The Risk Profile
Does your surveillance system fit the proper cyber profile?
By Ron Grinfeld
Aug 01, 2016
As surveillance system technologies advance, so do
the technologies employed by hackers. Increasingly
sophisticated cyber criminals, whether working for
criminal enterprises or for foreign governments, are
developing not just better, but entirely different, ways
to enter and manipulate or undercut the protection of surveillance
systems.
What are some of these emerging threats and how can you
protect against them?
New Kinds of Threats
Extortion hacks break into sensitive company or customer data
and threaten to release it unless the victim pays a ransom. This
increasingly popular threat is different from merely encrypting or
locking access to the data until a ransom is paid.
Last year there were two known cases of such extortion. The
first was an attack on the AshleyMadison.com site. The resulting
data dump cost the CEO his job, and it exposed millions of
would-be marital cheaters. A second case involved the hacking
of InvestBank in the United Arab Emirates and the exposure of
customer account information.
Data sabotage will, in all likelihood, be more difficult to detect
than simple theft. Since very slight data alterations could result
in enormous changes, hackers who break into financial and stock-trading
systems could create havoc and take advantage of the manipulated
rise and fall of stock prices.
A potentially devastating type of data sabotage could result
from the insertion or alteration of code in a country’s weapon
systems to change how they operate.
Another threat will come about as the Internet of Things
(IoT) spreads to many appliances and other devices. How will
anyone be sure their toaster isn’t part of a menacing bot army?
How can we ensure that our connected
car won’t be susceptible to hacking? How
about life-saving medical devices? Or sophisticated
hackers who install back doors
to enable access to a system whenever
they want?
It’s become clear that the likelihood of
cyber attacks isn’t a question of “if,” but
rather a question of “when.” Now is the
time to examine your own surveillance
system to identify the inherent weaknesses
and cyber vulnerabilities within it, and
then develop a strategy to take action and
mitigate your risk of exposure and loss.
The Challenges of Advanced Technology
Surveillance VMS make up one of the
key elements of today’s security systems,
whether monitoring a small private company
or a sprawling enterprise. Though
the ability to monitor and control locations
has never been more important,
many systems are migrating from analog
to an IP-based or cloud-managed system
for the promise of better image resolution,
remote access and monitoring, and
accompanying analytic software packages.
Unfortunately, better technology may
also represent a greater exposure to cyber
attacks, as such systems can offer a
number of easily accessible entry points
for hackers that could compromise entire
systems. Just last year there were several
notable cyber attacks on both government
and private organizations.
- The Office of Personnel Management
was hacked and the addresses, health
and financial information of 19.7 million
people who had undergone background
checks were stolen;
- The well-publicized breach of the Ashley
Madison site last summer resulted
in the theft of personal information
and credit card information on more
than 11 million users;
- Last fall, it was learned that healthcare
insurance company Anthem had been
hacked by the Chinese, who were seeking
to learn how medical coverage in
the United States is managed.
3 Questions to Ask Yourself
In order to ensure that your organization’s
security is up to today’s cyber warfare challenges,
ask yourself these three questions.
Is cyber defense a priority? As physical
security systems continue to merge with
the world of IP, it is helpful to start by
declaring that cybersecurity is truly a priority
for the organization. Cyber attacks
continue to grow in both range and severity,
and from all accounts it appears they
will continue to do so. In today’s world, to
not declare that cyber defense is a priority
is, in effect, inviting attack. And sooner or
later, it will come.
Has my installer or integrator “hardened”
my system? To harden a system
against intrusion means to heighten its
security by reducing the number of potential
breach points that could be exploited
by hackers. Some installers and integrators
are cutting prices in order to remain
“competitive,” but if they don’t reduce the
number of potential breach points, they
are doing you no favors.
Today’s systems are increasingly sophisticated
and require a high level of
IT experience and knowledge in order to
implement them effectively. Also, make
sure your system manufacturer didn’t cut
any corners by failing to run a full range
of testing to determine all software and
hardware vulnerabilities of their products.
Are my users a weak link in my security
chain? Your own users can become enablers
of cyber hacking through the use of weak
or default passwords, or through requesting
unnecessary remote access privileges to the
network. Rest assured that hackers will find
the weak links in your security chain, so it’s
important to demand that all users accept
cyber security as the priority that it is.
6 Steps to Developing a Strategy to Mitigate Risk
Everyone in both government and industry
agrees that cyber threats are among the
nation’s gravest threats. Mitigating those
threats has attracted both media attention
and budget dollars to the tune of $90 billion
or more. Yet the threat continues, not
just for small companies, but also for Sony,
the State Department, and healthcare companies
like CareFirst. The truth is that there
is no silver bullet that will eliminate all risk,
and it takes a concerted effort to develop a
strategy that will mitigate the risk.
Here are six steps that can point you
in the direction of developing an effective
strategy to mitigate the risk to your
organization.
- Realize that your organization has cyber
risks. Hackers hack for as many
reasons as there are types of victims of
hacking, including healthcare companies,
credit card companies, manufacturers,
and government agencies. The
list goes on. Don’t be surprised if your
organization is hacked one day.
- Determine your biggest risks. You’re
not going to prevent every single attack,
so a good place to start is by determining
your most valuable assets:
what systems are the most valuable,
what information is most sensitive.
Tap your key managers to conduct a
discovery process across the organization.
- Put together a cyber risk leadership
team. Good governance requires leadership
and effective decision-making.
Don’t wait until the first attack before
assembling your team.
- Involve your entire organization. As
noted earlier, any user who doesn’t understand
that cyber security is a priority
may inadvertently assist the hackers
trying to gain admittance to your systems.
Get everyone on board.
- Don’t protect only the perimeter. Budgets
today are still skewed towards
perimeter-protecting tools like firewalls
and anti-virus programs, but it’s important
to have a plan of action for when
those perimeters are breached.
- Practice dry run responses. Don’t let
your first attack be a real one. Practice
a response ahead of time. It may mean
the difference between a contained incident
and a disastrous loss.
A mitigation strategy is also important
as a tool to help the organization better
distinguish between a threat and a genuine
loss. Experiencing a breach but containing
the damage may, in that case, be considered
a success, and help protect the company’s
bottom line.
This article originally appeared in the August 2016 issue of Security Today.