12 best practices for securing surveillance networks against cyber attacks
Given all of the high-profile data breaches that have made headlines recently, the issue of securing surveillance camera networks and other physical security systems has become a hot topic in the security industry of late. With an ever-increasing number of security sensors becoming internet-connected as the industry continues to migrate to IP-based technology, there is realistic possibility that those devices could be accessed by hackers or potentially used as a gateway to enter the larger corporate network.
There has already been at least one highly-publicized incident in which the former threat became a reality. In the recently uncovered $1 billion bank heist carried out by the Carbanak cyber gang, it was discovered that the group gained access to cameras inside banks where they were able to monitor what employees were doing on their computer screens.
Perhaps the larger threat that has many systems integrators and end users concerned is that of cyber criminals using unsecured cameras and other devices as a means through which they can penetrate an organization’s network to gain access to sensitive information. According to a survey conducted by auditing firm PricewaterhouseCoopers, incidents of cyber breaches rose 48 percent in 2014. In another study conducted by the Ponemon Institute, 43 percent of U.S. executives admitted that their company had been victimized by a data breach.
It is out this growing concern surrounding the cybersecurity of video cameras and other physical security tools that cloud-based VMS provider Eagle Eye Networks on Thursday released a whitepaper with a list of 12 best practices that organizations can adopt to help mitigate these threats. According to a survey conducted by the company last year, 69 percent of IT personnel polled said that video surveillance systems were vulnerable to a cyber-attack. Another 17 percent of respondents said they didn’t know if they were vulnerable and 14 percent said that they were not vulnerable.
“Our physical security systems - access control, fire alarms and video surveillance systems – basically have all kind of quietly become internet-connected,” said Dean Drako, president and CEO of Eagle Eye Networks. “In addition to being internet-connected, these systems are also connected to the local network in the majority of situations. What that means is that physical security systems are now smack dab in the middle of the cybersecurity world and it is a serious problem.”
Drako said the cybersecurity of physical security systems has flown relatively underneath the radar until recently because some people wrongly assumed that these devices and IP addresses were not known about. “That’s not going to stay true any longer and, in fact, it never was really true,” he said.
Drako believes that the biggest shortcoming of systems integrators and end users when it comes to protecting security systems against cyber threats is not fully realizing the ramifications and risks of connecting these devices to the internet.
“When you’re going to expose a machine to the internet, there’s a certain set of responsibilities that go with that and I think that that is actually the biggest issue,” he added.
Here is a look at the 12 best practice topics and how organizations can go about shoring up their safeguards in each of these areas:
1). Camera Passwords
The security industry has been notorious for leaving default usernames and passwords in place on cameras when they are installed. The problem with this practice is that these usernames and passwords can be easily discovered with a simple internet search which makes them easy prey for hackers. Ideally, Drako said those with a small system in place should use a different strong password for each camera on the network. However, in a larger network where that may not be feasible, he said that organizations should use a VLAN or a private network and have the same strong password for all the cameras on the network.
2). Port Forwarding
In order to give users remote access to their video systems, an HTTP server must be exposed to the internet to be able to serve up those video feeds. This opens machines up to threats from cyberspace, one of the most notable of which was the recent Heartbleed Open SSL exploit. The best practice to prevent against threats posed by port forwarding really depends on the architecture of the network. If it is a traditional system with an NVR, only the minimum number of ports should be forwarded and the organization should implement some type of next-generation firewall. In a hosted environment, there is no port forwarding to speak of so the threat is non-existent. That’s not to say, however, that the cloud system is properly architected, so organizations should still check with their integrator.
3). Firewalls
Firewalls are one of the most complex and misunderstood mechanisms for protecting any network – security or otherwise –from threats that lurk in cyberspace. For this reason, those with traditional surveillance system architectures should consult a professional network security expert to verify and configure their firewall and make sure there is clear documentation on firewall configuration. Organizations should also regularly monitor and implement changes as needed. In the hosted environment, there is no onsite firewall configuration needed because there are no inbound ports.
4). Network Topology
According to Drako, mixing surveillance camera systems with a standard corporate IT network can be a recipe for disaster as it creates doorways for hackers to enter into the main network. An increasing number of DVRs and NVRs are being connected to the internet and many of them are shipped without any antivirus protection on them. One of the problems is that there are numerous applications running on these appliances which, if not properly patched, leave openings for hackers. The best practice, in this case, is to place the camera network on a physically separate network from everything else. However, because this may not be possible in many cases, Drako recommends that organization use a VLAN.
5). Operating Systems
The threats against operating system are well documented and all surveillance systems run on one of these operating systems, typically Windows or Linux in most cases. Due to the number of exploits that exist, it is critical that organizations know the operating system their network runs on as well as the version used so that their IT team can track, monitor and patch against these vulnerabilities as they become known. This is another area in which having a hosted video solution can really benefit the end user as a true cloud-managed system does not require the customer to keep tabs on these vulnerabilities. On the contrary, the cloud vendor should be responsible for monitoring cyber threats and if one is found, they should be able to instantly implement a patch or update over the internet to protect the video network. Not all cloud vendors provide this level of service, however, so each organization should check to make sure that their cloud provider does and that they also have a dedicated security team.
6). Operating System Passwords
As with cameras, there are quite a large number of users that leverage weak passwords for gaining access to their operating system. Oftentimes, multiple administrators within an organization will share the same root or admin passwords and some organizations are not diligent enough in changing passwords when there is turnover in the workforce. Drako recommends that organizations set long, high-quality passwords for the operating system and establish password policies and procedures for changes in personnel.
7). System Password
Once strong passwords are implemented on the cameras and operating systems, administrators should also not forget to do the same for their surveillance system as a whole. Organizations should enforce the same quality passwords with equally stringent requirements for those people that are granted access to the video network. It is also not a bad idea to require that video surveillance systems passwords be changed on a regular schedule.
8). Connection Encryption
According to Drako, a surprising number of DVRs, NVRs and VMS solutions use internet connections not encrypted with SSL (Secure Socket Layer) protection or an equivalent due primarily to costs. Drako said that an SSL certificate costs $500. Without this protection, passwords are essentially going over the internet in clear text, which Drako explained as being tantamount to logging into a bank account without using the HTTPS protocol. To remedy this, Drako says that organizations should only use systems which encrypt with SSL or an equivalent.
9). Video Encryption
Drako said that video data should not only be encrypted at rest but also in transit. This means that, as a best practice, video should be encrypted when it is both stored on disk and when it is being streamed.
10). Mobile Access
One of the biggest trends in video surveillance over the past several years has been the drive to push real-time and recorded video to people in the field via mobile devices. With the proliferation of mobile video also comes risk. In a sense, the risks that apply in some of the aforementioned best practices apply double when you add a mobile component to your video system as the same concerns surrounding passwords, account deletion and encryption also come into play. Drako said that identical best practices should be used including making sure that an encrypted mobile app connection is used, high-quality passwords are set and that people are diligent about password enforcement and account deletion for staff turnover.
11). Computer and Storage Physical Access
Even if an organization employs the best measures to protect against thieves in the cyber realm, if they don’t put physical safeguards around them then their efforts may be for naught as it would be just as easy, if not more so, for someone to break into the system onsite. Drako recommends that facility managers keep cabinets and cables secure, along with rooms that house various components of the security system.
12). Video Recording Software
Because video management software often leverages components beyond the operating systems on which they run, such as Microsoft database applications and vendor-proprietary software, these components must be upgraded to avoid various vulnerabilities. To stay on top of the risk, Drako advises organizations to check for and install updates to these software platforms regularly and to be proactive in monitoring for threats.
“If you really want to implement these 12 best practices, the checklist is something that involves the end user, the integrator and the surveillance vendor,” said Drako. “All three parties really need to play a role because otherwise you’re going to miss pieces of it.”
Click here for more information or to download a copy of the whitepaper from Eagle Eye Networks.