Money in the Bank

Money in the Bank

Protecting financial Institutions through cyber resilient physical security

We have all read or heard about incidents of cyber crime targeting government and commercial entities to compromise services or harvest information. As you can image, financial institutions are a primary target for attack.

While they have top-notch security, financial institutions may be still be the target of threats involving software and hardware vulnerabilities that could lead to exploitation. The most consistent feedback we hear is that their primary concern is cybersecurity. Given that financial institutions can lose customers, revenue, and reputation because of a breach, this is hardly surprising.

Physical security in banking has evolved toward network-based solutions with high-resolution cameras and high-capacity recorders. These devices have operating systems, communication capabilities, and passwords just like any other computer on a network. Any poorly protected device can easily become the attack surface hackers need to gain access to a financial institution’s infrastructure.

As a result, IT teams have become involved in the process of testing, selecting, and deploying all the devices on a bank’s network, including cameras and video management systems (VMS). The shift from focusing on physical security to IT security has changed the discussion. Many IT specialists ask questions about whom a vendor works with, and how they secure their products. However, when they aren’t sure about what questions to ask, it is up to vendors to lead these conversations.

Financial institutions need physical security system vendors who understand their cybersecurity concerns and who are working to mitigate against the risks associated with cyber threats. To start, they should be looking for four Key Cybersecurity Measures:

Device Hardening Protocols
While changing factory-set passwords might seem like a simple action, many institutions struggle with it. This is partly because of the sheer volume of devices they have on their networks. However, it is also because, during the installation process, many skip this step, assuming they’ll come back to it later. Unfortunately, just one camera that still has the default password can increase a network’s vulnerability to attacks.

Cameras that do not have default passwords and instead require users to set strong passwords before attaching the device to the network help protect banks. In addition, some vendors, like Hanwha Techwin, also provide network hardening guides that reduce the risks associated with improperly or unprotected devices.

End-to-end Encryption

Given the volume and type of data that financial institutions are collecting and storing, end-to-end encryption is vital. It is not enough to encrypt data in motion. Financial institutions must also be able to encrypt data at rest as well.

Encrypting data in motion protects it from anyone who is sniffing a system with the intention of capturing data packets passing through a network. On most networks, this means passwords and other account information. Within a physical security system, however, it also means transmitted data from the camera to the recorder or from the recorder to the management station.

Financial institutions still have to protect data at rest. In a physical security system, depending on IT policy this may include the video stored in cameras and recorders. This data may need to be encrypted in case hackers gain access to the recording platforms themselves.

Patch Management

Hackers take advantage of vulnerabilities in operating systems and third-party applications not kept up to date. Keeping current with the latest software updates and firmware patches helps reduce a system’s attack surface significantly.

In order to protect their networks, financial institutions should work with vendors who monitor cybersecurity threats globally, then produce, and distribute patches. The dedicated Security-Computer Emergency Response Team, or S-CERT, at Hanwha Techwin, for example, monitors evolving cybersecurity threats worldwide and develops patches to harden our devices against these threats. Through S-CERT, we are continuously working to future-proof our cameras.

Working with a Trusted Supply Chain

Banking and financial institutions need to work with vendors who manufacture all aspects of their cameras or security system products and who control their own distribution. End-to-end, in-house manufacturing is the best way to ensure that parts and chipsets follow best practices. When a vendor controls all aspects of manufacturing, it also provides customers with peace of mind because they know that all upgrades or changes are coming directly from the vendor rather than a third-party manufacturer.

To harden networks and protect against potentially devastating data breaches, it is important to collaborate with physical security vendors who are already out in front of cybersecurity issues. A vendor with strong cyber hygiene can help financial institutions and other financial institutions install the advanced solutions they require to mitigate against the risks of cyber threats.

[Case Study Sidebar] Wilson Bank

Wilson Bank & Trust, member FDIC, is an independent, community-based bank that began operating in Tennessee in 1987. Today, they have mortgage offices, operations centers, ATMs and branches located in and around Middle Tennessee that serve the city and surrounding rural areas. In total, they have operations and security at approximately 40 locations. The bank had cameras from multiple manufacturers on multiple systems. Most of them were already 8-10 years old. The image quality was low, and they could not get the video retention rates they wanted. In addition, many of the cameras had licensing agreements, so they were paying fees for products that were not meeting their needs.

The Bank wanted IT-based, PoE (Powered over Ethernet) cybersecure cameras that could produce high-quality video and did not require licenses. They also wanted DVRs or NVRs that would give them longer-term retention rates, 90-days at a minimum. After investigating their options, Wilson Bank & Trust determined that working with Hanwha Techwin cameras would be the best fit for their requirements. During the decision-making process, one of the deciding factors was that Hanwha cameras are manufactured in-house end-to-end. In their view, this was particularly important for mitigating cyber security risks.

According to Huff, “at the time, cybersecurity and network security issues were frequently reported as cameras were being compromised for use in Distributed Denial of Service (DDoS) attacks. The ability to work with a company that does everything from manufacturing the chipset and camera to developing the software was a game-changer for us. We knew it would give us tremendous peace of mind.”

Upgrading the branches has included the installation of several panoramic cameras and network IR dome cameras. The PNM-9020V multi-sensor 180-degree panoramic camera provides up to 30fps at full resolution and are able to capture good quality images of a large area. For branch and building interiors, they installed a variety of dome cameras, including the QND – 6010R Network IR. This indoor camera provides 2MP maximum resolution, 30fps at all resolutions, motion detection, as well as tampering and defocus detection.

Today, the Bank has upgraded the security infrastructure at 40 of its locations with Hanwha cameras. By switching to industry standard PoE, IP-based cameras, the bank has realized significant savings concerning installation and maintenance costs. The bank installed cameras to record parking lot entrances and exists. This strategy has already helped the security team identify a vehicle associated with a fraud case by using an image of its license plate captured as it was leaving the facility.

The bank has also made use of the XNB-H6241A Network ATM Camera Kit with 8m cable. These cameras do not disrupt a branch’s aesthetics, which is important for maintaining a positive customer experience. At the same time, these kits have allowed the bank to capture images that are not possible with a traditional top-down view. Waist-up images, which include a person’s face, can be vital when it comes to investigating or prosecuting theft and fraud. Having access to images from this angle is already proving to be invaluable. In a recent case of fraud involving identity theft, an individual presented fictitious and forged documents at one of the bank’s branches. “Thanks to the Hanwha high resolution camera, we had a clear image that we were able to use to identify the individual,” said Elvis Huff, Assistant Vice-President and Director of Security at Wilson Bank & Trust.

This article originally appeared in the November / December 2021 issue of Security Today.

Featured

  • ASIS International and SIA Release “Complexities in the Global Security Market: 2024 Through 2026”

    ASIS International and the Security Industry Association (SIA) – the leading security associations for the security industry – have released ”Complexities in the Global Security Market: 2024 Through 2026”, a new research report that provides insights into the equipment, technologies, and employment of the global security industry, including regional market breakouts. SIA and ASIS partnered with global analytics and advisory firm Omdia to complete the research. Read Now

  • President Biden Issues Executive Order to Bolster U.S Port Cybersecurity

    On Wednesday, President Biden issued an Executive Order to bolster the security of the nation’s ports, alongside a series of additional actions that will strengthen maritime cybersecurity and more Read Now

  • Report: 15 Percent of All Emails Sent in 2023 Were Malicious

    VIPRE Security Group recently released its report titled “Email Security in 2024: An Expert Look at Email-Based Threats”. The 2024 predictions for email security in this report are based on an analysis of over 7 billion emails processed by VIPRE worldwide during 2023. This equates to almost one email for everyone on the planet. Of those, roughly 1 billion (or 15%) were malicious. Read Now

  • ASIS Announces ANSI-Approved Cannabis Security Standard

    ASIS International, a leading authority in security standards and guidelines, proudly announces the release of a pioneering American National Standards Institute (ANSI)-approved standard dedicated to cannabis security. This best-in-class standard, meticulously developed by industry experts, sets a new benchmark by providing comprehensive requirements and guidance for the design, implementation, monitoring, evaluation, and maintenance of a cannabis security program. Read Now

Featured Cybersecurity

Whitepapers

New Products

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis. 3

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3