The “Internet of Things” has evolved from buzzword status to mainstream reality, but not without its challenges. While most still think of millions of IP-enabled devices as an exciting opportunity, 2016 gave us a sobering reminder of the pitfalls of not properly securing our internet-connected refrigerators, DVRs and thermostats.
What Exactly is the Internet of Things and How Does it Relate to Me?
The Internet of Things, or IoT, is the network of interconnected devices and solutions enabled to send and receive data via the internet. As a growing number of devices begin connecting to the internet, hackers are finding more opportunities to get access and steal user data. IP surveillance systems in particular have become high-profile targets for hackers the last few years.
The significant vulnerability of lower-end devices made headlines last year when a relatively simple hack of IP cameras allowed the take down of the famous security blog and global DNS provider, DYN. For anyone even remotely familiar with IP security, the banality of the script used in the hack, now known as Mirai, would be extremely disappointing – the equivalent of leaving your front door unlocked or your keys on the front steps. Continuing with that analogy, Mirai is like a bunch of goons walking from door to door looking for those keys, attempting one common password after another.
At a basic level cybersecurity is about risk management. While we know it’s impossible to eliminate all risks, and that sometimes even protecting against just some risks can be extremely expensive, it’s important to consider the top priorities for you and your organization. Identify your “crown jewels” and find ways to guard them fiercely.
Four Steps to Identify Your Level of Risk
Start by figuring out what an acceptable level of risk is, then sort those risks into two different buckets: risk with impact that you can easily mitigate, or risk that you can transfer via some form of insurance. One of the biggest challenges in cybersecurity is striking a balance between gaining knowledge of your vulnerabilities and securing the right solutions. If too much time is spent focusing on one over the other, you could face a significant security breach.
In practice, it’s impossible to determine the likelihood or impact of any given vulnerability. A security breach is binary – it is either exploited or it’s not. What are the chances that someone will discover the vulnerability and then actually write a useful script to exploit it?
In an effort to stay ahead of a hack-able vulnerabilities for, IP-connected security devices can be used to decrease the likelihood of cyber-attacks. No matter if you are responsible for your organization’s physical security or cybersecurity, you can apply the same principles to audit your vulnerability.
1. Identify Your Assets and Resources (What)
Regarding IP-connected cameras, besides the camera itself the main asset involved would be the video feed from the camera or from any video stored locally on your servers. In most situations video assets may be valuable, but of little use to anyone else. Think carefully about why an intruder might be interested in those assets. In addition to video content, user credentials, network configuration information and potential service interfaces could all provide useful intelligence to support broader attacks.
2. Identify Plausible Threats (Who and Why)
There are a few different credible threats to consider for an IP camera system:
- Physical sabotage of the cameras, or of the location the cameras are surveying
- Leaked video content
- Using the device as an intrusion point for the broader network
It’s also important to consider who could be a plausible attacker and what their motivation might be. Think about the types of vulnerabilities they might want to take advantage of and which security controls might be of interest to them specifically.
3. Identify Plausible Vulnerabilities That Could Be Exploited (How)
Obviously, no system is completely invulnerable. Any network or device must be exposed to the outside world to some degree to be of any use. It’s also obvious that some vulnerabilities are more easily mitigated than others. For example, although the physical exposure of any camera makes it vulnerable, it’s one of the easier circumstances to control. Start by doing your due diligence to make sure IP-connected cameras can withstand extreme physical conditions. Then consider any additional non-physical vulnerabilities, such as exposed passwords or credentials that access video management systems, or insufficient hardening and maintenance of the network.
4. Identify the Expected Cost of a Successful Attack (How Much)
This stage is important because if you don’t know the cost of a successful attack then you won’t know how much to invest in securing your system in the first place. If the cameras being used are in a mundane environment with little to no chance of being used as a network entry point, then you may find the cost of a breach to be very low. However if your situation is more sensitive and a breach in your network could expose your organization to financial or reputational losses, then the associated costs to secure the network will be (and should be) much higher. These considerations will help you decide how much time and energy you should invest into securing your network systems.
Incremental Change for a Long-Term Solution
The main thing to keep in mind is that cybersecurity is a process, not a product. Threats must be managed on a system-wide level. The responsibility to secure a network, its connected devices and the family of services it supports falls not only on those individuals who manage the network and its users, but across the entire vendor supply chain. Technology is important, but one single product could never eliminate all risks or threats. As technology and security improves, so do the abilities of hackers working to circumvent those measures. Treating security as an on-going scalable project can help ensure your network is prepared to face whatever threats might come its way.
The opinions expressed in this piece are solely Axis Communications'. They do not necessarily represent WESCO’s views.