For the last seven years I have been working with questions related to cybersecurity. I have been investigating concepts and defining methodologies, security controls, vulnerabilities, policies and processes. In more recent years, I have been looking at common cyber security threats, common mistakes, and common concerns within in our ecosystem, and felt it would be good to bring them into a single post.
Risk management and threat assessment
When I entered the cybersecurity ‘rabbit-hole’ I began by looking at what security features our products had. From there I started building maturity. To me, cyber maturity means that you have a decent understanding of the threats you are faced with, have some understanding of the risks, and also understand how to mitigate these risks. Risk management is challenging as there is a probability and an estimation of potential negative impact. That is a guessing game. And this can only be defined or estimated by the organization that operates a system.
Threats on the other hand will be the same regardless. Threats are all over. A threat does not mean that bad things will happen. We all have a threat of a meteoroid falling from the sky and hit us in the head. That impact may be lethal but the odds are slim. It is low risk.
Threats to IT systems comes in all shapes. Cybersecurity threats are much more vast than those commonly read about in the media: hackers, viruses, and malware. The key things to protect in an IT system are commonly referred to as confidentiality, integrity, and availability. Anything that negatively impacts any of these areas is a cybersecurity incident. Hardware failure is a threat that impacts availability and is thus also classified as a cybersecurity incident.
Deliberate or accidental misuse of the system
People who have legitimate access to a system are also the most common threat:
- Individuals may access system services (e.g. video) that they are not authorized to
- Individuals steal
- Disgruntled individuals may cause deliberate harm to the system
- Individuals may try to fix things while the result is reduced system performance
- Individuals makes mistakes
- Individuals are susceptible to social engineering
- Individuals may lose or displace critical components (access cards, phones, laptops, documentation, etc)
- Individuals’ computers may be compromised and unintentionally infect a system with malware
And some of the most common vulnerabilities that provide an opportunity for the threats to impact the system are:
- Lack of cyber awareness in organizations
- Lack of policy and long-term processes to manage risks
These factors will typically result in poor account management and giving too many users too many privileges and access. This is often driven purely by convenience.
A video management system (VMS) has, potentially, numerous users accessing live and recorded video from the video management server. VMS software provides user account management with different privilege levels for the users. All the customer needs to do is define the policies and put processes in place to maintain those policies over time.
Cameras themselves do not really have users; they have clients. It is not intended for John, Bob or Jane to have accounts in the camera - individuals should never be allowed to access cameras during daily operation.
A device should have one account for administration, one account for daily operation clients (the VMS) and use a temporary account for maintenance and troubleshooting. One of the most common mistakes when deploying a video system is when all three roles share the same account. That account password may easily spread within the organization, creating an opportunity for deliberate or accidental misuse. It is essential to follow the manufacturer’s recommendations and hardening guides.
Physical tampering or sabotage
Physical protection for IT systems is very important from a cybersecurity perspective:
- Physical exposed gear may be tampered with
- Physical exposed gear may be stolen
- Physical exposed cables may be disconnected, redirected or cut
Cameras themselves are not only susceptible to tampering; they may also expose network cables. This may provide an opportunity for network breaching. The list of common vulnerabilities that may provide an opportunity for a threat to exploit are:
- Network gear such as servers and switches not placed in locked areas
- Cameras are mounted so they are easily reached
- Cables are not protected in walls or conduits
- Cameras are mounted with insufficient protective housing
Follow vendor guidelines. Common sense gets you a long way.
Mitigating the risks and impact of a breach
A breach is when someone bypasses one or more security controls in order to gain access to a system resource. There are many examples of attack vectors to breach a system. Social engineering is one of the most common and effective. It is basically a risk-free attack vector.
How much sophistication is required to breach a system depends on what security controls are added as obstacles. Any system exposed to Internet, meaning that you can access that resource from your home, gives a remote attacker an opportunity to probe and find potential vulnerabilities to exploit. This is what cyber criminals and script-kiddies do all day long.
The common mitigation technique for reducing risks is reducing the exposure. Video systems are typically not exposed to Internet and it is not recommended to do so. This will automatically reduce the risk of remote adversaries exploiting potential vulnerabilities and breaching the system.
For video systems, the common vulnerabilities relate to the physical exposure of devices. Without any protection, anybody that can reach a camera may be able to highjack the ethernet cable. There are a number of security controls that can be added if this would occur including adding additional firewalls, network segmentation and network access control (802.1X). Following the vendor’s recommended guidelines is important to reduce these risks. The products and hardening guides provided by vendors will also include recommendations and security controls that reduces the risks, even if a malicious attacker gains network access.
Preparing for more sophisticated cyberattacks
If you are not able to manage the most common threats, there is no need for an adversary to use more sophisticated efforts. Sophistication requires skills, time, determination and resources. The threat of sophisticated attacks towards a video system does exist but is not common. Video system breaches are hard to monetize and will thus reduce the interest for cyber criminals. But video systems protecting critical infrastructure do have an increased risk. Such organizations are fighting against determined and well-resourced adversaries such as nation-state and cyber terrorists. These organizations have already added security controls for common threats. The adversary needs to use more sophistication. How Axis can help reduce those risks is a topic for a future article.