A Conduit For Attack

A Conduit For Attack

What every retailer should know about managing patches and updates

In the days of analog DVR-based surveillance systems, the biggest worries retailers faced were equipment failure and theft of the recording medium. As closed systems, their problems remained contained within those systems. But in today’s surveillance landscape, where an ever-greater number of IPbased cameras ride on the corporate network, retailers need to understand their video security system’s vulnerabilities in a whole new light.

Specifically, any under-protected, network-connected device presents a potentially exploitable entry point for attacking every system and any data on the network, from point-of-sale transactions and credit card processing to strategic business plans and company financials. With today’s PCI requirements pushing physical and cyber security closer together, addressing this topic becomes paramount.

TAKE A LESSON FROM YOUR IT COUNTERPARTS

When it comes to network security, IP-based cameras are relatively new kids on the block. But the guiding principles for securing those devices are the same as IT uses for any device sharing their network. So it makes sense for Loss Prevention and Asset Protection Departments to reach across the organization to their IT counterparts for expertise and guidance in protecting their surveillance technology.

So, what are some of the best practices LP and AP can apply to their video systems?

Change factory default log-in credentials. This is a common oversight that needs to be addressed before the device goes live. Back in the days of analog, if the DVR had password protection it was generally the default one and couldn’t be changed or updated. However, with IP systems password control is in the hands of the end user. When changing the default log-in, make sure that users create strong passwords that are at least eight characters in length that incorporate a mix of uppercase and lowercase letters, numbers and symbols. To maintain security, users should change their passwords with some frequency.

Create a least-privilege access hierarchy. Also during the analog days, rights and privileges were generally global in scope. If you had access to the system, you had access to the entire system. IP systems give you much more granular control. When creating user accounts be sure to grant only those privileges that are essential to a user’s daily job performance and nothing more. If you let users access your company’s network video recorders and IP cameras using an admin’s root credentials, those credentials risk compromise and then hackers can gain wholesale access to the entire network.

Be diligent about configuration and patch management. Being a closed system, analog technology was inherently difficult for IT departments to update and manage. But the open standards used by today’s IP systems allow them to evolve over time. This puts the onus on companies be sure their operation keeps pace with the changing threat landscape. Failing to update years-old firmware can leave your surveillance system exposed to many known virus and malware and give hackers an open door to the network through your camera.

Track attempted hacks and breaches. The best way to shore up defenses against future attacks is to understand what’s happening on the network today. This is where the partnership with IT becomes paramount. IT usually owns the network monitoring technology and possesses the log analysis skills to identify unauthorized access attempts and breaches. They can help pinpoint the exploitable weaknesses in your surveillance technology and devise strategies for hardening your devices.

THE PENALTY FOR LAX SECURITY PRACTICES

Because of their high-capacity processing power many IP cameras are delivering added value beyond traditional security. With the ability to run onboard analytics such as people counting, traffic patterns, dwell time, line queuing and more, they’re able to provide retailers with vital business intelligence to improve marketing, merchandising, and operations. But those added apps present yet another layer of potential vulnerability that must be tightly managed.

The lack of cybersecurity awareness coupled with careless security precautions (such as haphazard application of updates and patches) invariably opens the door for malware infection and exploitation.

Denial of service. One of the more common attacks is denial of service. Whether through an intentional internal act, a mistaken download of particular software, or an external attack, the malware purposefully increases communication on the network, eventually clogging the network by repeatedly flooding it with tens of thousands of requests per second. Once the network is clogged, retailers can no longer conduct business—including POS transactions, credit card verification and other mission critical activity.

Port hijacking. Oftentimes hijackers will troll for open, unsecured ports that they can commandeer to gain access to the network or they gain physical access to your network by grabbing the network cable from an outdoor camera and plugging into their laptop. Once inside your system they can do unlimited damage.

Brute-force dictionary attacks. This attack’s name comes from the way hackers try to penetrate the system: trying as many permutations and combinations as there are words in a dictionary. When faced with a log-in credential request—a decryption key or passphrase—sophisticated hackers try hundreds or even millions of likely possibilities to defeat the authentication mechanism. Once this line of defense is breached they can penetrate any part of the system that credential is authorized to access.

OUTSMARTING MALICIOUS ATTACKERS

In addition to the lessons from IT, industry specialists recommend a number of other steps you can take to secure your surveillance devices and your network.

  • When using your smart devices implement security principles such as input validation, bounds checking, access control and authentication.
  • Encrypting communications is good, but if the keys are readily available then all they do is delay an attacker rather than stop him. Keys should be guarded as closely as possible and not recorded in logs. They should also be protected against resetting by an untrusted party.
  • If encryption is used on an interface then the secret information contained within should not then be decrypted and passed on via an unencrypted interface as it defeats the purpose of encryption. Encryption/ decryption should be used as quickly and discretely as possible then cleared from memory.
  • Firmware should be signed and encrypted to prevent bad firmware uploads or tampering. Failure to do this not only carries security risks but business risks as well since smart devices like cameras rely on their firmware to protect their customers. Open source firmware—such as Jail Break which allows the device to download free software—opens that device to future attacks because developers rarely issue updates to repair security gaps.

IS IT ALL DOOM AND GLOOM?

Cybersecurity for surveillance systems certainly grows more challenging every year. As a retailer, your environment often stretches across a wide geographic area and includes a host of network attached devices. Managing cybersecurity on such a large scale might seem quite daunting, but consider looking to your own IT department for guidance and partnership. Employing the same common sense security policies and practices that they already have in place will help you mitigate your risks. It will also give your enterprise a much more cohesive and holistic approach to loss prevention, operations, strategic merchandising and overall cyber protection. In turn, that will help you safeguard your assets, your bottom line and your brand.

This article originally appeared in the June 2016 issue of Security Today.

Featured

Featured Cybersecurity

Webinars

New Products

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis. 3