In the age of the IoT, no one wants to be the one who enabled potentially significant damage resulting from a breach.
(Extract from article – follow link at bottom to review original)
In 2006, there were a mere two billion connected devices worldwide. By 2020, that number is projected to top 200 billion, according to Intel. That’s more than 25 devices for every person on Earth based on population forecasts. Cisco is more conservative, pegging the number at closer to 50 billion, which is still staggering.
As a result of the rapidly expanding number of potential entry points for attackers, Juniper Research expects the cost of cybercrime to businesses will reach $2 trillion globally by 2019. At the same time, total cyber security spending from 2017 to 2021 is forecast to top $1 trillion, according to Cybersecurity Ventures. Yes, that’s trillion - with a T.
IP cameras are particularly susceptible, says Jeff Whitney, vice president of marketing, Arecont Vision, Glendale, Calif., because many models were not designed to address this type of challenge, making them easy to hack or be used to do things users don’t intend to happen. “When the shift came to IP cameras from legacy analog devices, most vendors moved versions of their existing architectures from analog to IP cameras, without considering the potential long-term impact on the organization,” he says. The network is no longer exclusively for the surveillance, access control, and other physical security systems. Instead, it may be a segment of the overall corporate network or part of the corporate network directly, and as such any device that becomes infected — including security cameras — can become a propagator or vehicle for cyberattacks on other platforms and networks.”
The main reason for this is the common operating systems — in many cases, Linux — employed by many cameras and DVRs. This simplifies the process of adding features, shortens time-to-market, reduces manufacturers’ costs, and lowers purchase prices for end users.
“Today, however, we now know that this approach can expose the device to cyber weaknesses or exploits. Malware, worms, and hackers can use these exploits in their attacks,” Whitney explains.
SIDE NOTE: Since 2013, more than 3.8 million records have been stolen via security breaches every day. That translates to more than 158,000 per hour, 2,645 per minute and 44 per second for the last four years. — Nu Data Security
In addition to the well-publicized Mirai malware attack that in 2016 turned millions of IP cameras into bots used to attack a number of high- profile websites in some of the largest distributed denial of service (DDoS) attacks, there have been other examples of large numbers of IP cameras being breached.
Whitney points to a high-profile incident that saw a ransomware attack infect 70 percent of the Washington, D.C., police department’s video cameras citywide just prior to the inauguration of President Donald Trump. A total of 123 of 187 NVRs had their data encrypted, and the content could only be accessed if a ransom was paid to those behind a cyberattack. Luckily, the city was able to resolve the problem without paying ransom by taking all devices offline, removing all software and restarting the system at each site — a costly endeavor.
“No device should be given access to the network without having a user ID and a 16-digit ASCII password, enabled after the device has been configured for use by the installer and turned over to the customer,” Whitney says.
SIDE NOTE: The average time a hacker remains hidden on a breached network is 140 days, during which time they may uncover additional vulnerabilities and steal sensitive data. — Microsoft
No device should be connected to the network that has not been verified as having the latest firmware from the manufacturer.
“Regular updates of IT devices are common, but security practitioners are not as familiar with performing frequent updates of cameras as they should be,” Whitney says. “This new practice needs to be enforced as a best practice. Cameras that can be updated through a planned, secure process remotely and with multiple units at a time will make this process easier and less complex for the security practitioner.”