The San Mateo Union High School District (SMUHSD) engaged Guidepost to perform a thorough commissioning assessment of its Information Technology (IT) security virtual local-area-network (vLAN) following the installation of network video surveillance cameras. The intent of the comprehensive network commissioning was to ensure that the technology investment was both compliant with the systems design and operational intent.

The commissioning scope of work encompassed testing the district’s new video surveillance system using the GearBox cybersecurity performance and vulnerability tool. Our team used the GearBox tool to perform a comprehensive network device vulnerability assessment to confirm that device factory settings passwords had been changed by the installation contractor. Implementing the GearBox on the client network finds, assesses, and reports security and performance vulnerabilities of Internet-of-Things (IoT) network devices simply by connecting to the network and performing a comprehensive scan. This is a simple but hugely effective step and action in maintaining secure networks and ensuring that known vulnerabilities such as factory password settings and out of date firmware are not exploited by entities seeking to cause harm; maintaining a secure cyber security posture mitigating threats and vulnerabilities as a standard systems commissioning practice.

Reviewing and confirming whether any vulnerabilities were created during the installation of new network devices should be a final systems testing norm. Guidepost’s holistic approach to security technology design and implementation provides a soup to nuts service from systems design through to close-out provides clients with confidence and confirmation that all measures to maintain both physical and cyber security postures are addressed. During the SMUHSD commissioning exercise, we found no trace of vulnerabilities within the network or IoT hardware and validated the contractor’s comprehensive physical device installation and programming of the new system.

After completing the commissioning network performance assessment with the GearBox, we presented the data recorded to the district. Through data analysis, we determined the installation followed both the video surveillance system and camera vendors cybersecurity hardening practices. This included testing host passwords for both default and commonly used login credentials, performance testing in which GearBox would ping the network devices in question and measure the response time for any delays or observable losses of data, and validating that all the latest firmware was installed within each system component.

Benefit to the Client

Network vulnerabilities are a known source of concern and issue across K-12 educational institutions. Software programs are often running in the background from a central server location to identify potential breaches or attempts to penetrate networks, however, they do not provide solutions as delivered by the GearBox connected at the edge of the network. Implementing the GearBox as a standard commissioning tool provided confirmation and peace-of-mind to SMUHSD that its investment in technology did not create additional vulnerabilities. After confirmation that there were no cybersecurity issues or identified vulnerabilities through the commissioning process, the district was able to confidently move forward knowing that its new video surveillance network incorporated cybersecurity best practices and followed the National Institute of Standards and Technology (NIST) Cybersecurity framework. Ultimately, this process ensured that no cameras nor network switches had to be replaced, all firmware was up to date, and the system required no further hardening. This resulted in the district saving both time and money regarding additional maintenance and systems programming.