©2016 VTI Security in association with SecureSet - Page 1
Beyond the Convergence of
Physical & Cyber Security
VTI Security in association with SecureSet
VTI Learning Series 2016
The Next Wave of Our Industry is Here
It’s more than convergence of logical and physical
security. It’s bridging the Inter-Departmental
gap between IT and Security, elevating your
design and acquisition processes, and choosing
the right integration partner to Trust with your
deployment.
...Are You Ready?
Introduction
Have you been breached? The odds are that you have and if you haven’t,
you will be. The information security colleagues at your company are working
diligently to mitigate that risk. Are you helping or harming that cause?
The information in this paper
is designed to bridge the gap
between physical security and
information security colleagues.
The stakeholders in each of
these environments have moved
to an arena where their collaboration is necessary if you are to be successful
in protecting your business. It’s geared towards empowering one another by
framing conversation and education in a way that your partnership is able
to become proactive and strategic. We believe this kind of value is at the
foundation of our responsibility.
We plan to look at the migration of physical security technologies to the
network, overview how the network functions in support of those technologies,
understand the Cyber threat of IP devices on the network, and provide
guidance on how forward-thinking companies are approaching the design,
investment, and installation of those solutions.
Introduction
A Little Background
Joshua Cummings, Director – Engineering Services, VTI Security
Evolution of Solutions
Operating Environments
Pros & Cons of Enterprise, Interoperability, and Auto Discovery
The Cyber Perspective
Alex Kreilein, Managing Partner & Chief Threat Officer, SecureSet
Risk Calculus
Attack Surfaces
Ingress Calculus
Authentication
Vulnerability & Device Management
True Impact / So Now What?
Stephen Fisher, Director – Business Development, VTI Security
So Now What?
The Investment Process
The Qualifying Process
The Collaborative Design Process
Evolution of Solutions
Surveillance, Access Control, and More: Movement to the Network
Moving Video to the Network:
Closed Circuit Television (CCTV) was first introduced in 1942 in Germany to view the launching of the V-2 rockets. Later on, the technology migrated to the United States. These first systems were limited and only allowed for live viewing of cameras. In the 1970’s the VCR was invented and that led to the expansion of CCTV. With this technology, a single camera’s video could be transmitted over a coaxial cable and recorded to a cassette tape. Additionally, with the use of a multiplexer, multiple cameras could be recorded on a grid to that same cassette tape.
The VCR remained a staple of the CCTV industry for quite some time. In the 1990’s the DVR or Digital Video Recorder was introduced. The DVR had the ability to take those same analog signals and capture them on a hard drive. Unlike the VCR, a DVR also had the ability to be connected to the network for viewing and streaming. This was a first step toward the network.
In the mid 90’s, the first IP camera was invented. This camera transmitted the video over Ethernet cable instead of coax. This moved the processing of the video to the camera rather than at the DVR. The DVR also had to evolve into an NVR or Network Video Recorder to receive the IP stream.
The deployment of analog systems has continued to decrease as IP Video has been on the rise.
Although analog video may never
fully go away, the industry has
standardized on transmitting video
over the IP network.  The use of
Power Over Ethernet has helped
to simplify the deployment of IP
video.  Manufacturers are now
focusing on developing higher
resolution video and analytics to
improve usability of the video.
Moving Access Control to the network:
Access Control is another security
discipline that is moving to the
network.  Simply put, access
control is a method for requiring
authentication before entering an
area or building.  Often this is done with
an access card or with biometrics
such as your fingerprint.  
Early on, access control
manufacturers developed their
own proprietary standards for
communication transmission
from the server to the
panel.  Communication traveled
across serial connectivity utilizing
RS-232, RS-485 and other serial
communication protocols.  
With the standardization of IP
networking, serial communication
has become less common, driving
access control manufacturers to
develop IP based panels.  These
panels continue to move further
away from the application and are
often distributed throughout the
building, across a campus or even in
another state or country.
Credential technology has evolved
as well.  Initially we utilized such
methods as barcode, magstripe,
or proximity.  Over time, we have
developed more secure technologies
in MIFARE, DESFire and iCLASS.
Proximity was introduced in the
1980’s and was a widely used
standard for two decades.  In the
1990’s the credential industry
experienced a revolutionary shift
as proximity was proven to be
unsecure.  Today, smart card
technology is being driven to increase
the security on the card through
encryption of communication and
data.
Operating Environments
What is the Network?
Your company or organization may be considering moving to IP based systems. You may find yourself needing education about what the network is and does. While we can’t cover this topic in depth in this white paper, we can cover some of the major terms and buzzwords that you may be hearing around your organization.
First of all, it is important that you understand the structure of the network. The OSI Model or Open Systems Interconnection Model is the framework for the network. Every aspect of the network falls into this structure. The model is made up of 7 layers. Each layer has specific responsibilities.
Learn more online at https://en.wikipedia.org/wiki/OSI_model
Layer 1 - Physical Layer
The physical layer specifies how the
components of the network connect
together. Ethernet is a very common
standard in this layer.
Layer 2 - Data Link Layer
Essentially this layer defines the
protocol to establish and terminate
a connection between two physically
connected devices.
Layer 3 - Network Layer
This layer provides the means for
addressing each device on the
network. It also defines the protocols
for how information is routed from
one device to another.
Layer 4 - Transport Layer
Here is where protocols such as TCP
and IP are utilized for ensuring the
packets are transmitted and received
correctly.
Layer 5 - Session Layer
This layer establishes a connection or
session between the two parties. It is
responsible for setting up, monitoring
and tearing down the connection.
Layer 6 - Presentation Layer
In this layer the data in the packet is
translated for the application on the
receiving host.
Layer 7 - Application Layer
This is essentially the application
that you use on your PC to access
information. An example of this could
be your security application, an FTP
program or even your office products.
Additionally, there are terms that you
may hear when discussing the network.
IP Addresses - every device that is
on the network needs an IP address.
This is an identifying set of numbers
similar to the address of your house.
VPN - Virtual Private Network - this is
an application or device that allows
you to connect to your company
network while away.
Firewall - A device or software that
provides a barrier between you and
the internet.
VDI - Virtual Desktop Infrastructure -
this is a desktop that is not physically
located on your PC. This desktop is
available remotely and maintained by
your IT group.
Pros & Cons of Enterprise, Interoperability, & Auto Discovery
The migration of security to the network has opened the door to many new opportunities never imagined with closed, proprietary systems. For starters, the network reaches around the world. By putting security devices and systems on the network, we now have the capability to see those systems and incorporate those devices from all corners of the globe into one fluid system.
Another benefit is that the network brings standards. These standards are created and maintained by organizations in an effort to improve interoperability. Some examples of these organizations are ISO (International Organization for Standardization), PSIA (Physical Security Interoperability Alliance) and ONVIF. Utilizing these standards, manufacturers can create products and applications that natively work together.
Additionally, the network continues to evolve and grow in terms of its capability. Initially we measured network speeds in kilobytes per second. As technology improved, network speeds grew to megabytes and now gigabytes per second. In some network environments such as data centers we see data transmission speeds of 40 gigabytes per second or more.
There are a lot of pros to having our security systems on the network. At the same time, being on the network also can open these systems up to vulnerabilities that we may not be used to addressing.
We have traded the proprietary
nature of these systems for
standardization and interoperability
and along with that, there are new
challenges for keeping these systems
secure.
In an effort to make security devices
and applications easy to deploy,
many manufacturers have built in
features to help. These features
allow for auto discovery, ease of
use and ease of deployment. While
initially these features have helped
tremendously in the migration to the
network, if left on, they inherently
have a lot of vulnerabilities that
can be exploited by hackers with
malicious intent.
Some of these vulnerabilities
include open ports, default or
weak passwords and unsecure
transmission protocols. While these
features make the product easy to
deploy, they must be addressed for
a system in production to provide
protection on the network from
hacking.
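The items named above (open ports, default passwords, unsecure protocols, auto discovery left on) can be checked before a device leaves commissioning. The following is an added example, not part of the original paper: it audits a constructed inventory export, and the column names, device names and per-role port baseline are assumptions to be replaced with your own.

```python
import csv
import io

# Constructed inventory export; device names and column names are hypothetical.
INVENTORY_CSV = """\
name,role,default_password,listening
lobby-cam-01,camera,yes,80/tcp;554/tcp;23/tcp;3702/udp
dock-cam-02,camera,no,443/tcp;554/tcp
door-ctl-01,controller,no,443/tcp;1900/udp
nvr-01,recorder,yes,443/tcp;21/tcp;8000/tcp
"""

# Cleartext management and transfer services.
PLAINTEXT = {"21/tcp": "FTP", "23/tcp": "Telnet", "80/tcp": "HTTP"}
# Discovery helpers that ease installation but should be off in production.
DISCOVERY = {"1900/udp": "UPnP/SSDP", "3702/udp": "WS-Discovery", "5353/udp": "mDNS"}
# Assumed approved listeners per device role; derive this from your own design.
BASELINE = {
    "camera": {"443/tcp", "554/tcp"},
    "controller": {"443/tcp"},
    "recorder": {"443/tcp", "554/tcp"},
}


def audit_device(row):
    """Return a list of (severity, finding) tuples for one inventory row."""
    listening = {p.strip().lower() for p in row["listening"].split(";") if p.strip()}
    findings = []
    if row["default_password"].strip().lower() == "yes":
        findings.append(("high", "default password still set"))
    for port in sorted(listening & set(PLAINTEXT)):
        findings.append(("high", f"plaintext {PLAINTEXT[port]} on {port}"))
    for port in sorted(listening & set(DISCOVERY)):
        findings.append(("medium", f"auto discovery ({DISCOVERY[port]}) on {port}"))
    # Anything else listening that the role's baseline does not allow.
    already_flagged = set(PLAINTEXT) | set(DISCOVERY)
    allowed = BASELINE.get(row["role"].strip().lower(), set())
    for port in sorted(listening - allowed - already_flagged):
        findings.append(("medium", f"{port} is outside the {row['role']} baseline"))
    return findings


def audit_inventory(csv_text):
    """Map each device name to its findings (an empty list means clean)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["name"]: audit_device(row) for row in reader}


def production_ready(results):
    """Devices with no findings, i.e. cleared to leave commissioning."""
    return sorted(name for name, findings in results.items() if not findings)


if __name__ == "__main__":
    results = audit_inventory(INVENTORY_CSV)
    for name, findings in results.items():
        for severity, text in findings:
            print(f"{name:14} {severity:6} {text}")
    print("cleared:", production_ready(results))
```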
Risk Calculus
Not all outcomes are equally likely or equally consequential. Hyperbole is helpful to no one – but risk-informed thinking is. That is why the first step when considering a new implementation or integration should be to engage in a basic risk assessment that analyzes threats, vulnerabilities, likelihood, and consequence to particular infrastructure. To engage in this process, your organization should begin to consider the following:
Step 1: Scope Risk Management Activities
Step 2: Identify the Infrastructure
Step 3: Conduct a Risk Assessment
Step 4: Deploy Risk Mitigation Strategies
Step 5: Assess Effectiveness Against Metrics
Your organization should seek to engage subject matter experts with experience in the NIST Cybersecurity Framework or the Control Objectives for Information and Related Technology (COBIT) framework. These frameworks should help your organization implement the Center for Internet Security Top 20 Critical Security Controls and address the risk of a threat actor who would exploit a vulnerability in a system causing an unwanted consequence.
“Risk is the likelihood that a threat actor, intentional or deliberate, will exploit a vulnerability in a system causing an unwanted consequence.”
Attack Surfaces
The attack surface in a software environment is the sum of the different attack vectors where an attacker can try to gain ingress or egress into an environment. In a classical physical environment such as a mechanical lock, the attack surface is the locking mechanism itself, the shackle, and the padlock body. The sum of those parts is what the attacker will target in order to disable the security measure.
In computer systems, the same is true. Attackers will try a number of different points of potential entry until at least a single point fails. That is why it is paramount to ensure consistent patching of software, proper access control policies and enforcement mechanisms, and constant observation of the perimeter and key systems. All information is security information and all networked devices are involved in security.
Network access control systems, active directory systems, border routers and firewalls, and IoT devices (including physical security devices) are all at the front lines of your perimeter defense.
Assuring their proper functionality and resiliency is critical. But we simply cannot stop at the perimeter as that thinking assumes the threat is an outsider and does not comport with the best-in-class thinking around defense-in-depth strategies.
“Attackers will try a number of different potential points of entry until at least a single point fails. It is paramount to ensure consistent patching of software, proper access control policies and enforcement mechanisms, and constant observation of the perimeter and key systems to assure a minimal attack surface.”
Physical security devices can be
exploited just like any other device.
Moreover, traditional IP network
elements and systems can be
exploited and used as launching
pads for attackers who would gain
unprivileged access to the network
segment dedicated to physical
security. By pivoting through
Layer 1-3 systems, attackers could
disarm or disable physical security
devices – or – use physical security
devices to gain unprivileged access
to sensitive systems. Ideally, these
networks would be segmented from
each other. However, at the very
least, organizations can work with a
Trusted Business Partner to create
the optimal network architecture
that assures both security and
functionality while keeping an eye
towards cost.
After security policies are built and
deployed, it is important for your
organization to undergo routine
security audits such as penetration
tests to gain adversarial insights to
improve your system. A forensic
analysis of the penetration testers’
attack will provide a display of the
weaknesses and vulnerabilities in
the system as well as the tactics,
techniques, and procedures used
to exploit them. Integrating this
knowledge into a security program
and the systems security architecture
will reduce the overall attack
surface in conjunction with strong
security policies and enforcement
mechanisms.
Ingress Calculus
Cybersecurity threat actors are criminals. And like other criminals, the adage of means, motive, and opportunity applies. Unlike a common thief, however, attackers of computer systems and networks often spend a tremendous amount of effort developing, testing, evaluating, and refining their plan of attack. They spend significant time in reconnaissance, in attempts to weaponize and deliver an exploit, in the exploitation of the attack surface, and in the installation of functions enabling command and control inside the network or system, all to take action on their objectives. Understanding the difficulties involved in hacking, there are a number of considerations that you can make in consultation with a Trusted Business Partner.
Attackers are seeking many opportunities of interest. To maximize that opportunity, they use passive and active scanners that return results of thousands of IP addresses at a time across the Internet. They use computer programs to automate attacks and when low-hanging fruit returns a positive result, they attack in force.
Remember that you don’t have to run faster than the bear to get away – you just have to run faster than the guy next to you. While somewhat of a crude analogy, it is true that attackers have many targets of opportunity. Attackers, just like the rest of us, weigh competing opportunities against the resource intensity required on their part and the outcomes should the attack be successful. If your organization is comparably resilient to others in your class of business, attackers may seek their rewards elsewhere.
“The ability for a threat actor to exploit a system vulnerability is predicated on
1) the means, motives, and opportunity of the threat actor and
2) the security of the system and the security posture of the owner organization.”
Network 2.0
Cybersecurity in a Connected World
Many in the physical security world have remarked about the
rapid pace of change from rings of keys to IP badge readers.
That rapid pace is also something that the world of IP
networks has seen in a similar period of time – and there is no
sign of it slowing down. From network function virtualization
and micro-segmentation to machine learning software-
defined devices, IP networks have enabled a transformation
through convergence.
It is important to remember that
every node on the network is an
access point to either a function
or to data. The function of badge
readers is access control, whereas IP
cameras relay data. Beyond that,
devices on a network are run by
the software on them. That means
that traditional vulnerabilities
remain persistent.
The same way that updates are
developed and pushed to an
operating system on a laptop, they
must also be developed and pushed
to the physical security device. And
while it may not be apparent, the
physical security space is about the
Internet of Things (IoT). In an effort
to reduce the available attack surface,
three factors are important when
dealing with IoT: authentication,
vulnerability management, and
device management.
Authentication
On today’s Internet, users
authenticate to Websites and
applications by using a username
and password – some require a VPN.
The browsers authenticate web sites
through the Secure Sockets Layer
protocol. And while that is often
unsecure, they are even worse for
IoT-scale authentication. OAuth
2.0 and OpenID Connect 1.0 are
two standardized frameworks for
authentication. However, they
both are bound to HTTP and not
HTTPS, which makes assuring
the authentication of a device
problematic. Authentication
standards do exist that overcome
this concern but require significantly
more effort to elegantly implement
than their less secure counterparts.
Vulnerability Management
All software requires updating.
From vulnerabilities in the supply
chain of third party libraries such as
OpenSSL to errors in code written
by the OEM, devices require updates
as a mechanism for assuring the
security and resiliency of the device.
But many organizations do not
have processes in place to assure
the legitimacy of updates, test and
evaluate the effectiveness of the
updates, and push down updates
to devices. In order to assure that
physical security devices are not
the point of entry for attackers,
updates must make it to devices
unimpeded and in a prompt
manner. Updates (i.e. patches)
often go to address critical security
weaknesses in devices. Patching
these vulnerabilities is an optimal
mitigation strategy as it directly
addresses the weakness, is nearly
free, and reduces the overall attack
surface. It is important to ensure that
these updates are pushed to devices
but it is also important to assure that
the updates are legitimate. To that
end, organizations must ensure that
firmware is signed by the correct
software publisher prior to taking
action on it as attackers often forge
updates to gain root access.
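One way to enforce the publisher check described above, shown as an added example that is not from the original paper: it pins the publisher's key fingerprint and verifies the signature with the `openssl` command line tool, which it assumes is installed. The key pairs, firmware bytes and function names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
import subprocess
import tempfile


def _openssl(*args):
    """Run the openssl CLI and report whether it exited with status 0."""
    return subprocess.run(["openssl", *args], capture_output=True).returncode == 0


def key_fingerprint(pub_pem):
    """SHA-256 fingerprint of a PEM public key, computed over its DER bytes."""
    body = b"".join(
        line for line in pub_pem.splitlines() if not line.startswith(b"-----")
    )
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def verify_update(firmware, signature, pub_pem, pinned_fp):
    """Return 'ok', 'untrusted-publisher' or 'bad-signature'.

    pinned_fp is the publisher key fingerprint obtained out of band; a key
    that merely travels with the update is never trusted on its own.
    """
    if not hmac.compare_digest(key_fingerprint(pub_pem), pinned_fp):
        return "untrusted-publisher"
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for name, data in (("fw", firmware), ("sig", signature), ("pub", pub_pem)):
            paths[name] = os.path.join(tmp, name)
            with open(paths[name], "wb") as fh:
                fh.write(data)
        valid = _openssl("dgst", "-sha256", "-verify", paths["pub"],
                         "-signature", paths["sig"], paths["fw"])
    return "ok" if valid else "bad-signature"


def _make_signer(tmp, name):
    """Demo only: create a throwaway RSA key pair; return (key_path, pub_pem)."""
    key = os.path.join(tmp, name + ".key")
    pub = os.path.join(tmp, name + ".pub")
    ok = _openssl("genpkey", "-algorithm", "RSA",
                  "-pkeyopt", "rsa_keygen_bits:2048", "-out", key)
    ok = ok and _openssl("pkey", "-in", key, "-pubout", "-out", pub)
    if not ok:
        raise RuntimeError("openssl key generation failed")
    with open(pub, "rb") as fh:
        return key, fh.read()


def _sign(tmp, key_path, firmware):
    """Demo only: sign firmware bytes (SHA-256) with the given private key."""
    fw = os.path.join(tmp, "fw.bin")
    sig = os.path.join(tmp, "fw.sig")
    with open(fw, "wb") as fh:
        fh.write(firmware)
    if not _openssl("dgst", "-sha256", "-sign", key_path, "-out", sig, fw):
        raise RuntimeError("openssl signing failed")
    with open(sig, "rb") as fh:
        return fh.read()


def demo():
    """Run four constructed update scenarios and return each verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor_key, vendor_pub = _make_signer(tmp, "vendor")
        other_key, other_pub = _make_signer(tmp, "other")
        pinned = key_fingerprint(vendor_pub)  # in practice: from the manufacturer
        good = b"camera firmware v2 (constructed sample)"
        forged = b"firmware image built by someone else (constructed sample)"
        good_sig = _sign(tmp, vendor_key, good)
        forged_sig = _sign(tmp, other_key, forged)
        return {
            "genuine": verify_update(good, good_sig, vendor_pub, pinned),
            "modified_in_transit": verify_update(good + b"\x00", good_sig,
                                                 vendor_pub, pinned),
            "forged_with_bundled_key": verify_update(forged, forged_sig,
                                                     other_pub, pinned),
            "forged_against_vendor_key": verify_update(forged, forged_sig,
                                                       vendor_pub, pinned),
        }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:28} {verdict}")
```

Only the `genuine` case should be allowed to reach a device; the third case shows why a valid signature is not enough when the key itself arrives with the update.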
Device Management
Assuring the persistent behavior
of a device in a sea of devices is
difficult. In environments requiring
compliance or those that have high
standards for security practices, the
most efficient method for assuring
the configuration and operational
management of a device is with
automation tools often used in the
DevOps community. A Trusted
Business Partner can help evaluate
the business cases for these tools
and assist in the implementation
itself.
So Now What?
As the importance of physical and logical convergence
continues to move to the forefront of media and
mindsets, the strategic and tactical impact to making
buying decisions is evolving, as well. Bringing together
stakeholders from Security/Risk, IT/IS, and Finance/
Purchasing has never been more important. Just as
go-to-market has changed for manufacturers and
integrators of physical security technologies, so has the
need for qualifying those solutions and integrators from
the end-user perspective before making investments
and, ultimately, accepting the responsibility for IoT
devices on the network of your company.
The Investment Process
Limiting Your Liability
If you are still drafting an RFP in a vacuum and publishing it to the open market, you are doing a disservice to the safety and protection of all data on your network – company and personal.
Your scope of work, IoT device nomenclature, specifics on how those devices are to be operating on your network, storing data, and communicating across your enterprise, and the means by which they are to be installed are all factors that afford threat actors – inside your company and outside your company – the ability to mine your data and harm your network ecosystem. Protection today is about mitigation and prevention. Following this antiquated process does little to achieve either.
Hackers follow a process called the Kill Chain, which describes how most threats operate in pursuit of exploiting networks, systems, and services. The first step in this process is to engage in reconnaissance. The vast majority of threat actors use open source intelligence, such as documentation listed in an RFP, to determine the underlying infrastructure they seek to compromise.
Once the infrastructure is identified,
researched, and understood, a threat
actor can weaponize an exploit and
target a vulnerability causing the
unwanted and often devastating
consequence. Providing detailed
information to the public only makes
it easier for hackers of various levels
of skill, persistence, and means to do
their dirty work.
Forward thinking end-users today
have made the paradigm shift to view
the purchasing process through an
elevated approach. They seek Secure
Integrators capable of not only
understanding this vulnerability, but
adept at the design and management
of IoT data associated with physical
security technologies. Choosing your
Partner, collaborating on a secure
design concept with capacity to meet
your performance expectations, and
negotiating all terms, conditions,
and pricing serves as a strategic and
proactive approach to protecting
your company.
The Qualifying Process
Choosing a Secure Integration Partner
The leading companies today are redefining what it means to be
a qualified security integrator. Certainly, you require a Trusted
Business Partner capable of your demand, specified performance
requirements, one who carries ‘product’ and industry/regulatory
certification, and with the infrastructure to manage assets and
resources associated with installation, project management,
and support. However, when choosing a secure partner, the
requirements have evolved.
It’s important to choose a company with the tools, processes, and
investments necessary to ensure business continuity, protection of
real-time and stored data, and the capacity to collaborate with you
on extending your secure environment beyond physical security –
those that control what can be controlled.
At a minimum, your qualifying and purchasing process should include a
company that can prove and demonstrate each of the following:
Cyber Security Insurance
Cyber Insurance protects both of
your assets and ensures business
continuity. This insurance covers
financial losses incurred by 3rd-party
data breaches, as well as costs
associated with any data breaches
of your Partners’ systems. This is a
standard in today’s risk environment
that your integration Partner should
be required to carry.
Data Breach Plan
Qualifying a Partner who has retained
the services of a leading Information
Security Services company to assist
with securing internal information
assets, Incident Response planning,
Incident Assistance if a data breach
were to occur, and to perform
intermittent Network Penetration
Testing should be a basic requirement
of any qualified integrator.
System Access Management
Require your Partner to have
developed a program that defines
how usernames and passwords are
created and provides an encrypted
database location to store the
information on their secure network.
This basic measure needs to be
extended to the original storage
location, how that information
is shared with field colleagues
accessing your systems, and how that
information is set up originally as part
of the commissioning program. We
recommend you require your Partner
to define this program as a qualified
integrator.
Colleague Integrity
As a standard, your qualified Partner
should be executing a series of
screening applications to ensure
colleagues are fit for performance.
This includes reference checks, drug,
health, and background screening,
criminal crosscheck, as well as work
ethic and character authenticity
testing. Most often, threats
come from ‘inside’. It is important to
fully outline your expectations in this
arena to include annual re-testing if
necessary by your Partner.
Secure Remote Support
In compliance with client accessibility
requirements, your Partner should
be able to provide instant, proactive,
and remote support using proven
technologies. This is a collaborative
process that requires inclusion of
all associated departments and
stakeholders. For your qualifying
process, it is valuable to fully
understand how your Partner does
this today.
Business Continuity
Your Partner should be designing
protocols for unforeseen events
impacting their ability to perform.
Their Continuity Plan should include
things like housing their primary
servers in managed, co-location
datacenters with redundancy in
different geographical locations
and maintaining multiple service
dispatch operation centers in
different geographic locations. Ask
your Partner, what are they doing to
protect against unforeseen events?
Internal Controls
There is a broad array of standard
internal security controls including
next-generation firewalls, encrypted
network credentials, and secure
access protocols that your Partner
should be designing, implementing,
and investing in. Ensuring trust in
your Partner means understanding
what these are today, and what
they might be on the horizon as the
network and security technology
environment evolves.
Testing Environments
Manufacturers of hardware and
software often are delivering
upgraded solutions to the market.
Your Partner should have the ability
to provide a secure environment to
test software patches and upgrades
for existing and new installations
– minimizing disruptions to your
network. This process allows for
bugs and hitches in the installation,
operation, and communication of
new solutions to be ironed out before
going live in your environment. Is
there a fully operational ‘Demo Lab’ at
your Partner’s location to conduct this
kind of activity?
The Collaborative Design Process
Hardened Solutions, Interoperability, and Performance Expectation
Choosing your Partner goes beyond the basics of ensuring
they have invested in the tools necessary to ensure business
continuity. It requires a collaboration of ideas, resources,
and assets for the design of your solutions. Furthermore, it
is imperative that your Partner is capable of walking the talk
– taking tactical steps to ensure the activity ‘at the ladder’ is
congruent with your performance expectations.
Hardened Solutions
Today, the leading manufacturers in the physical security technology space
are bringing clarity to the security of the supply chain management of their
solutions, guidance on how to harden those products via password and
physical manipulation, and separating themselves from the low-cost, overseas
products often attributed to ‘cost effective’ solutions. It’s important there is an
understanding from both the client and the Partner where this value plays into
the investment.
Partner Vested in Protection
As defined in the Choosing a Partner section, you must be looking for a Partner
with the tools, processes, and investments necessary to ensure business
continuity, protection of real-time and stored data, and the capacity to
collaborate with you on extending your secure environment beyond physical
security. Qualifying this through the RFI process before you begin to negotiate
pricing and performance standards is the way forward-thinking companies are
operating today.
Training & Accountability Programs
As part of that investment, your Partner should have fully implemented
training and accountability programs for tactical performance by colleagues
tasked with operating on your network. This includes, but is not limited to,
a Password Program, a commissioning checklist to ensure the door isn’t left
open to devices installed on your network, and a quality control process to
define completion of projects.
Clear Performance Expectations
Defining ‘ownership’ of data, management of data, and communication of
information is part of the clarity needed when executing and installing physical
security technologies. Working with your Partner to elevate the Scope of Work
and driving a collaborative partner environment is essential to your success.
Conclusion
Cybersecurity can seem daunting – and it can be. But it is not
outside of the reach of those who are trained and educated
on the proper technologies, processes, and procedures used
in the enterprise to assure cybersecurity. It is important to
work with a Trusted Business Partner to assure the security
posture of the physical security implementation that your
firm is undertaking. Understanding the risks imposed by new
architectures and implementations is the first step. Assuring
that steps are being taken to mitigate them should be the
long-term goal. Knowing that cybersecurity is a team sport
helps in the development and implementation of strategies to
assure the effective operation of any organization.
Colorado Springs, Colorado
Joshua Cummings
Director Engineering Services / VTI Security
Josh is the Director of Engineering Services at VTI
Security, which is a Minneapolis-based security
technology integrator. Josh leads VTI’s enterprise
Design Services Team including Design Engineers,
Sales Engineers and Computer Aided Design
assets built to ensure functionality of end-user
investments. Josh has over 15 years of experience
in system design architecture, leading design teams,
system deployment strategies, process and procedural development and
technology leadership in the security industry. Josh is a member of BICSI and
sits on several manufacturer advisory boards.
Stephen Fisher
Director Business Development / VTI Security
Steve is the Director of Business Development
at VTI Security, which is a Minneapolis-based
security technology integrator. Fisher is called
upon to empower colleagues, discerning clients,
and Trusted Business Partners with strategic plans
for horizon effectiveness in the realm of security,
operational efficiency, revenue retention, and
policy compliance. Fisher has over 20 years of direct
industry experience in the C-Suite of Security, Risk, IT, and Operations for
enterprise-wide engagements in multi-vertical environments. Industry and
Trade membership(s) have included the American Society of Industrial Security
(ASIS), the Colorado Technology Association (CTA), the Colorado Association
of Healthcare Engineers and Directors (CAHED), Advancing Data Center &
IT Infrastructure Professionals (AFCOM), and the Department of Homeland
Security/Chemical Terrorism Information Authorized User (DHS). Fisher holds
a Bachelor’s Degree in Corporate Communications from Elon University.
Alex Kreilein
Managing Partner & CTO / SecureSet, LLC
Alex is the Co-Founder and Managing Partner/
CTO of SecureSet, which is a Denver, CO based
cybersecurity services company. Alex served as a
leading Technology Strategist for the Department
of Homeland Security from 2011 – 2015 and was
appointed as a Guest Researcher to the National
Institute of Standards & Technology (NIST) from
2013 – 2015. Kreilein supported the development of security strategies and
technologies in commercial LTE and NG9-1-1 networks and standards. He
advised the National Security Telecommunications Advisory Committee
(NSTAC) and engaged in standards development at 3GPP, GSMA, the Open
Networking Foundation (ONF), the Internet Engineering Task Force (IETF), and
the Broadband Internet Technical Advisory Group (BITAG). Kreilein holds an
MA in National Security and Strategic Studies from the US Naval War College
and will complete his Ph.D/MS at the University of Colorado Boulder College
of Engineering and Applied Science in 2017. His area of research covers the
integration of threat intelligence and dark web research into quantitative risk
analysis and mitigation methods. He is a Member of the Information Systems
and Security Association (ISSA), a Member of the Institute of Electrical and
Electronics Engineers (IEEE), a Member of the Electronic Frontier Foundation
(EFF), a Member of Armed Forces Communications and Electronics Association
(AFCEA), Open Web Application Security Project (OWASP), and an advisory
board member to multiple startups in the field of cybersecurity and national
security.
www.vtisecurity.com
401 West Travelers Trail, Burnsville, Minnesota 55337
800.241.1476
For over 35 years, VTI has been called upon to design, install, and support a full range of
advanced security technologies. Built upon our core values of Trust, Mutual Respect, and
Accountability, our colleagues are committed to earning status as your Trusted Business
Partner. Our company has been recognized by our industry as a Top Integrator consistently
for years.
Our colleagues deliver creativity, flexibility, and cost-effective methodologies to system
design, project management, engineering, installation and lifecycle management of your
investments. Our market experience affords you an in-depth understanding of the unique
needs of your colleagues, facilities, the information you manage, and regulation impacting
your operations.
Our reach includes successful deployments and support throughout North America and
beyond. VTI is positioned to support your requirements in virtually any urban or rural
environment. Our regional and national clients value our ability to maintain a personal
relationship while performing on an enterprise level.
Our investment in colleague certification supports VTI’s influence on your behalf. We are
a platinum level and preferred partner to most of the industry’s leading manufacturers.
From a design, engineering, and functionality perspective, we are positioned to ensure your
investment delivers on your performance expectation.
Support Services direct from VTI include multiple 7/24/365 Service Operations Centers
where we respond to over 10,000 requests annually. In addition to our on-site
technician programs, we offer CORE Services including remote diagnostics, health
monitoring, strategic planning, system maintenance, management reporting, and supply
chain logistics. Each of our Support Services programs is designed to enhance, protect,
and future-proof your investments.
Our future strategic plans are geared around solidifying our Core Client Base by providing
them with future-proofed systems, Strategic Security Planning for horizon projects and
budgeting, outlining plans for technology migration as edge devices become antiquated,
and empowering our Client Partners with the information necessary to be in front of the
curve – not behind it – when operating in their own stakeholder environments. We believe
this kind of value is at the foundation of our responsibility.
In addition to our consistent investment in training and certification, our future strategic
plans include investing in efficiency to ensure our growth is sustainable – alongside the
growth activity of our Clients. This equates to implementation of technology that supports
speed, accuracy, and accountability – as well as the ability to be proactive.
www.secureset.com
3801 Franklin Street, Denver, Colorado 80205
800.445.0024
The promise of cybersecurity is the freedom for brands to stay focused on winning
customers. SecureSet is building a community focused on fulfilling this promise. With state-
of-the-art education, business acceleration and product demonstration, we’re arming our
participants for success in the ever-evolving cybersecurity space.
SecureSet℠ Academy’s accredited CORE programs are the direct path to careers in this
booming industry. This intensive program—available in full time or evening schedules—
includes extensive hands-on instruction in state-of-the-art labs, guided product training,
and essential certifications (CISSP and Security+). The evolution from a general IT career to
cybersecurity professional can take 5 to 10 years. The CORE does it in as short as 20 weeks.
SecureSet℠ Academy provides extensive job-placement mentoring and networking for all its
students. Our core objective is that each graduate receive at least one offer of employment
in the information security industry. In addition to a diploma, and CISSP and Security+
certifications, CORE graduates depart with a personal portfolio of evidence of the knowledge
and skills they have learned at the Academy.
The SecureSet Accelerator is a way for start-up companies in the cybersecurity space to
get funded, get noticed and improve their value. We’re recruiting for our first class of
companies to be in residence at our Denver campus from May-August, 2016. To qualify you
must be doing something incredibly cool and meaningful in cybersecurity. The SecureSet
Accelerator leverages a national footprint of partners, mentors and startups to attack this
single market through a 4-month program. If you make the grade, your firm will receive an
investment of $50,000, unparalleled mentorship from some of the finest minds in the field,
and ready access to potential customers. You’ll also get access to the SecureSet Proving
Ground where you can test your product and do live customer demos without the risk of
breaking the network of a foreign country or a Fortune 500 company. And, the Proving
Ground will be available to you for customer or investor pitches even after you’ve left the
Accelerator.
Our focus on cybersecurity means that every aspect of our program—from our selection
criteria to our mentor curriculum to our corporate partnerships to our investor stable—
will be more effective in helping your information security venture succeed. A great
deal of learning comes from other Accelerator firms in your class. Together, you can
share experiences and contacts that will prove to be invaluable in the years to come. An
important part of the Accelerator program is giving your company exposure and training in
some rigorous business methodologies needed to grow your company. We draw on a wide
range of expertise in information security Product Development, Design, Operations and
Strategy as well as Venture Capital, Finance, Marketing and Sales, all designed to outfit your
firm with more clarity and executional skill.
Disclaimer
The content provided in these white papers is intended solely for general
information purposes and is provided with the understanding that the
authors and publishers are not herein engaged in rendering professional
advice or services. The information in these white papers was posted with
reasonable care and attention. However, it is possible that some information
in these white papers is incomplete, incorrect, or inapplicable to particular
circumstances or conditions. We do not accept liability for direct or indirect
losses resulting from using, relying upon, or acting upon the information in
these white papers.

VTI Learning Series Beyond the Convergence of Physical & Cyber Security

  • 1. ©2016 VTI Security in association with SecureSet - Page 1 Beyond the Convergence of Physical & Cyber Security VTI Security in association with SecureSet VTI Learning Series 2016
  • 2. ©2016 VTI Security in association with SecureSet - Page 2 The Next Wave of Our Industry is Here It’s more than convergence of logical and physical security. It’s bridging the Inter-Departmental gap between IT and Security, elevating your design and acquisition processes, and choosing the right integration partner to Trust with your deployment. Minneapolis, Minnesota ...Are You Ready?
  • 3. ©2016 VTI Security in association with SecureSet - Page 3 Introduction Have you been breached? The odds are that you have and if you haven’t, you will be. The information security colleagues at your company are working diligently to mitigate that risk. Are you helping or harming that cause? The information in this paper is designed to bridge the gap between physical security and information security colleagues. The stakeholders in each of these environments have moved to an arena where their collaboration is necessary if you are to be successful in protecting your business. It’s geared towards empowering one another by framing conversation and education in a way that your partnership is able to become proactive and strategic. We believe this kind of value is at the foundation of our responsibility. We plan to look at the migration of physical security technologies to the network, overview how the network functions in support of those technologies, understand the Cyber threat of IP devices on the network, and provide guidance on how forward-thinking companies are approaching the design, investment, and installation of those solutions. “We believe this kind of value is at the foundation of our responsibility.”
  • 4. ©2016 VTI Security in association with SecureSet - Page 4 Introduction - Page 3 A Little Background - Page 5 Joshua Cummings, Director – Engineering Services, VTI Security Evolution of Solutions Operating Environments Pros & Cons of Enterprise, Interoperability, and Auto Discovery The Cyber Perspective - Page 11 Alex Kreilein, Managing Partner & Chief Threat Officer, SecureSet Risk Calculus Attack Surfaces Ingress Calculus Authentication Vulnerability & Device Management True Impact / So Now What? - Page 18 Stephen Fisher, Director – Business Development, VTI Security So Now What? The Investment Process The Qualifying Process The Collaborative Design Process
  • 5. ©2016 VTI Security in association with SecureSet - Page 5 Moving Video to the Network: Closed Circuit Television (CCTV) was first introduced in 1942 in Germany to view the launching of the V-2 rockets.  Later on, the technology migrated to the United States.  These first systems were limited and only allowed for live viewing of cameras.  In the 1970’s the VCR was invented and that led to the expansion of CCTV.  with this technology, a single camera could be transmitted over a coaxial cable and recorded to a cassette tape.  Additionally, with the use of a multiplexer, multiple cameras could be recorded on a grid to that same cassette tape.     The VCR remained a staple of the CCTV industry for quite some time.  In the 1990’s the DVR or Digital Video Recorder was introduced.  The DVR had the ability to take those same analog signals and capture them on a hard drive.  Unlike the VCR, a  DVR also had the ability to be connected to the network for viewing and streaming.  This was a first step toward the network.   In the mid 90’s, the first IP camera was invented.  This camera transmitted the video over ethernet cable instead of coax.  This moved the processing of the video to the camera rather than at the DVR.  The DVR also had to evolve into an NVR or Network Video Recorder to receive the IP stream.   The deployment of analog systems have continued to decrease as IP Video has been on the rise.   Evolution of Solutions Surveillance, Access Control, and More: Movement to the Network “Although analog video may never fully go away, the industry has standardized on transmitting video over the IP network.”
  • 6. ©2016 VTI Security in association with SecureSet - Page 6 Although analog video may never fully go away, the industry has standardized on transmitting video over the IP network.  The use of Power Over Ethernet has help to simplify the deployment of IP video.  Manufacturers are now focusing on developing higher resolution video and analytics to improve usability of the video. Moving Access Control to the network: Access Control is another security discipline that is moving to the network.  Simply put, access control is a method for requiring authentication before entering an area or building.  Often this done with an access card or with biometrics such as your fingerprint.   Early on, access control manufacturers developed their own proprietary standards for communication transmission from the server to the panel.  Communication traveled across serial connectivity utilizing RS-232, RS-485 and other serial communication protocols.   With the standardization of IP networking, serial communication has become less common, driving access control manufacturers to develop IP based panels.  These panels continue to move further away from the application and are often distributed throughout the building, across a campus or even in another state or country. Credential technology has evolved as well.  Initially we utilized such methods as barcode, magstripe, or proximity.  Over time, we have developed more secure technologies in Mifare, DesFire and iClass.   Proximity was introduced in the 1980’s and was a widely used standard for two decades.  In the 1990’s the credential industry experienced a revolutionary shift as proximity was proven to be unsecure.  Today, smart card technology is being driven to increase the security on the card through encryption of communication and data.
  • 7. Operating Environments
What is the Network?
Your company or organization may be considering moving to IP-based systems. You may find yourself needing education about what the network is and does. While we can’t cover this topic in depth in this white paper, we can cover some of the major terms and buzzwords that you may be hearing around your organization.
First of all, it is important that you understand the structure of the network. The OSI Model, or Open Systems Interconnection Model, is the framework for the network. Every aspect of the network falls into this structure. The model is made up of 7 layers. Each layer has specific responsibilities. Learn more online at https://en.wikipedia.org/wiki/OSI_model
  • 8. Layer 1 - Physical Layer: The physical layer specifies how the components of the network connect together. Ethernet is a very common standard in this layer.
Layer 2 - Data Link Layer: Essentially this layer defines the protocol to establish and terminate a connection between two physically connected devices.
Layer 3 - Network Layer: This layer provides the means for addressing each device on the network. It also defines the protocols for how information is routed from one device to another.
Layer 4 - Transport Layer: Here is where protocols such as TCP and IP are utilized for ensuring the packets are transmitted and received correctly.
Layer 5 - Session Layer: This layer establishes a connection or session between the two parties. It is responsible for setting up, monitoring and tearing down the connection.
Layer 6 - Presentation Layer: In this layer the data in the packet is translated for the application on the receiving host.
Layer 7 - Application Layer: This is essentially the application that you use on your PC to access information. An example of this could be your security application, an FTP program or even your office products.
Additionally, there are terms that you may hear when discussing the network.
IP Addresses - Every device that is on the network needs an IP address. This is an identifying set of numbers similar to the address of your house.
VPN - Virtual Private Network - This is an application or device that allows you to connect to your company network while away.
Firewall - A device or software that provides a barrier between you and the internet.
VDI - Virtual Desktop Infrastructure - This is a desktop that is not physically located on your PC. This desktop is available remotely and maintained by your IT group.
  • 9. Pros & Cons of Enterprise, Interoperability, & Auto Discovery
The migration of security to the network has opened the door to many new opportunities never imagined with closed, proprietary systems. For starters, the network reaches around the world. By putting security devices and systems on the network, we now have the capability to see those systems and incorporate those devices from all corners of the globe into one fluid system.
Another benefit is that the network brings standards. These standards are created and maintained by organizations in an effort to improve interoperability. Some examples of these organizations are ISO (International Organization for Standardization), PSIA (Physical Security Interoperability Alliance) and ONVIF. Utilizing these standards, manufacturers can create products and applications that natively work together.
Additionally, the network continues to evolve and grow in terms of its capability. Initially we measured network speeds in kilobytes per second. As technology improved, network speeds grew to megabytes and now gigabytes per second. In some network environments such as data centers we see data transmission speeds of 40 gigabytes per second or more.
There are a lot of pros to having our security systems on the network. At the same time, being on the network can also open these systems up to vulnerabilities that we may not be used to addressing.
  • 10. We have traded the proprietary nature of these systems for standardization and interoperability and, along with that, there are new challenges for keeping these systems secure.
In an effort to make security devices and applications easy to deploy, many manufacturers have built in features to help. These features allow for auto discovery, ease of use and ease of deployment. While initially these features have helped tremendously in the migration to the network, if left on, they inherently have a lot of vulnerabilities that can be exploited by hackers with malicious intent. Some of these vulnerabilities include open ports, default or weak passwords and insecure transmission protocols. While these features make the product easy to deploy, they must be addressed for a system in production to provide protection on the network from hacking.
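The weaknesses named above (open ports, default or weak passwords, insecure transmission protocols, and auto discovery left on) can be checked for each device before it is accepted into production. The following is an added example, not part of the original paper or any vendor's tooling; the inventory records, device names, field names and the allowed-service policy are constructed assumptions.

```python
"""Commissioning audit for networked security devices (added example)."""

# Assumed site policy: the only services each device role may expose in production.
ALLOWED_SERVICES = {
    "camera": {("tcp", 443), ("tcp", 322)},   # HTTPS management, RTSP over TLS
    "door_controller": {("tcp", 443)},        # HTTPS management only
}
# Application protocols that carry credentials or video without encryption.
CLEARTEXT_APPS = {"telnet", "ftp", "http", "rtsp", "snmpv1", "snmpv2c"}
# Convenience features intended for installation, not for production.
DISCOVERY_APPS = {"upnp", "ws-discovery", "mdns"}

# Constructed inventory, shaped like an export from a commissioning worksheet.
INVENTORY = [
    {"name": "lobby-cam-01", "role": "camera",
     "services": [{"proto": "tcp", "port": 80, "app": "http"},
                  {"proto": "tcp", "port": 554, "app": "rtsp"},
                  {"proto": "udp", "port": 3702, "app": "ws-discovery"}],
     "accounts": [{"user": "admin", "factory_password": True}]},
    {"name": "dock-door-02", "role": "door_controller",
     "services": [{"proto": "tcp", "port": 443, "app": "https"},
                  {"proto": "tcp", "port": 22, "app": "ssh"},
                  {"proto": "tcp", "port": 23, "app": "telnet"}],
     "accounts": [{"user": "installer", "factory_password": False}]},
    {"name": "vault-cam-03", "role": "camera",
     "services": [{"proto": "tcp", "port": 443, "app": "https"},
                  {"proto": "tcp", "port": 322, "app": "rtsps"}],
     "accounts": [{"user": "admin", "factory_password": False}]},
]


def audit_device(device):
    """Return a list of (category, detail) findings for one device record."""
    findings = []
    allowed = ALLOWED_SERVICES.get(device["role"])
    if allowed is None:
        # A role with no policy is itself a finding; nothing is allowed for it.
        findings.append(("unknown-role", f"no policy for role {device['role']!r}"))
        allowed = set()
    for svc in device["services"]:
        where = f"{svc['app']} on {svc['proto']}/{svc['port']}"
        if svc["app"] in DISCOVERY_APPS:
            findings.append(("discovery", f"auto discovery still enabled: {where}"))
        elif svc["app"] in CLEARTEXT_APPS:
            findings.append(("cleartext", f"unencrypted protocol: {where}"))
        elif (svc["proto"], svc["port"]) not in allowed:
            findings.append(("open-port", f"service outside policy: {where}"))
    for account in device["accounts"]:
        if account["factory_password"]:
            findings.append(("default-credential",
                             f"factory password unchanged for {account['user']!r}"))
    return findings


def audit(inventory):
    """Map each device name to its findings."""
    return {device["name"]: audit_device(device) for device in inventory}


def ready_for_production(inventory):
    """Names of devices with no findings at all."""
    return [name for name, found in audit(inventory).items() if not found]


if __name__ == "__main__":
    for name, found in audit(INVENTORY).items():
        print(name, "PASS" if not found else "FAIL")
        for category, detail in found:
            print(f"  [{category}] {detail}")
```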
  • 11. Risk Calculus
“Risk is the likelihood that a threat actor, intentional or deliberate, will exploit a vulnerability in a system causing an unwanted consequence.”
Not all outcomes are equally likely or equally consequential. Hyperbole is helpful to no one – but risk-informed thinking is. That is why the first step when considering a new implementation or integration should be to engage in a basic risk assessment that analyzes threats, vulnerabilities, likelihood, and consequence to particular infrastructure. To engage in this process, your organization should begin to consider the following:
Step 1: Scope Risk Management Activities
Step 2: Identify the Infrastructure
Step 3: Conduct a Risk Assessment
Step 4: Deploy Risk Mitigation Strategies
Step 5: Assess Effectiveness Against Metrics
Your organization should seek to engage subject matter experts with experience in the NIST Cybersecurity Framework or the Control Objectives for Information and Related Technology (COBIT) framework. These frameworks should help your organization implement the Center for Internet Security Top 20 Critical Security Controls and address the risk of a threat actor who would exploit a vulnerability in a system causing an unwanted consequence.
  • 12. Attack Surfaces
“Attackers will try a number of different potential points of entry until at least a single point fails. It is paramount to ensure consistent patching of software, proper access control policies and enforcement mechanisms, and constant observation of the perimeter and key systems to assure a minimal attack surface.”
The attack surface in a software environment is the sum of the different attack vectors where an attacker can try to gain ingress to or egress from an environment. In a classical physical environment such as a mechanical lock, the attack surface is the locking mechanism itself, the shackle, and the padlock body. The sum of those parts is what the attacker will target in order to disable the security measure.
In computer systems, the same is true. Attackers will try a number of different points of potential entry until at least a single point fails. That is why it is paramount to ensure consistent patching of software, proper access control policies and enforcement mechanisms, and constant observation of the perimeter and key systems.
All information is security information and all networked devices are involved in security. Network access control systems, Active Directory systems, border routers and firewalls, and IoT devices (including physical security devices) are all at the front lines of your perimeter defense. Assuring their proper functionality and resiliency is critical. But we simply cannot stop at the perimeter, as that thinking assumes the threat is an outsider and does not comport with best-in-class thinking around defense-in-depth strategies.
  • 13. Physical security devices can be exploited just like any other device. Moreover, traditional IP network elements and systems can be exploited and used as launching pads for attackers who would gain unprivileged access to the network segment dedicated to physical security. By pivoting through Layer 1-3 systems, attackers could disarm or disable physical security devices – or – use physical security devices to gain unprivileged access to sensitive systems.
Ideally, these networks would be segmented from each other. However, at the very least, organizations can work with a Trusted Business Partner to create the optimal network architecture that assures both security and functionality while keeping an eye towards cost.
After security policies are built and deployed, it is important for your organization to undergo routine security audits such as penetration tests to gain adversarial insights to improve your system. A forensic analysis of the penetration tester’s attack will provide a display of the weaknesses and vulnerabilities in the system as well as the tactics, techniques, and procedures used to exploit them. Integrating this knowledge into a security program and the system’s security architecture will reduce the overall attack surface in conjunction with strong security policies and enforcement mechanisms.
  • 14. Ingress Calculus
“The ability for a threat actor to exploit a system vulnerability is predicated on 1) the means, motives, and opportunity of the threat actor and 2) the security of the system and the security posture of the owner organization.”
Cybersecurity threat actors are criminals. And like other criminals, the adage of means, motive, and opportunity applies. Unlike a common thief, however, attackers of computer systems and networks often spend a tremendous amount of effort developing, testing, evaluating, and refining their plan of attack. They spend significant time in reconnaissance, attempts to weaponize and deliver an exploit, in the exploitation of the attack surface, in the installation of functions enabling command and control inside the network or system, all to take action on their objectives. Understanding the difficulties involved in hacking, there are a number of considerations that you can make in consultation with a Trusted Business Partner.
Attackers are seeking many opportunities of interest. To maximize that opportunity, they use passive and active scanners that return results of thousands of IP addresses at a time across the Internet. They use computer programs to automate attacks and when low-hanging fruit returns a positive result, they attack in force.
Remember that you don’t have to run faster than the bear to get away – you just have to run faster than the guy next to you. While somewhat of a crude analogy, it is true that attackers have many targets of opportunity. Attackers, just like the rest of us, weigh competing opportunities against the resource intensity required on their part and the outcomes should the attack be successful. If your organization is comparably resilient to others in your class of business, attackers may seek their rewards elsewhere.
  • 15. Network 2.0
Cybersecurity in a Connected World
Many in the physical security world have remarked about the rapid pace of change from rings of keys to IP badge readers. That rapid pace is also something that the world of IP networks has seen in a similar period of time – and there is no sign of it slowing down. From network function virtualization and micro-segmentation to machine learning software-defined devices, IP networks have enabled a transformation through convergence.
  • 16. It is important to remember that every node on the network is an access point to either a function or to data. The function of badge readers is access control, whereas IP cameras relay data. Understanding that, devices on a network are run by the software enabled by them. That means that traditional vulnerabilities remain persistent. The same way that updates are developed and pushed to an operating system on a laptop, they must also be developed and pushed to the physical security device. And while it may not be apparent, the physical security space is about the Internet of Things (IoT).
In an effort to reduce the available attack surface, three factors are important when dealing with IoT: authentication, vulnerability management, and device management.
Authentication
On today’s Internet, users authenticate to websites and applications by using a username and password – some require a VPN. The browsers authenticate websites through the Secure Sockets Layer protocol. And while that is often insecure, they are even worse for IoT-scale authentication. OAuth 2.0 and OpenID Connect 1.0 are two standardized frameworks for authentication. However, they both are bound to HTTP and not HTTPS, which makes assuring the authentication of a device problematic. Authentication standards do exist that overcome this concern but require significantly more effort to elegantly implement than their less secure counterparts.
  • 17. Vulnerability Management
All software requires updating. From vulnerabilities in the supply chain of third-party libraries such as OpenSSL to errors in code written by the OEM, devices require updates as a mechanism for assuring the security and resiliency of the device. But many organizations do not have processes in place to assure the legitimacy of updates, test and evaluate the effectiveness of the updates, and push down updates to devices. In order to assure that physical security devices are not the point of entry for attackers, updates must make it to devices unimpeded and in a prompt manner.
Updates (i.e. patches) often go to address critical security weaknesses in devices. Patching these vulnerabilities is an optimal mitigation strategy as it directly addresses the weakness, is nearly free, and reduces the overall attack surface. It is important to ensure that these updates are pushed to devices, but it is also important to assure that the updates are legitimate. To that end, organizations must ensure that firmware is signed by the correct software publisher prior to taking action on it, as attackers often forge updates to gain root access.
Device Management
Assuring the persistent behavior of a device in a sea of devices is difficult. In environments requiring compliance or those that have high standards for security practices, the most efficient method for assuring the configuration and operational management of a device is with automation tools often used in the DevOps community. A Trusted Business Partner can help evaluate the business cases for these tools and assist in the implementation itself.
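The publisher-signature requirement under Vulnerability Management above can be enforced as a gate that runs before an update is staged. This is an added example, not code from the paper or from VTI or SecureSet: the manifest layout, version scheme and demo key are constructed assumptions, the rollback check goes one step beyond the text, and the hand-written RSA PKCS#1 v1.5 check stands in for a vetted cryptographic library so the block runs on the Python standard library alone (3.8 or later).

```python
"""Gate a firmware update on a pinned publisher signature (added example)."""
import hashlib
import hmac
import json

# DigestInfo prefix for SHA-256 (RFC 8017, EMSA-PKCS1-v1_5).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    """Build the expected encoded message: 00 01 FF..FF 00 || DigestInfo."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for a SHA-256 signature")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def rsa_verify(public_key, message: bytes, signature: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 verification that compares the whole encoding.

    Rebuilding the expected encoding and comparing it byte for byte avoids
    parsing padding that an attacker controls.
    """
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, emsa_pkcs1_v15(message, k))


def check_update(manifest_raw, signature, image, publisher_key, installed):
    """Return (accepted, reason). The manifest is parsed only after it verifies."""
    if not rsa_verify(publisher_key, manifest_raw, signature):
        return False, "manifest not signed by the pinned publisher key"
    manifest = json.loads(manifest_raw)
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image digest does not match signed manifest"
    if tuple(manifest["version"]) <= tuple(installed):
        return False, "version is not newer than installed firmware"
    return True, "ok"


# ---- Constructed demo material -------------------------------------------
# NOT a usable key: both factors are well-known Mersenne primes, chosen only
# so the example is deterministic and needs no key files.
DEMO_P, DEMO_Q, DEMO_E = 2**521 - 1, 2**607 - 1, 65537
DEMO_N = DEMO_P * DEMO_Q
DEMO_D = pow(DEMO_E, -1, (DEMO_P - 1) * (DEMO_Q - 1))
PUBLISHER_KEY = (DEMO_N, DEMO_E)  # the public key a device would have pinned


def demo_sign(message: bytes) -> bytes:
    """Publisher-side signing, present only to produce the sample input."""
    k = (DEMO_N.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(message, k), "big")
    return pow(em, DEMO_D, DEMO_N).to_bytes(k, "big")


def build_demo_release():
    """Return (manifest_raw, signature, image) for a constructed release."""
    image = b"constructed firmware image, release 2.4.1"
    manifest = json.dumps({
        "version": [2, 4, 1],
        "sha256": hashlib.sha256(image).hexdigest(),
    }, sort_keys=True).encode()
    return manifest, demo_sign(manifest), image


if __name__ == "__main__":
    manifest, sig, image = build_demo_release()
    edited = manifest.replace(b"[2, 4, 1]", b"[9, 9, 9]")
    cases = {
        "genuine release": (manifest, sig, image, (2, 3, 0)),
        "image swapped after signing": (manifest, sig, image + b"!", (2, 3, 0)),
        "manifest edited after signing": (edited, sig, image, (2, 3, 0)),
        "old release replayed": (manifest, sig, image, (2, 4, 1)),
    }
    for name, (m, s, img, installed) in cases.items():
        print(f"{name:30s} -> {check_update(m, s, img, PUBLISHER_KEY, installed)}")
```

The signature is checked over the raw manifest bytes before any field is read, so a forged manifest never reaches the JSON parser or the version logic.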
  • 18. So Now What?
As the importance of physical and logical convergence continues to move to the forefront of media and mindsets, the strategic and tactical impact to making buying decisions is evolving, as well. Bringing together stakeholders from Security/Risk, IT/IS, and Finance/Purchasing has never been more important. Just as go-to-market has changed for manufacturers and integrators of physical security technologies, so has the need for qualifying those solutions and integrators from the end-user perspective before making investments and, ultimately, accepting the responsibility for IoT devices on the network of your company.
  • 19. The Investment Process
Limiting Your Liability
If you are still drafting an RFP in a vacuum and publishing it to the open market, you are doing a disservice to the safety and protection of all data on your network – company and personal. Your scope of work, IoT device nomenclature, specifics on how those devices are to be operating on your network, storing data, and communicating across your enterprise, and the means by which they are to be installed are all factors that afford threat actors – inside your company and outside your company – the ability to mine your data and harm your network ecosystem. Protection today is about mitigation and prevention. Following this antiquated process does little to do either.
Hackers follow a process called the Kill Chain, which describes how most threats operate in pursuit of exploiting networks, systems, and services. The first step in this process is to engage in reconnaissance. The vast majority of threat actors use open source intelligence, such as documentation listed in an RFP, to determine the underlying infrastructure they seek to compromise.
  • 20. Once the infrastructure is identified, researched, and understood, a threat actor can weaponize an exploit and target a vulnerability, causing the unwanted and often devastating consequence. Providing detailed information to the public only makes it easier for hackers of various levels of skill, persistence, and means to do their dirty work.
Forward-thinking end-users today have made the paradigm shift to view the purchasing process through an elevated approach. They seek Secure Integrators capable of not only understanding this vulnerability, but adept at the design and management of IoT data associated with physical security technologies.
Choosing your Partner, collaborating on a secure design concept with capacity to meet your performance expectations, and negotiating all terms, conditions, and pricing serves as a strategic and proactive approach to protecting your company.
  • 21. The Qualifying Process
Choosing a Secure Integration Partner
The leading companies today are redefining what it means to be a qualified security integrator. Certainly, you require a Trusted Business Partner capable of your demand, specified performance requirements, one who carries ‘product’ and industry/regulatory certification, and with the infrastructure to manage assets and resources associated with installation, project management, and support.
However, when choosing a secure partner, the requirements have evolved. It’s important to choose a company with the tools, processes, and investments necessary to ensure business continuity, protection of real-time and stored data, and the capacity to collaborate with you on extending your secure environment beyond physical security – those that control what can be controlled.
  • 22. At a minimum, your qualifying and purchasing process should include a company that can prove and demonstrate each of the following:
Cyber Security Insurance
Cyber Insurance protects both of your assets and ensures business continuity. This insurance covers financial losses incurred by 3rd-party data breaches, as well as costs associated with any data breaches of your Partners’ systems. This is a standard in today’s risk environment that your integration Partner should be required to carry.
Data Breach Plan
Qualifying a Partner who has retained the services of a leading Information Security Services company to assist with securing internal information assets, Incident Response planning, Incident Assistance if a data breach were to occur, and to perform intermittent Network Penetration Testing should be a basic requirement of any qualified integrator.
System Access Management
Require your Partner to have developed a program that defines how usernames and passwords are created and provides an encrypted database location to store the information on their secure network. This basic measure needs to be extended to the original storage location, how that information is shared with field colleagues accessing your systems, and how that information is set up originally as part of the commissioning program. We recommend you require your Partner to define this program as a qualified integrator.
Colleague Integrity
As a standard, your qualified Partner should be executing a series of screening applications to ensure colleagues are fit for performance. This includes reference checks, drug – health – and background screening, criminal crosscheck, as well as work ethic and character authenticity testing. Most often, threats come from ‘inside’. It is important to fully outline your expectations in this arena to include annual re-testing if necessary by your Partner.
  • 23. Secure Remote Support
In compliance with client accessibility requirements, your Partner should be able to provide instant, proactive, and remote support using proven technologies. This is a collaborative process that requires inclusion of all associated departments and stakeholders. For your qualifying process, it is valuable to fully understand how your Partner does this today.
Business Continuity
Your Partner should be designing protocols for unforeseen events impacting their ability to perform. Their Continuity Plan should include things like housing their primary servers in managed, co-location datacenters with redundancy in different geographical locations and maintaining multiple service dispatch operation centers in different geographic locations. Ask your Partner, what are they doing to protect against unforeseen events?
Internal Controls
There is a broad array of standard internal security controls including next-generation firewalls, encrypted network credentials, and secure access protocols that your Partner should be designing, implementing, and investing in. Ensuring trust in your Partner means understanding what these are today, and what they might be on the horizon as the network and security technology environment evolves.
Testing Environments
Manufacturers of hardware and software often are delivering upgraded solutions to the market. Your Partner should have the ability to provide a secure environment to test software patches and upgrades for existing and new installations – minimizing disruptions to your network. This process allows for bugs and hitches in the installation, operation, and communication of new solutions to be ironed out before going live in your environment. Is there a fully operational ‘Demo Lab’ at your Partner’s location to conduct this kind of activity?
  • 24. The Collaborative Design Process
Hardened Solutions, Interoperability, and Performance Expectation
Choosing your Partner goes beyond the basics of ensuring they have invested in the tools necessary to ensure business continuity. It requires a collaboration of ideas, resources, and assets for the design of your solutions. Furthermore, it is imperative that your Partner is capable of walking the talk – taking tactical steps to ensure the activity ‘at the ladder’ is congruent with your performance expectations.
  • 25. Hardened Solutions
Today, the leading manufacturers in the physical security technology space are bringing clarity to the security of the supply chain management of their solutions, guidance on how to harden those products via password and physical manipulation, and separating themselves from the low-cost, overseas products often attributed to ‘cost effective’ solutions. It’s important there is an understanding from both the client and the Partner where this value plays into the investment.
Partner Vested in Protection
As defined in the Choosing a Partner section, you must be looking for a Partner with the tools, processes, and investments necessary to ensure business continuity, protection of real-time and stored data, and the capacity to collaborate with you on extending your secure environment beyond physical security. Qualifying this through the RFI process before you begin to negotiate pricing and performance standards is the way forward-thinking companies are operating today.
Training & Accountability Programs
As part of that investment, your Partner should have fully implemented training and accountability programs for tactical performance by colleagues tasked with operating on your network. This includes, but is not limited to, a Password Program, a commissioning checklist to ensure the door isn’t left open to devices installed on your network, and a quality control process to define completion of projects.
Clear Performance Expectations
Defining ‘ownership’ of data, management of data, and communication of information is part of the clarity needed when executing and installing physical security technologies. Working with your Partner to elevate the Scope of Work and driving a collaborative partner environment is essential to your success.
  • 26. Conclusion
Cybersecurity can seem daunting – and it can be. But it is not outside of the reach of those who are trained and educated on the proper technologies, processes, and procedures used in the enterprise to assure cybersecurity. It is important to work with a Trusted Business Partner to assure the security posture of the physical security implementation that your firm is undertaking.
Understanding the risks imposed by new architectures and implementations is the first step. Assuring that steps are being taken to mitigate them should be the long-term goal. Knowing that cybersecurity is a team sport helps in the development and implementation of strategies to assure the effective operation of any organization.
  • 27. Joshua Cummings
Director Engineering Services / VTI Security
Josh is the Director of Engineering Services at VTI Security, which is a Minneapolis-based security technology integrator. Josh leads VTI’s enterprise Design Services Team including Design Engineers, Sales Engineers and Computer Aided Design assets built to ensure functionality of end-user investments. Josh has over 15 years of experience in system design architecture, leading design teams, system deployment strategies, process and procedural development and technology leadership in the security industry. Josh is a member of BICSI and sits on several manufacturer advisory boards.
Stephen Fisher
Director Business Development / VTI Security
Steve is the Director of Business Development at VTI Security, which is a Minneapolis-based security technology integrator. Fisher is called upon to empower colleagues, discerning clients, and Trusted Business Partners with strategic plans for horizon effectiveness in the realm of security, operational efficiency, revenue retention, and policy compliance. Fisher has over 20 years of direct industry experience in the C-Suite of Security, Risk, IT, and Operations for enterprise-wide engagements in multi-vertical environments. Industry and Trade membership(s) have included the American Society of Industrial Security (ASIS), the Colorado Technology Association (CTA), the Colorado Association of Healthcare Engineers and Directors (CAHED), Advancing Data Center & IT Infrastructure Professionals (AFCOM), and the Department of Homeland Security/Chemical Terrorism Information Authorized User (DHS). Fisher holds a Bachelor’s Degree in Corporate Communications from Elon University.
  • 28. Alex Kreilein
Managing Partner & CTO / SecureSet, LLC
Alex is the Co-Founder and Managing Partner/CTO of SecureSet, which is a Denver, CO based cybersecurity services company. Alex served as a leading Technology Strategist for the Department of Homeland Security from 2011 – 2015 and was appointed as a Guest Researcher to the National Institute of Standards & Technology (NIST) from 2013 – 2015. Kreilein supported the development of security strategies and technologies in commercial LTE and NG9-1-1 networks and standards. He advised the National Security Telecommunications Advisory Committee (NSTAC) and engaged in standards development at 3GPP, GSMA, the Open Networking Foundation (ONF), the Internet Engineering Task Force (IETF), and the Broadband Internet Technical Advisory Group (BITAG).
Kreilein holds an MA in National Security and Strategic Studies from the US Naval War College and will complete his Ph.D/MS at the University of Colorado Boulder College of Engineering and Applied Science in 2017. His area of research covers the integration of threat intelligence and dark web research into quantitative risk analysis and mitigation methods. He is a Member of the Information Systems and Security Association (ISSA), a Member of the Institute of Electrical and Electronics Engineers (IEEE), a Member of the Electronic Frontier Foundation (EFF), a Member of Armed Forces Communications and Electronics Association (AFCEA), Open Web Application Security Project (OWASP), and an advisory board member to multiple startups in the field of cybersecurity and national security.
  • 29. www.vtisecurity.com
401 West Travelers Trail, Burnsville, Minnesota 55337
800.241.1476
For over 35 years, VTI has been called upon to design, install, and support a full range of advanced security technologies. Built upon our core values of Trust, Mutual Respect, and Accountability, our colleagues are committed to earning status as your Trusted Business Partner. Our company has been recognized by our industry as a Top Integrator consistently for years. Our colleagues deliver creativity, flexibility, and cost-effective methodologies to system design, project management, engineering, installation and lifecycle management of your investments. Our market experience affords you an in-depth understanding of the unique needs of your colleagues, facilities, the information you manage, and regulation impacting your operations.
Our reach includes successful deployments and support throughout North America and beyond. VTI is positioned to support your requirements in virtually any urban or rural environment. Our regional and national clients value our ability to maintain a personal relationship while performing on an enterprise level. Our investment in colleague certification supports VTI’s influence on your behalf. We are a platinum level and preferred partner to most of the industry’s leading manufacturers. From a design, engineering, and functionality perspective, we are positioned to ensure your investment delivers on your performance expectation.
Support Services direct from VTI include multiple 7/24/365 Service Operations Centers where we answer the needs of over 10,000 requests annually. In addition to our on-site technician programs, we offer CORE Services including remote diagnostics, health monitoring, strategic planning, system maintenance, management reporting, and supply chain logistics. Each of our Support Services programs is designed to enhance, protect, and future-proof your investments.
Our future strategic plans are geared around solidifying our Core Client Base by providing them with future-proofed systems, Strategic Security Planning for horizon projects and budgeting, outlining plans for technology migration as edge devices become antiquated, and empowering our Client Partners with the information necessary to be in front of the curve – not behind it – when operating in their own stakeholder environments. We believe this kind of value is at the foundation of our responsibility. In addition to our consistent investment in training and certification, our future strategic plans include investing in efficiency to ensure our growth is sustainable – alongside the growth activity of our Clients. This equates to implementation of technology that supports speed, accuracy, and accountability – as well as, the ability to be proactive.
  • 30. www.secureset.com 3801 Franklin Street, Denver, Colorado 80205 800.445.0024 The promise of cybersecurity is the freedom for brands to stay focused on winning customers. SecureSet is building a community focused on fulfilling this promise. With state-of-the-art education, business acceleration and product demonstration, we’re arming our participants for success in the ever-evolving cybersecurity space. SecureSet℠ Academy’s accredited CORE programs are the direct path to careers in this booming industry. This intensive program, available in full-time or evening schedules, includes extensive hands-on instruction in state-of-the-art labs, guided product training, and essential certifications (CISSP and Security+). The evolution from a general IT career to cybersecurity professional can take 5 to 10 years. The CORE does it in as short as 20 weeks. SecureSet℠ Academy provides extensive job-placement mentoring and networking for all its students. Our core objective is that each graduate receive at least one offer of employment in the information security industry. In addition to a diploma, and CISSP and Security+ certifications, CORE graduates depart with a personal portfolio of evidence of the knowledge and skills they have learned at the Academy. The SecureSet Accelerator is a way for start-up companies in the cybersecurity space to get funded, get noticed and improve their value. We’re recruiting for our first class of companies to be in residence at our Denver campus from May-August, 2016. To qualify you must be doing something incredibly cool and meaningful in cybersecurity. The SecureSet Accelerator leverages a national footprint of partners, mentors and startups to attack this single market through a 4-month program. If you make the grade, your firm will receive an investment of $50,000, unparalleled mentorship from some of the finest minds in the field, and ready access to potential customers.
You’ll also get access to the SecureSet Proving Ground where you can test your product and do live customer demos without the risk of breaking the network of a foreign country or a Fortune 500 company. And the Proving Ground will be available to you for customer or investor pitches even after you’ve left the Accelerator. Our focus on cybersecurity means that every aspect of our program, from our selection criteria to our mentor curriculum to our corporate partnerships to our investor stable, will be more effective in helping your information security venture succeed. A great deal of learning comes from other Accelerator firms in your class. Together, you can share experiences and contacts that will prove to be invaluable in the years to come. An important part of the Accelerator program is giving your company exposure and training in some rigorous business methodologies needed to grow your company. We draw on a wide range of expertise in information security Product Development, Design, Operations and Strategy as well as Venture Capital, Finance, Marketing and Sales, all designed to outfit your firm with more clarity and executional skill.
  • 31. Disclaimer: The content provided in these white papers is intended solely for general information purposes and is provided with the understanding that the authors and publishers are not herein engaged in rendering professional advice or services. The information in these white papers was posted with reasonable care and attention. However, it is possible that some information in these white papers is incomplete, incorrect, or inapplicable to particular circumstances or conditions. We do not accept liability for direct or indirect losses resulting from using, relying upon, or acting upon the information in these white papers.