For years I’ve been finding flaws in IP-based video and access control systems. The problem is everywhere — in businesses and government agencies both large and small. It is a security risk I covered in depth in my recent SecurityInfoWatch.com webcast, Building and deploying secure video and access control systems (http://bit.ly/si1uSP).
Creating a security flaw with these unsecured video and access control systems happens pretty easily. Here’s how:
1. A team (typically physical security) decides to install the latest and greatest video monitoring or building access control systems on the network.
2. IT and information security is kept out of the loop, or worse, IT and information security don’t even want to be in the loop.
3. The systems sit unsecured on the network waiting for a rogue insider or malicious outsider to exploit.
This ongoing disconnect between physical security, IT and information security is something that must be addressed. In so many cases I see, there’s no real oversight. I also believe there is a lack of information security training and foresight on the part of systems integrators who are often installing these systems. But the bad guys don’t care. All they know is the vulnerability is widespread and the odds of not getting caught are in their favor.
Anyone on the network with any lick of sense can simply load up a Web browser, connect to these devices (or directly to the central management console) and then control, reconfigure or reset them at will. With so many of these network-based systems seemingly full of misconfigurations and security holes, it makes you wonder why they are even being used at all. It can be argued that they are creating even bigger security problems than they are solving, and that’s the irony of it all.
Although this issue has been around for years, it seems it is just now starting to get the attention it deserves. Apparently, mismanagement of security systems is widespread, even among law enforcement. According to a recent story in the Los Angeles Times (http://lat.ms/uoaJHb), the L.A. Police Department had numerous cameras that were broken or never even hooked up. A recent SecurityInfoWatch.com story (www.securityinfowatch.com/10617679) highlighted the vulnerabilities in videoconferencing systems — a similar technology with the same problems. The reality is, if a system has an IP address or a URL — two things these video and access control systems happen to have — then they are fair game for attack.
So, the question is, of course, what can you do about it?
Network-based video and access control systems are no different than any other host or application you set up in your environment. You must step back and think through how your current information security standards and policies apply and then take the proper steps to make security a reality. Most importantly, never assume that your integrator or IT staff have properly secured these systems. The “someone else will take care of that” approach can get you into a real bind, especially if you have a serious physical intrusion or related matter that requires a detailed investigation or ends up in court.
You cannot secure what you don’t acknowledge. Get these systems on your radar and the radar of those who are ultimately responsible for information security. Any system that connects to your network — regardless of what it is or what it does — needs to be locked down from the elements. Otherwise, it’s a vulnerability creating business risk that, no doubt, some threat will exploit in the future.