Last year’s massive distributed denial of service (DDoS) attacks against the website of cybersecurity journalist Brian Krebs and domain name service (DNS) provider Dyn opened the eyes of many within the security industry to the dangers posed by unsecured IP cameras. However, as devastating as these botnet attacks were, they are just one of the many threats facing network surveillance installations today.
Last month, the Washington Post reported that just prior to the presidential inauguration, ransomware infected 70 percent of the storage devices used to record footage from the city’s police camera network. The city refused to pay the ransom and was able to solve the problem by taking the appliances offline, removing all software and restarting them, the newspaper reported. Although the outcome caused minimal damage beyond man hours in this case, it demonstrates the myriad risks and needed protections facing end-users and systems integrators.
According to Hart Brown, senior vice president, organizational resilience for insurance brokerage firm HUB International, safeguarding against ransomware and other types of cyber intrusions into physical security equipment now extends beyond organizations relying on their integrators to practice good cybersecurity hygiene. The end-users must have an understanding of the devices themselves and the applications being used to drive them.
“What’s happening in this space is that many of the hacks are occurring directly against the devices,” explains Brown, who is also a certified ethical hacker and chair of the ASIS Crisis Management & Business Continuity Council. “When they are going after the devices, many times they are using very simple hacking techniques – it is a matter of those devices having default passwords, using antiquated software with vulnerabilities that have never been patched. There are a number of (vulnerabilities) which allow hackers an easier mechanism to get into the devices.”
Brown recommends end-users familiarize themselves with their security supply chain – from the components all the way to the endpoint – to determine if adequate controls are in place. As a part of that process, Brown says security executives should also get to know their individual vendors and find out if they have mechanisms in place for responsible vulnerability disclosures and the ability to support and fix any cyber vulnerability that is discovered throughout the lifecycle of the device.
Who is to Blame?
Ray Coulombe, president of SecuritySpecifiers.com and monthly columnist for SD&I and STE magazines, says that both people and products with weak cyber protections are to blame for many of the threats that exist today. “Manufacturers need to have the will and the processes in place to develop and support hardened products, and to make their products patchable – some are, but many aren't,” Coulombe says. “Users must incorporate cyber hardening into their decision and deployment criteria. Backup strategies need to be in place to deal with ransomware incidents, including cloud and other off-site. For all, the mindset to deal with these threats needs to be there.”
The Federal Trade Commission has decided to hold manufacturers responsible as it recently filed a lawsuit against camera maker D-Link alleging that company failed to take reasonable steps to secure its IP cameras which could have allowed hackers to view live video and audio feeds.
While there has been a tendency towards pointing fingers in the industry as to whom exactly bears the most blame for this issue, Coulombe says everyone is culpable to some extent. “Manufacturers are to blame to various degrees,” he says. “Some are pretty good; others have had their heads in the sand; however, you can build all the cyber features you can think of into products, but if users don't use them, what good are they? Some actions, like changing from default passwords, can be forced; many others can't.”
Because there have historically not been very many IT networks infiltrated by hackers as a result of compromised security devices, Brown says it is an area that not many people paid attention to until recently. “As we’ve gone through the development of these devices – starting with analog devices turning into IP devices – they were historically very closed-loop systems that had inherent protective measures inside them,” Brown explains. “Over time, that has changed, in many cases due to convenience, pricing and increased capabilities. As we opened those networks, I don’t think security was necessarily at the forefront of that transition.”
However, because the concept of securing data has itself become commoditized, Brown believes the cybersecurity robustness of products will be a differentiator for many companies in the industry moving forward. “The ability to protect that data has value, and it is not necessarily the least expensive option that may be the best option or the one that many clients choose,” Brown says. “Then it is a matter of the integrators, manufacturers and others making the determination on their own about what is going to make them the most competitive, and I think the ability to secure these devices is going to be a significant advantage.”
Mitigating Cyber Threats
Although it has been pointed out numerous times as one of the biggest cybersecurity shortfalls in the industry, Brown emphasizes the importance of changing default passwords and other settings in cameras, calling it the “low-hanging fruit” that every hacker will look to exploit. Additionally, Brown says organizations need to have a process in place to be able to update cameras and other devices when firmware patches are released.
“What we see, in some cases, are integrators that maintain positive communications with their clients in making sure these things are upgraded in a timely manner; and we also see some that do not,” Brown says. “Even when we have the ability to fix the devices and create patches, in many cases, organizations don’t do so because they are either unaware or they are relying on an integrator who isn’t being communicative.”
Additionally, Brown says organizations should be diligent in gathering as much information as they can about current cybersecurity trends and what is going on within the hacking community. This will help both end-users and integrators have a better feel for what the current threat vectors look like and what areas they may need to shore up from a security perspective.
Aside from implementing some basic cybersecurity safeguards, such as the ones suggested by Brown, Coulombe says it remains incumbent on everyone involved in the security ecosystem – manufacturers, integrators and end-users – to play a role in protecting systems against attack.
“Good cyber hygiene should be the first level of defense, and this includes being aware of malware threats that enter a network through the email system,” Coulombe says. “However, manufacturers need to make cyber hardening a priority in the development process and communicate that to the market. Organizational and IT management need strong enforceable and communicated policies and procedures to protect themselves. Even with this, plans must be in place should all best efforts fail.”