A Conduit For Attack

A Conduit For Attack

What every retailer should know about managing patches and updates

In the days of analog DVR-based surveillance systems, the biggest worries retailers faced were equipment failure and theft of the recording medium. As closed systems, their problems remained contained within those systems. But in today’s surveillance landscape, where an ever-greater number of IPbased cameras ride on the corporate network, retailers need to understand their video security system’s vulnerabilities in a whole new light.

Specifically, any under-protected, network-connected device presents a potentially exploitable entry point for attacking every system and any data on the network, from point-of-sale transactions and credit card processing to strategic business plans and company financials. With today’s PCI requirements pushing physical and cyber security closer together, addressing this topic becomes paramount.

TAKE A LESSON FROM YOUR IT COUNTERPARTS

When it comes to network security, IP-based cameras are relatively new kids on the block. But the guiding principles for securing those devices are the same as IT uses for any device sharing their network. So it makes sense for Loss Prevention and Asset Protection Departments to reach across the organization to their IT counterparts for expertise and guidance in protecting their surveillance technology.

So, what are some of the best practices LP and AP can apply to their video systems?

Change factory default log-in credentials. This is a common oversight that needs to be addressed before the device goes live. Back in the days of analog, if the DVR had password protection it was generally the default one and couldn’t be changed or updated. However, with IP systems password control is in the hands of the end user. When changing the default log-in, make sure that users create strong passwords that are at least eight characters in length that incorporate a mix of uppercase and lowercase letters, numbers and symbols. To maintain security, users should change their passwords with some frequency.

Create a least-privilege access hierarchy. Also during the analog days, rights and privileges were generally global in scope. If you had access to the system, you had access to the entire system. IP systems give you much more granular control. When creating user accounts be sure to grant only those privileges that are essential to a user’s daily job performance and nothing more. If you let users access your company’s network video recorders and IP cameras using an admin’s root credentials, those credentials risk compromise and then hackers can gain wholesale access to the entire network.

Be diligent about configuration and patch management. Being a closed system, analog technology was inherently difficult for IT departments to update and manage. But the open standards used by today’s IP systems allow them to evolve over time. This puts the onus on companies be sure their operation keeps pace with the changing threat landscape. Failing to update years-old firmware can leave your surveillance system exposed to many known virus and malware and give hackers an open door to the network through your camera.

Track attempted hacks and breaches. The best way to shore up defenses against future attacks is to understand what’s happening on the network today. This is where the partnership with IT becomes paramount. IT usually owns the network monitoring technology and possesses the log analysis skills to identify unauthorized access attempts and breaches. They can help pinpoint the exploitable weaknesses in your surveillance technology and devise strategies for hardening your devices.

THE PENALTY FOR LAX SECURITY PRACTICES

Because of their high-capacity processing power many IP cameras are delivering added value beyond traditional security. With the ability to run onboard analytics such as people counting, traffic patterns, dwell time, line queuing and more, they’re able to provide retailers with vital business intelligence to improve marketing, merchandising, and operations. But those added apps present yet another layer of potential vulnerability that must be tightly managed.

The lack of cybersecurity awareness coupled with careless security precautions (such as haphazard application of updates and patches) invariably opens the door for malware infection and exploitation.

Denial of service. One of the more common attacks is denial of service. Whether through an intentional internal act, a mistaken download of particular software, or an external attack, the malware purposefully increases communication on the network, eventually clogging the network by repeatedly flooding it with tens of thousands of requests per second. Once the network is clogged, retailers can no longer conduct business—including POS transactions, credit card verification and other mission critical activity.

Port hijacking. Oftentimes hijackers will troll for open, unsecured ports that they can commandeer to gain access to the network or they gain physical access to your network by grabbing the network cable from an outdoor camera and plugging into their laptop. Once inside your system they can do unlimited damage.

Brute-force dictionary attacks. This attack’s name comes from the way hackers try to penetrate the system: trying as many permutations and combinations as there are words in a dictionary. When faced with a log-in credential request—a decryption key or passphrase—sophisticated hackers try hundreds or even millions of likely possibilities to defeat the authentication mechanism. Once this line of defense is breached they can penetrate any part of the system that credential is authorized to access.

OUTSMARTING MALICIOUS ATTACKERS

In addition to the lessons from IT, industry specialists recommend a number of other steps you can take to secure your surveillance devices and your network.

  • When using your smart devices implement security principles such as input validation, bounds checking, access control and authentication.
  • Encrypting communications is good, but if the keys are readily available then all they do is delay an attacker rather than stop him. Keys should be guarded as closely as possible and not recorded in logs. They should also be protected against resetting by an untrusted party.
  • If encryption is used on an interface then the secret information contained within should not then be decrypted and passed on via an unencrypted interface as it defeats the purpose of encryption. Encryption/ decryption should be used as quickly and discretely as possible then cleared from memory.
  • Firmware should be signed and encrypted to prevent bad firmware uploads or tampering. Failure to do this not only carries security risks but business risks as well since smart devices like cameras rely on their firmware to protect their customers. Open source firmware—such as Jail Break which allows the device to download free software—opens that device to future attacks because developers rarely issue updates to repair security gaps.

IS IT ALL DOOM AND GLOOM?

Cybersecurity for surveillance systems certainly grows more challenging every year. As a retailer, your environment often stretches across a wide geographic area and includes a host of network attached devices. Managing cybersecurity on such a large scale might seem quite daunting, but consider looking to your own IT department for guidance and partnership. Employing the same common sense security policies and practices that they already have in place will help you mitigate your risks. It will also give your enterprise a much more cohesive and holistic approach to loss prevention, operations, strategic merchandising and overall cyber protection. In turn, that will help you safeguard your assets, your bottom line and your brand.

This article originally appeared in the June 2016 issue of Security Today.

Featured

  • Maximizing Your Security Budget This Year

    The Importance of Proactive Security Measures: 4 Stories of Regret

    We all want to believe that crime won’t happen to us. So, some business owners hope for the best and put proactive security measures on the back burner, because other things like growth, attracting new customers, and meeting deadlines all seem more pressing. Read Now

  • Global IT Outage Cause by Faulty Update from Cybersecurity Provider CrowdStrike

    Systems are starting to come back online after a global IT outage on Friday disrupted everything from airline operations to banks and 911 call centers. Read Now

  • Securing the Flow of Operations

    The transportation industry is a complex and dynamic environment where efficient management of physical keys, vehicles and shared devices is critical to ensuring smooth operations, reducing costs and maintaining security. Every day, more transportation facilities are using modern electronic key and asset management systems to better secure, audit and manage the important assets that keep operations running smoothly. Read Now

  • The Recipe for Stadium Security

    The threat landscape of stadium security is fluid. Today’s venues and stadiums have operational security 24/7, hosting sporting events, community events, concerts, conventions and more – each with a unique visitor base and each with unique security risks. Read Now

Featured Cybersecurity

Webinars

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3