Making IP Video Cyber Secure
How financial institutions should be implementing video surveillance on their networks
- By Stephen Joseph
- Feb 01, 2017
Financial institutions
have been historically
slow to adopt
IP video surveillance
citing concerns about
possibly compromising
network security. But, in fact, there
are steps institutions can take to harden
network access through the camera so
that the risk is no higher than any other
devices attached to the company’s super
information highway. Furthermore,
the economic and operational advantages
of going digital—from centralized
storage to authorized real-time access
through the cloud to remote diagnostics
and remote maintenance—make a
strong case for migration.
For the transition from analog to digital
surveillance to go smoothly, however,
corporate security officers need to work
closely with their IT counterparts to better
understand and align themselves with current
network policies and standards. They
need to convey bandwidth requirements
for any new technology so that the network
infrastructure can be designed to accommodate
IP video traffic. And they need to
work closely with manufacturers to understand
the security features of the products
they intend to install so that they can limit
potential vulnerabilities to cyber threats.
Cyber Security:
A Process Not a Product
Technology and features are important, but
they won’t eliminate all risks or threats. According
to a report issued by Trustwave Security,
more than 90 percent of successful
breaches are due to human error, poor configuration
and poor maintenance, which is
why it is so important to understand and rigorously adhere to corporate IT standards
and policies when deploying any solution
or device on the corporate network.
This first line defense includes:
- Strong password management:requires
everyone to use strong or complex
passwords with multiple characters,
numbers and special symbols.
- Common sense IT storage policies: restrict
offloading sensitive files to unsecure
locations like DropBox.
- Timely patch downloads, consistent
system upgrades and continuous virus
protection updates.
- Company-wide security education:
embraces a security culture that
teaches users to be more cautious
and automatically report suspicious
behavior.
With active cyber threat analysis, corporate
security officers can identify potential
risks and determine what steps should be
taken for protection. Whether opportunistic
or a targeted attack, it’s impossible
to eliminate all risks. So it’s imperative to
identify the institution’s “critical assets”
and take aggressive measures to make their
protection a priority.
While corporate policies and procedures
for cyber security are all well and
good, without someone to take ownership
of their implementation they’re just
empty words. It would be like putting a
lock on the door and then leaving the key
in it. Furthermore, instituting cyber security
measures isn’t a one-and-done task.
Systems need to be constantly audited to
ensure everyone continues to adhere to
cyber security measures and that those
measures adapt to changing threats and
risks. Risk and threat assessments need to
be the standard and not an exception. In
an environment that’s constantly changing,
these processes need to be evaluated
on a regular basis to ensure new potential
threats have not emerged.
Video Cyber Security:
Part of an Integrated
Protection Strategy
Network cameras don’t determine the level
of security on an institution’s network.
They integrate into the security settings
already in place. Therefore a corporate security
officer should consider a number of
factors when choosing an IP camera.
- Security is a priority: The manufacturer
should have a reputation for providing
cameras with minimal exploitable flaws.
The firmware and interfaces need to be
robust and resilient. All components
should be quality assurance validated.
And the manufacturer should be keeping
abreast of cybersecurity trends and
updating their products in response.
- Built on a standard platform: The
camera and features should easily align
with the organization’s infrastructure
and IT policies. The platform kernel
and services should be constantly
monitored and updated when
vulnerabilities and flaws come to light.
- Ongoing support: The manufacturer/
integrator should provide assistance in
configuring, managing and maintaining
the camera for optimal benefit.
As corporate security dives deeper
into camera features and capabilities
they should examine how they can be
used to harden network protection. For
instance, out of the box cameras come
with default passwords and default settings.
If left as is, they would certainly
provide an exploitable path to the network.
As a standard level of protection,
corporate security should review and
establish configuration standards that
should be implemented. This would include
changing those defaults to strong
passwords and implementing customized
network settings for their specific
network environment. They should also
set the date and time parameters to establish
an audit trail for any setting
changes. Some of the other hardening
measures network cameras should support
include.
- HTTPS encryption for network traffic
- 802.1X protection against port hijacking.
- Unique VMS/client account
credentials.
- Backup admin account credentials.
- Disabling services that aren’t being
used to prevent malware insertion
- An IP address filter to precisely define
what IP traffic can be received and sent
by the router.
- A remote syslog for auditing purposes
- Certificates of authority for managing
and authenticating permissions to
access video .
- Advanced compression algorithms like
H.264, H.265 and Zipstream to minimize
bandwidth consumption and storage.
- Edge storage encryption for installations
where recorded video needs to reside incamera
for an extended length of time.
- In the not-too-distant future, we’ll
likely see IP cameras integrating
with other common network security
features such as: Active Directory for
authenticating and authorizing who
can access, install or update network
camera settings.
- Lightweight Directory Access Protocol
(LDAP) for accessing and maintaining
distributed director information
services over the IP network.
network[WU1].
Creating a Cyber Secure
Ecosystem
A cyber secure ecosystems relies on the
coordinated efforts of physical security
and IT. If corporate security managers
adhere to IT guidelines and best security
practices when implementing their IP
video surveillance system their solution
won’t introduce any more vulnerability to
the institution’s network than any other
device attached to the backbone.
Bringing surveillance into the digital
age provides significant advantages to both
corporate security and the organization
as a whole. First is the adoption of a
technology based on open standards that
can create greater long term value. In an
analog technology world, video systems
and sites usually operate as independent
silos which require extra manpower to
manage and retrieve information. These
proprietary systems have limited scalability
and don’t easily integrate across locations
or with other security technologies such
as fire detection and access control. As
a result, unlike IP-based systems, their
investment value tends to diminish as the
institution grows and expands its portfolio
of security tools.
With IP video, corporate security becomes
a seamless part of the institution’s
digital world and can be more agile and responsive
to threats. IP video provides a security
solution that easily scales and adapts
as the business grows and the landscape of
cyber threats continues to evolve.
This article originally appeared in the February 2017 issue of Security Today.