Your cameras were hacked? It’s YOUR fault!

Your cameras were hacked? It’s YOUR fault!

  • By Tom Cook
  • Jun 10, 2018

IP security cameras are connected to the internet. That's what allows users to access them remotely, to check in on their business, and what lets manufacturers update device software without having to physically visit their business. But this feature can also be a problem. When not secured properly, devices in the so-called Internet of Things (IoT) can be accessed remotely by just about anyone, not just those with whom you want to share access. And that’s a big problem for our industry. According to industry analyst firm, Gartner, by 2020 more than 25 percent of cyberattacks in enterprises will involve IoT devices. That includes the same devices that are supposed to keep us safe. So, when a security camera, or a NVR gets hacked everyone at some level, has to accept responsibility.

Manufacturers: Technology manufacturers should be held accountable for protecting their sales distributors and customers from exploitations of their hardware. It is their responsibility to design products with baked-in cyber security features, to ensure that the security system itself won’t introduce new vulnerabilities onto their customers’ networks. Responsible manufacturers will place security at the heart of their research and development efforts. From the design phase to quality assurance, cyber resiliency needs to be a fundamental part of the R&D process. It is also the manufacturers’ responsibility to put together hardening tools to assist their users through all the steps needed to fully secure every facet of their systems. Because new threats occur all the time, responsible manufacturers should pledge transparency about the latest vulnerabilities to their systems. They should inform their customers, partners and systems integrators about new threats as soon as they are identified and act quickly and diligently to issue timely corrections and patches so that everyone can get back to being fully secured as quickly as possible.

Systems integrators: While it is tempting to think that the cybersecurity responsibility stops with manufacturers, systems integrators have an equally important role to play in ensuring that the systems they install are secure from both a physical and a cyber perspective. To build this confidence, responsible systems integrators should partner with companies and vendors that have strong cyber security policies, dedicated resources, and a clearly articulated plan for combating security vulnerabilities. It’s also a systems integrator’s responsibility to install IP equipment properly and follow the hardening rules provided by manufacturers. This includes re-setting default passwords, utilizing multiple credentials, using the most secure authentication and encryption methods available, and setting defined access privileges for users. And just as importantly, employing and sharing best practices with their customers’ IT, security and operations department will ensure the ongoing safety and security of their people and assets.

Physical security departments: Security professionals know the importance of secure device placement --i.e. cameras should be installed so they cannot be easily tampered with; network and power cabling should run through conduit or behind/through walls and ceilings so that the cables cannot be unplugged or intercepted. Beyond deployment, there are a number of tasks security teams must continually undertake to ensure the ongoing security of their cameras and other devices such as performing regular software updates and ensuring software complies with organizational security standards. But today, the role of security departments goes beyond the placement and care of security devices. Physical security departments can no longer pass the headaches of cyber security to their colleagues in the IT department. As we have just discussed, any internet-enabled security device represents a potential entry door to cyberattacks. Additionally, as these devices increasingly leverage new technologies such as artificial intelligence and machine learning, they are simultaneously providing attackers with enhanced tools for more complex attacks. Physical security departments can no longer operate in a silo and need to work hand in hand with IT departments, procurement departments and management. They need to choose to work with well informed, cyber-educated systems integrators, and specify technology from reliable manufacturers.

IT departments: Similarly, IT departments need to work closely with security departments and set up secure network configurations that physically separate the cameras and recorders from the corporate network, using VLANs (Virtual Local Area Networks). By explicitly specifying who is allowed or denied access to a network device, they can ensure that only the correct people, based upon their computer’s IP addresses have access to the device, and thwart any attacks, hacker scanners, or script-kiddies’ attempts to access the network.

Procurement departments: Procurement departments need to be fully aware of the risks associated with procurement decisions based solely on price, without taking into consideration any possible cybersecurity weaknesses or vulnerabilities. When shown how easy it is to hack into some of the low-cost security hardware that is widely available on the market, people will understand first-hand, the perils that poor procurement choices can cause. In the event that these purchases have already been made, responsible procurement departments should work with their security and IT colleagues to evaluate the vulnerabilities and assess the risks through an analysis of the product and the code, and by performing a penetration test. Once the evaluation is complete, every effort should be made to mitigate the important risks identified and if necessary replace the devices at risk. In the light of so many high-profile data breeches, an increasing number of forward-thinking procurement departments are requesting penetration tests on the products of their suppliers, to ensure the solutions they are choosing are robust and successfully ‘hardened’ against cyber-attacks.

Executive management: Any company can have an employee who unintentionally opens the content of a malicious email or forgets to reset the default password on a camera. For an attacker, this is often the easiest and most effective way to gain access and compromise a company’s confidential data. To protect their organization against this type of attack, corporations need to put in place the necessary resources, procedures and policies to properly educate their employees and help reduce careless, high-risk behaviors. A cyber security culture should seamlessly intertwine security practices with business operations in order to improve an organization’s security posture, and demonstrate that security is not a function relegated to an understaffed and underfunded IT department.

Conclusion

The very devices that are designed to protect customers' property and personal information are increasingly used as a means of seizing sensitive personal and corporate information. It is important not to view cybersecurity as just one person’s or one department’s job: it is a collective responsibility that needs to be taken seriously by every single one of us, whether we are a manufacturer, or a systems integrator, whether we work in IT or procurement, whether we sit at the reception desk or in the executive suite.

Featured

  • Allegion, Comfort Technologies Implement Mobile Credentials at the Artisan Apartment Homes in Florida

    Artisan Apartment Homes, a luxury apartment complex in Dunedin, Florida, recently transitioned from mechanical keys to electronic locks and centralized system software with support from Allegion US, a leading provider of security solutions, technology and services, and Florida-based Comfort Technologies, which specializes in deploying multifamily access control, IoT devices and software management solutions. Read Now

  • Mall of America Deploys AI-Powered Analytics to Enhance Parking Intelligence

    Mall of America®, the largest shopping and entertainment complex in North America, announced an expansion of its ongoing partnership with Axis Communications to deploy cutting-edge car-counting video analytics across more than a dozen locations. With this expansion, Mall of America (MOA) has boosted operational efficiency, improved safety and security, and enabled more informed decision-making around employee scheduling and streamlining transportation for large events. Read Now

  • Security Industry Association Launches New “askSIA” AI Tool

    The Security Industry Association (SIA) has unveiled a brand-new SIA member benefit – askSIA, a conversational AI agent designed to help users get the most out of their SIA membership, easily access SIA resources and find the latest information on SIA’s training and courses, reports and publications, events, certification offerings and more. SIA members can easily find askSIA by visiting the SIA homepage or looking for the askSIA icon in the top left of webpages. Read Now

    • Industry Events

  • Industry Embraces Mobile Access, Biometrics and AI

    A combination of evolving workplace dynamics, technology innovation and new user expectations is changing how people enter and interact with physical spaces. Access control is at the heart of these changes. Combined with biometrics and AI, mobile access control has become increasingly crucial for deploying entry solutions that are seamless, secure and adaptive to user needs. Read Now

  • Sustainable Video Solution Delivered for Landmark City of London Office Development

    An advanced, end-to-end video solution from IDIS, with a focus on reducing waste and costs, has helped a major office development in the City of London align its security with sustainability objectives. Read Now

Most   Popular

New Products

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles.