A Conduit For Attack

A Conduit For Attack

What every retailer should know about managing patches and updates

In the days of analog DVR-based surveillance systems, the biggest worries retailers faced were equipment failure and theft of the recording medium. As closed systems, their problems remained contained within those systems. But in today’s surveillance landscape, where an ever-greater number of IPbased cameras ride on the corporate network, retailers need to understand their video security system’s vulnerabilities in a whole new light.

Specifically, any under-protected, network-connected device presents a potentially exploitable entry point for attacking every system and any data on the network, from point-of-sale transactions and credit card processing to strategic business plans and company financials. With today’s PCI requirements pushing physical and cyber security closer together, addressing this topic becomes paramount.

TAKE A LESSON FROM YOUR IT COUNTERPARTS

When it comes to network security, IP-based cameras are relatively new kids on the block. But the guiding principles for securing those devices are the same as IT uses for any device sharing their network. So it makes sense for Loss Prevention and Asset Protection Departments to reach across the organization to their IT counterparts for expertise and guidance in protecting their surveillance technology.

So, what are some of the best practices LP and AP can apply to their video systems?

Change factory default log-in credentials. This is a common oversight that needs to be addressed before the device goes live. Back in the days of analog, if the DVR had password protection it was generally the default one and couldn’t be changed or updated. However, with IP systems password control is in the hands of the end user. When changing the default log-in, make sure that users create strong passwords that are at least eight characters in length that incorporate a mix of uppercase and lowercase letters, numbers and symbols. To maintain security, users should change their passwords with some frequency.

Create a least-privilege access hierarchy. Also during the analog days, rights and privileges were generally global in scope. If you had access to the system, you had access to the entire system. IP systems give you much more granular control. When creating user accounts be sure to grant only those privileges that are essential to a user’s daily job performance and nothing more. If you let users access your company’s network video recorders and IP cameras using an admin’s root credentials, those credentials risk compromise and then hackers can gain wholesale access to the entire network.

Be diligent about configuration and patch management. Being a closed system, analog technology was inherently difficult for IT departments to update and manage. But the open standards used by today’s IP systems allow them to evolve over time. This puts the onus on companies be sure their operation keeps pace with the changing threat landscape. Failing to update years-old firmware can leave your surveillance system exposed to many known virus and malware and give hackers an open door to the network through your camera.

Track attempted hacks and breaches. The best way to shore up defenses against future attacks is to understand what’s happening on the network today. This is where the partnership with IT becomes paramount. IT usually owns the network monitoring technology and possesses the log analysis skills to identify unauthorized access attempts and breaches. They can help pinpoint the exploitable weaknesses in your surveillance technology and devise strategies for hardening your devices.

THE PENALTY FOR LAX SECURITY PRACTICES

Because of their high-capacity processing power many IP cameras are delivering added value beyond traditional security. With the ability to run onboard analytics such as people counting, traffic patterns, dwell time, line queuing and more, they’re able to provide retailers with vital business intelligence to improve marketing, merchandising, and operations. But those added apps present yet another layer of potential vulnerability that must be tightly managed.

The lack of cybersecurity awareness coupled with careless security precautions (such as haphazard application of updates and patches) invariably opens the door for malware infection and exploitation.

Denial of service. One of the more common attacks is denial of service. Whether through an intentional internal act, a mistaken download of particular software, or an external attack, the malware purposefully increases communication on the network, eventually clogging the network by repeatedly flooding it with tens of thousands of requests per second. Once the network is clogged, retailers can no longer conduct business—including POS transactions, credit card verification and other mission critical activity.

Port hijacking. Oftentimes hijackers will troll for open, unsecured ports that they can commandeer to gain access to the network or they gain physical access to your network by grabbing the network cable from an outdoor camera and plugging into their laptop. Once inside your system they can do unlimited damage.

Brute-force dictionary attacks. This attack’s name comes from the way hackers try to penetrate the system: trying as many permutations and combinations as there are words in a dictionary. When faced with a log-in credential request—a decryption key or passphrase—sophisticated hackers try hundreds or even millions of likely possibilities to defeat the authentication mechanism. Once this line of defense is breached they can penetrate any part of the system that credential is authorized to access.

OUTSMARTING MALICIOUS ATTACKERS

In addition to the lessons from IT, industry specialists recommend a number of other steps you can take to secure your surveillance devices and your network.

  • When using your smart devices implement security principles such as input validation, bounds checking, access control and authentication.
  • Encrypting communications is good, but if the keys are readily available then all they do is delay an attacker rather than stop him. Keys should be guarded as closely as possible and not recorded in logs. They should also be protected against resetting by an untrusted party.
  • If encryption is used on an interface then the secret information contained within should not then be decrypted and passed on via an unencrypted interface as it defeats the purpose of encryption. Encryption/ decryption should be used as quickly and discretely as possible then cleared from memory.
  • Firmware should be signed and encrypted to prevent bad firmware uploads or tampering. Failure to do this not only carries security risks but business risks as well since smart devices like cameras rely on their firmware to protect their customers. Open source firmware—such as Jail Break which allows the device to download free software—opens that device to future attacks because developers rarely issue updates to repair security gaps.

IS IT ALL DOOM AND GLOOM?

Cybersecurity for surveillance systems certainly grows more challenging every year. As a retailer, your environment often stretches across a wide geographic area and includes a host of network attached devices. Managing cybersecurity on such a large scale might seem quite daunting, but consider looking to your own IT department for guidance and partnership. Employing the same common sense security policies and practices that they already have in place will help you mitigate your risks. It will also give your enterprise a much more cohesive and holistic approach to loss prevention, operations, strategic merchandising and overall cyber protection. In turn, that will help you safeguard your assets, your bottom line and your brand.

This article originally appeared in the June 2016 issue of Security Today.

Featured

Featured Cybersecurity

Webinars

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3