“DVRs commonly had two network interface cards, one for the device network and one for the operational network, so IT departments felt confident in only having to monitor two connections.”
cern if something has changed or happened and which account was involved. Sadly, in the security industry this rarely happens.
It is typically one admin account for all devices which is not ad- equate. Admin privileges should only be reserved for those who un- derstand network security management. We’ve even seen the same username and password used for every account that an SI services. In this case, the SI believed this made it secure since it was “their” password (used across hundreds of sites) and not the end users.
As privacy concerns arise, it is also important to demonstrate that not everyone has the same privileges to view security footage. The principle of least privilege states that a subject should only be given those privileges required to complete its task. As an ex- ample, privacy masking at the edge is a popular way to blur faces captured on security cameras. Only certain senior-level users or admins should have the privileges required to expose identities or view certain streams as part of a documented event. This demon- strates accountability within operations and security departments and goes a long way towards building good will.
4. No one can use an end-point device as an attack vector. It can be hard to imagine, with so many attack vectors out there (malware, ransomware, phishing, and compromised or weak cre- dentials), that a network camera would be a legitimate target that hackers would seek out. In fact, the exponential growth of IoT de- vices on corporate networks has made end-point devices a major target for bad individuals both inside and outside of a company.
Not long ago, a major manufacturer suffered a Distributed De- nial of Service (DDOS) attack that was waged in part from anoth- er company’s unsecured cameras that were co-opted by a botnet. The vulnerability of those cameras had been previously detected, and the camera manufacturer had issued a firmware patch to ad- dress the weak point, but unfortunately, it had not been applied.
When it comes to ensuring cyber security for end-point devic- es, everyone shares some of the responsibility. The manufacturer must ensure that their device is properly designed to thwart at- tempts to gain access to the camera or its accompanying network infrastructure. If a vulnerability is discovered, it is the manufac- turer’s responsibility to address the situation, issue an update that remedies the problem and notify their suppliers and partners.
Once such an update is available, it’s the responsibility of the reseller or integrator to notify end users that the update is avail- able and ensure that it is installed. This is also why it’s so impor- tant to have a service contract in place that provides continual maintenance and updates. The end user is also responsible for making sure their devices are regularly inspected and adheres to any regulations or best practices that their industry requires.
5. Data in the cloud is safe and secure. This popular myth is based on the belief that when utilizing a cloud-based security system, it is solely the cloud provider’s responsibility to ensure everything is cyber secure. While it is true that the cloud provider is responsible for the security of their datacenter, the access to media on the cloud is still in the domain of the user.
Not long ago, a cloud-based security provider suffered a ma- jor breach because super admin-level credentials were widely shared by more than 100 employees. Those credentials ended up online, which let hackers have access to more than 150,000 cam- eras. The best things about the cloud (scale) can also be the worst things about the cloud when things go wrong. So, it is paramount to choose a cloud provider with a proven track record of cyber security that uses best practices for how data is accessed.
Cloud vendors can vary widely regarding the levels of protec- tion offered. It is critical to conduct due diligence and understand what your service level agreement (SLA) is with a cloud provider. There are different SLAs for different types of clouds. For ex- ample, if you’re using a cloud provider just as a container, then typically you’re responsible for all of the security.
It is advisable to perform a security-focused vendor assessment, such as the one created by the National Institute of Standards and Technology (NIST), prior to signing up with a cloud provider. Are they Criminal Justice Information Service (CJIS) or System and Organization Controls (SOC) compliant? How do they vet their employees? How do you ensure that your data isn’t mixed with other people’s data? How do they manage access control so that only the authorized people have access to your content?
Many verticals have their own methods for vendor assessment such as HECVAT for education and HITRUST for health care. If you’re in a regulated environment, you need to ensure that whatev- er design implementation, policy or process that you are required to adhere to is represented in the cloud workflow you adopt.
There are plenty of myths and long-held beliefs in our indus- try about how to best protect security systems and network infra- structure. Some of these may have represented adequate protec- tion years ago, but as we all know, technology evolves quickly, and with it, so do the tools and techniques designed to take ad- vantage and exploit any perceived weaknesses.
In our rush to make things work and move onto the next task, it can be tempting to take shortcuts and calculated risks that may seem unlikely to result in a serious event. We’ve also heard from people that no one could possibly care about these mundane video feeds — until they are forced to — when a company’s intellectual property is compromised, or someone uses an unprotected device to inject malware and ransomware that brings an organization to its knees.
With everything you do to help protect people and assets, don’t toss it down the drain by relying on outdated information. Make it a priority to stay on top of the basics
of cyber security.
Will Knehr is the senior manager of Information Security and Data Privacy at i-PRO Americas Inc.
40
SEPTEMBER/OCTOBER 2022 | SECURITY TODAY
CYBER SECURITY