not be so easily detected. State sponsored This is the largest threat to our industry. The sheer numbers involved and the impunity in which attackers operate highlight the fact that the internet is now very much like the old west with very few laws and regulations and several different highly active groups (the UK is no exception). Please take a moment to consider the type of information that could be useful to a potential attacking state. Vast amounts of data is stored which can all be funnelled into pool of information for later analysis. Nation states have many Petabytes / Exabytes of data storage for just this purpose and in many cases employ very effective attack teams. They have staff dedicated to harvesting and categorising target clients (IPV4 means fairly limited numbers which they can go though quite literally one by one). In the case where a target client is not immediately exposed to any current risk their equipment and services can still be categorised. When a new ‘0sec’ exploit is then released / discovered or purchased then these categorised targets can all be revisited quickly and with ease. This is also a form of attack that will not entirely disappear in the future without significant changes, indeed there are claims that this is now the modern battlefield between nations, we need to be careful to ensure that as an industry we do not become the injured innocent bystanders. Attack Vectors For the modern ARC or Installer there are several attack vectors and points of exposure: External webservers / client interfaces Company websites Mail servers Corporate intranets USB / Removable media Precompiled VMs IP Signalling device connectivity Receiver software / firmware You must ask questions of yourselves in relation to each of the above vectors remaining honest with yourself whilst doing so. Are each of your systems adequately protected? Is the authentication procedure appropriate to the risk exposure? How do you know if you have already been infiltrated? What measures can you take to prevent exposure to each of the above? Are your staff members trained to respond to and recognise these risks? Are you opening up more data than is required to perform the task at hand? If so why? Are your contingency arrangements formed with these risks in mind? Does your backup procedure give you scope for recovering to a point prior to an attack occurring which may be discovered at a later date? The reality in our industry is that the technical expertise employed within and by third parties on behalf of ARCs and Electronic Security Installers is often quite specialised. Whilst there are very many incredibly talented individuals working in the industry, it does not follow that they are necessarily aware of all aspects which are required in order to effectively protect company assets. The Solution? There is no "one size fits all" solution that would work for all types of businesses. There are however, some good practises and recommendations that can be made. Where possible implement managed network provision from a suitable supplier. Ensure that you have the support of any ISP utilised in order to help counter DDoS types of attacks. There has been a gradual evolution of some signalling products and back office systems to utilise remote access and various forms of IP technology. Ensure that the systems you are utilising have approached the implementation of this technology with a sound understanding of the risks involved. Other products have been designed from the very start around the core principles of data security and robustness, this should be a primary consideration. With all the points raised above, the key thing is awareness. Understand the capabilities and weaknesses of each product and perform your own risk assessments. You may conclude that it is no longer appropriate to utilise some equipment or demand more robust solutions from the supplier. In either case at least you are prepared and aware. Ensure that you are able to accurately track the flow of data in and out of your business and be able to see the status of all critical equipment and networks instantly at any time (keep your fingers on the pulse). We are all in the habit of assuming the worst case scenario in order to minimise risk. This puts our industry in a good position to be able to overcome such issues as and when they arise as long as we continue to be prepared. Consider your existing networks and infrastructure carefully. What is your exposure to risk? Can action be taken to reduce or ideally, entirely negate the risk? It will become crucial in future for Installers and ARCs to communicate effectively to highlight and manage risks. We have already begun to see the efectiveness of this approach when nationwide issues occur and in future we should all take advantage of these networks to help mitigate and protect from risk.

Enjoyable read Jim, echoes a great deal of that which I have seen recently in industry. Thanks for taking the time and I look forward to the next article. 'J