[an error occurred while processing this directive]

Is Your IP-Based Surveillance System Stopping or Aiding Criminals?


Introduction
New technologies are always emerging; however, with growth and change come new areas of risk. The one-time standard for video surveillance, closed circuit TV (CCTV), is being crowded out by IP-based cameras. An important difference between CCTV and IP-based cameras is that the former didn?t allow images to leave the protective confines of the building; whereas, unsecured IP-based cameras transmit live videos or images across the Internet.

It is easy to lose sight of the dangers posed by unsecured IP-based cameras, especially amidst all the promotional fanfare surrounding the latest IP surveillance systems. However, after taking time to do some Google research and reading some objective end-user analysis, it becomes clear that there are very real threats to using unsecured IP-based cameras; in fact, they can become a valuable tool for the criminal.

One voice particularly resounded on the subject of unsecured IP-based cameras and that was Sarb Sembhi's. As a world expert on network security, Sembhi said, "The one thing we can be sure about is that IP surveillance networks will have all the vulnerabilities that other data networks have." These are true words; yet many today overlook the far-reaching effects of introducing IP-based security cameras into their networks.

Problems arise when those who install the cameras are unaware of networking and security best practices. Speaking at a CCTV User Group Conference, Sembhi said that secure protocols are not always being sold with IP-based surveillance systems and that the data transmission setup can affect the level of security.

He makes it clear that anyone can install a camera; however, a true expert is one who merges knowledge of network design and configuration with installation procedures.

IP-Based Cameras: A Game of "I Spy"
A glaring weak-spot in IP-based cameras is that many run internal Web servers with http instead of https for administrative logons. Only https allows for an encrypted session; whereas, http enables unencrypted data, such as user names and passwords, to be transmitted across the network.

Another problem is that these IP-based cameras run insecure file transfer protocol (FTP) sessions instead of a more secure (SSH) session that encrypts user names and passwords during image transfer to a server or client. Because these server connections enable unencrypted data to be sent across a LAN, WAN, or both, unauthorized users can gain access to such critical information as user names, passwords, and IP addresses. With this information, hackers can then attack the network system, potentially gaining access to confidential files and personal customer information. This wealth of information enables hackers to do serious damage to an enterprise and those who are affiliated with it.

Unsecured cameras are also useful tools for those who want to do cyber spying. Because manufacturers use consistent URL strings in their camera systems, anyone with search engine capabilities can gain access to these cameras. If you Google "URL strings in IP-based cameras," you will find some interesting information. One site lists 753 unsecured IP-based cameras across the globe, providing helpful hints for accessing them. As one cyber spy noted, security cameras have become normal webcams, allowing worldwide public access.

What are the ramifications of this cyber intrusion? As we know, loiterers are unwelcome on business property and are promptly asked to leave. However, the hidden presence is the real threat in today's cyber-fixated world.

Some might want to watch your business via the Internet purely for entertainment purposes; however, others have more devious motives. Many are watching because they want to steal merchandise.

These criminals can watch unsecured IP-based cameras from the comfort of their living rooms, giving them ample time to plot an effective attack strategy. At their leisure, they can take notes on the layout of the business and become familiar with the daily routine of the staff. So, while remote access is necessary for authorized users, it also has a special place in the hearts of the criminally inclined.

Scarier still, many IP-based cameras have pan, tilt, zoom (PTZ) features, which allow cyber spies to manipulate camera angles and zoom in on selected areas. When they are ready to make their well-planned attack, criminals can use their access to PTZ features to divert the camera away from their target area, ensuring a clean getaway.

Thieves, who don't want to pound the pavement and physically enter a business, can also use these PTZ features to zoom in on credit card numbers and personal pin numbers, giving them access to customers? financial resources.

So, we know the dangers of the hacker and the thief. What about the dangers of the voyeur? Voyeurs are, in essence, stealing a person?s dignity. Though what they take is not tangible, it does have far-reaching emotional effects for those whose privacy is violated.

As a Google search will show, images and video from retail store cameras, particularly those images from changing rooms, can be seen across the Internet. Businesses have a legal and ethical responsibility, governed by the Fourth Amendment of the Constitution, to safeguard these private images from public exposure. Thus, it is incumbent upon businesses to take reasonable privacy measures that are governed by sound security procedures. The primary focus of these procedures should be to ensure that only authorized staff has access to the server, its systems, and its images and data. As anyone with search engine capabilities can tell, many businesses are in violation of these reasonable security procedures.

When do these security violations turn deadly? The answer: when sexual predators use their access to cameras as a means of tracking their victims and plotting attacks. For example, pedophiles can access school security cameras via the Internet. By monitoring the comings and goings of children and taking note of those who tend to stray from the group, a sexual predator can map out an abduction strategy.

Also, pedophiles can have images of children relayed to another network location, where they can use these images for their own devious purposes. This level of violation is insidious and can threaten the welfare of our most precious resource, our children. What is the Source of the Problem

The problem originates with the quality of the surveillance equipment and the security knowledge of the camera installer. All IP cameras have built-in password protection; however, some of the more expensive models also offer other security features, such as encryption. It is essential for an enterprise?s decision-makers to research the security features of various models and choose one that best fits their security needs. Choosing an IP-based camera that offers the best security features is an excellent first step; however, the next critical step is to have it installed by someone who is cognizant of those features and how they should be implemented within the system network.

The camera installer who lacks security know-how will likely use the camera's default password, not realizing that this provides easy access to the system. Camera installers with basic security knowledge will steer clear of using the default password; however, they may choose a weak password. A weak password does not follow all the necessary security protocols found in a strong password, which must be 8 or more characters in length and include upper and lowercase letters, numbers, and symbols. Thus, we return to Sembhi's point that camera installation has to be coupled with network security know-how in order for a business to be truly secure.

Preventing Network Intrusion
Enterprises have a responsibility to safeguard the personal information, financial resources, and physical/emotional well-being of their employees, customers, and shareholders. For this reason, security must involve more than just buying surveillance equipment, installing it, and having in-house staff monitor it; it must be governed by detailed security practices based on sound policies and procedures.

Every enterprise today needs to understand the network vulnerabilities caused by IP-based cameras. In order to zone in on a particular computer, a hacker only needs to know its IP address---knowledge that unsecured IP-based cameras reveal.

The IP address uniquely identifies a computer or other network device; and once this information is known, a hacker can develop exploits against the system, potentially gaining access to files, user names, passwords, and personal information. Thus, it is essential for today's enterprises to have well-trained security professionals who can properly install IP-based cameras, implement all security mechanisms, and design a network that is safeguarded against potential exploits.

How can your IP-based cameras be secured? Firewalls are one strategy. They prevent an unrecognized IP address from entering into a network. However, as revealed earlier, it is not difficult for hackers to uncover a camera?s IP address and change their computer address to match that address, thereby gaining entry through a network firewall.

So, if a firewall is not foolproof, what is? No one solution in itself can be completely secure. That's why a multilayered approach is always the best solution. A combination of firewalls, routers, and an intrusion prevention system (IPS), coupled with a secure remote access solution like a virtual private network (VPN), will strengthen your network security and provide a unified threat management approach

.

Whether you elect to use an IPSEC or SSL VPN, VPNs are the only way to securely access an IP-based camera through a firewall. A VPN prohibits unauthorized access from the Internet via several means. Importantly, it encrypts all the data that passes down the tunnel so that it would be indecipherable to hackers.

Also, a VPN authenticates via user name and password, making it unlikely that a hacker would even gain access to the encrypted data. However, if the data were compromised in any way, the VPN device would drop the data packets and end the session.

Video: Data Storage Protocols
Crucial in today?s world is long-term data storage and rapid recovery of relevant information. This is particularly true in the case of video images captured from IP-based cameras. These images need to be retained for a specified length of time--some businesses require at least 30-day video storage--and be easily retrievable so that illegal activity on a given day can be thoroughly investigated.

A problem with data storage is that it inundates network servers and slows down network functions. For this reason, storage security appliances are now being used. Along with on-site storage, disaster recovery plans also highlight the importance of off-site storage so that, in case of an on-site disaster, information will be safely stored at an independent facility.

Making sure that data is safe from physical damage is crucial, but it is equally important to ensure the integrity of the data. As mentioned earlier, hackers, cyber spies, and voyeurs are constantly seeking new ways to access private information. Video captured from IP-based cameras often includes private images (e.g., some retail stores have IP-based cameras in their changing rooms).

Every enterprise has a responsibility to protect this stored data from unauthorized access, and data encryption is becoming a key strategy in protecting data.

California Senate Bill No. 1836 was established to protect the privacy interests of employees, customers, and shareholders; it requires California enterprises that are not implementing encryption to notify customers if their records have been compromised.

This bill has nationwide implications and even stronger national laws are on the horizon which will make it mandatory for enterprises to disclose security breaches, even if encryption solutions are being implemented. So, rather than just implementing encryption, the focus is shifting toward stronger access controls in protecting customer databases from unauthorized access.

Because IP-based cameras introduce new levels of vulnerabilities to the computer network, it is essential for enterprises that use surveillance equipment to regularly conduct security assessments, uncover network vulnerabilities, and plug up these known holes. Constantly monitoring for intrusion is also critical.

Ultimately, the responsibility for security lies, not in the hands of the manufacturers who produce IP-based cameras or data storage solutions, but in the hands of those who implement these devices.

Implementing Video Storage
Once you have created a security road map, planned out its execution, and selected a secure IP-based camera solution, your next logical step is a secure and scalable method for storing your IP-based camera data.

With so many storage solutions available, what key factors should you consider? First, define your requirements. As any storage specialist will tell you, these priorities are usually scalability, data protection, and data security. So, should you just store your data on a server or should you use a network storage device? The answer will be determined by the amount of data you will need to store, the level of data protection required, and the amount of high availability your business requires. If you have a repair shop or small store, then the cost-effective solution may be to store your data on a server.

However, if you have 15 or more cameras across a large area, storing this data on a server or group of servers could negatively impact your network performance. In this scenario, it could be more cost-effective to use a network storage device, since it has less impact on your network's performance, has more capabilities, is easier to maintain, and allows you to consolidate data so that your servers can be used for other functions.

If you are going to use a network storage device, look for one that fits your enterprise needs now and can grow with you in the future. An appliance that is capable of NAS, SAN, and DAS right out of the box would give you more flexibility.

It should also integrate with various storage networking technologies in an affordable solution for server consolidation, disk-to-disk backup, and database expansion with a simplified management interface. On the most flexible devices, capacities start at 1TB and can scale to 6TB. Also look for storage devices that offer a wide array of connection methods like iSCSI and Fiber Channel.

These features will make your device more scalable as your environment changes and your storage requirements increase. You may think this is expensive now, but your total cost of ownership (TCO) will be much lower in the future as you will most likely just have to rearrange your architecture rather than rebuild your infrastructure.

Today there are appliances that are specifically designed to address the needs of different size organizations, while providing enterprise-like performance, scalability, and data security and protection.

For the most flexibility, it is desirable to find an appliance that uses an OS specifically designed around storage, preferably a UNIX-based OS, which is much more robust than, for example, a Windows-based OS. In addition, a UNIX-based OS is not affected by viruses.

The Importance of Well-Trained Security Personnel
Well-trained security personnel will remain abreast of the latest network intrusion strategies and block entry at every turn. However, despite best efforts, network intrusion can and does occur. Importantly, is your security staff properly trained to handle a security breach?

What are the policies and procedures that they follow? The best practices outlined by the Scientific Working Group on Digital Evidence and Image Technology (SWGDE/SWGIT) help an enterprise design effective strategies to prevent intrusion and also deal with it when it occurs.

Sadly, in some enterprises, the security personnel are the ones perpetrating the crimes. It is frightening to uncover that those to whom you have given the "keys to your kingdom" are using their security access for unethical purposes (e.g., zooming in on customer credit card numbers).

Most commonly occurring, though, is the unintentional ethics violations. Security personnel may have sound technical knowledge, but they lack training in ethics protocols. Thus, it is essential to ensure that the highest caliber of staff is hired and that they are following sound surveillance procedures. State laws vary regarding video surveillance, so security personnel need to be aware of the regulations governing their state.

For example, there are 13 states that expressly prohibit the unauthorized use of cameras in private places, such as changing rooms, rest rooms, and locker rooms.

Video surveillance cannot be entered into lightly; it is essential for enterprises to protect the constitutional rights of employees and patrons.

The Bottom Line
A badly designed and implemented IP-based camera security program can:

  • Leave you open to network hacker attacks, causing loss of data and intellectual property.
  • Allow criminals to commit crimes by tracking shipments, staff movements, and identifying security vulnerabilities.
  • Leave your company open to both criminal and civil legal action if your negligence in securing video images either violates privacy or results in a criminal act.

About the Author
The Patricia Bennett Group (PBG) has highly skilled security professionals who follow the security guidelines outlined in this paper. Our security specialists have extensive network design and configuration knowledge, enabling them to select top-notch security equipment and implement it with the highest level of security protocols.

For more information on how PBG can assist you, please call our toll free number at 1-877-724-4620 or e-mail us at Security@bennettgrp.com

What PBG Offers
The Patricia Bennett Group (PBG) has highly skilled security professionals who follow the security guidelines outlined in this paper. Our security specialists have extensive network design and configuration knowledge, enabling them to select top-notch security equipment and implement it with the highest level of security protocols.

[an error occurred while processing this directive]