Don’t Reinvent the Wheel
Six critical cybersecurity issues for video networks
- By Moses Anderson
- Aug 01, 2019
As engineers, integrators, and administrators of IP video management
and other network-based security systems, we rely heavily on the network.
If the core network is not working correctly, or is under attack from
internal as well as external threats, the system will not be able to
perform its functions as intended, and any security breach can reach far
beyond the security network to the rest of the organization's digital
infrastructure.
Edge devices of all types, including cameras, are a vulnerable part
of a network. Any video security system design must take this into
account. Because no single solution can meet all applications or address
all threats, a multi-layered approach is best for deploying an
optimally functional and secure network.
Fortunately, there are proven, standardized frameworks available
that systematically bring together network best practices. There’s no
reason for video surveillance and security professionals to re-invent
the wheel. Taking an IT industry standards approach makes it easy
to design and deploy secure video networks. Here are several network
security topics often overlooked by video surveillance professionals.
Brute Force Attack
A brute force attack is a trial-and-error method used to obtain information
such as user passwords or PINs. Attackers use software that tries different
character combinations in quick succession until one is accepted. Short and
simple passwords, such as those that use only alphabetical characters, fall
far faster than longer passwords with a mix of letters, numbers and special
characters; it is length and randomness that make the search space
impractical. Attackers often persist for hours, days, or even years in
finding a way into a target.
Edge devices are some of the most vulnerable pieces in installations.
Most cameras today can encrypt command-and-control traffic, but to do this
a certificate must be installed on the device. Typically a self-signed
certificate is used. That encrypts the traffic, but it does not by itself
prove the camera's identity: any device can present a self-signed
certificate, so the recording server cannot tell a genuine camera from an
impostor unless it verifies each certificate against something it trusts.
The answer is to introduce a certificate authority and manage the
certificates on both the devices and the recording servers with a
third-party certificate/policy enforcement utility.
Policy management utilities can dictate password changes and password
hygiene. Administrators can specify, for example, that every camera must
have a 25-character password, and the server will randomly generate and
assign one per camera. No person needs to know the passwords; it is enough
that each one resides in both the recording platform and on the camera.
The policy management server can even go out to the cameras and apply
password changes on a schedule, updating the video management system at
the same time so that recording continues without downtime.
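As an added example, not code from the article or from any vendor's policy management product, the following Python tool does what the paragraph above describes: it generates a 25-character random password per camera, pushes it to the camera, and updates the recorder's credential store in an order that never leaves the recorder without a working credential, even when a camera drops the connection mid-change. The Camera and CredentialStore classes are hypothetical stand-ins for a real camera management API and a real VMS credential vault.

```python
"""Added example (not from the article or any vendor's product): a minimal
credential-policy tool that rotates per-camera passwords without ever
leaving the recorder locked out. Camera and CredentialStore are hypothetical
stand-ins for a camera's management API and the VMS credential vault."""
import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_password(length=25):
    """Uniformly random password drawn with the OS CSPRNG (secrets)."""
    if length < 12:
        raise ValueError("policy minimum is 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Camera:
    """Hypothetical camera: holds one admin password, like a real device."""
    name: str
    _password: str = "admin"        # factory default the policy must remove
    fail_next_change: bool = False  # simulate a dropped connection mid-change

    def login(self, password):
        return secrets.compare_digest(password.encode(), self._password.encode())

    def set_password(self, current, new):
        if not self.login(current):
            raise PermissionError(f"{self.name}: current password rejected")
        if self.fail_next_change:
            self.fail_next_change = False
            raise ConnectionError(f"{self.name}: connection lost during change")
        self._password = new


class CredentialStore:
    """Hypothetical VMS vault. Each camera has a committed credential and,
    during a rotation, a pending one, so at least one of them always works."""

    def __init__(self):
        self._entries = {}

    def enroll(self, camera_name, password):
        self._entries[camera_name] = {"current": password, "pending": None}

    def get(self, camera_name):
        e = self._entries[camera_name]
        return e["current"], e["pending"]

    def stage(self, camera_name, new):
        self._entries[camera_name]["pending"] = new

    def commit(self, camera_name):
        e = self._entries[camera_name]
        e["current"], e["pending"] = e["pending"], None

    def abort(self, camera_name):
        self._entries[camera_name]["pending"] = None


def rotate(camera, store, length=25):
    """Rotate one camera's password. Returns True on success, False if the
    change was interrupted (the pending secret stays recorded for next time)."""
    current, pending = store.get(camera.name)
    # Resolve a rotation that was interrupted on an earlier run.
    if pending is not None:
        if camera.login(pending):          # the camera did apply it last time
            store.commit(camera.name)
            current = pending
        else:                              # it never took; fall back
            store.abort(camera.name)
    if not camera.login(current):
        raise RuntimeError(f"{camera.name}: no stored credential works")
    new = generate_password(length)
    store.stage(camera.name, new)          # 1. record the secret before pushing it
    try:
        camera.set_password(current, new)  # 2. push it to the camera
    except ConnectionError:
        return False                       # both secrets remain in the store
    store.commit(camera.name)              # 3. commit once the camera has it
    return True


if __name__ == "__main__":
    store = CredentialStore()
    fleet = [Camera("cam-01"), Camera("cam-02", fail_next_change=True)]
    for cam in fleet:
        store.enroll(cam.name, "admin")    # onboarding with the factory default
    for cam in fleet:
        print(cam.name, "rotated" if rotate(cam, store) else "interrupted, will retry")
    print("cam-02 retry:", rotate(fleet[1], store))
```

The ordering is the point: the new secret is written to the store before it is pushed, and committed only after the camera accepts it, so a crash or dropped connection at any step leaves the recorder with at least one credential the camera still honours. Nobody ever sees the generated passwords; they exist only in the vault and on the device.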
Active Directory Attack
Active Directory is a Windows OS directory service that facilitates
working with interconnected network resources. Active Directory
was launched almost twenty years ago, and the security landscape
has changed dramatically since. Unfortunately, businesses have not
adapted their Active Directory environment to meet these new security
needs and, as a result, we are seeing attackers exploit this weakness
more frequently.
One of the first steps in preventing an attack on Active Directory is to make sure there is visibility into all Active Directory activity.
An Active Directory auditing solution can assist with this and alert
administrators proactively to suspicious activity, such as bursts of
failed logons, account lockouts, or changes to privileged groups, before
a full-blown attack develops. Every enterprise network should also have
a complete Active Directory disaster recovery plan in place to minimize
the impact of an attack and allow the damage to be reversed within a few
hours.
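As an added example, not from the article, here are three of the detection rules an Active Directory auditing tool applies, run over a handful of constructed Windows Security log events. The CSV layout and every event are made up for the example; the event IDs are the standard Windows ones (4624 logon success, 4625 logon failure, 4740 account lockout, 4728/4732/4756 member added to a security-enabled group).

```python
"""Added example: simple AD audit rules over constructed Windows Security
log events. Event IDs are the real Windows ones; the CSV layout, the
'Added <member> to group <group>' detail text and the events are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp,event_id,account,source_ip,detail
SAMPLE_LOG = """\
2019-07-15T08:00:01,4624,bwong,10.20.5.30,Logon success
2019-07-15T08:00:05,4625,jsmith,10.20.5.17,Bad password
2019-07-15T08:00:06,4625,jsmith,10.20.5.17,Bad password
2019-07-15T08:00:07,4625,jsmith,10.20.5.17,Bad password
2019-07-15T08:00:08,4625,jsmith,10.20.5.17,Bad password
2019-07-15T08:00:09,4625,jsmith,10.20.5.17,Bad password
2019-07-15T08:00:10,4740,jsmith,10.20.5.17,Account locked out
2019-07-15T08:05:00,4625,akumar,10.20.9.44,Bad password
2019-07-15T08:05:02,4625,bwong,10.20.9.44,Bad password
2019-07-15T08:05:04,4625,cdiaz,10.20.9.44,Bad password
2019-07-15T08:05:06,4625,dlee,10.20.9.44,Bad password
2019-07-15T08:20:00,4732,contractor1,10.20.5.30,Added svc-vms to group Administrators
2019-07-15T09:00:00,4625,bwong,10.20.5.30,Bad password
"""

BRUTE_THRESHOLD, BRUTE_WINDOW = 5, timedelta(minutes=2)   # one source, one account
SPRAY_THRESHOLD, SPRAY_WINDOW = 4, timedelta(minutes=10)  # one source, many accounts
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}


def parse_events(text):
    """Parse the constructed CSV into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, ip, detail = line.split(",", 4)
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "account": account, "ip": ip, "detail": detail})
    return sorted(events, key=lambda e: e["time"])


def parse_group_change(detail):
    """Parse the constructed 'Added <member> to group <group>' detail text."""
    head, group = detail.split(" to group ", 1)
    return head.split(" ", 1)[1], group


def detect(events):
    """Apply the rules and return alerts in time order, one per (rule, key)."""
    alerts = []
    fired = set()
    by_pair = defaultdict(deque)   # (ip, account) -> failure times in window
    by_ip = defaultdict(deque)     # ip -> (time, account) failures in window
    for e in events:
        if e["id"] == 4625:
            key = (e["ip"], e["account"])
            q = by_pair[key]
            q.append(e["time"])
            while e["time"] - q[0] > BRUTE_WINDOW:   # slide the window
                q.popleft()
            if len(q) >= BRUTE_THRESHOLD and ("brute", key) not in fired:
                fired.add(("brute", key))
                alerts.append({"rule": "brute_force", "source": e["ip"],
                               "account": e["account"], "count": len(q),
                               "at": e["time"]})
            q2 = by_ip[e["ip"]]
            q2.append((e["time"], e["account"]))
            while e["time"] - q2[0][0] > SPRAY_WINDOW:
                q2.popleft()
            accounts = {a for _, a in q2}
            if len(accounts) >= SPRAY_THRESHOLD and ("spray", e["ip"]) not in fired:
                fired.add(("spray", e["ip"]))
                alerts.append({"rule": "password_spray", "source": e["ip"],
                               "accounts": sorted(accounts), "at": e["time"]})
        elif e["id"] == 4740:
            alerts.append({"rule": "lockout", "account": e["account"],
                           "source": e["ip"], "at": e["time"]})
        elif e["id"] in GROUP_ADD_EVENTS:
            member, group = parse_group_change(e["detail"])
            if group in PRIVILEGED_GROUPS:
                alerts.append({"rule": "privileged_group_change",
                               "actor": e["account"], "member": member,
                               "group": group, "at": e["time"]})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        extra = {k: v for k, v in a.items() if k not in ("at", "rule")}
        print(a["at"].isoformat(), a["rule"], extra)
```

Run against the sample, the rules flag the five rapid failures against jsmith, the resulting lockout, the single source failing against four different accounts (a password spray that a per-account lockout never catches), and the contractor adding a service account to Administrators; the lone failed logon at 09:00 produces nothing. The thresholds are starting points to tune against your own baseline.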
Lost and Stolen Asset Devices
Vulnerabilities are everywhere, and exposure grows with the number of
endpoints on the system. The number of PCs on a network used to be the
main concern; now the primary concern is all the IoT and edge devices,
including cameras and all types of sensors, that connect to a network.
It is critical to secure all device communications with the backend
systems and make it difficult for someone to reach the network from the
outside world through a lost or stolen device, for example by revoking
that device's credentials and certificate as soon as it is reported
missing. Keep in mind that if a network is easy to access, it is probably
vulnerable. Administrators have to strike a balance between security and
usability, and should err on the side of security.
Network segmentation is a useful security layer within an overall
security system design. It is surprising how many video management
software (VMS) deployments use no segmentation at all. With segmentation
best practices, cameras, recorders and management stations sit on separate
network segments or VLANs with only the required flows permitted between
them, so a compromised or stolen device cannot reach the rest of the
network.
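As an added example, not from the article, the following Python checker evaluates observed flows against a segmented video-network design. The zones, the allow list and the sample flows are all constructed for illustration (a real design would take its zones from the site's own addressing plan); the point it shows is that only the flows the VMS actually needs are permitted, so a compromised camera, or a lost, stolen or rogue device that is not enrolled in any segment, cannot reach the rest of the network.

```python
"""Added example (not from the article): evaluate flow records against a
hypothetical segmentation policy for a video network. Zones, allow list and
sample flows are constructed for illustration."""
import ipaddress
from collections import namedtuple

ZONES = {
    "cameras":    ipaddress.ip_network("10.20.0.0/24"),
    "recorders":  ipaddress.ip_network("10.30.0.0/24"),
    "management": ipaddress.ip_network("10.40.0.0/24"),
    "corporate":  ipaddress.ip_network("10.10.0.0/16"),
}

# Hypothetical allow list: (src_zone, dst_zone) -> permitted (proto, port).
# Recorders pull video from cameras; cameras initiate nothing except NTP;
# operators reach the recorders (VMS), never the cameras directly.
ALLOWED = {
    ("recorders", "cameras"):    {("tcp", 554), ("tcp", 80), ("tcp", 443)},
    ("cameras", "management"):   {("udp", 123)},
    ("management", "cameras"):   {("tcp", 443), ("tcp", 22)},
    ("management", "recorders"): {("tcp", 443), ("tcp", 3389)},
    ("corporate", "recorders"):  {("tcp", 443)},
}
# Zones whose members may talk to each other. Cameras are isolated from one
# another so a compromised camera cannot move laterally to its neighbours.
INTRA_ZONE_OPEN = {"corporate", "management"}

Flow = namedtuple("Flow", "src dst proto dport")


def zone_of(ip):
    """Name of the zone containing ip, or None if it is not enrolled anywhere."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(flow):
    """Return ('allow' | 'deny', reason) for one flow under the policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None:
        return "deny", f"unenrolled source {flow.src}"
    if dst_zone is None:
        return "deny", f"unenrolled destination {flow.dst}"
    if src_zone == dst_zone:
        if src_zone in INTRA_ZONE_OPEN:
            return "allow", f"intra-zone traffic permitted in {src_zone}"
        return "deny", f"lateral movement inside {src_zone} is blocked"
    if (flow.proto, flow.dport) in ALLOWED.get((src_zone, dst_zone), set()):
        return "allow", f"{src_zone} -> {dst_zone} {flow.proto}/{flow.dport} is on the allow list"
    return "deny", f"{src_zone} -> {dst_zone} {flow.proto}/{flow.dport} not permitted"


def violations(flows):
    """Return (flow, reason) for every flow a segmented network would drop."""
    out = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            out.append((f, reason))
    return out


# Constructed sample flows, as exported from a firewall or flow collector.
SAMPLE_FLOWS = [
    Flow("10.30.0.5", "10.20.0.17", "tcp", 554),    # recorder pulling RTSP: fine
    Flow("10.20.0.17", "10.10.4.20", "tcp", 445),   # camera reaching a file share
    Flow("10.10.4.20", "10.20.0.17", "tcp", 80),    # workstation to camera web UI
    Flow("10.20.0.17", "10.20.0.18", "tcp", 80),    # camera to camera
    Flow("10.10.4.20", "10.30.0.5", "tcp", 443),    # operator to VMS: fine
    Flow("192.168.1.77", "10.30.0.5", "tcp", 443),  # device on no known segment
    Flow("10.40.0.2", "10.20.0.17", "tcp", 443),    # management to camera: fine
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Run over the sample, four of the seven flows are denied: a camera reaching a corporate file share, a workstation browsing a camera directly, a camera talking to its neighbour, and a device from an address that belongs to no segment. Feeding real flow exports through the same check is a quick way to find out whether an installation's segmentation exists on paper only.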
Insider Threats
An insider threat is a security threat that originates from within the
targeted organization, often from an employee or officer. An insider does
not have to be a current employee; a former employee, or anyone who at one
time had access to the network, also qualifies. Logic bombs, malicious code
planted to trigger on a later date or condition, can be left behind on a
system by departing employees and cause a wide range of problems.
Contractors, business associates, and other individuals or third-party
entities who have or have had access to protected networks or databases
also fall under the umbrella of insider threat. Network segmentation,
robust password policies, prompt removal of access when people leave, and
a proactive, ongoing review of all network activity are critical in
protecting against internal threats.
Ransomware
Ransomware is malicious software that threatens to publish the victim's
data or to block access to it permanently unless a ransom is paid. User
education and awareness are critical when it comes to defeating
ransomware. Treat suspicious emails with caution; inspect the sender's
domain and hover over links to see where they really lead. Extending
protection with anti-virus and anti-spyware on endpoints and on devices
at the network perimeter is also critical.
Most ransomware will try to spread from the endpoint to the
server/storage where all the data and mission-critical applications reside.
Segmenting the network and keeping critical apps and devices
isolated on a separate network or virtual LAN can limit the spread.
Sandboxing technologies can provide the ability to quarantine
suspicious files for analysis before they can enter the network. The
files are held at the gateway for evaluation. Adopt a layered approach
to stop ransomware by avoiding a single point of failure in the security
architecture, and have a robust backup and recovery plan in place.
Physical Layer Compromise
Many company server rooms and data centers have easy-to-exploit
physical vulnerabilities that don’t require digitally hacking into the
network. Intruders simply looking to vandalize the servers can create
a huge and costly level of damage.
Some of the ways of gaining access simply include accessing improperly
installed doors or windows, picking locks, crawling through
void spaces in the walls or above false ceilings, and “tailgating” into
the building by posing as a contractor or vendor.
A major physical design flaw with server rooms is with the drop
ceilings and raised floors where the walls don’t go up to the real ceiling
or down to the subfloor. Intruders need to simply remove a ceiling
tile from a nearby area and then crawl to the server room from above.
And raised floors and crawl spaces—built for cabling and cooling
purposes—can also be physically exploited.
For optimum physical protection, a combination of multiple security
strategies is needed: professional-grade access control systems and locks
that require authentication, and wall and structure design that reduces
void spaces and presents physical barriers. Alarm sensors placed at
potential access points are a good strategy as well. Of course, clear and
detailed, documented security and access policies must be established,
communicated to employees and strictly followed.
ISO 27001 and the Risk Assessment
The days of system and network isolation are over. Organizations
must adopt policies and best practices that give decision makers clear
insight into all security practices. These policies must reach across
network design, information system use, product development and, in many
cases, the entire supply chain. Successful integrated solutions are the
ones that withstand the test of time and are built with the cooperation
of users and administrators, with proper processes and technology.
The ISO/IEC 27001 information security standard, the most widely
accepted framework for developing and improving information security
management systems, belongs to the consistently growing ISO 27000 family
of best-practice security frameworks, an assembly of resources that make
for seamless integration of disciplines and sub-systems. Among the others
is ISO/IEC 27005, which speaks specifically to information security risk
management and offers a pragmatic mapping to enterprise risk management
following standards such as ISO 31000.
Also, the recently updated ISO/IEC 27004:2016 provides systematic
guidance on how to develop and operate measurement processes
for the effectiveness of security controls of products and services, as
well as how to assess and report the results in the form of functional
information security metrics for continuous improvement.
Whether you are an engineer or consultant responsible for security
and reporting to management or an executive who needs better
information for decision making, security metrics have become
an essential vehicle for communicating the state of an organization’s
cyber-risk posture.
To mitigate risk, comply with legislation, and assure the confidentiality,
integrity, availability, and accountability of information
for your company, employees, and customers—create a written data
security policy based on established guidelines, enforced through
regular training, reviews, and assessments.
Milestone Systems
Cybersecurity Technical Forum
A critical component of defending against cyber-attacks and vulnerabilities
is to stay informed. IT and security managers need to be aware of issues
that affect software and hardware, including operating systems, mobile
devices, cameras, storage devices, and network devices. A reliable point
of contact should be established for all system components, with reporting
procedures to track bugs and system vulnerabilities. It is important to
keep current on Common Vulnerabilities and Exposures (CVE) entries for all
system components and to communicate with manufacturers often.
This article originally appeared in the July/August 2019 issue of Security Today.