Weitere ähnliche Inhalte
Ähnlich wie VTI Learning Series Beyond the Convergence of Physical & Cyber Security
Ähnlich wie VTI Learning Series Beyond the Convergence of Physical & Cyber Security (20)
VTI Learning Series Beyond the Convergence of Physical & Cyber Security
- 1. ©2016 VTI Security in association with SecureSet - Page 1
Beyond the Convergence of
Physical & Cyber Security
VTI Security in association with SecureSet
VTI Learning Series 2016
- 2. ©2016 VTI Security in association with SecureSet - Page 2
The Next Wave of Our Industry is Here
It’s more than convergence of logical and physical
security. It’s bridging the Inter-Departmental
gap between IT and Security, elevating your
design and acquisition processes, and choosing
the right integration partner to Trust with your
deployment.
Minneapolis, Minnesota
...Are You Ready?
- 3. ©2016 VTI Security in association with SecureSet - Page 3
Introduction
Have you been breached? The odds are that you have and if you haven’t,
you will be. The information security colleagues at your company are working
diligently to mitigate that risk. Are you helping or harming that cause?
The information in this paper
is designed to bridge the gap
between physical security and
information security colleagues.
The stakeholders in each of
these environments have moved
to an arena where their collaboration is necessary if you are to be successful
in protecting your business. It’s geared towards empowering one another by
framing conversation and education in a way that your partnership is able
to become proactive and strategic. We believe this kind of value is at the
foundation of our responsibility.
We plan to look at the migration of physical security technologies to the
network, overview how the network functions in support of those technologies,
understand the Cyber threat of IP devices on the network, and provide
guidance on how forward-thinking companies are approaching the design,
investment, and installation of those solutions.
“We believe this kind of value is at the
foundation of our responsibility.”
- 4. ©2016 VTI Security in association with SecureSet - Page 4
Introduction - Page 3
A Little Background - Page 5
Joshua Cummings, Director – Engineering Services, VTI Security
Evolution of Solutions
Operating Environments
Pros & Cons of Enterprise, Interoperability, and Auto Discovery
The Cyber Perspective - Page 11
Alex Kreilein, Managing Partner & Chief Threat Officer, SecureSet
Risk Calculus
Attack Surfaces
Ingress Calculus
Authentication
Vulnerability & Device Management
True Impact / So Now What? - Page 18
Stephen Fisher, Director – Business Development, VTI Security
So Now What?
The Investment Process
The Qualifying Process
The Collaborative Design Process
- 5. ©2016 VTI Security in association with SecureSet - Page 5
Moving Video to the Network:
Closed Circuit Television (CCTV)
was first introduced in 1942 in
Germany to view the launching
of the V-2 rockets. Later on, the
technology migrated to the United
States. These first systems were
limited and only allowed for live
viewing of cameras. In the 1970’s
the VCR was invented and that led
to the expansion of CCTV. with
this technology, a single camera
could be transmitted over a coaxial
cable and recorded to a cassette
tape. Additionally, with the use of a
multiplexer, multiple cameras could
be recorded on a grid to that same
cassette tape.
The VCR remained a staple of the
CCTV industry for quite some time. In
the 1990’s the DVR or Digital Video
Recorder was introduced. The DVR
had the ability to take those same
analog signals and capture them
on a hard drive. Unlike the VCR,
a DVR also had the ability to be
connected to the network for viewing
and streaming. This was a first step
toward the network.
In the mid 90’s, the first IP camera
was invented. This camera
transmitted the video over ethernet
cable instead of coax. This moved
the processing of the video to the
camera rather than at the DVR. The
DVR also had to evolve into an NVR
or Network Video Recorder to receive
the IP stream.
The deployment of analog systems
have continued to decrease as IP
Video has been on the rise.
Evolution of Solutions
Surveillance, Access Control, and More: Movement to the Network
“Although analog video may
never fully go away, the industry
has standardized on transmitting
video over the IP network.”
- 6. ©2016 VTI Security in association with SecureSet - Page 6
Although analog video may never
fully go away, the industry has
standardized on transmitting video
over the IP network. The use of
Power Over Ethernet has help
to simplify the deployment of IP
video. Manufacturers are now
focusing on developing higher
resolution video and analytics to
improve usability of the video.
Moving Access Control to the network:
Access Control is another security
discipline that is moving to the
network. Simply put, access
control is a method for requiring
authentication before entering an
area or building. Often this done with
an access card or with biometrics
such as your fingerprint.
Early on, access control
manufacturers developed their
own proprietary standards for
communication transmission
from the server to the
panel. Communication traveled
across serial connectivity utilizing
RS-232, RS-485 and other serial
communication protocols.
With the standardization of IP
networking, serial communication
has become less common, driving
access control manufacturers to
develop IP based panels. These
panels continue to move further
away from the application and are
often distributed throughout the
building, across a campus or even in
another state or country.
Credential technology has evolved
as well. Initially we utilized such
methods as barcode, magstripe,
or proximity. Over time, we have
developed more secure technologies
in Mifare, DesFire and iClass.
Proximity was introduced in the
1980’s and was a widely used
standard for two decades. In the
1990’s the credential industry
experienced a revolutionary shift
as proximity was proven to be
unsecure. Today, smart card
technology is being driven to increase
the security on the card through
encryption of communication and
data.
- 7. ©2016 VTI Security in association with SecureSet - Page 7
Your company or organization may be considering moving to IP based
systems. You may find yourself needing education about what the network
is and does. While we can’t cover this topic in depth in this white paper, we
can cover some of the major terms
and buzzwords that you may be
hearing around your organization.
First of all, it is important that you
understand the structure of the
network. The OSI Model or Open
Systems Interconnection Model is the
framework for the network. Every
aspect of the network falls into this structure. The model is made up of 7
layers. Each layer has specific responsibilities.
Learn more online at https://en.wikipedia.org/wiki/OSI_model
“...it is important that you
understand the structure of the
network.”
Operating Environments
What is the Network?
- 8. ©2016 VTI Security in association with SecureSet - Page 8
Layer 1 - Physical Layer
The physical layer specifies how the
components of the network connect
together. Ethernet is a very common
standard in this layer.
Layer 2 - Data Link Layer
Essentially this layer defines the
protocol to establish and terminate
a connection between two physically
connected devices.
Layer 3 - Network Layer
This layer provides the means for
addressing each device on the
network. It also defines the protocols
for how information is routed from
one device to another.
Layer 4 - Transport Layer
Here is where protocols such as TCP
and IP are utilized for ensuring the
packets are transmitted and received
correctly.
Layer 5 - Session Layer
This layer establishes a connection or
session between the two parties. It is
responsible for setting up, monitoring
and tearing down the connection.
Layer 6 - Presentation Layer
In this layer the data in the packet is
translated for the application on the
receiving host.
Layer 7 - Application Layer
This is essentially the application
that you use on your PC to access
information. An example of this could
be your security application, an FTP
program or even your office products.
Additionally, there are terms that you
may hear when discussing the network.
IP Addresses - every device that is
on the network needs an IP address.
This is an identifying set of numbers
similar to the address of your house.
VPN - Virtual Private Network - this is
an application or device that allows
you to connect to your company
network while away.
Firewall - A device or software that
provides a barrier between you and
the internet.
VDI - Virtual Desktop Infrastructure -
this is a desktop that is not physically
located on your PC. This desktop is
available remotely and maintained by
your IT group.
- 9. ©2016 VTI Security in association with SecureSet - Page 9
The migration of security to the
network has opened the door to
many new opportunities never
imagined with closed, proprietary
systems. For starters, the network
reaches around the world. By putting
security devices and systems on the
network, we now have the capability
to see those systems and incorporate
those devices from all corners of the
globe into one fluid system.
Another benefit is that the network
brings standards. These standards
are created and maintained by
organizations in an effort to improve
interoperability. Some examples
of these organizations are ISO
(International Organization for
Standardization), PSIA (Physical
Security Interoperability Alliance)
and ONVIF. Utilizing these standards,
manufacturers can create products
and applications that natively work
together.
Additionally, the network continues
to evolve and grow in terms of its
capability. Initially we measured
network speeds in kilobytes per
second. As technology improves,
networks speeds grew to megabytes
and now gigabytes per second.
In some network environments
such as data centers we see data
transmission speeds of 40 gigabytes
per second or more.
There are a lot of pros to having our
security systems on the network. At
the same time, being on the network
also can open these systems up to
vulnerabilities that we may not be
used to addressing.
Pros & Cons of Enterprise, Interoperability,
& Auto Discovery
“We have traded the proprietary
nature of these systems for
standardization and interopera-
bility and along with that, there
are new challenges for keeping
these systems secure.”
- 10. ©2016 VTI Security in association with SecureSet - Page 10
We have traded the proprietary
nature of these systems for
standardization and interoperability
and along with that, there are new
challenges for keeping these systems
secure.
In an effort to make security devices
and applications easy to deploy,
many manufacturers have built in
features to help. These features
allow for auto discovery, ease of
use and ease of deployment. While
initially these features have helped
tremendously in the migration to the
network, if left on, they inherently
have a lot of vulnerabilities that
can be exploited by hackers with
malicious intent.
Some of these vulnerabilities
include open ports, default or
weak passwords and unsecure
transmission protocols. While these
features make the product easy to
deploy, they must be addressed for
a system in production to provide
protection on the network from
hacking.
Denver, Colorado
- 11. ©2016 VTI Security in association with SecureSet - Page 11
Not all outcomes are equally likely
or equally consequential. Hyperbole
is helpful to no one – but risk-
informed thinking is. That is why
the first step when considering a
new implementation or integration
should be to engage is a basic
risk assessment that analyzes
threats, vulnerabilities, likelihood,
and consequence to particular
infrastructure. To engage in this
process, your organization should
begin to consider the following:
Step 1: Scope Risk Management
Activities
Step 2: Identify the Infrastructure
Step 3: Conduct a Risk Assessment
Step 4: Deploy Risk Mitigation
Strategies
Step 5: Assess Effectiveness Against
Metrics
Your organization should seek to
engage subject matter experts with
experience in the NIST Cybersecurity
Framework or the Control Objectives
for Information and Related
Technology (COBIT) framework
These frameworks should help your
organization implement the Center
for Internet Security Top 20 Critical
Security Controls and address the risk
of a threat actor who would exploit a
vulnerability in a system causing an
unwanted consequence.
“Risk is the likelihood that a threat
actor, intentional or deliberate,
will exploit a vulnerability in a
system causing an unwanted
consequence.”
Risk Calculus
- 12. ©2016 VTI Security in association with SecureSet - Page 12
The attack surface in a software
environment is the sum of the
different attack vectors where an
attacker can try to can gain ingress
or egress into an environment. In a
classical physical environment such
as a mechanical lock, the attack
surface is the locking mechanism
itself, the shackle, and the padlock
body. The sum of those parts is what
the attacker will target in order to
disable the security measure.
In computer systems, the same is
true. Attackers will try a number of
different points of potential entry
until at least a single point fails. That
is why it is paramount to ensure
consistent patching of software,
proper access control policies
and enforcement mechanisms,
and constant observation of the
perimeter and key systems. All
information is security information
and all networked devices are
involved in security.
Network access control systems,
active directory systems, border
routers and firewalls, and IoT devices
(including physical security devices)
are all at the front lines of your
perimeter defense.
Assuring their proper functionality
and resiliency is critical. But we
simply cannot stop at the perimeter
as that thinking assumes the threat
is an outsider and does not comport
with the best-in-class thinking around
defense-in-depth strategies.
“Attackers will try a number of different potential points of entry until at
least a single point fails. It is paramount to ensure consistent patching of
software, proper access control policies and enforcement mechanisms,
and constant observation of the perimeter and key systems to assure a
minimal attack surface.”
Attack Surfaces
- 13. ©2016 VTI Security in association with SecureSet - Page 13
Physical security devices can be
exploited just like any other device.
Moreover, traditional IP network
elements and systems can be
exploited and used as launching
pads for attackers who would gain
unprivileged access to the network
segment dedicated to physical
security. By pivoting through
Layer 1-3 systems, attackers could
disarm or disable physical security
devices – or – use physical security
devices to gain unprivileged access
to sensitive systems. Ideally, these
networks would be segmented from
each other. However, at the very
least, organizations can work with a
Trusted Business Partner to create
the optimal network architecture
that assures both security and
functionality while keeping an eye
towards cost.
After security policies are built and
deployed, it is important for your
organization to undergo routine
security audits such as penetration
tests to gain adversarial insights to
improve your system. A forensic
analysis of the penetration testers
attack will provide a display of the
weaknesses and vulnerabilities in
the system as well as the tactics,
techniques, and procedures used
to exploit them. Integrating this
knowledge into a security program
and the systems security architecture
will reduce the overall attack
surface in conjunction with strong
security policies and enforcement
mechanisms.
- 14. ©2016 VTI Security in association with SecureSet - Page 14
Cybersecurity threat actors are
criminals. And like other criminals,
the adage of means, motive, and
opportunity applies. Unlike a
common thief, however, attackers
of computer systems and networks
often spend a tremendous amount of
effort developing, testing, evaluating,
and refining their plan of attack.
They spend significant time in
recognizance, attempts to weaponize
and deliver an exploit, in the
exploitation of the attack surface, in
the installation of functions enabling
command and control inside the
network or system, all to take action
on their objectives. Understanding
the difficulties involved in hacking,
there are a number of considerations
that you can make in consultation
with a Trusted Business Partner.
Attackers are seeking many
opportunities of interest. To
maximize that opportunity, they
use passive and active scanners
that return results of thousands
of IP addresses at a time across
the Internet. They use computer
programs to automate attacks and
when low-hanging fruit returns a
positive result, they attack in force.
Remember that you don’t have
to run faster than the bear to get
away – you just have to run faster
than the guy next to you. While
somewhat of a crude analogy, it is
true that attackers have many targets
of opportunity. Attackers, just like
the rest of us, weigh competing
opportunities against the resource
intensity required on their part and
the outcomes should the attack be
successful. If your organization is
comparably resilient to others in your
class of business, attackers may seek
their rewards elsewhere.
“The ability for a threat actor to exploit a system vulnerability is predicated on
1) the means, motives, and opportunity of the threat actor and
2) the security of the system and the security posture of the owner organization.”
Ingress Calculus
- 15. ©2016 VTI Security in association with SecureSet - Page 15
Network 2.0
Cybersecurity in a Connected World
Many in the physical security world have remarked about the
rapid pace of change from rings of keys to IP badge readers.
That rapid pace is also something that the world of IP
networks has seen in a similar period of time – and there is no
sign of it slowing down. From network function virtualization
and micro-segmentation to machine learning software-
defined devices, IP networks have enabled a transformation
through convergence.
Milwaukee, Wisconsin
- 16. ©2016 VTI Security in association with SecureSet - Page 16
It is important to remember that
every node on the network is an
access point to either a function
or to data. The function of badge
readers is access control where as IP
cameras relay data. Understanding
that, devices on a network are
run by the software enabled by
them. That means that traditional
vulnerabilities remain persistent.
The same way that updates are
developed and pushed to an
operating system on a laptop, they
must also be developed and pushed
to the physical security device. And
while it may not be apparent, the
physical security space is about the
Internet of Things (IoT). In an effort
to reduce the available attack surface,
three factors are important when
dealing with IoT: authentication,
vulnerability management, and
device management.
Authentication
On today’s Internet, users
authenticate to Websites and
applications by using a username
and password – some require a VPN.
The browsers authenticate web sites
through the Secure Sockets Layer
protocol. And while that is often
unsecure, they are even worse for
IoT-scale authentication. OAuth
2.0 and OpenID Connect 1.0 are
two standardized frameworks for
authentication. However, they
both are bound to HTTP and not
HTTPS, which makes assuring
the authentication of a device
problematic. Authentication
standards do exist that overcome
this concern but require significantly
more effort to elegantly implement
than their less secure counterparts.
“In an effort to reduce the available attack surface, three factors are
important when dealing with IoT: authentication, vulnerability management,
and device management.”
- 17. ©2016 VTI Security in association with SecureSet - Page 17
Vulnerability Management
All software requires updating.
From vulnerabilities in the supply
chain of third party libraries such as
OpenSSL to errors in code written
by the OEM, devices require updates
as a mechanism for assuring the
security and resiliency of the device.
But many organizations do not
have processes in place to assure
the legitimacy of updates, test and
evaluate the effectiveness of the
updates, and push down updates
to devices. In order to assure that
physical security devices are not
the point of entry for attackers,
updates must make it to devices
unimpeded and in a prompt
manner. Updates (i.e. patches)
often go to address critical security
weaknesses in devices. Patching
these vulnerabilities is an optimal
mitigation strategy as it directly
addresses the weakness, is nearly
free, and reduces the overall attack
surface. It is important to ensure that
these updates are pushed to devices
but it is also important to assure that
the updates are legitimate. To that
end, organizations must ensure that
firmware is signed by the correct
software publisher prior to taking
action on it as attackers often forge
updates to gain root access.
Device Management
Assuring the persistent behavior
of a device in a sea of devices is
difficult. In environments requiring
compliance or those that have high
standards for security practices, the
most efficient method for assuring
the configuration and operational
management of a device is with
automation tools often used in the
DevOps community. A Trusted
Business Partner can help evaluate
the business cases for these tools
and assist in the implementation
itself.
- 18. ©2016 VTI Security in association with SecureSet - Page 18
So Now What?
As the importance of physical and logical convergence
continues to move to the forefront of media and
mindsets, the strategic and tactical impact to making
buying decisions is evolving, as well. Bringing together
stakeholders from Security/Risk, IT/IS, and Finance/
Purchasing has never been more important. Just as
go-to-market has changed for manufacturers and
integrators of physical security technologies, so has the
need for qualifying those solutions and integrators from
the end-user perspective before making investments
and, ultimately, accepting the responsibility for IoT
devices on the network of your company.
Omaha, Nebraska
- 19. ©2016 VTI Security in association with SecureSet - Page 19
If you are still drafting an RFP in a
vacuum and publishing it to the open
market, you are doing a disservice
to the safety and protection of all
data on your network – company and
personal.
Your scope of work, IoT device
nomenclature, specifics on how
those devices are to be operating
on your network, storing data,
and communicating across your
enterprise, and the means by which
they are to be installed are all factors
that afford threat factors – inside
your company and outside your
company – with the ability to mine
your data and harm your network
ecosystem. Protection today is about
mitigation and prevention. Following
this antiquated process does little to
do either.
Hackers follow a process called
the Kill Chain, which describes how
most threats operate in pursuit of
exploiting networks, systems, and
services. The first step in this process
is to engage in reconnaissance.
The vast majority of threat actors
use open source intelligence, such
as documentation listed in an
RFP, to determine the underlying
infrastructure they seek to
compromise.
“Protection today is about
mitigation and prevention.
Following this antiquated process
does little to do either.”
The Investment Process
Limiting Your Liability
- 20. ©2016 VTI Security in association with SecureSet - Page 20
Once the infrastructure is identified,
researched, and understood a threat
actor can weaponize an exploit and
target a vulnerability causing the
unwanted and often devastating
consequence. Providing detailed
information to the public only makes
it easier for hackers of various levels
of skill, persistence, and means to do
their dirty work.
Forward thinking end-users today
have made the paradigm shift to view
the purchasing process through an
elevated approach. They seek Secure
Integrators capable of not only
understanding this vulnerability, but
adept at the design and management
of IoT data associated with physical
security technologies. Choosing your
Partner, collaborating on a secure
design concept with capacity to meet
your performance expectations, and
negotiating all terms, conditions,
and pricing serves as a strategic and
proactive approach to protecting
your company.
- 21. ©2016 VTI Security in association with SecureSet - Page 21
The Qualifying Process
Choosing a Secure Integration Partner
The leading companies today are redefining what it means to be
a qualified security integrator. Certainly, you require a Trusted
Business Partner capable of your demand, specified performance
requirements, one who carries ‘product’ and industry/regulatory
certification, and with the infrastructure to manage assets and
resources associated with installation, project management,
and support. However, when choosing a secure partner, the
requirements have evolved.
It’s important to choose a company with the tools, processes, and
investments necessary to ensure business continuity, protection of
real-time and stored data, and the capacity to collaborate with you
on extending your secure environment beyond physical security –
those that control what can be controlled.
Dallas, Texas
- 22. ©2016 VTI Security in association with SecureSet - Page 22
At a minimum, your qualifying and purchasing process should include a
company that can prove and demonstrate each of the following:
Cyber Security Insurance
Cyber Insurance protects both of
your assets and ensures business
continuity. This insurance covers
financial losses incurred by 3rd-
party data breaches, as well as, costs
associated with any data breaches
of your Partners’ systems. This is a
standard in today’s risk environment
that your integration Partner should
be required to carry.
Data Breach Plan
Qualifying a Partner who has retained
the services of a leading Information
Security Services company to assist
with securing internal information
assets, Incident Response planning,
Incident Assistance if a data breach
were to occur, and to perform
intermittent Network Penetration
Testing should be a basic requirement
of any qualified integrator.
System Access Management
Requiring your Partner to have
developed a program that defines
how usernames and passwords are
created and provides an encrypted
database location to store the
information on their secure network.
This basic measure needs to be
extended to the original storage
location, how that information
is shared with field colleagues
accessing your systems, and how that
information is set up originally as part
of the commissioning program. We
recommend you require your Partner
to define this program as a qualified
integrator.
Colleague Integrity
As a standard, your qualified Partner
should be executing a series of
screening applications to ensure
colleagues are fit for performance.
This includes reference checks, drug
– health – and background screening,
criminal crosscheck, as well as, work
ethic and character authenticity
testing. As is most often, threats
come from ‘inside’. It is important to
fully outline your expectations in this
arena to include annual re-testing if
necessary by your Partner.
- 23. ©2016 VTI Security in association with SecureSet - Page 23
Secure Remote Support
In compliance with client accessibility
requirements, your Partner should
be able to provide instant, proactive,
and remote support using proven
technologies. This is a collaborative
process that requires inclusion of
all associated departments and
stakeholders. For your qualifying
process, it is valuable to fully
understand how your Partner does
this today.
Business Continuity
Your Partner should be designing
protocols for unforeseen events
impacting their ability to perform.
Their Continuity Plan should include
things like housing their primary
servers in managed, co-location
datacenters with redundancy in
different geographical locations
and maintaining multiple service
dispatch operation centers in
different geographic locations. Ask
your Partner, what are they doing to
protect against unforeseen events?
Internal Controls
There is a broad array of standard
internal security controls including
next-generation firewalls, encrypted
network credentials, and secure
access protocols that your Partner
should be designing, implementing,
and investing in. Ensuring trust in
your Partner means understanding
what these are today, and what
they might be on the horizon as the
network and security technology
environment evolves.
Testing Environments
Manufacturers of hardware and
software often are delivering
upgraded solutions to the market.
Your Partner should have the ability
to provide a secure environment to
test software patches and upgrades
for existing and new installations
– minimizing disruptions to your
network. This process allows for
bugs and hitches in the installation,
operation, and communication of
new solutions to be ironed out before
going live in your environment. Is
there a fully operational ‘Demo Lab’ at
your Partners location to conduct this
kind of activity?
- 24. ©2016 VTI Security in association with SecureSet - Page 24
The Collaborative Design Process
Hardened Solutions, Interoperability, and Performance Expectation
Choosing your Partner goes beyond the basics of ensuring
they have invested in the tools necessary to ensure business
continuity. It requires a collaboration of ideas, resources,
and assets for the design of your solutions. Furthermore, it
is imperative that your Partner is capable of walking the talk
– taking tactical steps to ensure the activity ‘at the ladder’ is
congruent with your performance expectations.
Amarillo, Texas
- 25. ©2016 VTI Security in association with SecureSet - Page 25
Hardened Solutions
Today, the leading manufacturers in the physical security technology space
are bringing clarity to the security of the supply chain management of their
solutions, guidance on how to harden those products via password and
physical manipulation, and separating themselves from the low-cost, overseas
products often attributed to ‘cost effective’ solutions. It’s important there is an
understanding from both the client and the Partner where this value plays into
the investment.
Partner Vested in Protection
As defined in the Choosing a Partner section, you must be looking for a Partner
with the tools, processes, and investments necessary to ensure business
continuity, protection of real-time and stored data, and the capacity to
collaborate with you on extending your secure environment beyond physical
security. Qualifying this through the RFI process before you begin to negotiate
pricing and performance standards is the way forward-thinking companies are
operating today.
Training & Accountability Programs
As part of that investment, your Partner should have fully implemented
training and accountability programs for tactical performance by colleagues
tasked with operating on your network. This includes, but is not limited to,
a Password Program, a commissioning checklist to ensure the door isn’t left
open to devices installed on your network, and a quality control process to
define completion of projects.
Clear Performance Expectations
Defining ‘ownership’ of data, management of data, and communication of
information is part of the clarity needed when executing and installing physical
security technologies. Working with your Partner to elevate the Scope of Work
and driving a collaborative partner environment is essential to your success.
- 26. ©2016 VTI Security in association with SecureSet - Page 26
Conclusion
Cybersecurity can seem daunting – and it can be. But it is not
outside of the reach of those who are trained and education
on the proper technologies, processes, and procedures used
in the enterprise to assure cybersecurity. It is important to
work with a Trusted Business Partner to assure the security
posture of the physical security implementation that your
firm is undertaking. Understanding the risks imposed by new
architectures and implementations is the first step. Assuring
that steps are being taken to mitigate them should be the
long-term goal. Knowing that cybersecurity is a team sport
helps in the development and implementation of strategies to
go to assure the effective operation of any organization.
Colorado Springs, Colorado
- 27. ©2016 VTI Security in association with SecureSet - Page 27
Joshua Cummings
Director Engineering Services / VTI Security
Josh is the Director of Engineering Services at VTI
Security, which is a Minneapolis based security
technology integrator. Josh leads VTI’s enterprise
Design Services Team including Design Engineers,
Sales Engineers and Computer Aided Design
assets built to ensure functionality of end-user
investments. Josh has over 15 years of experience
in system design architecture, leading design teams,
system deployment strategies, process and procedural development and
technology leadership in the security industry. Josh is a member of BICSI and
sits on several manufacturer advisory boards.
Stephen Fisher
Director Business Development / VTI Security
Steve is the Director of Business Development
at VTI Security, which is a Minneapolis based
security technology integrator. Fisher is called
upon to empower colleagues, discerning clients,
and Trusted Business Partners with strategic plans
for horizon effectiveness in the realm of security,
operational efficiency, revenue retention, and
policy compliance. Fisher has over 20 years of direct
industry experience in the C-Suite of Security, Risk, IT, and Operations for
enterprise-wide engagements in multi-vertical environments. Industry and
Trade membership(s) have included the American Society of Industrial Security
(ASIS), the Colorado Technology Association (CTA), and Colorado Association
of Healthcare Engineers and Directors (CAHED), Advancing Data Center &
IT Infrastructure Professionals (AFCOM), and the Department of Homeland
Security/Chemical Terrorism Information Authorized User (DHS). Fisher holds
a Bachelors Degree in Corporate Communications from Elon University.
- 28. ©2016 VTI Security in association with SecureSet - Page 28
Alex Kreilein
Managing Partner & CTO / SecureSet, LLC
Alex is the Co-Founder and Managing Partner/
CTO of SecureSet, which is a Denver, CO based
cybersecurity services company. Alex served as a
leading Technology Strategist for the Department
of Homeland Security from 2011 – 20015 and was
appointed as a Guest Researcher to the National
Institute of Standards & Technology (NIST) from
2013 – 2015. Kreilein supported the development of security strategies and
technologies in commercial LTE and NG9-1-1 networks and standards. He
advised the National Security Telecommunications Advisory Committee
(NSTAC) and engaged in standards development at 3GPP, GSMA, the Open
Networking Foundation (ONF), the Internet Engineering Task Force (IETF), and
the Broadband Internet Technical Advisory Group (BITAG). Kreilein holds a
MA in National Security and Strategic Studies from the US Naval War College
and will complete his Ph.D/MS at the University of Colorado Boulder College
of Engineering and Applied Science in 2017. His area of research covers the
integration of threat intelligence and dark web research into quantitative risk
analysis and mitigation methods. He is a Member of the Information Systems
and Security Association (ISSA), a Member of the Institute of Electrical and
Electronics Engineers (IEEE), a Member of the Electronic Frontier Foundation
(EFF), a Member of Armed Forces Communications and Electronics Association
(AFCEA), Open Web Application Security Project (OWASP), and an advisory
board member to multiple startups in the field of cybersecurity and national
security.
- 29. ©2016 VTI Security in association with SecureSet - Page 29
www.vtisecurity.com
401 West Travelers Trail, Burnsville, Minnesota 55337
800.241.1476
For over 35 years, VTI has been called upon to design, install, and support a full range of
advanced security technologies. Built upon our core values of Trust, Mutual Respect, and
Accountability, our colleagues are committed to earning status as your Trusted Business
Partner. Our company has been recognized by our industry as a Top Integrator consistently
for years.
Our colleagues deliver creativity, flexibility, and cost-effective methodologies to system
design, project management, engineering, installation and lifecycle management of your
investments. Our market experience affords you an in-depth understanding of the unique
needs of your colleagues, facilities, the information you manage, and regulation impacting
your operations.
Our reach includes successful deployments and support throughout North America and
beyond. VTI is positioned to support your requirements in virtually any urban or rural
environment. Our regional and national clients value our ability to maintain a personal
relationship while performing on an enterprise level.
Our investment in colleague certification supports VTI’s influence on your behalf. We are
a platinum level and preferred partner to most of the industry’s leading manufacturers.
From a design, engineering, and functionality perspective, we are positioned to ensure your
investment delivers on your performance expectation.
Support Services direct from VTI include multiple 7/24/365 Service Operations Centers
where we answer the needs to over 10,000 requests annually. In addition to our on-
site technician programs, we offer CORE Services including remote diagnostics, health
monitoring, strategic planning, system maintenance, management reporting, and supply
chain logistics. Each of our Support Services programs are designed to enhance, protect,
and future-proof your investments.
Our future strategic plans are geared around solidifying our Core Client Base by providing
them with future-proofed systems, Strategic Security Planning for horizon projects and
budgeting, outlining plans for technology migration as edge devices become antiquated,
and empowering our Client Partners with the information necessary to be in front of the
curve – not behind it – when operating in their own stakeholder environments. We believe
this kind of value is at the foundation of our responsibility.
In addition to our consistent investment in training and certification, our future strategic
plans include investing in efficiency to ensure our growth is sustainable – alongside the
growth activity of our Clients. This equates to implementation of technology that supports
speed, accuracy, and accountability – as well as, the ability to be proactive.
- 30. ©2016 VTI Security in association with SecureSet - Page 30
www.secureset.com
3801 Franklin Street, Denver, Colorado 80205
800.445.0024
The promise of cybersecurity is the freedom for brands to stay focused on winning
customers. SecureSet is building a community focused on fulfilling this promise. With state-
of-the-art education, business acceleration and product demonstration, we’re arming our
participants for success in the ever-evolving cybersecurity space.
SecureSet℠ Academy’s accredited CORE programs are the direct path to careers in this
booming industry. This intensive program—available in full time or evening schedules—
includes extensive hands on instruction in state-of-the-art labs, guided product training,
and essential certifications (CISSP and Security+). The evolution from a general IT career to
cybersecurity professional can take 5 to 10 years. The CORE does it in as short as 20 weeks.
SecureSet℠ Academy provides extensive job-placement mentoring and networking for all its
students. Our core objective is that each graduate receive at least one offer of employment
in the information security industry. In addition to a diploma, and CISSP and Security+
certifications, CORE graduates depart with a personal portfolio of evidence of the knowledge
and skills they have learned at the Academy.
The SecureSet Accelerator is a way for start-up companies in the cybersecurity space to
get funded, get noticed and improve their value. We’re recruiting for our first class of
companies to be in residence at our Denver campus from May-August, 2016. To qualify you
must be doing something incredibly cool and meaningful in cybersecurity. The SecureSet
Accelerator leverages a national footprint of partners, mentors and startups to attack this
single market through a 4-month program. If you make the grade, your firm will receive an
investment of $50,000, unparalleled mentorship from some of the finest minds in the field,
and ready access to potential customers. You’ll also get access to the SecureSet Proving
Ground where you can test your product and do live customer demos without the risk of
breaking the network of a foreign country or a Fortune 500 company. And, the Proving
Ground will be available to you for customer or investor pitches even after you’ve left the
Accelerator.
Our focus on cybersecurity means that every aspect of our program—from our selection
criteria to our mentor curriculum to our corporate partnerships to our investor stable—
will be more effective in helping your information security venture succeed. A great
deal of learning comes from other Accelerator firms in your class. Together, you can
share experiences and contacts that will prove to be invaluable in the years to come. An
important part of the Accelerator program is giving your company exposure and training in
some rigorous business methodologies needed to grow your company. We draw on a wide
range of expertise in information security Product Development, Design, Operations and
Strategy as well as Venture Capital, Finance, Marketing and Sales, all designed to outfit your
firm with more clarity and executional skill.
- 31. ©2016 VTI Security in association with SecureSet - Page 31
Disclaimer
The content provided in these white papers is intended solely for general
information purposes and is provided with the understanding that the
authors and publishers are not herein engaged in rendering professional
advice or services. The information in these white papers was posted with
reasonable care and attention. However, it is possible that some information
in these white papers is incomplete, incorrect, or inapplicable to particular
circumstances or conditions. We do not accept liability for direct or indirect
losses resulting from using, relying upon, or acting upon the information in
these white papers.