Today’s businesses must deal with enterprise security in a fully integrated manner, addressing security concerns before they turn into problems. In prior decades, the concepts of closed-circuit television (CCTV, also known as video surveillance) and enterprise security were completely different topics, addressed by different personnel with separate and specific roles within the organization. But after the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a security alert highlighting possible exploits of certain surveillance equipment, it is clear that this can no longer be the case. Chalk this up to yet another way the roles of CIOs and CTOs and InfoSec personnel are continuing to expand, integrate, and blur.
With the news headlines of the last few years including some of the biggest and most reputable companies suffering breaches and exploits, the loss of reputation is just one of many negative factors that makes security a valuable and indispensable investment.
Security flaws, potential vulnerabilities, and consequences
Security systems have been the target of hackers for years, and many common issues stem from the usage of older technology. The basic security protocols on internet-enabled devices often involve preset passwords and insecure connections, which always concerned security experts. And many of these exact vulnerabilities have been exploited in recent hacks.
Specific faults in the design and architecture of some cloud-based camera systems make them perfect targets. Along with the simple security measures, many of these systems use wireless transmission to send information, which is not encrypted and susceptible to being intercepted. Malicious individuals can use a device to capture the transmissions and modify the signal. Other faults in the design allow hackers to access the cameras through the cloud and control the device with administrative privileges.
In 2016, the concerns of security experts came to fruition. Hackers using malware installed on cameras, routers, DVRs, and other devices launched a massive distributed denial of service attack (DDoS) disrupting major services including Netflix and Twitter. The attackers turned Internet of Things (IoT) devices into remote control machines in an attack referred to as Mirai, where over half a million units were affected by the exploit. These Mirai devices were part of other attacks as well, including one on security journalist Brian Kreb. The code for this attack was published, and copycats developed even more sophisticated versions.
How to select the right devices
Most security experts agree that installing updates and patches is a reliable way to increase security on devices and reduce their potential exploits. However, end-users need systems that are more intuitive and automatic. When selecting commercial security systems, look for solutions that offer built-in security, including automatic updates that do not require user interaction. Therefore, when circumstances arise and the provider detects a vulnerability, a patch can be pushed through to the camera. This allows companies of all levels to focus on managing their business instead of having to focus on securing devices.
Several other factors mark a difference between enterprise surveillance providers. Among these is the type of security that the vendor uses in handling the recordings. Much of the technology readily available either uses no encryption or partial encryption or requires user interaction to turn on the option. Given the sensitivity of the data, encryption should be a default standard. If a hacker does access the system, the data should be protected by a high level of encryption at the very least. Furthermore, access to this information should use two-factor authentication and needs to be logged so that administrators are aware of who is accessing the video. When selecting providers, look for these features to guarantee that your company is protected from vulnerabilities that hackers are continually looking to exploit.
