Network Communications News (NCN) December 2016 - Page 23

IP security updates a name server in the Domain Name Server (DNS) to enable the user to find the DVR. This allows a potential attacker to find hundreds or even thousands of vulnerable devices simply by testing domain names. Many DVRs also run on distinctive ports, so an attacker knows exactly where to look to find them on a server. Further problems are created by manufacturers, who provide few, if any, automatic firmware updates to fix bugs and often include ‘back door’ functionality which is then shared on the web.

To highlight these issues, the independent consultant ran two experiments. First, five routers, DVRs and IP cameras running the latest available firmware, in their default configuration, were placed onto the open Internet. Within minutes, attackers had begun attempting to use common logins; one device fell to this basic intrusion. Within a few hours, each device had been port-scanned, and within 24 hours two had been entirely compromised and were under the control of an unknown attacker. The attacker was free to access the network the device was connected to, install their own software and transfer data back out. Another device was left in an unstable state after an attempted attack, rendering it inoperable.

Secondly, the consultant tested 15 DVRs to look for bugs and manufacturer ‘back doors’ and found that none were free from serious vulnerabilities. Some took many hours to breach, but the majority took less than an hour. Without the ability to update firmware, these vulnerabilities can persist for years, leaving an organisation’s entire network exposed.

There is also a lack of oversight by users because footage may rarely be looked at and the user interface provides no feedback as to what is going on inside the CCTV systems. This means problems may not be discovered until long after a security breach has occurred.

Get off of my cloud!

Not all cloud systems are secure.
Dedicated cloud based solutions are designed with built-in Internet connectivity and features such as remote video streaming and data back-up, so in principle should offer improved security. However, most IP cameras support incoming connections using Real-Time Streaming Protocol (RTSP). A large number of cloud video providers recommend using port forwarding to allow access to the RTSP stream of the IP cameras from outside the firewall – creating the same problems discussed earlier.

Data security is also a potential concern. The independent consultant carried out a passive survey of popular cloud-based video websites which found many common security mistakes, including use of insecure protocols, poor configuration of secure protocols and a lack of encryption or digital signatures.

However, many cloud based systems offer well thought out security and data protection standards, providing better security for a lower cost. Organisations should look for authentication, end-to-end encryption with SHA-2 and TLS and a digital signature to ensure data integrity. Cloud based systems also provide the physical security of holding data in a remote location, provided it complies with Data Protection regulations.

Intelligent IoT camera adapters are also available which only allow encrypted outbound connections to specific cloud based services, and can be retrofitted to existing analogue and digital cameras. Authorised users can then access the footage from any device and location using standard Internet connections. Such adapters only require a fraction of the processing power of a full DVR, so are much less useful to a potential attacker.

More secure systems should be on the way.

Securing your system

While cloud may offer a medium to long term solution to CCTV security, there are some additional steps that organisations can take immediately to increase the security of their existing systems.
First, they should ensure that usernames and passwords have been changed from the default state and are of sufficient strength to prevent immediate access.

Second, they should ensure that they comply with the recommendations of the Information Commissioner’s Office and the Surveillance Camera Commissioner by ensuring that all CCTV data is encrypted when in transit and when stored to prevent it being used for unauthorised purposes.

Finally, they may be able to address some of the security issues outlined above, for example looking proactively for software upgrades, using different ports and avoiding Dynamic DNS. They should also make regular checks to ensure that their system is still working correctly and has not been breached.

Looking to the future, the European Commission is drafting new cybersecurity requirements
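
The data-integrity requirement described under "Get off of my cloud!" (SHA-2 plus a digital signature), shown as an added example that is not part of the original article: a tamper-evident manifest for recorded footage. HMAC-SHA-256 from Python's standard library stands in for the digital signature here, and the key, segment contents and function names are assumptions constructed for illustration.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # chain start value (assumption for this example)


def _tag(key: bytes, index: int, seg_hash: bytes, prev_tag: bytes) -> bytes:
    # Bind segment position, content hash and the previous tag into one MAC.
    msg = index.to_bytes(8, "big") + seg_hash + prev_tag
    return hmac.new(key, msg, hashlib.sha256).digest()


def build_manifest(key: bytes, segments: list[bytes]) -> list[dict]:
    """Return one record per video segment, each chained to its predecessor."""
    manifest, prev = [], GENESIS
    for i, data in enumerate(segments):
        prev = _tag(key, i, hashlib.sha256(data).digest(), prev)
        manifest.append({"index": i, "tag": prev.hex()})
    return manifest


def verify(key: bytes, segments: list[bytes], manifest: list[dict]) -> list[str]:
    """Return a list of problems; an empty list means footage matches manifest."""
    problems = []
    if len(segments) != len(manifest):
        problems.append(f"segment count {len(segments)} != manifest {len(manifest)}")
    prev = GENESIS
    for i, (data, rec) in enumerate(zip(segments, manifest)):
        recorded = bytes.fromhex(rec["tag"])
        expected = _tag(key, i, hashlib.sha256(data).digest(), prev)
        if not hmac.compare_digest(expected, recorded):
            problems.append(f"segment {i}: content or order does not match manifest")
        prev = recorded  # continue from the recorded tag so faults stay localised
    return problems


# Constructed sample data: three fake "video segments" and a demo key.
KEY = b"demo-key-not-for-production"
FOOTAGE = [b"segment-0 frames", b"segment-1 frames", b"segment-2 frames"]
MANIFEST = build_manifest(KEY, FOOTAGE)

if __name__ == "__main__":
    print(verify(KEY, FOOTAGE, MANIFEST))                        # untouched footage
    print(verify(KEY, [FOOTAGE[0], b"edited", FOOTAGE[2]], MANIFEST))  # edited segment
    print(verify(KEY, FOOTAGE[:2], MANIFEST))                    # deleted tail
```

Truncating the footage and the manifest together is not detected by this check alone, so the most recent tag should also be kept somewhere the recorder cannot rewrite.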