A Conduit For Attack

A Conduit For Attack

What every retailer should know about managing patches and updates

In the days of analog DVR-based surveillance systems, the biggest worries retailers faced were equipment failure and theft of the recording medium. As closed systems, their problems remained contained within those systems. But in today’s surveillance landscape, where an ever-greater number of IPbased cameras ride on the corporate network, retailers need to understand their video security system’s vulnerabilities in a whole new light.

Specifically, any under-protected, network-connected device presents a potentially exploitable entry point for attacking every system and any data on the network, from point-of-sale transactions and credit card processing to strategic business plans and company financials. With today’s PCI requirements pushing physical and cyber security closer together, addressing this topic becomes paramount.

TAKE A LESSON FROM YOUR IT COUNTERPARTS

When it comes to network security, IP-based cameras are relatively new kids on the block. But the guiding principles for securing those devices are the same as IT uses for any device sharing their network. So it makes sense for Loss Prevention and Asset Protection Departments to reach across the organization to their IT counterparts for expertise and guidance in protecting their surveillance technology.

So, what are some of the best practices LP and AP can apply to their video systems?

Change factory default log-in credentials. This is a common oversight that needs to be addressed before the device goes live. Back in the days of analog, if the DVR had password protection it was generally the default one and couldn’t be changed or updated. However, with IP systems password control is in the hands of the end user. When changing the default log-in, make sure that users create strong passwords that are at least eight characters in length that incorporate a mix of uppercase and lowercase letters, numbers and symbols. To maintain security, users should change their passwords with some frequency.

Create a least-privilege access hierarchy. Also during the analog days, rights and privileges were generally global in scope. If you had access to the system, you had access to the entire system. IP systems give you much more granular control. When creating user accounts be sure to grant only those privileges that are essential to a user’s daily job performance and nothing more. If you let users access your company’s network video recorders and IP cameras using an admin’s root credentials, those credentials risk compromise and then hackers can gain wholesale access to the entire network.

Be diligent about configuration and patch management. Being a closed system, analog technology was inherently difficult for IT departments to update and manage. But the open standards used by today’s IP systems allow them to evolve over time. This puts the onus on companies be sure their operation keeps pace with the changing threat landscape. Failing to update years-old firmware can leave your surveillance system exposed to many known virus and malware and give hackers an open door to the network through your camera.

Track attempted hacks and breaches. The best way to shore up defenses against future attacks is to understand what’s happening on the network today. This is where the partnership with IT becomes paramount. IT usually owns the network monitoring technology and possesses the log analysis skills to identify unauthorized access attempts and breaches. They can help pinpoint the exploitable weaknesses in your surveillance technology and devise strategies for hardening your devices.

THE PENALTY FOR LAX SECURITY PRACTICES

Because of their high-capacity processing power many IP cameras are delivering added value beyond traditional security. With the ability to run onboard analytics such as people counting, traffic patterns, dwell time, line queuing and more, they’re able to provide retailers with vital business intelligence to improve marketing, merchandising, and operations. But those added apps present yet another layer of potential vulnerability that must be tightly managed.

The lack of cybersecurity awareness coupled with careless security precautions (such as haphazard application of updates and patches) invariably opens the door for malware infection and exploitation.

Denial of service. One of the more common attacks is denial of service. Whether through an intentional internal act, a mistaken download of particular software, or an external attack, the malware purposefully increases communication on the network, eventually clogging the network by repeatedly flooding it with tens of thousands of requests per second. Once the network is clogged, retailers can no longer conduct business—including POS transactions, credit card verification and other mission critical activity.

Port hijacking. Oftentimes hijackers will troll for open, unsecured ports that they can commandeer to gain access to the network or they gain physical access to your network by grabbing the network cable from an outdoor camera and plugging into their laptop. Once inside your system they can do unlimited damage.

Brute-force dictionary attacks. This attack’s name comes from the way hackers try to penetrate the system: trying as many permutations and combinations as there are words in a dictionary. When faced with a log-in credential request—a decryption key or passphrase—sophisticated hackers try hundreds or even millions of likely possibilities to defeat the authentication mechanism. Once this line of defense is breached they can penetrate any part of the system that credential is authorized to access.

OUTSMARTING MALICIOUS ATTACKERS

In addition to the lessons from IT, industry specialists recommend a number of other steps you can take to secure your surveillance devices and your network.

  • When using your smart devices implement security principles such as input validation, bounds checking, access control and authentication.
  • Encrypting communications is good, but if the keys are readily available then all they do is delay an attacker rather than stop him. Keys should be guarded as closely as possible and not recorded in logs. They should also be protected against resetting by an untrusted party.
  • If encryption is used on an interface then the secret information contained within should not then be decrypted and passed on via an unencrypted interface as it defeats the purpose of encryption. Encryption/ decryption should be used as quickly and discretely as possible then cleared from memory.
  • Firmware should be signed and encrypted to prevent bad firmware uploads or tampering. Failure to do this not only carries security risks but business risks as well since smart devices like cameras rely on their firmware to protect their customers. Open source firmware—such as Jail Break which allows the device to download free software—opens that device to future attacks because developers rarely issue updates to repair security gaps.

IS IT ALL DOOM AND GLOOM?

Cybersecurity for surveillance systems certainly grows more challenging every year. As a retailer, your environment often stretches across a wide geographic area and includes a host of network attached devices. Managing cybersecurity on such a large scale might seem quite daunting, but consider looking to your own IT department for guidance and partnership. Employing the same common sense security policies and practices that they already have in place will help you mitigate your risks. It will also give your enterprise a much more cohesive and holistic approach to loss prevention, operations, strategic merchandising and overall cyber protection. In turn, that will help you safeguard your assets, your bottom line and your brand.

This article originally appeared in the June 2016 issue of Security Today.

Featured

  • It's Show Time

    I am one of those people that likes to see things get bigger and better. As advertised, ISC West is going to be bigger (more exhibitors) and better (more attendees). It’s show time in Las Vegas. Read Now

    • Industry Events
    • ISC West
  • SIA Releases New Report on Operational Security Technology

    The Security Industry Association (SIA) has released an impactful new resource – Operational Security Technology: Principles, Challenges and Achieving Mission-Critical Outcomes Leveraging OST. Read Now

  • Cyber Overconfidence Is Leaving Your Organization Vulnerable

    The increased sophistication of cyber threats pumped by the relentless use of AI and machine learning brings forth record-breaking statistics. Cyberattacks grew 44% YoY in 2024, with a weekly average of 1,673 cyberattacks per organization. While organizations up their security game to help thwart these attacks, a critical question remains: Can employees identify a threat when they come across one? A Confidence Gap survey reveals that 86% of employees feel confident in their ability to identify phishing attempts. But things are not as rosy as they appear; the more significant part of the report finds this confidence misplaced. Read Now

  • Mission 500 Debuts Refreshed Identity Ahead of Security 5K/2K at ISC West

    Mission 500, the security industry’s nonprofit charity dedicated to supporting children in need across the US, Canada, and Puerto Rico, has unveiled a refreshed brand identity ahead of ISC West. The charity’s new look includes a modernized logo with refined messaging to reinforce Mission 500’s nearly decade-long commitment to serving the needs of children and families in crisis. Read Now

    • Industry Events

New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.

  • ComNet CNGE6FX2TX4PoE

    The ComNet cost-efficient CNGE6FX2TX4PoE is a six-port switch that offers four Gbps TX ports that support the IEEE802.3at standard and provide up to 30 watts of PoE to PDs. It also has a dedicated FX/TX combination port as well as a single FX SFP to act as an additional port or an uplink port, giving the user additional options in managing network traffic. The CNGE6FX2TX4PoE is designed for use in unconditioned environments and typically used in perimeter surveillance.

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.