In early March of last year, one of the most brazen cyber-attacks occurred as more than 150,000 video surveillance cameras deployed on myriad organizations’ network cloud platforms were compromised by a group of hackers. These cybercriminals accessed and published live video feeds from the likes of Tesla and Cloudflare, along with videos and images apparently taken from a variety of other clients of this particular video software solutions provider.
The most frightening aspect of this cybersecurity incursion was that the hackers were not looking to harm their victims’ brands, nor did they demand ransom for hostage data. These were amateur hackers who attacked these video surveillance systems’ endpoint vulnerabilities because they could. The hackers found legitimate credentials to access the cloud accounts and were able to navigate through live video feeds for two days, accessing tens of thousands of cameras, some of which were streaming sensitive data.
Every video technology vendor and end user realizes that if their cameras and servers are on the organization’s network, they will eventually become a target of a cybersecurity breach. In this installment of Security Technology Executive’s series of Tech Roundtables, editorial director Steve Lasky shares the importance of good video security hygiene with Aaron Saks, a senior product and technical training manager for Hanwha Techwin America. Saks’ primary responsibilities include managing the development of training and certification programs for various user groups. He also authors various technical documents, white papers, sales materials, and other literature. As new products are developed, he provides extensive testing and benchmarking to ensure high-quality products are released. STE also talks with Dustin Giltnane, the director of business development for Bankpak Inc., where he leads the sales team. His team is dedicated to meeting the security needs of bankers throughout the southeastern United States.
STE: Because surveillance cameras often still operate during cyber-attacks and continue to capture video, your first reaction may be, “why should I care?”
Aaron Saks: Of course, a bank should care. If someone gets the data off your cameras, then they can either hold that data hostage or convert it into bots to do their bidding against you. If the data or the servers are important, then they should be protected. If they're mission-critical, they need even more protection.
If you expect to rely on these devices to work at all times, then cybersecurity needs to be considered directly alongside physical security and not separately, to ensure you’re in the best position to capture the key footage that will assist in future forensic investigations.
It used to be that people would say “my system is standalone; it doesn't matter.” But the truth is very few surveillance systems are truly air-gapped. There may be cameras segmented on one network, but what’s often overlooked is that a VMS server or NVR is usually sitting in between them and those could be exploited.
Dustin Giltnane: Many of our customers are dealing with physical security attacks just as often as cybersecurity attacks. Those physical security attacks range from people walking up to a teller trying to pass a fraudulent check up to more significant criminal activities. Online, it could include identity theft or misuse of customer information. These activities are linked so both departments need to work together as one team. At many banks, fraud and risk management are continuing to get more attention, and physical security departments need to work closely with IT teams to guard against on-premise and cyber-attacks. It’s important to have state-of-the-art camera systems like those installed at Wilson Bank, acting as a first line of defense against fraud of any type at a financial institution.
STE: Do camera passwords matter and why?
Saks: Weak passwords are one of the biggest reasons why devices get hacked. There are bots on the internet just continually scanning, probing and trying to find any vulnerability to exploit, especially default passwords. Once someone gets access to a password, they don't need to “hack” your system. They can just walk in the front door. Just as you wouldn’t leave your front door open or unlocked and expect privacy, it's the same with passwords. Anyone can easily tamper with a camera or networked device.
Even if a bank’s cameras aren’t attached to the internet, the growing number of devices in between each camera – VMS servers, switches – can easily be compromised, in turn making the connected devices internet accessible. There will always be bad actors trying to hack a system, especially when money or data are the ultimate goals. Having insecure and weak passwords without the proper levels of complexity is guaranteed to eventually fail. That's why Hanwha implemented a policy against putting default passwords in our cameras. It makes it too easy for people to choose the path of least resistance.
Giltnane: Yes, they definitely matter. Specifically at Wilson Bank, we change every camera’s password regularly and we never leave the default admin passwords because that is an easy point of penetration for a cyber-attacker. We recommend changing passwords quarterly or at least during every firmware update. Also, if your password is extremely simple, like 12345, then that’s an open invitation for attackers. We've also seen situations where certain bank employees, or even known customers, are allowed entry to an IT room where cameras are installed. If their intent is malicious, then they may be able to log in to those cameras and perform any number of illegal activities, if the password is not strong enough. We recommend a mix of numbers and characters, making them as strong as they can be to successfully block any attempts at camera or network intrusions.
STE: Should cameras be set up on the network with one login used by the VMS that allows for streaming video only and an admin login that is only used on rare occasions, such as updating firmware?
Saks: It really depends on the VMS. From a cyber-security perspective, there's what's called the principle of least required privilege. That means giving each system user – and one user could be your VMS – the minimal level of permission they need for their jobs. For example, if someone wants to stream video, they don’t need admin-level permission to do that. The concept behind this is that if your VMS server gets attacked, they're not going to get my admin credentials because I'm not sending my admin credentials. However, some VMS systems do require admin credentials if they are pushing settings to the camera. To make this process more secure, Hanwha recently implemented a firmware update with the ability to have multiple admin users in a camera for that purpose, as well as audit capabilities.
Now I can have my top-level admin access, and that's restricted to system maintenance. If a technician needs to go on-site for a firmware update, they can use one password, but for my day-to-day operations, users can log in with a different account. That account may still have admin permissions, but it's at least segregating out the user roles so there's less chance of those credentials leaking out.
Giltnane: Yes. We set up a login for every user with system access and then we create different profiles and permission rights. One benefit of the Hanwha WAVE system is that you can be as granular or as broad as necessary. For example, we'll have an admin login that allows a user to view all cameras at any branch and make any settings changes. The user has full access to the system. Then we go to a branch manager level which only has access to the cameras at their branch. They can't make any settings, but they can export video and view all cameras at the branch. Then another setting could be for either branch staff or head teller that only has access to the teller cameras if they need to review a specific transaction.
Our standard operating procedure, at Wilson and other banks, is to organize the system to the point where everybody has their own login. No logins are shared, so you can use the audit reporting feature and you can determine who's seeing what and what they can view.
STE: What are the unique security requirements for banks and financial institutions?
Saks: Financial institutions have a unique set of requirements when it comes to security and surveillance, beyond the traditional methods of on-premise security camera monitoring for keeping employees and customers safe. Keeping pace with the rise in online banking, mobile payments and electronic transactions is the growing threat of cybersecurity attacks. New innovations in technology can also create new opportunities for suspicious or malicious activity – making security a priority for any organization, but especially financial institutions.
Giltnane: Banks are unique environments and as such have unique security requirements. That’s why we’ve developed a set of security recommendations for our bank customers, based on a two-tier principle.
For example, tier one covers any area where cash is handled or transferred including teller transaction areas or the teller counter space. This also includes remote lanes and ATMs, where cash is transferred through mechanical means. Other examples include banks with mobile branches where they have a large motor vehicle or something similar that's set up as a mobile bank. These are areas unique to financial institutions that require specific types of security and surveillance.
Tier two covers bank-specific requirements but also requirements that could apply to other critical applications. For example, the need to protect your physical infrastructure, or capture facial images or other identifying information of customers for use in forensic investigations. For every location, depending on if it's an operations center or loan processing center or a retail branch, there are different security requirements and considerations, which are constantly changing and evolving.
STE: How can upgrading a bank's camera infrastructure deliver enhanced cyber security (investigating or prosecuting identity theft or fraud)?
Saks: To echo what Bankpak said, yes, keeping your security infrastructure current is critical, to ensure you have access to the latest surveillance capabilities. I’ll just provide a few examples of the technologies being deployed in newer devices, to show the importance of staying up to date. Like nearly every business operating today, a growing number of banking and financial institutions are realizing the benefits of Artificial Intelligence (AI). Beyond protecting and monitoring, surveillance and security solutions are increasingly incorporating onboard analytics delivering data that can drive intelligent business decisions. The role of data and analytics will continue to expand significantly in 2022 and beyond, as customers combine edge computing and AI to complement and enhance data collection and analytics.
The use of Edge AI, especially with analytics based on deep learning algorithms, can be a key element in a range of “smart network” surveillance applications. These include object detection and classification, especially in remote applications like drive-through lanes or ATM kiosks – all while reducing latency and system bandwidth burdens and enabling real-time data gathering and situational monitoring.
AI and edge computing will continue to improve the efficiency and effectiveness of network video surveillance systems, applying analytics (object, loitering, virtual line and area crossing detection to name a few) to monitor every type of area or situation.
Giltnane: Keeping your security and surveillance infrastructure up to date is incredibly important, so you continually have access to the latest features and capabilities for capture and recognition. We estimate that 95% of legacy camera systems don’t have the capabilities necessary to meet a bank’s unique modern security requirements. It’s incredible in this day and age that we’ve still got customers with black and white cameras. By simply upgrading their infrastructure there’s so much more they can do that they wouldn’t have been able to do even a year ago.
The newer cameras have much better resolution and color contrast, with powerful zoom capabilities allowing you to capture up-close views of any key area in a bank. Even with a basic newer model, it’s possible to clearly capture tags, bumper stickers and any other identifying information from multiple vantage points. Newer models even employ Artificial Intelligence technology, so they can “learn” to detect suspicious activity. For example, if a car pulls up perpendicular to an ATM rather than alongside it, the camera will detect a possible attempt to rob that machine.