Traditional security integrators tackle cyber risk issues

Dec. 9, 2016
Expansion of physical endpoint devices on client networks challenges the risk mitigation roadmap

In a rapidly changing technology world, the conversation today’s systems integrators have with clients about system security and potential cyber threats is sometimes the elephant in the room.

This is particularly true when you consider the continued expansion of endpoint devices on most physical security systems and the fact that almost all provide a gateway into an organization’s network and thus its treasure trove of corporate secrets and information. As we have seen in recent headlines, perhaps no endpoint device is as vulnerable as the ubiquitous IP network camera. At the recent Axis Communications Conference in Tucson, which hosted close to 300 systems integrators from around the country, cybersecurity and its impact on the integrator community was a focal topic.

One of the key questions posed to a panel of experts was why integrators, consultants, and end-users should be concerned about cyber threats to their video and other operational security. For John Bartolac, a Senior Manager for Industry Segments and Cyber Security with Axis, the answer is simple enough.

“This is a very important question because as I go to these various conferences I see the focus concentrating on data, but at the end of the day, the camera is really just a server just processing data that is coming off an imager being sent through a chip to the VMS platform. So it is data, but the question ultimately is: what kind of value do you put on that data and what can the bad guys do with it if that data does get compromised,” asks Bartolac. “Video that is used to watch trends within an organization, like where VIPs are or where high-value assets are stored is very sensitive. If I was able to get that information and find out trends and how organizations operate on a day-to-day basis, that would be pretty valuable operational info that could be used to penetrate the company. Then you have to consider the denial of service attacks. If I’m able to bring down your entire system, now that becomes super critical since your entire organization is blind. It can be extremely devastating.”

Robert Brown, a Systems Solution Architect with Axis and CISSP, is quick to point out that most data hackers couldn’t care less about the video. Information is the gold standard and in many organizations, the camera can be the portal to information riches.

“There are opportunistic attacks and there are targeted attacks, so if you are trying to steal data from an organization you are going to look for the unlocked door; the weak link, which can be that camera if it is not secured properly. So it is not about stealing the camera, they are about getting access to other systems that may be on that network,” Brown says. “That computer on your network being used as an access point that potentially allows a hacker to get onto your system has always been my biggest concern. You don’t want to be in that media room a day or two after a hack and realize there has been a breach and now your team has to sift through the bread crumbs to find out when it happened and how it happened. You don’t want to be that weak link in any sort of cyber attack.”

When it comes to the law enforcement perspective, Detective Constable Kendrick Bagnall, a member of the Toronto Police Services Computer Crime Unit, warns system integrators to assess risk and mitigate what they can. He insists many incidents may be beyond their control, but the key is to manage what events you can from the outset.

“From a law enforcement perspective, there are two things that are beyond your control when it comes to a cyber threat. You can’t control the motivation for the attack and you can’t control their skill sets. So as consultants and integrators the things you need to focus on are circumstances that are within your control. And certainly you are able to control the solutions and technology you provide to address these threats,” Bagnall confides. “The cameras on the network and the other fringe or edge technologies are effectively access points. I can tell you about walking into organizations where I’ve seen VoIP phones in the lobbies that are unsecured and there was nothing behind it that was secure. I was able to unplug the VoIP phone and connect a laptop providing me access to the entire network. Whoever the integrator was that installed that device really didn’t take control of his environment. They failed in taking control in terms of securing the endpoint. Your customers are entrusting you with the keys to the kingdom, so you have to have a solid cybersecurity roadmap when you begin the project.”

Bagnall added that the value of video evidence should not be diminished and that it carries huge potential for any investigation. “From an evidentiary perspective, there are certain things we are looking for at a crime scene like DNA and fingerprints. But next to those two key elements, your video can be among the most compelling pieces of evidence you have. We have had investigations where we’ve been able to pull video off of social media feeds with suspects that matched the descriptions and clothing they are now posting on their social media. So the video, apart from being an access point in terms of the physical technology, from a law enforcement perspective is huge because it offers key investigative help.”

There is also the constant question of whether segmenting or isolating your security network can help mitigate the cyber risk for an integrator’s project. Having a plan to provide an environment where all your endpoint devices can coexist on the same network is crucial for a successful deployment.

“I have to laugh a bit when people say you can eliminate the risk in anything you do. It is about making the challenge more difficult. In the end is it worth somebody’s time trying to hack into a system, and if network segmentation can be part of that solution so be it. I firmly believe if you can do some of this segmentation or work with your networking partner to put viable policies in place so you can isolate the traffic you can then implement other controls on top of that to provide a layered approach to security,” says Brown. “You can begin to look for other sorts of behavior that say if a device on this segment is using this port that is a red flag, so as part of another comprehensive monitoring system in place we can begin to find that needle in the haystack. It is not a complete solution and doesn’t eliminate all risk but it is certainly a step in the right direction.”
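The per-segment port check Brown describes can be sketched as follows; this is an added example, not code from the article or from Axis. The camera segment, the allowed destinations and ports, and the flow-record format are all constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Assumed layout: cameras live on their own segment inside a 10.0.0.0/8 network.
CAMERA_SEGMENT = ipaddress.ip_network("10.20.30.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# Allow-list for the segment: (destination network, protocol, destination port).
ALLOWED = [
    (ipaddress.ip_network("10.20.40.10/32"), "tcp", 554),  # video stream to the VMS
    (ipaddress.ip_network("10.20.40.10/32"), "tcp", 443),  # HTTPS to the VMS
    (ipaddress.ip_network("10.20.40.20/32"), "udp", 123),  # time sync
]
# Constructed flow records: "timestamp src dst proto dport".
SAMPLE_FLOWS = """\
2016-12-09T10:00:01 10.20.30.11 10.20.40.10 tcp 554
2016-12-09T10:00:02 10.20.30.11 10.20.40.20 udp 123
2016-12-09T10:00:05 10.20.30.12 10.20.50.7 tcp 445
2016-12-09T10:00:09 10.20.30.12 203.0.113.50 tcp 23
2016-12-09T10:00:12 10.20.50.7 10.20.40.10 tcp 443
not a flow line
"""
Alert = namedtuple("Alert", "ts src dst proto dport reason")

def parse_flow(line):
    """Return (ts, src, dst, proto, dport), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))
    except ValueError:
        return None

def red_flags(flow_text):
    """Flag traffic that starts on the camera segment but is not on its allow-list."""
    alerts = []
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        ts, src, dst, proto, dport = flow
        if src not in CAMERA_SEGMENT:
            continue  # other segments are covered by their own policies
        if any(dst in net and proto == p and dport == port for net, p, port in ALLOWED):
            continue
        reason = "unexpected internal peer" if dst in INTERNAL else "unexpected external peer"
        alerts.append(Alert(ts, str(src), str(dst), proto, dport, reason))
    return alerts
```

Because the segment has only a handful of legitimate destinations, anything outside the allow-list stands out immediately, which is the layered monitoring benefit of isolating the traffic first.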

Bagnall insists that one of the most sensitive areas in the cybersecurity matrix is the employees signed into the network. Social engineering and internal threats are among the most common stress points for any organizational network and perhaps the worst addressed, according to Bagnall and Bartolac.

“There is one thing that is always left out when we are discussing cybersecurity and it is the art of social engineering – the art of human hacking. No network is completely secure or infallible and the problem that a lot of consultants and integrators run into is the approach is not correct from the beginning. The system has to be designed and implemented as if it will be compromised. It is a difficult position to take, but if you approach it from that mindset then you start engaging with law enforcement and security consultants and you start pre-planning what the post-incident response will look like,” concludes Bagnall.

Bartolac says there are avenues an organization can take beyond segmenting to help curb internal threats.

“I think we will all agree that the majority of organizational breaches are internal. So it is important that we as the community make the customers aware of certain risks, but stress we can’t control that social aspect of it. We have to ask that beyond segmenting the system, which is not going to solve all the problems, what else is out there,” he asks. “There are some things I’m seeing now that are options like masking a network so it is not seen. We also have companies making switches that coexist within a Cisco and an Avaya network framework that actually focus on the physics of what’s happening on the network. So if you see you’re getting multiple hits on the board, this thing is actually monitoring the heat temperature and sensor of the traffic and looking at the physics of the network to provide alerts. These are things hackers cannot exploit. It is impossible to exploit the physics of the network.

“Bottom line, it comes down to the social responsibility of the organization and building that into the entire conversation with the customer as you plan out their system.”