Physical security is great. It's one of the core pillars of solid cyber security. But sometimes, improving one facet of security can damage another. We have seen a large uptick in this lately, especially with one aspect of physical security: surveillance.
Good surveillance of your critical areas is essential to strong cyber security. Having a visual record of key doorways and of areas holding high-value assets is like having good, centralized logging. At the very least, it can help discourage unwanted behavior. Should that not be enough, surveillance cameras can provide valuable evidence of wrongdoing.
However, implementing surveillance the wrong way can put your cyber security at much higher risk.
Many surveillance companies still use a methodology called "pinholing" to give staff outside the facility monitoring access. Using this method, when someone connects to a particular public IP address and port, that traffic is "pinholed" right through the firewall directly to the device. The device normally presents a web page that requires credentials to log in.
So far, not too bad. However, a few things come into play here. First, the surveillance device is using web server software to present the login page, and new vulnerabilities in this sort of software are found routinely. Second, because it is considered an internal system, and is typically maintained by different people than your network security, the surveillance system is often not updated with security patches nearly as often as the firewall. In fact, most surveillance companies are slow to release security updates, and may discontinue them entirely once a product version is no longer actively being sold. In many cases we've seen, the surveillance system is never updated after the original install.
If you configure your firewall so that only specific, well-known outside IP addresses are allowed through the pinhole to the surveillance system, then you've pretty much mitigated the risk. However, that's generally not how this type of access works. Management may want the ability to remotely access the cameras when they are at home, on the road, or from their mobile phone. In those cases, the pinhole is left open to the entire internet, often on well-known ports that hackers constantly scan for vulnerabilities. So as soon as a vulnerability in the surveillance system is discovered, cyber criminals can slide right past your highly secure, highly maintained firewall into the depths of your business network and start their leisurely work of seeing what they can breach on your internal systems.
Of course, it's not just security systems that pose this risk. A plethora of Internet of Things (IoT) devices can pose the same risk: nanny cams, receivers, TVs, any non-hardened device that is directly exposed to the internet. In fact, some famous breaches, such as the Target breach a few years back, stemmed from this very type of attack (in that case, an HVAC control system).
There are a few ways to minimize this risk. A common one is to set up an isolated network or a DMZ where the surveillance system lives. That way, even if it is compromised, the hacker will not be able to get to your internal business systems. This does take some special configuration of your firewall to give consistent internal and external access to the surveillance system, but it is something that most security administrators can easily do. The challenge comes if you don't have this isolated or DMZ network set up yet, as it can take a non-trivial amount of time to set up the initial network isolation and firewall routing.
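Here is what the two mitigations above (a pinhole restricted to known source addresses, and a surveillance DMZ that cannot reach the business LAN) look like as an nftables ruleset. This is an added example, not SpotLink's configuration or any vendor's; the interface names, subnets, NVR address 10.0.99.10 and the viewer addresses are constructed for illustration.

```nftables
# Constructed topology (assumption): internet on eth0, business LAN 10.0.10.0/24
# on eth1, surveillance DMZ 10.0.99.0/24 on eth2, NVR at 10.0.99.10 on HTTPS/443.

table inet surveillance {
    # Constructed list of the outside addresses management may connect from.
    set remote_viewers {
        type ipv4_addr
        elements = { 203.0.113.25, 198.51.100.7 }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # WEAK: the classic pinhole. Anyone on the internet who hits port 8443
        # lands straight on the NVR's web login page. Left commented out.
        # iifname "eth0" tcp dport 8443 dnat ip to 10.0.99.10:443

        # CORRECTED: same pinhole, but only from the enumerated source addresses.
        iifname "eth0" ip saddr @remote_viewers tcp dport 8443 dnat ip to 10.0.99.10:443
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept

        # Staff on the business LAN may view the cameras.
        iifname "eth1" oifname "eth2" ip daddr 10.0.99.10 tcp dport 443 accept

        # Pinholed (DNATed) remote sessions reach only the NVR's web port.
        iifname "eth0" oifname "eth2" ip daddr 10.0.99.10 tcp dport 443 ct status dnat accept

        # The NVR may fetch vendor updates from the internet...
        iifname "eth2" oifname "eth0" tcp dport { 80, 443 } accept

        # ...but may never initiate anything toward the business LAN, so a
        # compromised NVR cannot pivot. Logged so the attempt shows up in SIEM.
        iifname "eth2" oifname "eth1" log prefix "DMZ->LAN blocked: " drop
    }
}
```

Anything not explicitly accepted in the forward chain, including traffic from the DMZ to the LAN, falls through to the chain's drop policy.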
A better way now is to use a cloud-based, or cloud-accessed, surveillance system. These don't require any pinholing, as the system communicates only with the vendor's cloud service. The user then accesses the vendor's website to view the surveillance cameras. These vendor websites ARE hardened and updated on a constant basis.
At SpotLink, we have designed, deployed, and maintained some very economical cloud-accessed surveillance systems. These enable our clients to roll out a physical security system that enhances their cyber security right from the outset.
Please reach out to us if you have, or are interested in adding, surveillance to your physical security layer, and we will gladly go over your options with you.