Until recently the safeguarding of CCTV security systems has not been a major concern to those outside of the security industry.
However, due to increased coverage in the media, there are increased concerns that unsecure CCTV systems could be hi-jacked by third parties; giving them access to video feeds from across the country including sensitive sites such as airports and government buildings. The Times covered a story of a former MI6 Office calling for greater scrutiny of foreign CCTV manufactures suggesting that they could be hacked1.
Another area under scrutiny is the growth of unsecure networked security devices, home automation products and the many components that make up the Internet of Things (IoT). The concern is that these products are creating a new playing field for hackers and malicious software to exploit. As reported on the IFSEC Global website recently a large number of internet connected cameras were hacked to crash the website of a prominent security blogger2.
Ensuring that a CCTV system is secure, is not only vital to its operation but it means that a business does not breach data protection obligations. The easiest way to achieve this is to use a CCTV company who is accredited by a trade body such as the NSI or BSIA, which will ensure that the installation and any ongoing maintenance will be to the highest industry standards demanded by the Police, Fire and Rescue Services as well as insurers.
To help businesses assess the security of their own CCTV cameras, we would recommend that the following points be considered:
Keep security systems away from other computer networks
As with all security arrangements a system is only as strong as its weakest link. Where computer networks are concerned, this is often the day-to-day users who without knowing sometimes download malicious software through a bad email attachment or a phishing website. By keeping the two networks separate it’s much more difficult for unwanted software getting onto the computer to control the CCTV equipment.
At GBSG we install our devices onto a dedicated local area network (LAN) isolated from any currently in use on a premises. In doing this the incumbent network is not overloaded with unplanned additional data and, more importantly, it keeps the security equipment separate from day-to-day business operations, meaning that if malicious software made it on to a company’s computer network it would not be able to reach the CCTV system.
Limit connections to the internet
Limiting the CCTV systems connection to the internet will make hacking of the cameras, or illegally accessing the feeds, more difficult as this reduces the visibility of the system to those who could harm it.
At GBSG we only connect security LANs to the internet or other networks when absolutely necessary. If this does need to occur, then the data is passed through a firewall and only the required network connections are established – this limits the exposure our systems have to the outside world and the risk of them becoming a target.
Try to avoid 3rd party servers for remote monitoring
Some hardware manufacturers offer access to remote monitoring packages with the purchase and registration of their devices. To achieve this a camera has to communicate with a server that could be anywhere in the world to which a 3rd party may have access. This can be avoided by using a security company with their own monitoring capability as CCTV cameras can be linked to their servers with safeguards that they put in place to protect the data as it passes through.
At GBSG any cameras that are configured to communicate outside of the security LAN do so by connecting to our servers, rather than those hosted by a 3rd party such as the manufacturer. This means we don’t have to worry about how companies protect their computer systems and we avoid unplanned system maintenance and downtime being outside of our control.
Change default access credentials
For a hacker the default access credentials are the first point of call when trying to gain access to a protected system. Unfortunately, a large proportion of the time this works, often giving the intruder full administrator access to the CCTV camera or the system running it so allowing them to change settings and delete footage.
To ensure this does not happen at GBSG we change the default username and password on all of our devices and systems; an obvious change to make but one often overlooked as many manufacturer default usernames and passwords are readily available on the internet.