If you have an IP networked CCTV System on your corporate network, you may have inadvertently enabled vulnerabilities that weren't there previously!
Today's CCTV Systems are far more complex than just a simple camera carrying images to a TV screen; they are very sophisticated computer devices consisting of many processing components and running a whole host of computing and internet services and protocols. Left unchecked and uncontrolled, these services and protocols can give criminal hackers a way into your network.
With many manufacturers now phasing out the production of traditional CCTV Systems (which were closed), anyone purchasing a CCTV System today is most likely to buy a 'networked' camera. The functionality offered by these systems gives users the ability to run any or all of the following on each separate device: compression chips (or software), encryption chips (or software), motion sensors, light sensors, operating system (usually Linux or a variant of), TCP/IP; UDP, FTP (many systems were still only running TFTP until about a year ago), web server, SNMP, SMTP, DNS (or Dynamic DNS), HTTP (and possibly HTTPS), Telnet, Shell, PHP scripting, task scheduler, (and more depending on functionality). More importantly is that they are linked into and managed over the corporate network, or the internet.
Once purchased they will most likely be installed by a traditional CCTV system installer, who is unlikely to have the same length, depth or breadth of knowledge of any of the services or protocols, or the implications of mis-configuration that most of your network staff have. Nor will they have the same level of recognised network training (a two day course if you are lucky) as your internal network team. With regards to the security of the device maximum control some offer is no more than a password. This is because they are not designed to meet basic security principles. Consisting of multiple components from multiple vendors, some systems have vulnerabilities inherent in their design, but unlike other PC systems no 'patches' or other measures will be available, as we have come to expect with software products.
So, CCTV devices running many different internet services and protocols (which may be vendor specific versions of those running on PC), installed by teams whose knowledge in securing such technology may be less than your network staff can ultimately lead to a high risk situation for any organisation and is probably already a major concern for many who just don't know it.
To counter this, if you are considering an IP networked CCTV System to be installed onto your existing corporate network, then I would suggest that it is important to determine what the cameras are to be used for (surveillance, observation or identification, for example) as this would assist in determining both the risk assessment (for CIA) and specification for the system. Further, when speaking to vendors, be sure that they know what every service and protocol on each device is and what difference it makes to the overall security of the system; (my experience in speaking to vendors tells me that you shouldn't hold much hope for anything useful), because you need to be satisfied that you know what's there and that you can deal with it by implementing compensating controls. Configuring these systems adequately to avoid creating 'back doors'into the corporate network is essential.
If you already have a system running on your corporate network, then you still need to undertake a risk assessment and determine what risks you want to address and what controls you can put in place to deal with the risks, (obviously involve network and security staff to assist with this).
By dealing with physical security and business risk as a core part of information security, companies can remedy the insecurities posed to the corporate network by some of today's IP-based CCTV systems.
The author is Head of the Security Practice at financial sector consulting organisation Etheios.
