Taking a Practical Timely Opportunity to Evaluate the Security of Your Cloud Video Surveillance Solution

Written by Stan Mierzwa, M.S., CISSP, Director and Lecturer, Kean University Center for Cybersecurity and Eliot Perez, IT Security Analyst, CSA NJ Chapter

These days, it is not unusual to walk too far before you see the endpoint of a video surveillance system.

Consider the cameras you have seen on homes, at traffic stop lights (look up), in stores, at the gym, in your workplace (when you are back in the office), transportation centers, warehouse facilities, and the list can go on and on. Video surveillance is a necessity in many environments where having the ability to review video footage following incidents; or the ability to get live feeds in the name of security is warranted. In many cases, video surveillance will be coupled with having the ability to obtain alerts, based on motion or other sensors, to bring up video instantaneously. There are many use cases for video surveillance that make security-sense. Through the Internet of Things (IoT) movement, the growth of IP-based video surveillance system is considered one of the fastest increasing elements in this evolution. In a report from Allied Market Research, the video surveillance industry’s annual growth is expected to reach $144.8 billion by 2027, an increase of 14.6% (CAGR) between 2020 to 2027 (Allied Market Research, 2020).

If you are in the cloud security business, when you see the endpoint of a video surveillance camera, one question that should arise is where and what is that camera connected to?

There are a variety of options for the termination of the cameras. These can include connection to:

1. A centralized video security center enterprise server system, housed on premise or with IAAS
2. An appliance, as in the case of smaller systems that may be used in homes or small businesses (think security camera systems that can be purchased in warehouse club store)
3. A cloud-based shared system
4. A hosted paid provider (think about the commercial vendors advertised on TV).

The recent hacking of a cloud-vendor’s security camera system reported by Bloomberg should be a wake-up call for end-users to review and assess the governance and security protocols to help prevent your video surveillance cameras being exposed and exploited. In this hacking incident, thousands of hosted camera video feeds were exposed. It may still be too early to tell if this incident could have been prevented and with what steps. However, given this incident and the media announcement, this could be a good opportunity for businesses and end-users to review their video surveillance solution security protocols.

Reviewing Video Surveillance Security

Depending on the hardware and software solution in place for video surveillance, different components need a review to ensure the equipment, including the cameras, communication, software and back-end servers are properly secured. Given the recent breach reported, at a minimum, this could be a good check-point. Here are a few things to review and check:

1. Endpoint surveillance camera device

1. If firmware exists, determine if any updates are required and have them applied.
2. Some cameras may allow the ability to login directly for configuration purposes, ensure the authentication is secure with MFA or other measures such as alerts with login.
3. Review the encryption settings in place with the physical cameras to prohibit traffic sniffing.

2. Communication network

1. For larger organizations, the use of network segmentation will be the norm, but perhaps not sure with smaller or home networks. Consider the creation of a network segment dedicated to only the surveillance solution system; this can integrate with internal firewalls to minimize connection hemorrhage into the segment.
2. Review the physical connectivity to surveillance cameras to ensure that physical Man-In-The-Middle (MITM) attacks are not possible by restricting access.
3. Evaluation of the firewall configuration and ports open to all endpoint surveillance cameras as well as to the server administrative applications.

3. Backend surveillance security manager server solution internally managed – on premise or in the cloud.

1. Whatever operating system is running, ensure it is patched and up to date on security updates.
2. For the surveillance security manager product in place, is it running the latest version and patched?
3. Limit the administrative access to the server as well as the surveillance manager product. Using Multi-Factor Authentication (MFA) and a Privilege Access Management Solution (PAM) products for a login defense layer.
4. Consider the use of a Zero Trust Security paradigm to define the access boundaries.
5. Configure logging and alerting in the event of anomaly events to allow the security and cybersecurity analysts the ability to respond immediately to potential breaches.

4. Platform As A Service (PAAS) or Software As A Service (SAAS) surveillance security management solution.

1. Check with the said or used vendor to determine if any vulnerabilities have been announced that need to be addressed with updates or configuration settings.
2. Query the provider on their strategy for notifying customers of breaches.
3. Double-check the administrative access password management practices employed by the vendor.
4. Review the access to storage of recorded video – ensuring this is protected from exploitation.
5. Consider evaluating the cloud vendor using the Cloud Security Alliances bank of tools, including the Cloud Control Matrix (CCM).

5. Third-party vendor access.

1. The role of managing video surveillance and other physical security equipment can be outsourced, and in larger organizations, it may be the norm. With this external access, it is important to review all access levels and determine if de-provisioning accounts no longer used is necessary.
2. Review the policies of the third-party vendors to ensure proper security protocols are followed with regard to customer systems, and request the sharing of those policies for evaluation.

Conclusion

There will continue to be a rash of news stories that emerge given the recent revelation into the hacking of hundreds of thousands of video surveillance cameras being exposed through a cloud-vendor solution. It is wise to stay alert to these alerts with maintaining proper security situational awareness. However, it will be equally important to take the opportunity to review your video camera solution implemented and in production. In addition, if you are planning to implement such a solution in the future, it is recommended to install it with security in mind. Although we have outlined only a cursory set of factors to consider regarding video surveillance security, our goal was to bring attention to this important topic and get Information Technology and Security departments taking stock and giving proper attention to take a stopgap and do a review analysis self-assessment. Ultimately, it is important for all video surveillance stakeholders to recognize the technology is not a “set it and forget it” solution, it requires proper systems planning and maintenance on equal par of other organizational systems.

About the Authors

Stanley Mierzwa is the Director, Center for Cybersecurity at Kean University in the United States. He lectures at Kean University on Cybersecurity Risk Management, Foundations in Cybersecurity, Cyber Policy, and Digital Crime and Terrorism. Previously he was in the role of Lead Application Security for the State of New York MTA Police. He is a member of the FBI Infragard, IEEE, CSA, ISC(2), and a board member of the global pharmacy education non-profit, Vennue Foundation. Stan holds an M.S. from the New Jersey Institute of Technology, a B.S. Electrical Engineering Technology from Fairleigh Dickinson University, and is currently pursuing his Ph.D. in Information Technology with a Cybersecurity focus. He is also Certified Information Systems Security Professional (CISSP) and vendor certified in several enterprise video surveillance and access control products.

Eliot Perez is currently an IT Security Analyst with a very large transportation agency in the New York metropolitan region. He has over twenty years experience in expanding Information Technology roles, He is expert and certified in enterprise video surveillance systems, and has implemented and managed such systems that are stationary and mobile, as in the case of those found in moving vehicles. Perez was showcased in State Tech Magazine for his innovative use and implementation of mobile communication technology in the wake of Hurricane Sandy.

References

Turton, W. (2021). Hackers Breach Thousands of Security Cameras Exposing Tesla, Jails, Hospitals. Bloomberg. As Retrieved from: https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams

Allied Market Research. (2020). Future of Video Surveillance Market Sales to Grow $144.85 Bn, Globally, by 2027 at 14.6% CAGR. Retrieved from: https://www.globenewswire.com/news-release/2020/07...