Cybersecurity: No weak links

February 29, 2024



Martin McGrath, Sales Manager UK & Ireland, Milestone Systems provides an understanding of cybersecurity for video. 

Cybersecurity is a constant concern in the digital age, with cybercrime projected to cost the world a staggering $9.5 trillion USD in 2024.

Moreover, the sophistication and severity of cyber-attacks are reportedly increasing due to advances in AI. Keeping on top of threats and reducing all vulnerabilities are business-critical for every leader. 

The evolution of cyberattacks, marked by increased targeting, complexity, and cost, presents a growing threat to various industries including the security sector.

Being aware of the risks of an insecure video system and how to mitigate these is a key skill for all security leaders today.

As recent incidents like the Verkada breach have shown, surveillance systems can be particularly vulnerable to cyber-attacks due to the potentially sensitive data collected by video cameras or as a gateway device for a larger attack.  

But there are actions you can take today to ensure your video system isn’t a weak link in your cyber-defences. 

The Verkada breach: lessons learned  

In March 2021, Verkada, a well-known video surveillance company, fell victim to a security breach, exposing not only video recordings but also the sensitive financial information of high-profile clients like Tesla and Halifax Health.

This incident underscores the urgent need for robust cybersecurity measures in video technology, as even basic exploits, such as exposed usernames and passwords, can lead to significant, potentially business-ending breaches.  

Indeed, to gain access to Verkada’s systems, hackers didn’t use any sophisticated techniques or AI. They merely found a username and password exposed in the public domain.

This underpins the crucial role of robust, multi-layered cybersecurity in video technology and reinforces the need for every employee to be trained in cybersecurity best practices.  

Video is an attractive target 

As video cameras become increasingly advanced and connected to wider security systems, their potential value to malicious actors rises.

IP-network video cameras pose unique risks to overall cybersecurity since they can be used as gateways for unauthorised access to your systems.

When a camera is located physically outside, it can be easily accessed and tampered with.  

The data collected by devices is also becoming more detailed and potentially sensitive. In manufacturing, video data can be exploited to see proprietary product information, and in healthcare, patient details can be exposed.

This data can be sold via the black market to interested parties or used against an organisation for blackmail.

Unencrypted data transmission and insecure mobile applications offer additional vulnerabilities that hackers can exploit.  

Introducing the cyber kill chain 

As you now understand, there are several potential entry points that hackers will use to gain unauthorised access to your system.

The Cyber Kill Chain, introduced by Lockheed Martin, offers a systematic framework to understand and counter such cyber threats. It breaks a cyber-attack down into distinct, progressive stages:  

  • Reconnaissance: Where a cyber-criminal looks for system vulnerabilities. To combat this, companies should ensure their systems are invisible to port scans, which can be achieved with security measures like firewalls and intrusion detection systems
  • Weaponisation and Delivery: Hackers create a malicious payload and deliver it to the target system. Defences at this stage include robust email security to prevent phishing attacks, frequently updating and patching systems to fix known vulnerabilities, and implementing strong controls over Universal Serial Bus (USB) and other physical interfaces
  • Exploitation and Installation: The stage where the attacker breaches the security defences. Organisations can defend against these activities by installing advanced endpoint protection solutions, which employ machine learning to identify and block novel threats
  • Command and Control: This is the stage where hackers establish a backdoor into the compromised system so they can enter it whenever they please. Detecting such activities requires continuous monitoring to spot unusual patterns of communications with known malicious IP addresses 
  • Actions on Objectives: This is the final stage when an attacker carries out their intended action

By knowing these different stages, you can predict an attacker’s next move and prevent or mitigate the negative effects of a cyber-attack.

By implementing defences at each stage, you make it harder for a malicious actor to launch a successful attack on your video technology solution.  

For instance, at the reconnaissance stage, a hacker might identify IP-network video cameras as a potential target and gather information about their locations and vulnerabilities.

However, by understanding this, you can ensure that your video camera firmware and VMS (video management software) drivers are always updated to reduce potential vulnerabilities.

You may also wish to keep your video system’s network separate from your corporate network using managed network switches.  

Best practice tips 

There are some practices that will help to secure your VMS and video devices against hackers, that all security leaders need to be aware of.

Some are foundational, such as ensuring your admin password has changed from its factory settings and your cameras are set up to only support HTTPS (​​Hypertext Transfer Protocol Secure).

Regularly updating firmware is another effective way to increase the protection of your IP-network video cameras.

Similarly, data backups can limit the damage caused in a cyber-attack and speed up recovery.  

Penetration testing of your VMS and other devices on your network will help to uncover vulnerabilities. Ideally, you’d want to be doing this with every new update.

System audits can also quickly detect any unusual new connections, communications, or actions in your network. 

Securing your video system with multiple layers of defence will limit hackers to one part of your solution.

If they do manage to breach one device or part of your VMS, they cannot gain access to your wider network.

This makes your system a lot less attractive to attackers since the effort to breach it requires a lot more.

It also supports your auditing and post-mortem analysis, allowing your administrators to analyse the intricacies of an attack, the underlying causes, and the actions of the attacker.

This can inform future preventative measures.  

Everyone’s responsibility  

For an effective cybersecurity strategy, every stakeholder needs to understand their role in securing your systems.

The human factor is a big vulnerability, with human error accounting for between 88 to 95% of data breaches.

Everyone needs to be on-board and trained to secure your systems. For operators, bi-annual or quarterly training can keep them updated with the latest threats and security processes relevant to their jobs.

User control can also assist here, with admin and data access rights only given to those who require it.

Assigning different VMS user credentials will (hopefully) prevent password sharing and allows you to remove a user’s access when they leave your company.  

On-prem versus cloud cybersecurity  

It’s worth mentioning the differing responsibilities and considerations for on-premise versus cloud video systems.

On-premises solutions place the cybersecurity responsibility squarely on a customer’s shoulders or their chosen reseller partner.

Cloud solutions transfer that responsibility to the vendor.

Each approach has unique advantages and challenges for cybersecurity.  

For on-premise solutions, ultimately the customer or partner’s technical team needs to implement the VMS correctly to reduce vulnerabilities.

VMS solutions can be configured securely, but this cyber-protection will come undone if an end-user doesn’t update the software regularly, uses a weak password or insecure network connection, or is missing encryption.  

A widespread misconception prevails that offline systems, with no public access, are inherently secure.

Yet, someone gaining physical access to a server room or connected device can still exploit the network.

This makes an understanding of both physical and cybersecurity paramount, to reduce all possible opportunities to hack your video system.

Conversely, the same collaboration between those responsible for your cybersecurity and those in charge of your physical security will help to secure cloud and other models.  

For cloud-based VMS, most responsibility for cybersecurity lies with the vendor in what is known as the Shared Responsibility Model.

For Surveillance-as-a-Service (SaaS) solutions, most of the responsibility for security falls on the vendor, however, the customer is still responsible for configuring who has access to the service so that it is secure.

Typically cloud vendors offer sophisticated encryption options, both for transmission (data-in-transit), and for storage (data-at-rest), but again it is the customer’s responsibility to ensure these are configured correctly. 

Therefore, misconfiguration, weak passwords, and vulnerabilities in the interface’s security can all pose a cyber threat to your system.  

Partnering with the right vendor 

Selecting a reputable and trusted vendor is essential to your cybersecurity, especially if opting for a cloud solution where you rely heavily on their data protection and cybersecurity practices.

Prioritising vendors who can show an ongoing commitment to security and transparency will put you on the right in securing your video system now and against future threats.

Some green flags to look for include an openness to answering your specific security concerns, and a willingness to collaborate and update you on the latest threats and vulnerabilities.  

Cybersecurity is priceless 

In an era where cyber threats are a constant challenge, safeguarding video technology requires a comprehensive and proactive approach to cybersecurity.

This does come with a price, but it is pocket change compared to the millions lost every year in data breaches and penalties like GDPR.

Security for video technology is not a luxury, but a necessity in this digital age.

Be proactive, educate your stakeholders, work with trusted vendors, apply all recommended security patches, and ensure your systems are up to date. 

This article was originally published in the March Edition of Security Journal United Kingdom. To read your FREE digital edition, click here.

Read Next