Recent, high-profile attacks against video surveillance systems have underscored the importance of choosing cyber secure video technology.
The fallout from a hack can be devastating, exposing highly sensitive data on the Internet, reducing customer confidence, and raising the risk of litigation and financial liabilities.
It’s imperative that businesses choose products they can trust and manufacturers with a solid reputation for investing in cybersecurity and data protection measures. Sometimes this involves digging deeper beyond the headlines and into a company’s background, R&D, and product manufacturing processes.
Here are some important things to consider when evaluating a video surveillance solution from a cybersecurity perspective:
What’s encrypted and what’s not?
While many video surveillance systems offer encryption in transit, which prevents third-parties from accessing data while it’s in transmission by keeping it encrypted until it reaches its endpoint, complete end-to-end encryption is the highest level of protection for your data. Data represents not just video and audio, but also includes metadata such as GPS data, alarm panel data, analytics data, POS data, or ATM transaction data.
Complete end-to-end encryption goes beyond just encryption in transit and includes encryption at rest so that every aspect of your data is protected. Encryption at rest is the process of encrypting data that is stored on physical media. With complete end-to-end encryption, data is encrypted both as it travels from camera to recorder and from recorder to client software, as well as on stored physical media.
Higher levels of encryption can sometimes impact CPU performance, so talk to your video provider about striking the right balance for your needs.
Operating System (OS) security
There is much debate about the security of Linux versus Windows Operating Systems (OS) in network video recorders (NVRs). While any system can ultimately be exploited, I would argue that an appliance with an embedded Linux-based OS is more secure when it has been customized for the sole purpose of recording video. The Linux-based OS in March Networks recorders, for example, is hardened, removing unnecessary services, so that there are fewer opportunities for cyberattacks.
Further, when a Linux-based OS system is customized, it is not dependent on a third-party for security updates and there is no risk of auto-applied system updates that could have a negative impact on the system. It also has tighter control over what an application has access to, making it more difficult for malicious software to gain access to the system. And for an additional layer of security, Linux has a large developer pool for its open source OS code, making it more likely that any security loopholes will be caught quickly.
Who has access to the system?
The high-profile breach that took place earlier this month allegedly involved the use of a “Super-admin” account, where one person had unlimited access to all cameras on the cloud-based system. Obviously, this type of unrestricted access is a security threat so talk to your video provider about their policies on user rights and access. (As an aside, March Networks does not have a ‘Super User’ or ‘Super Admin’ mode that could access all of our customer’s systems.)
Whether in the cloud or on-premises, a good video provider should offer tight controls over user rights and management, allowing administrators to make very specific profiles that give or restrict access for individuals using the system. This ensures that more junior or entry-level employees see only what they need to do their job; it also allows system administrators to audit user access and see who accessed what and when.
Password security sounds simple, but it’s amazing how many breaches take place due to lost or stolen passwords. A good video surveillance provider will not use fixed or hard-coded passwords on its devices, and will also encourage frequent password changes and the creation of complex passwords.
With March Networks recorders, for example, every client receives a unique one-time password for initial set up. They are then prompted to change that password to a complex, multi-character password.
Scanning for ongoing threats
Since cyber threats are constantly evolving, it is important to consider what other features can be built into your video surveillance solution to notify you in the event of a potential attack.
Some systems have security alerts and alarms built in, so you’ll get an alert if there’s any unusual attempts to access the recorder, such as repeated login failures or a potential distributed denial-of-service (DDoS) attack.
Choosing a video surveillance provider that constantly monitors for vulnerabilities and communicates all necessary information is also imperative so that issues can be fixed before an attack occurs. March Networks’ Security Updates and Advisories Program assesses vulnerabilities, determines how they affect the products or software you’re using, and alerts you so that it can be addressed.
Click here to learn more about March Networks’ cybersecurity practices or share your questions or comments below.