Private and Secure
What it takes to ensure your infrastructure is safe
- By Andrew Elvish
- Mar 01, 2016
Cyberattacks are on the rise. Whether via IT infrastructure or internally,
the Security Industry faces the challenge of guaranteeing
that the data in their systems remains private, properly protected
and encrypted.
We are confronted with how our privacy is impacted almost
daily. Whether you are part of a multinational organization, run a retail store,
work for a local school board, or are simply a member of the public, our privacy—
and who has access to it—is always a concern.
To get a sense of just how far-reaching these concerns are, in North America,
there is a weekly network television drama focused entirely on cyber threats and
cyberterrorism. When you are in the business of providing security, you take these issues
very seriously. But, you also know the difference between mitigating real danger
and worrying about fictional scenarios crafted to maximize dramatic impact.
It is no surprise that security professionals are paying closer attention than
ever before to the growing number of cyberattacks that have the potential to cause
breaches and expose sensitive data. As IP-based security systems continue to be
implemented and used to keep citizens, cities, governments, municipal infrastructure
and private corporations safe, the need to assure all parties that recorded
content is being kept secure and private is increasing. With advanced encryption,
authentication, and authorization technologies, the security industry is meeting
their customers’ requirements and assuring them that their security is kept private
and secure.
SYSTEM VULNERABILITIES
Flexibility and accessibility are some of the main benefits of implementing IPbased
security systems. In addition to supporting on-premises, cloud, and hybrid
security applications for video surveillance and access control that protect people
and assets, end-users can benefit from the ability to access the system through multiple
means, including desktop, web, and mobile apps. With real-time events, instantaneous
notifications and advanced reporting, IP-based security systems have
helped reduce security concerns related to hardware tampering and unauthorized
access and have enhanced investigations when something does happen.
These new systems, when not properly protected,
can be vulnerable to new kinds of threats. The majority
of these threats relate to the valuable data shared,
stored and moved within these systems. In light of
these potential threats, safeguarding the integrity of
the data and protecting it against hacking are increasingly
important for today’s security and IT staff.
Hacking a security system can take any number of
forms. In a brute-force attack, a hacker simply guesses
at passwords, but a hacker can also use more sophisticated
tactics to recover longer, more complex data that
is being stored or transmitted by a security system.
Using a packet-sniffer, a hacker can capture data
packets that can be used to obtain passwords and other
sensitive data, like video content, in-transit over the
network. A man-in-the-middle attack occurs when a
user gets between a sender and a receiver and sniffs
information. Oftentimes, the hacker listens until the
client sends a user name and password to the server,
which gives the hacker the credentials necessary to access
the system.
In addition, after reading and potentially altering
the data, the attacker can then send it along without
the receiver having any knowledge that the exchange
is not secure. Since neither the sender nor the receiver
is aware that this has occurred, they have no way
of knowing that their data has been tampered with
or corrupted.
Even though IP-based physical security systems
may be vulnerable to new types of threats, the good
news is that they can take advantage of new methods
of protecting against these same threats. In fact, security
professionals can now look to a new class of
security systems that leverage several technologies, including
the latest encryption protocols and advanced
forms of authentication, to keep their security system’s
infrastructure secure, to protect the privacy of
the subjects or environments under surveillance, and
to ensure that only authorized personnel have access
to sensitive data.
THE SECURITY-OF-SECURITY
Security and IT professionals began reading about
the Security-of-Security in 2015. More than simply
securing people and buildings, it refers to a greater
need for securing all assets, including the networks
and data, that comprise a physical security system.
This includes the ability to keep these systems safe
from cyber- threats and attacks as well as illegal or
unauthorized access from both inside and outside an
organization.
The main concerns related to the security of physical
security systems include:
Securing communications between client apps and
servers
- Protecting data within the system, including video
streaming from a camera or recording device or
server
- Authenticating users when logging into a system
- Assigning the proper access rights to users with
access
Ensuring the privacy of video surveillance data
means encrypting the data both in-transit and at-rest,
whether it is on-premises or in the Cloud, and providing
ways to authenticate and verify who can have access
to the data at any given time.
KEEPING VIDEO SURVEILLANCE
DATA PRIVATE VIA ENCRYPTION
A key strategy for keeping sensitive data private,
whether in-transit or at-rest, is encryption. Encryption
helps protect private information and sensitive
data and can enhance the security of communication
between client apps and servers. When an organization
encrypts the data in its physical security system,
it is essentially protecting or hiding it from unauthorized
users.
To encrypt data, the system uses an algorithm to
translate plaintext into unreadable cypher text. This
data can then be read only by an authorized user employing
a decryption key to translate it back to readable
plaintext. There are two types of encryption algorithms:
symmetric and asymmetric.
With a symmetric algorithm, both encryption and decryption
keys are the same. This means that the same key
must be used to enable secure communication. Asymmetric algorithm encryption utilizes
two separate-but-mathematically linked
encryption keys. A public key is used to
encrypt the data and can be distributed
while the private key is used to decrypt the
data and, therefore, is kept private.
THE IMPORTANCE OF AUTHENTICATION
IN VIDEO SURVEILLANCE
While encryption can effectively hide
the contents or ensure the confidentiality
of a message, additional security
measures are required to protect the integrity
and authenticity of a message.
Encryption can keep a hacker from
reading the contents of a message, but
it cannot protect its integrity. Even if
a hacker is unable to read the content,
simple encryption cannot keep a message
from being changed and neither
can ensure that the sender of the message
is who they say they are.
The process of authentication allows
a user, client, or server to determine
whether an entity is who they
claim to be. For example, through authentication,
an operator can be certain
that they are connected to their security
system when logging on to a video
surveillance server. There are several
methods of authentication, including
tokens, user name/password combinations,
biometrics, and digital signatures
and certificates.
Claims-based authentication is one
method used by applications to acquire
identity information about users inside
or outside of their organization. This
form of authentication allows an application
to know certain things about
users without interrogating them as
the claims are transported in an envelope
called a Security Token. One of
the benefits of this method of authentication
is that an application can use
third-party claims providers who offer
well-established systems for authenticating
users. Active Directory Federation
Services (ADFS) is one example of
claims-based authentication through
third-party claims providers.
Another effective method of authentication
is the use of a digital certificate,
an electronic document that proves the
ownership of a public key. The certificate
includes information about that key,
the owner’s identity, and the signature
of the digital entity that attests to the
correctness of the certificate’s contents.
Through the exchange of this authentication
data between the server and the
client application, a user can validate the
authenticity of the server and prevent
man-in-the-middle attacks. While an organization
can issue its own self-signed
certificates, it can also further enhance
security by purchasing certificates from
trusted third-parties, such as a reputable
Certificate Agency (CA).
Transport Layer Security (TLS) uses
both encryption and authentication and
is one of the latest encryption protocols
that can be employed to better protect
physical security systems. TLS provides
secure communications over a network
by protecting communication channels
between a server, such as a video recording
server, and the client application,
such as an alarm monitoring application,
as well as between servers. Using digital certificates, TLS first authenticates the counterpart
in the communication and then negotiates a symmetric
session key that is used to encrypt data during
the conversation.
MAINTAINING PRIVACY THROUGH
AUTHORIZATION
When it comes to video surveillance systems, security
professionals are working hard to guarantee that
video data is secure from unauthorized access. This
means ensuring that surveillance content stays private
and accessible only to authorized users, even in the
event of a theft or interception and developing additional
measures to secure access to system data.
It also means treating video differently based on its
contents. Even when your surveillance data is secure,
you still need mechanisms that allow you to flag video
that is sensitive and to define how it should be treated.
Through authorization, administrators are able to
assign specific rights and privileges to system users.
Security staff can ensure privacy by defining all access
rights for private data, computing resources, and
applications. This means that only authorized entities
are allowed to see sensitive data and that video
transfers in a system have to be explicitly authorized.
Additionally, when video effects, such as blurring or
pixelization are employed to mask identities and protect
sensitive areas, permission can again be required
to view the unaltered footage.
Genetec’s newest security measures will help organizations
mitigate the risk of cyber-threats by implementing
both digital certificates to guarantee trust
within a system and new levels of encrypted communication
between all Security Center components.
The new video encryption methods help ensure
that both live streams and archived video are only
viewable by authenticated and authorized users. Security
Center can also protect recorded streams so
that, even if the recording server is compromised, the
archived video remains encrypted and protected.
Additionally, by establishing secure and trusted
connections, Security Center will help security professionals
authenticate communications within their
system and ensure that neither data nor video can be
exchanged with outside sources. Organizations will
also have the ability to leverage specialized third-party
claims services, including Active Directory Federation
Services (ADFS), for user authentication.
Keeping your data safe is an ongoing and increasing
concern. With the rise in IT cyber-attacks, keeping unauthorized
parties from accessing your data or Security
Platform is more important than ever before. We need to
ensure that security operators are who they claim to be
and that your data is encrypted and
out of the grasp of hackers or interceptors.
This article originally appeared in the March 2016 issue of Security Today.