Hikvision Cybersecurity Overview

© 2017 Hikvision USA Inc. and Hikvision Canada Inc. All Rights Reserved. Confidential and Proprietary


Remarkable Growth Rate

Why is Hikvision a target?

Set the Record Straight

Cybersecurity – Bigger Picture

Chinese Ownership

History of Vulnerabilities

2014 to Present

Approach to Cybersecurity

Why Hikvision?


Global Overview

2001: $0

2016: $4.67B sales revenue, $1.07B net profit (currency in USD)

Growth rate: 26.32%

7% - 8% of annual revenue reinvested into R&D

Over 20,000 globally

9,000+ engineers

No. 1 worldwide - 23.2% of the global network security camera market


North America Overview

Top 2 Video Security Market Player

Expected to be #1 by 2018

Average annual growth for the video surveillance industry is approximately 7% per year.

Hikvision is over 50% year-over-year.


Local Support in the US and Canada

340 employees currently

400+ expected by 2018

Warehouses in Los Angeles and in Miami

Dedicated customer service, inside sales support and call centers in US and Canada

Local technical support in Los Angeles, Montreal, and Dallas, and across North America

New R&D facility in Montreal


Hikvision has been incorrectly labeled as having poor cybersecurity practices

Let’s review the Facts


Is Hikvision a division of the Chinese government?

FACT:

Hikvision is a global, publicly traded company, listed on the Shenzhen Stock Exchange (SHE: 002415)

Hikvision itself is not an SOE (State-Owned Enterprise)

Four major stockholder groups:

Common-share/international institutional

SOE shareholders

Individual investors

Company founders and executives


Is Microsoft’s product security poor?

Microsoft product vulnerabilities are regularly discovered and exposed.

Some vulnerabilities are significant, such as “Eternal Blue.”

In CVE’s vulnerability database, Microsoft products have 4,472 vulnerabilities listed, many more than other comparable companies.

The truth…

Microsoft is a world-class company.

Microsoft is the world leader in product security best practices.


Security exploits

Windows: 127 security updates just for 2016 (https://technet.microsoft.com/en-us/library/security/mt637763.aspx)

Lenovo: 16 security updates just for 2016 (https://support.lenovo.com/us/en/product_security/PS500001?LinkTrack=Solr)

Oracle: 910 security updates just in 2016 (http://www.oracle.com/technetwork/topics/security/public-vuln-to-advisory-mapping-093627.html)

Android: 411 security updates just in 2016 (https://source.android.com/security/bulletin/)

Apple: 56 security updates just in 2016 (https://support.apple.com/en-us/HT201222)

Combined security updates: 1,520


Common Vulnerabilities and Exposures (CVE)

What is CVE?

CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known cybersecurity issues.

The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this “common enumeration.”

Who owns CVE?

The National Cybersecurity FFRDC, operated by the MITRE Corporation, maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security.


Where is this information coming from?

Mainly: One Source Reports on Hikvision Security Events

Total of 221 security articles; 149 mention Hikvision

Some sites favor sensationalist coverage over factual evidence


Quick Fact Check:

“Hikvision has a backdoor”

Privilege Escalation Vulnerability - A “backdoor” is generally considered to be a vulnerability that is intentionally placed by a manufacturer. A coding error, on the other hand, is not placed intentionally. Importantly, ICS-CERT (a division of DHS) classified the Hikvision vulnerability as a coding error, not a backdoor.

The issue was addressed and corrected with a firmware release within 2 weeks of discovery.

“Hikvision has been banned by the US Government”

There is NO “U.S. Government ban” on Hikvision products. An unauthorized reseller listed Hikvision products on the US “GSA Schedule.” They were selling products that should not have been listed on the GSA schedule. This was in no way sanctioned by Hikvision. Once discovered, Hikvision asked the reseller to remove Hikvision from the GSA, as Hikvision products are proudly built, assembled and packaged in China.

“Hikvision is a division of the Chinese Government”

Hikvision is a publicly traded company, with a diverse set of owners. The largest shareholder is a State-Owned Enterprise.


Hikvision’s View on Cybersecurity

Cybersecurity requires an ongoing commitment – Hikvision is fully engaged in this effort, and is stronger because of it.

Everyone is responsible for ensuring safe, secure environments. Although roles may differ, responsibility does not. With everyone's participation we all stand a better chance in cybersecurity.

Enacting strong cybersecurity measures may not be convenient, but they are well worth the time spent.

If an issue occurs, Hikvision acts swiftly and efficiently to identify and resolve it.

There is no system or product that is 100 percent secure.


Hikvision’s Goal: Known Thought Leaders on Cybersecurity

100% transparency

Set the record straight – dispel misinformation through a large-scale campaign

Provide ongoing target hardening trainings

Work with A&Es to encourage that cybersecurity best practices are written into the tender documents

Offer onsite commissioning support to ensure cybersecurity best practices are followed

Be the education leaders on cybersecurity

Provide and recommend cybersecurity certification


Cybersecurity 2014

Mar 2014: Malware designed to mine bitcoins infected many manufacturers’ DVRs and NVRs

Hikvision’s response: New firmware where needed; constant communication; tech bulletin

Aug 2014: Malware targeting Hikvision 7200HWI and 7300HWI series DVRs

Hikvision’s response: New firmware; constant communication; free shipping; Hikvision engineers onsite support

Nov 2014: Buffer overflow vulnerability was found in Hikvision DVRs

Hikvision’s response: New firmware; notifications; constant communications; new resources created


Cybersecurity 2015 - Current

Feb 2015: Alleged incident: Default username and password reported to gain access to DVRs

Hikvision’s response: Issued alert; Hikvision creates Secure Activation procedure, others follow suit

Sept 2015: “XcodeGhost” malware in apps, Hikvision included

Hikvision’s response: Notifications; Hikvision rewrote the software and submitted it to Apple for certification. This entire process took 2.5 days.

Oct 2016: Mirai botnet malware; Hikvision was not affected

Hikvision’s response: Remind partners of the cybersecurity resources available

Mar 2017: Privilege Escalation Vulnerability

Hikvision’s response: New firmware; notifications; constant communications; ongoing work with DHS to address other potential concerns

The most effective way to solve a security vulnerability is the manufacturer’s quick and active response


Corporate Cybersecurity Defense

New Director of Cybersecurity: Chuck Davis, MSIA, CISSP-ISSAP

Hikvision Security Center

Hikvision Network and Information Security Lab

Hikvision Cybersecurity Hotline

Network Security Hardening Guide (Update coming soon)

Third-Party Certification: ISO/IEC 27001 certification; ICSA

Third-Party Penetration Test: Rapid7; researching others


The Real Status of Hikvision Security

Product safety can only be assured when manufacturers constantly strengthen their internal product safety construction, which includes security of both product development and the product development environment.

In order to achieve this goal, Hikvision conducts the following third-party assessments:

Third-Party Evaluation:

EY: a group-wide information security evaluation, in order to perfect Hikvision’s overall security regimen.

Cisco often works with global customers to help assess and identify opportunities to reinforce the security of their own business. Hikvision has enlisted Cisco’s help, with the goal of elevating our R&D development standard to match Cisco’s world-class R&D development standard.

EY from the United Kingdom: an SOC2 evaluation and verification of Hikvision, in order to ensure the security and confidentiality of our cloud products.


Always remember: No one is immune, simply lucky. If someone wants to spend enough time and effort they can find a way to get onto any device that is attached to the Internet.


Why Choose Hikvision? Partner to Win

Hikvision Mission = Trusted Partnership between Hikvision and Stanley

Largest A&E team to drive sales to Stanley

Two-tiered vertical specialists to create demand for Stanley

Local Support: Hikvision NAM and SAE in the field to help local Stanley offices with pre- and post-sales

Regional sales team (more than 120) to support Stanley nationally


Facts About Hikvision

Corporate Citizenship

Social Responsibility Programs

Leukemia & Lymphoma Society – corporate support and fundraising

Citizen Schools – corporate support, fundraising and educational efforts

Missing Children’s Network of Canada – corporate support and fundraising

Jonathan Jaques Children’s Cancer Center – corporate support and fundraising

Jobs created in North America

2017 – more than 400

2022 – more than 1K


Hikvision USA Inc. 18639 Railroad Street

City of Industry, CA 91748

Tel: +1 909-895-0400

Toll-Free: +1 866-200-6690 (U.S. and Canada)

Fax: +1 909-595-2788

Email: [email protected]

www.hikvision.com

Thank You!