As the physical and cyber worlds continue to converge, those who have historically only focused on physical security are now challenged with the risks posed from connected internet of things (IoT) devices, a topic of interest at this year’s ISC West 2019 conference in Las Vegas.
In his SIA Education sessions, Aaron Saks, product and technical manager at Hanwha Techwin America, shared best practices for applying defense in depth as a security model to secure video surveillance devices.
Because the devices are connected, securing surveillance cameras demands that they are looked at through the lens of an IoT device. In order to add the necessary layers to fortify the devices, it’s first critical to know where the vulnerabilities and issues come from.
To ensure the device is hardened, you can’t rely solely on a firewall. “The idea of defense in depth is a strategy where you have multiple concentric rings of security that build on each other, whereby a breach or vulnerability in one layer does not leave you defenseless,” Saks said.
Multiple levels of security provide multiple protections to fall back on. “What if something happens to the firewall? What happens if something is already in my network? What is stopping them from going out? From infecting my device on the network?”
“Breaking in is easy,” Saks continued. “Crossing the moat might be easy, which is why we need other layers to protect us. Firewalls are important, critical when it comes to layers of defense, but there have to be additional layers to stop an intruder if they get through a hole.”
Beyond firewalls, you need network segmentation, a strong password policy, antivirus protections and consistent upgrades of firmware and software.
IP filtering is an easy way to add an extra layer of defense that doesn’t need to happen on the network side. It can be configured on the camera side as well. “You can set rules that say you are only allowed to talk to the VMS server. That’s the allow side. There’s also a deny side so you can say you are not allowed to talk to those devices.”
If a network does get hacked, the intruder can’t talk to the camera.
In addition, it’s important to remember that a device may function, but out of the box, it’s not always set up the right way. Also spending isn’t synonymous with security. “Spending doesn’t mean it’s going to stop everything,” Saks said.
At the end of the day, defense in depth helps integrators and end users make it as difficult as possible for an attacker to gain access. “You want to make it so annoying that they find someone else to attack and leave you alone.”