Cybersecurity requires coding

How Axis is bringing cybersecurity to surveillance solutions

Cybersecurity threat analysis

A good cybersecurity strategy starts with knowing what common industry-specific threats an organization is likely to face, where the vulnerabilities lie in its defenses, and how the industry is regulated. Axis understands this and works proactively with partners and customers so that they have the knowledge and protocols to protect themselves from attack.

Unfortunately, security threats cannot simply be pigeonholed into clearly defined boxes. They differ in their sophistication and in their effects. Highly complex attacks with serious consequences for companies and their customers most often make it into the headlines and public awareness. However, these are rather rare incidents. You should be much more concerned about a much more common problem: failure to follow protocols or some sort of “willful or accidental system misuse”.

Fred Juhlin, Global Senior Consultant at Axis, thinks this is one of the biggest misjudgments: “Many organizations wrongly focus on protecting their companies from threats that could bring them negative headlines. Rather, they should start with the basics. User errors are the most common cause of successful cyber attacks, so they must not be forgotten in the cybersecurity package of measures.”

Eliminate cybersecurity vulnerabilities

Vulnerabilities are weaknesses or opportunities that can have negative consequences for the system. They exist in every system, because no solution is completely free of weak points. However, instead of focusing only on the vulnerability itself, one should investigate the possible consequences of its exploitation for the organization. You can then determine the associated risks and set the priority for eliminating the vulnerability.

Axis uses cybersecurity best practices in the design, development and testing of its devices to minimize the risk of vulnerabilities that could be exploited in an attack. However, securing a network, including all devices and the supported services, requires active participation from the entire supply chain through to the end user. The Axis Hardening Guide describes the various possible security controls for the devices. It also gives recommendations as to when, where and why they should be used to secure the network, devices and services.

From the retailer's point of view, the development of software products with built-in security over the entire development cycle requires experience and maturity in secure software design and programming. In addition, the products must meet the applicable laws (such as the GDPR or CCPA on data protection, NDAA, CMMC of the US Department of Defense on secure supply chains, and the UK's "Secure by Default" laws on secure coding) and many other requirements.

Wayne Dorris, CISSP Business Development Manager, Cybersecurity at Axis said, “We spend much of our time studying cybersecurity laws, regulations and standards and examining where and how they could affect Axis. The same provisions do not apply everywhere. This is a challenge for customers who have to install their products in different markets. For example, a firmware version for America would not be appropriate if a different version is required for EMEA.”

Axis is addressing this challenge through its Security Development Model, which is based on several industry best practices in cybersecurity. The model defines the processes and tools that are used to create software with built-in security throughout the development lifecycle - from prerequisites to design, implementation and verification to use.

Communication and collaboration

Even if critical weaknesses in a product have been eliminated using the best available methods, the threat situation is constantly changing. It is therefore important that customers and partners know immediately when a new vulnerability is discovered. In this way, they can assess the risk for themselves and initiate countermeasures (e.g. through patches).

Some customers want to assess threats themselves and use independent testing tools to report current weaknesses in the solution. These can be valuable for the long-term protection of the system, but must be seen in the right context and combined with a risk assessment. Otherwise there is a risk of drawing wrong conclusions and taking expensive but unnecessary measures.

Steven Kenny, Axis Industry Liaison Manager, comments, “It is good for customers to actively investigate their systems for vulnerabilities, but these reports can contain many false positives. Without the right context and risk assessment, it's easy to get lost and waste resources fixing problems that hardly affect the business.”

Axis works closely with customers and partners to evaluate and prioritize weak points. Together we develop a strategic, well-founded plan of action.

Education and training in cybersecurity best practices

When advising on new vulnerabilities and developing security guidelines, employee training should not be neglected. Employees can be one of the biggest cybersecurity vulnerabilities in an organization. They need to know exactly how they become vulnerable and what the consequences of non-compliance with security practices can be. Axis supports cybersecurity awareness training and helps establish best practices for end users.

Security officers can also be a cybersecurity vulnerability in an organization as they are responsible for managing security controls. This also includes maintaining an up-to-date device list, secure installation, adding patches and managing accounts for the devices. It is not easy to always stay up to date. Axis Device Manager (ADM) supports security personnel in this.

But the needs of customers are changing and more and more functions such as cross-location administration or improved monitoring are required. That's why we developed ADM Extend. It allows for more flexible installation and support for multiple locations. The main focus of ADM Extend is currently on joint operations. Further guidelines, security automation and integration into other systems will follow shortly.

Stable cybersecurity is only possible together

Attackers often work in teams and share information about the latest vulnerabilities, tactics and successes with each other. The fight against such a determined and often well-funded enemy is futile without proper defense and support. Defending against the ever-evolving threats requires a multi-level strategy and cybersecurity training.

The industry is driving a “zero trust strategy” in which each entity is identified and described by its risk profile. It is therefore important to choose products that are designed with security in mind. Axis uses over 30 years of experience to develop reliable products. Our collaborative strategy ensures that partners and customers are equipped with the critical information and tools to respond to evolving threats.
