How to improve surveillance device and network security

Wayne Dorris

As evidenced by the seemingly endless string of cyberattacks in the news, cyberthreats have become an unfortunate way of life thanks to the ever-evolving connected world we live in. Needless to say, given the potentially disastrous ramifications from a breach, protecting networks and systems has become a top priority for organizations of all sizes.

It should come as no surprise then that the majority of organizations are well aware of this critical need and therefore have developed policies to ensure the highest level of security for protecting their data from unauthorized access.

Networked surveillance cameras and other security devices are certainly not immune to cyberthreats, which makes it imperative that the correct steps are taken to secure systems. One of these steps is applying cybersecurity best practices in the design, development and testing of cameras and devices. These devices are configured to ensure installers apply the necessary controls to mitigate threats from hackers.

This first layer of cybersecurity is a good initial step, but adequately securing a network and its devices depends not only on technology, but also on people and processes, which requires active participation from everyone along the chain—from manufacturers down to every individual in an end user’s organization.

It is incumbent upon installers and integrators to first and foremost understand an organization’s needs and what they can do to provide solutions that will meet or even exceed them. For this reason, it’s imperative organizations work with a skilled, experienced and knowledgeable security professional who is well-versed in cybersecurity best practices and the ability of available products to provide the highest level of protection for networks and devices.

After all, network and device security is hardly optional.

Security policies are the driving force

Fortunately, many organizations have developed a set of information security policies to help guide their cybersecurity practices. Serving as an overview or generalization of an organization’s needs, an information security policy is organized into a simplified document that defines the scope of security an organization requires. It also discusses what must be protected and the extent to which security solutions must go to provide the required level of protection.

Video surveillance devices and systems, for example, tend to be deployed on their own standalone network, making it the responsibility of the installer to secure that network with the proper technical controls. And because each organization has specific and unique cybersecurity needs, there is no “one size fits all” cybersecurity configuration. So security installers must have a firm grasp of an organization’s requirements before equipment is even selected for the project.

With this in mind, the critical first step in this important process is to provide your security professional with your organization’s information security policy, which will give them an understanding of the actions they must take to ensure your installed devices and systems will meet the requirements set forth in the policy. This will also enable the installer to choose devices from manufacturers with the proper capabilities.

Reduced costs, increased security

Many equipment manufacturers provide a hardening guide for installers, but these are merely intended as a starting point for configuring devices and systems for optimal security. The installer’s job is to match what’s contained in that hardening guide with an organization’s information security policy. In many cases, this involves manual configuration, which can be time-consuming. Recognizing this challenge, Axis has developed technology that can streamline the process while ensuring that devices and systems meet or exceed end users’ needs. The solution allows installers to quickly configure multiple devices at once, reducing the time and cost of installing surveillance and security systems.

The importance of trust

One of the fundamentals of any information security policy is establishing trust between devices, which is normally accomplished through the use of X.509 certificates. These certificates provide secure, encrypted communication between networked devices and services and are deployed using LDAP.  Active Directory is the Microsoft implementation of LDAP that covers a range of directory-based, identity-related services to authenticate and authorize users within a network.

Working with Active Directory is unfortunately a skillset some physical security professionals lack. This reality underscores the need to choose an installer or integrator carefully, looking for those who have Active Directory and other critical network proficiencies, which will only become more crucial as we move farther into the cyberage.

This is also another area where Axis’ device management software can help by acting as an intermediary for Active Directory. The intermediary is used to integrate 3rd party LDAP clients into the LDS via proxy authentication.  Even those who are proficient in Active Directory benefit from knowing that the certificates they’ve issued are in compliance with organizational security policies and that the network is as secure as possible.

The importance of actively monitoring vulnerabilities

The majority of vulnerabilities that are discovered are not critical—not critical in the sense that your device is behind firewalls and not on a public facing network.  However, from time to time, a vulnerability may be discovered that puts devices and/or networks at risk regardless of network location. Providing continuous protection and compliance against these vulnerabilities requires devices to be patched through a software or firmware update. And to provide the most up-to-date and secure software updates and patches, manufacturers must take care to ensure proactive monitoring of vulnerabilities and provide the necessary updates as quickly as possible.

IP cameras and security devices—like all software-based technologies—must be regularly patched to prevent hackers and others from attempting to exploit known vulnerabilities. While this is an essential procedure that is often required under security policies, the reality is that many organizations fail to do so. The main reason is because of the time and effort involved in updating each and every device on the network. This is where an experienced security professional can help by ensuring these updates and patches are installed as they become available, and thus devices and systems are in continued security policy compliance. The other reason this largely is not done in a timely manner is there isn’t a clear definition of who’s responsible. In many cases, the integrator is turning over the system to the end user at the commissioning point of the IP security system. It’s critical to define at the beginning of the project whether the end user, or with an ongoing service contract, the integrator, will continue to patch and update the IP security system.

The best response to cybersecurity threats is a fast response

When vulnerabilities are discovered, speedy response is crucial, and it’s up to manufacturers to take immediate steps to fix problems promptly and provide security advisories to help handle cybersecurity issues. Therefore, it’s important to select products from manufacturers who are committed to responding quickly and providing transparency into their cybersecurity processes.

These best practices allow installers to put effective safeguards into place and apply necessary software updates and patches promptly to ensure the highest level of security for their customers’ networks and devices, as well as ongoing compliance with organizational security policies.

Document everything!

Perhaps the best thing an integrator can provide with relation to information security policy compliance is documentation that the technical controls of all devices on the network have been configured to meet the customer’s security policy. This documentation provides organizations with peace of mind that their security devices and systems comply with the established security policy.

In the event that a breach or DDoS attack does occur, this documentation can help a forensic investigation team pinpoint the vulnerability or other problem that was exploited. For example, in the case that an employee added a camera or other device to the network without properly configuring it, or he or she may have changed the configurations on an existing camera, the documentation will show the difference between the settings at present and at the time of installation.

As cybersecurity continues to be major concern for everyone, savvy organizations not only recognize the very real threats they face on a daily basis but are developing and implementing security policies that ensure their devices and network are covered by the highest level of protection. In addition to these foundational documents, it’s important to work with skilled and experienced security professionals to ensure IP cameras and security equipment are capable of meeting those requirements. Forward-thinking manufacturers can take cybersecurity to another level by providing guides and tools that give installers and integrators even more capabilities to exceed expectations and requirements to help end users avoid the potentially disastrous ramifications of a network intrusion or breach.