Transcript Video Surveillance Hacking

Video Surveillance Hacking –
How Weak Controls put IP Camera
Feeds at Risk
Anthony C. Caputo
Advisory Board Member
2017 Connected Security Expo @ ISC West
Security Policy Architecture
• A Security Policy Architecture is necessary to identify existing
enterprise policies and associate them with policy authorities
and supporting roles. The security policy architecture typically
contains top level policies that bring together all common
themes of operational risk management, across all operational
disciplines.
• It is important to identify the current security policies and
procedures to incorporate them and/or improve upon them
moving forward for security assets.
Data and Information Security
This includes the organizational risk management policy for video surveillance assets that applies
to Data and Information Security risk including:
•Enterprise Information Security
–
Security devices should not be on the same network as corporate email or web browsing
•Physical Security
–
Location of devices, power, etc., and its accessibility, maintainability
•Identity and Access Management Policy
–
Who, what, where and how
•Encryption Policy
–
128bit, 256bit, PKI?
•Information Classification
–
Is data categorically classified?
•IT Physical Security policy
–
Who has access to Data Center, MDF, IDF, Enclosures, Cameras, etc
•Network Security Policy
–
Is the security network segregated? Port security to the edge? Default passwords? LDAP? WiFi?
Physical Infrastructure Security
Physical Infrastructure Security policies are more specific to topics or assets being
protected. The security policies that are categorized as Physical Infrastructure Security
policies typically include:
•Acceptable Use policy
–
Includes Remote Worker, Personnel and Subcontractor, Traffic Controller, MDF, IDF, )
•Access Control policy
–
Who, when and how
•Identity and Access Management Policy
–
Who holds the keys?
•Asset Protection
–
Intrusion alarm, fire alarm, climate control, etc)
•Perimeter Protection
–
Fence, access control, cameras, sensors, etc)
•Network Security Policy
–
Remote access to what security assets?
Enterprise Information Security
Where does video surveillance fit in the enterprise information security policy?
Enterprise
Video Surveillance
Access Control
WiFi
Internet Access
Laptop
Email
Printer
Fax Machine
Smartphones
Tablets
Server & Storage
Network Switches
WiFi
Wireless Radios
IP Cameras
Video Encoders
Power Management Systems
Sensors
Archives
Discrete.
Physical Security
• Intruders don’t need to
unplug a copier.
• Easier power installation
doesn’t mean better
physical security (30ft pole
with elevated hand holes)
• Who has access to power
sources?
• Equipment should be out of
reach and inaccessible
(with no passwords or IP
schema information
displayed)
Network Security
•
•
•
•
DHCP Disabled – Static IP Addresses only
Port Security – tied to Physical MAC Addresses of devices with authority
Hidden SSID for WiFi (Maintenance Only)
Mesh Networking Radios for Video Transport (no direct client machine
access)
• Physically or Virtually Separate Network
– VLANs – avoid a city-wide flat Layer 2 network (broadcast storms and
increased risk)
• Many IoT devices with access via HTTP, HTTPS, Telnet and SSH. Disable
what is not used. If disable is not an option, use a different manufacturer.
Passwords
• Change the Default
Password
• Change the Default
Password
• Change the Default
Password on ALL devices
• More complex, the better
Unlike a tablet or printer, it should not be easy to access security devices –
all it takes is ONE DEVICE on the entire network to take it down.
Identity and Access Management Policy
Who has access to what, when and how they can have access?
There are many IoT devices within the system with access
interfaces: cameras, switches, routers, radios, UPS’s, PDUs,
NVRs, DVRs, clients, servers, etc.
• Multi-Tiered User
Management
• VMS and/or Web Access
• VPN
• Telnet
• SSH
• Password Policy (NO
DEFAULT PASSWORDS)
Staging Checklist
• Test each unit for operational integrity.
–
–
–
–
–
Camera video signal is operational.
Camera PTZ is operational.
Archiving is operational.
Wireless radio(s) are operational
All devices have the latest firmware upgrade
• Change Passwords for Root, Admin and User.
• Label device with Installation Location
• Populate a spreadsheet for Information Management
A malfunctioning device can be a vulnerable device.
Firewall
• A firewall is typically used to
protect your private LAN from the
Internet at a Layer 3, 4 and 7
levels. Layer 3 is the Network Layer
(IP), Layer 4 is the Transport Layer
(TCP and UDP), and Layer 7, which
is the Application Layer.
• It’s all about control.
• A Firewall should be very granular
with what is allowed inbound and
outbound the network
Thank you
Anthony Caputo is an Advisory Board Member of the upcoming
2017 Connected Security Expo at ISC West, April 5-7th 2017 in
the Sands Expo, Las Vegas, Nevada.
If you would like to learn more about this topic or other
articles/books that Anthony Caputo has written, feel free to visit
his website or connect with him directly on LinkedIn