The importance of Secure by Default

Steven Kenny

As the cybersecurity landscape continues to evolve at a rapid pace, partly thanks to the increasing use of Internet of Things (IoT) devices, businesses are beginning to face a proliferation of threats. This enhanced risk factor has no doubt been a driver for the implementation of new legislation, such as the General Data Protection Regulation (GDPR) and NIS Directive. There are multiple threat vectors to be considered, ranging from the rarer elite teams of sophisticated hackers, to the more common opportunistic hackers who are looking for exploitable vulnerabilities and weaknesses in a network. And let’s not forget perhaps the most potent threat of them all … employee or human error/negligence.

It is a concern that many major data breaches have been reported in recent times due to issues with system configurations, which can usually be attributed to human error. While it is widely acknowledged that education regarding the use of new technologies is hugely important, it is also essential that technology vendors support those who are installing and commissioning these systems to minimise human mistakes and configuration issues.

As the challenges rise, we will start to see organisations such as the National Cyber Security Centre (NCSC) intensify awareness programmes regarding principles like Secure by Default and, in turn, end users will start to demand that the technologies they procure are designed, manufactured and deployed with a Secure by Default strategy. Secure by Default essentially means that a technology has the best security it can have built in, without users even knowing it’s there or having to turn it on.

A new approach to cybersecurity

Simply put, a Secure by Default strategy means taking a holistic approach to solving security problems at the root cause, rather than treating the symptoms of a cybersecurity defect, and therefore acting at scale to reduce the overall harm to a system or type of component. Secure by Default covers the long-term technical effort to ensure that the right security primitives are built into software and hardware. It also covers the equally demanding task of ensuring that those primitives are available and usable in such a way that the market can readily adopt them.

This area has never been so important for businesses. Not only does poor set-up and configuration of technology increase the risk of devices providing the environment for unauthorised access to a network but, especially with physical and electronic security devices, it may also give hackers eyes and ears within a business premises, or simply provide them with the ability to access video streams of staff, customers or members of the public.

At Axis, we’ve experienced businesses questioning the danger of a cybersecurity breach, stating: “What’s the worst that can happen? They will only get access to the video feeds but won’t get into our network.” This is a dangerous scenario and mindset. At present, the worst possible outcome may be a GDPR fine, as this activity allows for unauthorised access to personally identifiable information (PII) – all because there haven’t been sufficient measures put in place to protect the PII that has been captured. Not to mention the reputational damage that comes with it.

The GDPR makes ‘data protection and security by design and default’, previously known as ‘privacy by design’, a legal requirement. Article 25 mandates that, at the time of the determination of the means of the processing and at the time of the processing itself, organisations must put in place appropriate technical and organisational measures designed to implement data protection in an effective manner, and to integrate the necessary safeguards into the processing. (Ref: NCSC)

It was recently reported that hackers in the UK broke into schools’ CCTV systems and streamed footage of pupils live on to the Internet. Understandably, this gained a lot of negative publicity; after all, we send our children to school with the expectation that they will be safe, and the security systems are there to protect them rather than put them at risk.

The website broadcasting the footage claimed the systems hadn’t been hacked and the cameras were all Internet-connected cameras that didn’t have proper password protection. While this is still unethical, the website broadcaster is correct in stating that these systems hadn’t been hacked. So, what is the biggest issue here?

This example perfectly illustrates a poorly designed technology that doesn’t follow the principles of Secure by Default; it is also poorly installed and configured, delivering a perfect storm of insecure processes. If either of these areas had been done correctly, it is more than likely this incident would never have taken place. While perhaps not recommended, it is possible to deploy a technology that doesn’t follow the Secure by Default principles and still make the technology secure, as long as it has been configured and deployed in line with cybersecurity principles.

Or, if a technology does follow Secure by Design principles, it will have out-of-box cybersecurity principles built in, which would inevitably have prevented this incident from occurring. Best practice security should include password prompts, strength indicators and – most importantly – disabled remote access. It is worth noting that it wasn’t only school surveillance systems on this site but also commercial businesses, residential properties and public space camera systems that were affected by the breach.

To support our technologies, Axis has aligned the Secure by Default principles to recommendations made within the National Cybersecurity Strategy Code of Practice, including:

  • Password prompts – in order to access the device, there will be an out-of-box password provided for the user. During the set-up process, we will prompt the user to change the password.
  • Password strength indicators – there is a strength indicator advising on the effectiveness of the password. Due to most large enterprises having their own corporate password policies, we won’t dictate and approve the password used, but will advise on the strength of the password.
  • HTTPS encryption – Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The ‘S’ at the end of HTTPS stands for ‘secure’. It means all communications between your browser and the website are encrypted.
  • 802.1X – IEEE 802.1X is an IEEE standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols and provides an authentication mechanism for devices wishing to attach to a LAN or WLAN.
  • Remote Access DISABLED (NAT traversal) – while there are operational benefits to being able to remotely access devices, this is a function that needs to be enabled, and the necessary precautions should be followed when this has been enabled to protect the device.

At Axis, we understand the importance of securing our technologies and, while no technology is ever 100% secure, we follow technical considerations such as Secure by Default. To gain a good understanding of the policies and procedures Axis offers to support our customers when it comes to cybersecurity, please download our Technical Paper.

Cybersecurity Challenges – An Overview