Cyber security and responsible video surveillance:
accept, mitigate and prevent the risk of attacks.
When we talk about Cyber Security, first we have to look at the increasingly widespread use of the web and to the environment within which the operations that make use of the Internet take place, the so-called cyberspace. The digital evolution of society and the economy has encouraged and increased interaction between individuals, businesses and institutions for social, economic and financial purposes, while, at the same time, creating new opportunities for a host of criminal activities, leading to new models of setting up and organising illegal activities.
If, on the one hand, the increase in the level of dependence on Cyberspace offers new opportunities, on the other hand it also introduces new threats. The Internet makes exchanges and interaction possible on an international scale; an opening can make the computer systems on which it relies more vulnerable to attacks by criminals, hackers and terrorists with the intention of compromising, damaging or exploiting them to obtain personal or business information.
Computer security, therefore, becomes a very salient issue due to the steady rise in the computerisation of society and services while, at the same time, potential criminals become more widespread and specialised. Interest has increased considerably over the years in different areas. There is, for example, a team of professionals who are responsible for security problems linked to the transmission of confidential information on the internet. It follows that knowing how to develop new skills and new tools to improve Cyber Security is one of the challenges of modern day society, even for those who deal with video surveillance with IP cameras, sensors that should be viewed as they were similar to a networked computer.
In recent years, we have seen a convergence between physical security and IT security; areas, that until a short time ago were quite distinct. Today, however, they share common tools and work in synergy to mitigate both physical and computing threats against a specific company or institution.
Despite this integration and the ongoing developments in the field, we need to be aware that it is not possible to create a system that is 100% secure, or at least not one that is usable.
However, it is definitely possible to make a system more secure by limiting the areas that are exposed and by mitigating the risks. There will always be risks, but they need to be recognised and managed because it is impossible to guarantee that products, applications or services will be free of defects or vulnerabilities that can be exploited by malicious attacks
Security must not, therefore, be viewed only as the final state, but rather as the result of a process involving the structures which deal with security. A process that becomes an integral part of corporate paths and which may develop, evolve and be implemented in time, on the basis of potential threats.
It is important to understand that threats must be managed at system level and not at the level of each individual product: Cyber Security is a process, not a product. It is objectively impossible to eliminate all risks. As a matter of fact, such an attempt could prove to be extremely expensive and even futile at times. The recommendation is, therefore, to identify the most sensitive data and protect it in the most effective way possible. To this end, the risk can and should be accepted and consequently mitigated by certain measures, such as transferring the risk to third parties like insurance companies. But is this really the best solution?
Accepting the risk should be a conscious, rational decision. It is not just the damage caused by the attacks themselves, but above all the consequences which they cause in the long run which are the greatest dangers to companies. In recent times, we have seen an increase in targeted attacks, such as the appropriation or deletion of sensitive data, or the theft of copyrighted material.
However, if you do not acknowledge these risks, you are unable to take effective decisions when they are needed: a targeted analysis of cyber threats could actually indicate what data and information would be lost in the event of attack, a tangible element that would help to understand to what extent and how to invest in protection. An incorrect analysis, conversely, could lead to high investments or protection that are not adequate for the system.
The crux of the matter is to contribute towards helping businesses reach an acceptable level of systems security and reduce the inherent costs for protection. The definition of an acceptable level of security depends on the situation, the level of threat and the cost of possible breaches.
Cyber Security: areas of vulnerability
Companies do not always realise they have been violated and often do not know how to protect themselves, mistakenly believing that the actions that need to be taken are merely technical ones and are economically challenging.
The risk is there, it is a fact of life and we must accept it. There is no doubt that a lot of educating is required because there are different areas of vulnerability which can be grouped into three different categories:
- Users: who, more often than not, are negligent and not very well informed, pose the greatest threat to any system. The improper use of social media is one of the most common threats that can cause serious damage to systems security; using incorrect passwords and ones that are easily circumvented and often simple to decrypt because they are predictable or jotted down on post-it notes stuck to the computer screen; phishing, namely the phenomenon of messages (e-mails, instant messages or through a social website) which induce users through deception to provide confidential or personal information; the installation of dubious Apps and the loss of USB devices that may contain sensitive material about the company.
- Systems: poorly protected in general, they are extremely vulnerable for various reasons. One of the reasons that can be singled out is the low level of configuration and the design of the entire infrastructure; a lack of knowledge and competence in the field of protection; security policies which are often not adequate and a low or non-existent maintenance of the system itself with often insufficient software updates.
- Defects in implementing security: meaning “bugs” in solutions or defects in system production and design, as well as the lack of knowledge of the device applications that lower the implementation of security processes.
Cyber Security experts state that over 90% of all “successful” breaches and intrusions are due to failures caused by people and poorly configured systems, together with a lack of maintenance. A malicious user will always start his attack from the easiest and least demanding point, namely the users, and then attack the whole system at a later stage.
Cyber Security: types of attacks
When we talk about attacks via the network, we can classify them into two main types:
- Opportunistic attack: this occurs when the attacker exploits well-known weaknesses to attack the victims; if the selected attack vector fails, the attacker will move on to the next victim. An opportunistic attack focuses on users and poorly configured systems.
- Targeted attack: this usually involves intelligent planning and occurs when an attacker selects a specific target to achieve a specific objective. The attack will concentrate on vulnerable users and on defective or poorly protected systems.
The first types of attack are definitely the most frequent and the easiest to carry out, while the second are undoubtedly more dangerous because the stakes are often higher, such as the appropriation and deletion of sensitive data or the theft of copyrighted material.
How to protect a video surveillance system
When a video surveillance system is set up, it increasingly involves the use of IP network cameras which from a computing point of view should be regarded as sensors connected to the network in the same way as a PC. To obtain the most secure system possible, you need take a detailed look at all the components that make up the surveillance solution, namely the server (with discs for recording images and data), the client and the number (variable) of IP cameras.
To ensure the highest level of protection, therefore, it is necessary for the video system, which forms part of the network, to meets certain requirements that will enable it to match the levels of protection for the existing infrastructure and the protection policy defined by the person in charge of the network. The system must also have adequate protection based on the level of risk previously calculated for all its components (servers, clients and devices connected to the network), on the basis of a preliminary risk analysis which is of fundamental importance.
Axis Communications is aware of the importance of Cyber Security in the field of video surveillance as well and, as a leading company in network video systems, is committed to providing all the tools required to protect its customers from attacks on the web and to creating increasingly secure solutions from this point of view. Axis offers its customers a technical guide to follow the correct procedures when installing a video surveillance system. A commitment represented by the “Axis Hardening Guide”, a document that makes this process easier and helps to protect against cyber attacks.
When you choose to install a video surveillance system you should, first and foremost, look at the different levels of security involving the entire network. This is a sort of standard protection based on which more specific mechanisms can be adopted, such as a firewall, a security tool which can protect a computer or a network from unauthorized attempts to access the system; network access control and segmentation of the network; a request for access authorisation to various network services and maintenance and to provide constant monitoring of the “status” of the network on the security front.
From the point of view of client protection, the technical department of Axis and those dealing with Cyber Security recommend protecting all the network “nodes” in accordance with the policies dictated by the IT department by using an accurate and timely management of account passwords and access privileges to network services, through the proper choice and implementation of Antivirus software and Firewalls, by implementing a careful Encryption process, and by providing an accurate management of client maintenance with a constant updating of operating systems and applications.
To this end, it is essential to protect the servers, an operation performed by the IT systems administrator with the implementation of existing security systems which normally include: management of accounts and privileges, service configuration and once again a correct use of Antivirus software and Firewalls, without forgetting encryption and general maintenance that are always two fundamental processes for the overall security of the system. Server security is always very important, but it becomes of paramount importance when there are VMS management servers (Video Management System) where camera images are very often stored and where a possible intrusion by a hacker, who intends to steal images, would adversely affect the security standards of data protection with regard to compliance with the Data Protection Authority.
We also need to consider that it is easier to perform cyber hardening on IoT devices than it is on clients and servers, because they have a smaller number of internal services and interfaces. Most of the devices are protected by infrastructures which can only be accessed through cloud services/servers and their users do not install unsafe applications, do not open dangerous email attachments or access suspicious sites.
Axis Communications is fully aware of the importance of the issue, but at the same time acknowledges that its customers are already following the basic rules for Cyber Security, and has drawn up the guide with the aim of making it easier, through simple steps, to fine tune cameras acting as network devices.
For further information and details on security levels recommended by Axis, you can download the Axis Hardening Guide.