Breaches Aren’t Always the Result of a Frontal Attack
The convergence of so many new technologies on the same network infrastructure has placed an enormous burden on IT departments to pay particular attention to the cyber security of a plethora of non-traditional network-attached devices. Due diligence must be paid to the security configuration of these devices to eliminate exploitation—whether the devices are heating, ventilation and air conditioning (HVAC) controls and monitors; intelligent building automation devices such as smart thermostats, Smart Grid power monitoring and control devices; or networked surveillance cameras and IP-based access control systems.
One recent, highly publicized and massive retail customer data breach stemmed from the hijacked login credentials of a thirdparty HVAC service provider. Typically the HVAC services company would remotely log into the retail stores’ HVAC monitoring systems for maintenance. Cyber hackers followed the same protocol, logging into the system using the stolen services company’s login credentials to gain access to the network. From there they were able to tap into the retailer’s point of sale systems which resided on the same physical network infrastructure. As a result confidential customer data was compromised.
The moral of the story? Keep a close eye on all network connected systems. They could be your Achilles Heel when it comes to securing sensitive corporate and client data. Once you understand what impact a successful breach might have on your business—financial penalties, loss of company reputation and market share, or perhaps negligible repercussions—you can plan your security spending accordingly.
Strategies for Protecting Network Ports
With more companies migrating to IPbased video surveillance and access control systems, both IT and physical security departments need to educate themselves on best practices for protecting these potentially vulnerable network nodes. To help you decide which security mechanisms, policies and procedures to deploy let’s look at how a typical IP-based video system is configured.
Video cameras and access control devices attach over the network to a video and/or access control server. Or, the system can contain multiple servers for load sharing and redundancy. The video can be stored to a local hard drive, a network attached storage device (NAS), or a server storage array located at a remote data center or in the cloud. The network can also contain video viewing clients that can access video directly from the cameras or through a VMS.
To cyber-harden these physical security component, you need to focus on three areas: user/administrator credential management, physical port security, and video and data flow protection.
User/Administrator credential Management
Credential management can be as simple as making sure that default logins and passwords are changed from factory defaults. IT professionals already do this as a default installation and maintenance best practice for networking hardware and attached devices. You can add another layer of protection by creating separate user and administrative logins, passwords and privileges.
IT can install other credential security measures such as multi-factor authentication if the camera/access control manufacturer supports this feature. Many of the major VMS application platforms can help you automate the setup and maintain those attached device credentials.
Physical port security
There are a number of measures you can employ to prevent a device’s removal from the network and the attachment of a laptop or other device configured to spoof the MAC or IP address of the camera or access control pad in order to gain access to the network and network assets. Depending on the capabilities of your network hardware management software, this can be as simple as a port-based MAC address lockdown that requires manual provisioning when a port link is lost and then recovered. This does not address cable tapping, however. In that case more rigorous measures are needed such as onboard credential authentication.
When it comes to defending against network port hijacking, there are a number of network standard authentication measures you can deploy. It all depends on which ones are supported by the cameras and access control devices you’ve installed. For instance, many cameras support basic .X or RADIUS client for edge device authentication. Some camera manufactures support PKI or token-based resident certificate authentication.
The bottom line is that you should include port-based/edge-connection cyber security on all your network edge devices no matter what they are. And the cyber security of those devices should align with the high security standards your company already has in place to protect other devices and data residing on the network.
Video and data flow protection
Protecting the transmission of video or data focuses on preventing the wrong people from putting eyes on or having access to your organization’s video. You can just imagine how tactical it can be for “bad guys” to have visibility inside the walls of your business or what a PR or legal nightmare you’d have on your hands if certain sensitive video footage showed up on YouTube.
The goal is to protect the data flowing from end to end: from the camera or access control device through the network to the server and ultimately the storage device. To achieve that, your first step would be to define the protection scheme you want to deploy and then search out components that can readily integrate into that scheme. For instance, some video system manufacturers support a variety of encryption schemes from edge devices to servers. Other system components support encryption from the servers to the viewing client PCs, laptops and smartphones.
Network camera and access control system encryption generally adhere to IT methodologies standards such as .x, SSL/ TLS, HTTPS, and PKI certificates. There are also appliance-based heavier encryption methods available. But because video transmissions are extremely sensitive to transmission latency, anything short of zero latency encryption will likely disrupt recoding capabilities.
Before you make any decisions about encryption, research what your camera and VMS suppliers recommend. Then, to ensure compatibility across the board, surveillance and physical security decision makers should closely align themselves with IT to confirm that the hardware and software products they plan on deploying will meet IT standards for cyber security.
Know what security options are out there
To keep abreast of what encryption and other physical security technologies are on the horizon and what are currently available on the market, you can surf online content from camera and server manufacturers, participate in physical security seminars and trade shows held in the US and around the world, as well as attend traditional IT tradeshows and events where a sizable number of physical security companies participate as well.
The point is to educate yourself and get involved in cyber-security issues early in the vendor selection process whether you own the solution or are supporting the solution on your company’s network infrastructure.
for more news and services, follow us at IELAB.NETWORK