Genetec CEO Warns Against Insider Threats

By: Brian Karas, Published on Sep 21, 2017

With Dahua and Hikvision cybersecurity issues becoming indisputable, a new counter has emerged.

Just put them behind a firewall, buy cheap cameras, and sleep well.

However, Genetec's CEO is warning that untrustworthy and insecure devices do not become trustable and secure simply by doing so.

In a guest post on Axis' blog, CEO Pierre Racz outlines the risk of insider threats and how this impacts cyber security. We examine the claims, pros and cons, inside.

Insider ******* **** **********

******* ******* *** *** of *** ******* ******** risks *****, ** * number ** ********-******** ************ have ******* ***:

******: ******** *** *****’* ******* security ******
******* ******** ******: *** ******* ************* ******* Are ****** **** *******
** ********: *** ******* ******: *** biggest ****** ** ******* cyber-security

**** **** ******* ******* ****** firewalls, ** ** ********** separate ******** **** ** internet ****** ******* *** threat ** ******. *******, this ***** ** **********, as ** ******* *** potential *** ****** *******, those *********** ****** *** firewall.

*******'* *** ******** *** 'inside' *** '*******' *** no ****** ****** ********:

**** ** **********, *** Internet ** ******, *** bring-your-own-device-to-work ***********, *** **** between ****** *** ******* an ************ ** *** as ***** ** ** used ** **.

*******, ** ******:

**** ** *** ******** devices ** *** ******** networks, ** *** ** longer ****** *** ******* inside *** ******** ** secure.

************, **** ********, ** ***** vulnerable ******* *** ****** a *** *** '*********' to **** ****** ** the ****** *******, ******* up *** ********* *** wide-scale ******* ** **** network.

Password ***** *****, ********* ******** ******* ******

** ***** ************, ******* that ***** ********* ** be ****** ***** ******* ****-**** *******,********** ********, *******-***** *****, ** ******* ***** make ** **** *** malicious ******** ** **** over ***** *******. ******* for **** ******** ********* the ***** ** ***** devices *************.

Question ***** ** *********

*******'* *** ********* *** ******* trust ** ******** ** the ******* ** **** network:

******** ** *** ***** building * ******* ** trust. **** ** ***** to ******* ******* ** your *******, **** ************ must *** ******* ********* about ******* ** *** the ************ *** *** organization ********** *** ****** are ***********.

** ********* *** ********* both *** *******, *** the ******/************ ********** ****, to ********* *** ******* potential ** ****** *** network. ** ******** ***** to *********** *** ****** of *** ******** ** the ******, ****** ***** the ************(*) ****** *** software ******** *** ******, and ** **** *** ********* enough ** ****** ** the ******** *******:

[*]*** ******* ***** ** put * ****** ** your *******. *** ****** ask: “*** *** ***** the ******** ********?” ********* speaking, *** ****** **: “No.” ****, *** *** whether *** **** *** person ** ****** *** wrote *** ******** *** this ******. ***,if *** ****** ** “***,” *** ** *** ******* ** * ********/********** ****** ** * ***-********* ***** ** **** **********, **** *** ****** ***** ***** ***** ******* *** ****** ** **** *******. [emphasis added]

Impact ** *********

*** ********* ** "* military/government ****** ** * geo-strategic ***** ** **** government" ** ******* ********* to *********, ********** **** *********** ******** from ***** *******. *********, *** ***** top **********, **** ***** claimed **** ******* *** devices ** ******* ******** removes *** ******* ***** by ********** ******** ***** security *****, ***** ******* the **** ** ******* attacks.

*********** *** **** ** inside ******* ********** ************* devices **** ****** **** more ********* ** ******** security, ** ** *** in ** ********. **** would ***** ********* ********** to *** *** ** Hikvision ******** ** *********/********** markets, ***** ********* **** to ******.

Smaller ***** *** *** ****

******* ***** *** **** likely ** **** ***** insider ****** *****, ************ when *** "********" *** limited ** * **** small ****** ** *********, many ** ***** *** not **** **** ******* access ** *** **** of ***** ****** ******* or ***********. ********, ******* users ***** *** *** as ******* ** ****** can '*** ***** *******' or ****** ***** ********.

*****, ***** ************* *** face ***** ** ********* *** gain ****** ** ***** internal ******* (**** ** through ****), *** ******* that ****** ** ****** things **** *** *********** data, ********** *******, ** employee ***** ***** *********** stored ***** ** **** for ******** ***** ********.

Vote / ****

Impact ** ******** *********

******* ******* *** * real ****, *** ***** have ****** ********* *** exploit **** ******* *******, as ** ** **** harder ** ****** ********* internally ******* ********* *** ability *** *****/********* ** do ***** ***. ** will ****** ** **** time ****** **** ** adequately ********** *** ********* for ******** ******** *******, but ** ***** ******** awareness *****, *** ******* vulnerabilities *** ***** ** security ********, *** ****** threat **** **** **** to ** ********* *** doing ** **** ********* involve ********** *** ************ of ******* ** *** network.

Comments (48)

Undisclosed Integrator #1

09/21/17 03:58pm

And, if the answer is “yes,” and it was written by a military/government agency of a geo-strategic rival of your government, then you should think twice about putting the device on your network. [emphasis added]

Are you referring to the "geo-strategic rival " that we asked to loan us $1.102 trillion dollars to keep our government afloat? Is this the same 'rival' we are seeking aid to stop North Korea?

Brian Karas

IPVM | In reply to Undisclosed Integrator #1 | 09/21/17 04:22pm

Global economics and insecure security cameras are really two vastly different things.

A number of countries hold US debt. Japan actually holds more than China currently. There are strategic reasons for these countries to hold this debt, and reasons for the US to offer debt to those countries.

None of the debt/global economics factors make up for the fact that Hikvision products have been plagued with security vulnerabilities, which weaken the overall integrity of any network they are installed on, firewalled or not.

John Honovich

IPVM | In reply to Undisclosed Integrator #1 | 09/21/17 05:02pm

Is this the same 'rival' we are seeking aid to stop North Korea?

No. This is the US 'rival' who is the primary trading partner of North Korea. This is the US 'rival' who defends North Korea as a buffer and counter to South Korea and the US. This is the US 'rival', who along with North Korea, are two of three top cyber attackers of the US.

This is also the US 'rival' who is the owner of your business partner - the Hangzhou Hikvision Digital Technology Co. Ltd.

This is the People's Republic of China.

Undisclosed Integrator #1

09/21/17 05:22pm

Really? Please elaborate how any camera taken out of a box installed on a network behind a firewall (as you stated) becomes a security risk due to past history good or bad of any company? Instead of a vague answer like (ownership of the company or years ago firmware issues) let's talk today, now, please elaborate and explain in a technical sense how only Hikvision cameras are a 'risk' and others are not, as you insinuate, thank you.

Undisclosed Manufacturer #3

In reply to Undisclosed Integrator #1 | 09/21/17 08:01pm

If you don't want to see it you will never see it no matter how many times its spelled out. Head, stuck and sand are words that spring to mind...

Undisclosed #2

09/21/17 06:58pm

Michael Gonzalez

Integrated Security Technologies, Inc.
In reply to Undisclosed #2 | 09/21/17 07:22pm

Hahaha, I thought the same thing. I respect his loyalty though, however misguided it may seem to people who haven't drank the Dahua and Hikvision Kool-aid.

Undisclosed Manufacturer #4

In reply to Michael Gonzalez | 09/21/17 08:36pm

Based on the ongoing news, I guess this drink is getting more and more bitter.

Hikvision and even Dahua are very big. Big drinks awaken covetousness at the neighboring tables. When you look away, the bad guys try to put their straw in your big drink. Unfortunately, Hikvision and Dahua do not seem to pay attention. If they had bought a smaller drink, they would not attract so much attention.

Undisclosed Manufacturer #5

In reply to Undisclosed #2 | 09/21/17 11:52pm

Please don't single out Marty, it's possible he didn't vote at all. It could be Russian hackers trying to sway the IPVM polls.

He is a just trying to keep his team employed and profitable.

Besides, there were two who didn't care.

Undisclosed #6

In reply to Undisclosed Manufacturer #5 | 09/22/17 12:15am

Also, it is impossible that he would post in this thread undisclosed after years of wanting IPVM to ban undisclosed posting. That is unless it is a "non-scientific experiment".

John Honovich

IPVM | In reply to Undisclosed #6 | 09/22/17 12:19am

Everybody, seriously, please go home :)

Undisclosed #6

09/22/17 12:32am

It is impressive that Genetec takes such a bold stance repeatedly. There are other VMS that are, surprisingly, taking the opposite approach and embracing lower cost cameras to let the easier license sales roll in. Genetec really deserves credit for being so ahead of the curve on this.

Christian Laforte

In reply to Undisclosed #6 | 09/25/17 02:02pm

I don't find it impressive - it's simple business strategy. Hikvision is one of their biggest threats on the recording side. People who buy Hikvision aren't likely to be good Genetec customers anyway.

John Honovich

IPVM | In reply to Christian Laforte | 09/25/17 02:07pm

Hikvision is one of their biggest threats on the recording side.

That statement says more about your lack of knowledge about the recording side than Hikvision or Genetec, which I am pretty sure both know that is not the case.

Reason: Genetec does not even seek to be a player in smaller camera count, appliance sales, where Hikvision is strong. And in the high end, where Genetec is strong, Hikvision offers no recorder / management system anywhere close.

Christian Laforte

In reply to John Honovich | 09/25/17 02:26pm

OK, I admit that Hikvision isn't one of the dozen VMSes we have installed here in our office and integrated with. But my reasoning is that Genetec's long-term competitive threat is that cheap/free recording software continues to improve in quality, making the whole category more commoditized, and make it increasingly hard for Genetec to sustain a premium price.

Certainly Hikvision has enough of a warchest to continue improving their software and catching up feature-wise with Genetec. I'm sure that some of their projects in China (with untold thousands of cameras) have enterprise-grade features. I know first-hand that the quality of Chinese software isn't on par with North American standards, but if Hikvision really wanted to, they could quickly hurt Genetec's bottom line. I think Pierre Racz and his team are being (wisely) proactive at raising awareness within their market - making it less likely that Hikvision will go after it and continue to focus on easier prey. ;-)

Christian

Undisclosed #6

In reply to Christian Laforte | 09/26/17 05:46pm

But my reasoning is that Genetec's long-term competitive threat is that cheap/free recording software continues to improve in quality,

You are making the assumption that Genetec is not further developing their product in the interim.

Undisclosed Manufacturer #5

In reply to Christian Laforte | 09/26/17 05:50pm

There has been Open Source software like Open Office for a long time and yet Microsoft has changed their model to a subscription and they continue to grow. They are still the Enterprise leader for desktop.

Corey McCormick

In reply to Undisclosed Manufacturer #5 | 09/28/17 11:36pm

I am not sure I would agree that is an apples to apple analogy. MS erased Novell from sight by changing the landscape when they bundled networking with their operation system for a very low cost. Once done they slowly raised prices until the network user/access license fees exceed anything Novell ever charged (adjusting for inflation).

Open Office is not all that great IMHO and it requires users to know a little something about their stuff. They don't want to know anything. They apparently do not even want to see the file extension listed which is how most platforms decide to launch the correct apps. Of course Open Office will struggle... I really wish Open Office was better as all vendors/markets need healthy competition. WordPerfect Office was the last real competitor and they were out maneuvered and outflanks my MS who did an excellent job bundling products and squashing their competition with a sometimes buggy, but excellent product suite tied to the OS, browser integration and networking systems. In for a penny, in for a pound...

MS is changing to a subscription because they can't make the old model work anymore. Most folks do not NEED the next version of Office and are fine skipping them. That really hurts the MS bottom line. They need people to fear losing access to their stuff and to send monthly checks their way to fund them whether they produce something you really need or not this year. It is not about products, it is about making money and FUD still works.

Just my $0.02...

John Honovich

IPVM | In reply to Christian Laforte | 10/01/17 03:16pm

New discussion: Will Hikvision Beat Genetec In VMS Software?

Undisclosed Distributor #7

09/22/17 05:40am

Would these concerns only apply to tech from Chinese companies, or include everyrhing manufactured within Chinese borders?

I mean, the NSA intercepted networking equipment in transit, and Chinese intelligence is probably capable of the same.

To what level do we keep this back and forth thing going on? If Genetec has concerns for general cyber security that is good, but claiming there is intentionally foul play is another story.

Someone take the high-end HikVision stuff and give to some Blackhat or other capable guys, have them evaluate it. Otherwise, this is getting tiresome..

Undisclosed Manufacturer #5

In reply to Undisclosed Distributor #7 | 09/22/17 06:18am

Your wish was granted!

Hackers detected and publicly posted a very simple way to access and disable HIK cameras that aren't running the very latest firmware, across many OEM/ODM brands as well.

IPVM referenced the original postings in a different discussion, they didn't do the "hacking" themselves from what I read.

This thread was about the "who cares" attitude many have and Genetec's warning that guarding the gate still leaves the refrigerator accessible for those already inside to raid.

There would be no benefit to dissuading the use of any brand of camera for Genetec, except the rumor that they feared HIK's entry into the Enterprise market. Do you believe they have gone through all this for that reason?

I'm sure if another manufacturer creeps up on HIK's track record for security issues and doesn't disclose them until caught, Genetec will pounce on that as well, regardless of whom.

Undisclosed Distributor #7

In reply to Undisclosed Manufacturer #5 | 09/24/17 11:35am

As I recall, and correct me if I'm wrong here, the case you are referring to cannot be concluded as being an intentional backdoor.

Again, there is a clear difference in exploits in weaknesses and intentional backdoors from a manufacturer. Its likely any intentional backdoors would be slightly more complex than what has been uncovered.

Statistically there is a high probability of a big amount of zero days in hardware and software across the board in this industry. So far HikVision has had a very bad track record, but probably will become best in class soon enough.

John Honovich

IPVM | In reply to Undisclosed Distributor #7 | 09/24/17 11:57am

So far HikVision has had a very bad track record, but probably will become best in class soon enough.

#7, what leads you to believe Hikvision will become 'best in class' at cybersecurity 'soon enough'?

Undisclosed Distributor #7

In reply to John Honovich | 09/24/17 05:30pm

Because the ambitions for their western campaign realistically relies on being at least on par with the competition, on all levels.

However given their current bad reputation, and their culture for competing with western tech, being on par will not suffice if they wish to reach their own short term goals for expansion.

Through western eyes the company seems somewhat strange in how they run the different aspects of development, production and also organization. But this behemoth is far from incompetent, nor is it many steps behind the traditional established frontrunners.

"Soon enough" is a relative term, but I suspect this is given the priority it deserves.

Michael Gonzalez

Integrated Security Technologies, Inc.
In reply to Undisclosed Distributor #7 | 09/25/17 10:24pm

#7, from an end-user perspective, I hope you're right. They have a long way to go to be on par, and an even longer way to be best in class. Maybe you're right, but it's going to take them longer if they keep sending people to spam message boards with positive spins on their atrocious performance rather than getting to work on these issues. I'm sure your break is over, get back to the problem so we can learn to love you again. :)

Corey McCormick

In reply to Undisclosed Distributor #7 | 09/29/17 05:22am

I do not ever doubt the states ability to execute a long term plan. (Look at how the newest Chinese supercomputers no longer use Intel/AMD CPUs but now use those that were home grown.)

That is one of the most complex technological tasks you could take on today building a modern CPU or a Supercomputer, but through many years of hard work, massive investment, remote education, corporate espionage, IP theft, economic leverage, etc... they have mostly caught up from being more than 50 years behind in tech in about 15-20 years.

Corey McCormick

In reply to Undisclosed Distributor #7 | 09/29/17 05:21am

I doubt any state actor would be such a simpleton to leave a complexly engineered intention backdoor that would lead some investigation directly to them. The last thing they might want is to lose all their plausible deniability.

They would have multiple "accidental" exploits, just like everyone else expects products to have at times.

I have no information as to why they are there, but there is no excuse for not fixing them once discovered.

Undisclosed Distributor #7

In reply to Corey McCormick | 11/09/17 08:39pm

I agree that any point of entry would have to have a plausible deniability. I believe such methods would be different to the current "childish" mistakes uncovered simply because they potentially impact the number of units sold being sold, hence being counterproductive.

Igor Falomkin

AxxonSoft | 09/22/17 06:00am

I'm sure that a camera security system must be solid, but I think that if an attacker receives access to an internal CCTV network then it's much easier not to try to hack a camera, but just to disrupt the network itself. For example the one may create intensive multicast traffic. This with a great chance may lead to disconnects of cameras, lost data packages (and artifacts in video) and so on. Or create additional ip devices with ip addresses that duplicates the cameras ones. I'm sure that an experienced IT administrator may suggest much more ideas :)

Igor Falomkin

AxxonSoft | In reply to Igor Falomkin | 09/22/17 06:33am

I think such kind of test (is it easy to broke a CCTV system via disruption of its network) may be another interesting technical article from the IPVM team (thanks a lot for your articles!).

Undisclosed Manufacturer #4

In reply to Igor Falomkin | 09/22/17 07:13am

If a "bad guy" gains control (access to the operating system, e.g. Telnet) of one camera in your network, he can do many things.
Usually his goal will be to stay undetected to use the camera for followup attacks against more interesting targets. The camera is just a tool/relay for additional attacks.

He can use the camera to gain control of computers in that network. If you do not have a VLAN or dedicated network, gaining control about ERP-Systems might be very interesting, for example.

He can spread malware in your network.

He can utilize ARP spoofing (https://en.wikipedia.org/wiki/ARP_spoofing) to control the flow of data in your network. This way he could redirect the traffic between 2 computers through the camera and he can use the camera to record all the traffic to analyze it and e.g. find passwords.

So many options :-)

Wikipedia: Anatomy of an ARP spoofing attack

The basic principle behind ARP spoofing is to exploit the lack of authentication in the ARP protocol by sending spoofed ARP messages onto the LAN. ARP spoofing attacks can be run from a compromised host on the LAN, or from an attacker's machine that is connected directly to the target LAN.

Generally, the goal of the attack is to associate the attacker's host MAC address with the IP address of a target host, so that any traffic meant for the target host will be sent to the attacker's host. The attacker may choose to inspect the packets (spying), while forwarding the traffic to the actual default destination to avoid discovery, modify the data before forwarding it (man-in-the-middle attack), or launch a denial-of-service attack by causing some or all of the packets on the network to be dropped.

Undisclosed #8

09/22/17 07:38am

It's not just shoddy cameras that contribute to insider risks, it can also be the VMS as seen in the Mirasys case.

Undisclosed #9

IPVMU Certified | 09/22/17 08:19am

You should ask: “Did you write the software yourself?” Generally speaking, the answer is: “No.” Then, you ask whether you know the person or people who wrote the software for this device. And, if the answer is “yes,” and it was written by a military/government agency of a geo-strategic rival of your government, then you should think twice about putting the device on your network.

Manager: Hey Joe, just a couple questions for you before I can let you install that device. Did you write the software for the camera yourself?
Joe: I sure did. And it was a real bear lemme tell you, I spent a whole day on that new H.265+ stuff alone, but if you want something done right...
Manager: What's the OS?
Joe: I don't use any of that crap, its a security risk. I'm launching an encrypted, read-only image right off the bootloader, straight into protected memory. Gets me closer to the metal that way.
Manager: Hmm. Last question, are you working for a military or government agency of a geo-strategic rival of whatever country we are currently in?
Joe: You could of just asked if it was a Hik...

Jon Dillabaugh

Pro Focus LLC
09/24/17 12:59pm

This article seems to over simplify the stance I have taken many times. I will re-articulate it here again.

To thwart an insider attack, you could simply put the camera network on a physically separate network. This means that they wouldn't share a firewall, because the physical network would never even see a firewall. It would not have a gateway. It would not have a path to the Internet. It would be stand alone in every sense.

In fact, the only connection to the outside world of any measure would be that your VMS server(s) would have a network connection to this physical network alone. No other PCs, workstations, IoT devices, or any other host would have physical access.

If you cared to have access to the VMS server(s) for viewing, you would have an additional NIC installed to connect that server to the corporate LAN. At no point would the two networks have a single point of contact.

At this point, the only attack vector is the server itself. So if in this example, this CEO is saying that we are all STILL not SAFE, then it is the SERVER ITSELF that is indeed vulnerable.

On top of that, what damage, if any, could an isolated camera do on this physically separated network do? It cannot forward any data "home". It cannot see other PCs or other corporate network data. It is still in isolation, unless they find a way for this camera to plug itself into another switch.

Bottom line here is that when properly configured, networks themselves and the servers used for recording are the attack vectors, not the cameras.

John Honovich

IPVM | In reply to Jon Dillabaugh | 09/24/17 01:03pm

For those wanting to see JD and others debate this go here, no need to rewrite the entire discussion.

Undisclosed #9

IPVMU Certified | In reply to John Honovich | 09/25/17 08:22pm

For those wanting to see JD and others debate this go here, stay here :)

Undisclosed #8

In reply to Jon Dillabaugh | 09/24/17 02:36pm

There are still some issues with your suggestion of separate networks when there's a good number of cameras:

Arranging a physically separate network that does not share any cabling, switching or routing with anything else is very expensive unless you only have a couple of cameras, and is one of the major reasons to use IP cameras as no extra cabling after the initial investment to network infrastructure is needed in case something needs to be moved around or more cameras need to be installed.
No connectivity and no Internet basically also means that providing updates and accurate system time needs extra effort, so some compromises may be needed for manageability.
In centralized management of distributed sites, there's likely a separate network administrator team or depending on the operation, perhaps each site has their own. Getting things implemented in a certain way may be difficult even if you could justify the price, and the overhead of managing all of it yourself is significant in all but the tiniest of installations. These network managers and installers - trusted as they are - have opportunities to access devices or data that doesn't belong to them.
If we're talking serious insider threats, I would also count in the network teams and at minimum anyone who has a big keyring and gets physical access to switches. Probably the same guy who cabled the physically separate surveillance network, or even the portier who opened the cabinet door for him. Physical security and privilege management is really hard when there's a lot of people involved.
Any glaring holes such as poor key handling will in the end defeat most protective measures. An outsider could notice that an office building has Hikvision cameras for example and realizes they would just need brief access to the switch cabinet - the simplest, fairly non-technical approach - to plug in their tiny wireless network tap in the right ports to perhaps own the building or just scout around. All they need now is to put on overalls, sweet talk the guy to let them change a supposedly broken network cable at the prominent switching cabinet near the reception and not spend too much time there. All an insider would need to do is to walk to the cabinet and open it themselves, and they could do it as many times as needed to ensure success, likely without anyone questioning it.

Easy and consistent software exploits with the devices involved may act as motivation for someone to overcome any initial hurdles with the security. A grave exploit for a camera like the Hikvision one and awareness of it is exactly something that makes people ponder if the camera next to them is safe or not. If they can tell only half of the problem needs to be solved, it lowers the bar:

Maybe they didn't consider robbing a consumer tech warehouse before, but after Jane Doe arrived to the office for the second morning of her new job at the waybill archive, she had just prior evening read about the poor state of security in building services engineering in general, and also saw a headline about an easy hack in certain cameras. As a CS bachelor, she was proficient with computers yet a bit naïve, not expecting that the switch room was kept unlocked and unmonitored at all times, and it was just around the corner on the way to the bathroom. After two weeks she yielded to her curiosity, planted a RaspberryPi to the cabinet and noticed the server for the electronic locks was constantly broadcasting on the network. Sitting at her desk, seemingly working but also idly poking around the network with her mobile, she was confronted by harsh reality: the default password worked and she could now manage all locks and fob privileges, disable cameras as needed and do many other things to hide her tracks. Not that she was evil or anything, but she thought it was pretty rad.

Jane switched jobs after she felt uneasy keeping a straight face with her colleagues. The extra ten or so MacBooks and other nifty gear she took home - one at a time - should make up for it though, she thinks. She at least still has her extra master fob to sell to someone if she needs cash.

The fictional example above is just slightly based on reality - though in reality security was even worse. Obviously some scenarios may be unlikely in practice due to details in life, but the bigger the reward, the more effort someone will put in, and some security goofs are actually much more common than they ought to be - as we know.

Jon Dillabaugh

Pro Focus LLC
In reply to Undisclosed #8 | 09/24/17 02:51pm

Separate networks aren’t difficult or necessarily more expensive. You still need the same amount of overall ports.
Isnt the point of this to make the camera network more secure? That extends to firmware updates, config changes, etc. You only need to remote into the VMS server to make these changes.
I don’t get your “centralized management” argument. Are you saying that your security tech cannot possibly manage remote separate networks? Or are you saying the local IT team won’t be able to follow corporate protocols for separate networks?
Now we are getting to the point where we think the guy with the admin creds or keys is going to infect a camera instead of accessing the server data itself? Ridiculous, really.
You honestly think an outsider that gains access to the NOC is going to go straight for the Hikvision camera on a physically separate network? You wouldn’t think he would just add something on the main network to sniff data? Wouldn’t you think that Hikvision camera being segregated still highly mitigate any damages possible, even if Tom Cruise breaks in?

John Honovich

IPVM | In reply to Jon Dillabaugh | 09/24/17 02:57pm

Separate networks aren’t difficult or necessarily more expensive. You still need the same amount of overall ports.

Integrator stats show (Dedicated Vs Converged IP Video Networks Statistics) that separate networks are more difficult and more expensive for larger, multi-site organizations.

Undisclosed Integrator #1

In reply to Jon Dillabaugh | 09/24/17 04:18pm

JON- It makes no difference. We could built a Hikvision system, bury it in the middle of the Pacific Ocean with no connections and there will be detractors that swear it is Hikvisions fault for something, anything, it never ends.It has gotten to the point where basic common sense logic is neglected in any attempt to downplay Hikvisions absolute dominance of the industry.

It is not worth the time to even comment anymore, childish remarks, denouncing my heritage, etc. are the order of the day, done here.

Undisclosed #9

IPVMU Certified | In reply to Undisclosed Integrator #1 | 09/24/17 05:27pm

...denouncing my heritage, etc...

I'm third generation ud myself, us undiscloseds gotta stick together!

Brian Karas

IPVM | In reply to Undisclosed Integrator #1 | 09/24/17 06:09pm

We could built a Hikvision system, bury it in the middle of the Pacific Ocean with no connections and there will be detractors that swear it is Hikvisions fault for something, anything, it never ends.

If you go back and look at reports covering Hikvision cyber security issues, they correlate very strongly with various discoveries of exploits/vulnerabilities relating to Hikvision apps, cloud services, hardware, etc.

You are correct that "it never ends", which is Hikvision's fault for their poor cyber security.

Undisclosed #8

In reply to Jon Dillabaugh | 09/24/17 04:27pm

I'm not saying it cannot be implemented in a fashion, but where would you draw the line of two systems being physically separate? Switches and other gear have exploits too. If you had 20k ports to manage over a complex network or several (I'm not talking about just some small office here), simply managing the switches is not trivial. It can be layer upon layer of complexity even if you didn't consider the actual cabling. I surely agree it would be good to have maximum security all over but it comes at a cost.

If someone would mandate that all of the security network must be airgapped, it could prove very costly indeed, so in practice these networks connect somehow through the typical gear used for other purposes too. These networks can be created and managed in the best manner possible, sure, but resources to do so vary so they're often not what you'd hope. And often they're managed with just a few people in some office spaces.

Here's one example (2014, found with Google image search) of a random security company running a vulnerable VMS while managing the monitoring for what might be a liquor store and other spaces: http://www.mikkelinvartiointikeskus.fi/media/Valvomo_uusi.JPG. I wonder how their network is implemented and how geographically separate the cameras are.

Still doesn't stop Jane in her new job as their secretary to rob some liquor, even though the poor shop themselves had top-notch networking with just a heavily guarded VPN to allow the security company's VMS to connect through. She also erased the edge SD cards.

About outsider NOC access, yes, they probably could do both just as well, that just depends on their motivation, knowledge and how the stuff is labeled. It is certainly good to minimize all threats and I sincerely agree to that, all I'm saying is that they can't be completely eliminated with physical separation of networks alone or even industry standard practices combined because neither works perfectly. Not saying one has to be paranoid of everything or lose hope, just consider also things that "no one would ever do" because someone will.

About the admin guy being ridiculous, a person with just the keys to a building is typically not the system administrator and could be entirely unprivileged in that context. They are users of the admin's system more likely and in a position to exploit any bugs from inside if they so wish. If some corporation has, say, a hundred networking people and a couple of hundred more are allowed limited access to the systems, it's quite plausible that eventually someone could do things they shouldn't be doing, if only to accidentally witness unencrypted data not related to their job, or to look for it.

The reason why someone would attack the camera instead of a VMS for example may be that they're simply not interested in it, don't want to cause extra logging because of that, and only want the camera(s) to covertly go to sleep at the convenient time or just to scan the network carefully. Also 'accessing server data' is often not as simple as just doing a simple request to a broken camera. Another discussion perhaps should be had about how recordings and encryption is typically handled on the filesystem.

If that company in the image above had someone monitor those screens at night (with non-administrative privilege) and they just so happened to have their system monitoring tray icon there, because of the vulnerability in that particular version of the software the night shift can just choose to become the admin of that system, regardless of whether the cameras are behind the walls of that room, or in another part of the world.

It is a graphic representation of a concrete "insider" risk - in my view - where it doesn't really matter how well most of it is made if a single part is broken. Note that the VMS itself might even be tucked safely in the liquor store's basement, where they thought their brilliant security people gave the security company just the limited access to a real-time view, treating the company like a relative outsider. Insider threats are probably relieved that they don't get that scrutiny.

Undisclosed Manufacturer #5

09/24/17 04:40pm

Just to lighten things up a bit.

Imagine Being the person responsible for managing the data security of a medical research university targeted by animal rights activists, who attend the school, and have to be provided access to the network.

Those same students share dorm rooms with the computer science majors, also on the shared network.

I met that guy and he didn't find the humor in it!

Undisclosed Integrator #1

09/25/17 02:30pm

All of the arguments are feeding people information and giving them ideas that do not hep us. They do not need to know what we do or dont do with our systems, and that goes for everyone not just the Hik folks

Undisclosed #8

In reply to Undisclosed Integrator #1 | 09/25/17 03:26pm

You're saying we should stop discussing insider threats altogether because someone could get ideas? I always cringe when seeing willful ignorance and heads in sand. It's ironic that a lot of it seems to manifest in the security industry, where that stuff actually matters. Perhaps someone reading these discussions is currently sweating to fix holes they just realized exist in their systems.

Undisclosed Manufacturer #4

In reply to Undisclosed #8 | 09/25/17 10:15pm

I fully agree with you!

I beg that our security industry starts to think about IT-Security!

It's time for a change of our mindset. If you (reader of these lines) do not agree, then please think about if it's time to let your younger colleagues take over the IP-Projects!

Corey McCormick

09/29/17 04:55am

Having designed, built and supported multiple systems for a few large 100+ site corporations, to say it is not a big deal to really separate networks, is in no way accurate. If you think it was the same cost or straightforward in any way, you didn't put together a good system.

The security industry is not any better than any other industry at their own security.

When a company has security holes in products that they do not close ASAP for what ever reason they voluntarily contribute the risks we all bear in this society and specific industry. There are *many* guilty parties in this list, not just the recently published ones...

Marketing and Sales goals trump Engineering in product design more times than I can count. Physical Security overall is one of the first generations of an IOT industry which has a horrible reputation so far as I can see. (to me every remote camera, motion sensor, door alarm, lighting controller, etc.. is a member of the IOT world, whether they physically attach via Zigbee, IP, WiFi, RS-485, etc..) If it can be managed it can be mismanaged/exploited.

It is INCREDIBLY hard to do this separate network isolation well. I have tried it at various levels with many folks smarter than me and always found the results expensive and still wanting.

Security is still the inverse of convenience and always will be by design. The tools for making security effective and manageable across the board and across multiple platforms have not been created yet and maybe not for a while if ever. Security is a process, not a product, but people want to BUY products from people who SELL products. That isn't actual security, IP cameras or not.

The trend towards *AAS isn't security either, that is just selling a different product yet again. IT has had this sort of centralization/decentralization cyclical environment since before I was borne. Security is the same as a part of IT. (IMHO it always was, but the "I" was analog video, so it was counted differently, but it wasn't really different then either.)

It might be that the data center hosting things is physically more secure, but notice that nearly all of the recent breaches have been via data housed in large data centers. It wasn't on a SOHO server in a plumbing company office. *AAS is just a revenue contract for profits so far for most vendors. They do not in general deliver a better overall value than in the past. They just found a new way to create vendor lock-in with contracts instead of proprietary feature lists.

Accountant types like it because the costs are predictable and known in advance. That doesn't inherently make the product good or effective/reliable. They aren't as dependent on needing particular skillsets in staffing.

Until the customers take their own Security stuff seriously and demand the vendors work together to provide tools that integrate, are manageable and provide the needed levels of security and business function for reasonable costs, I do not see this changing.

This data infrastructure we seem to be deploying as a society of humans, has a cost that is rising along with it's perceived value to others (good and bad). This is regardless of the fact that the costs of an IP camera network is falling like a rock while the pixel and storage count climbs to the sky. (another Process vs. Product example)

Jon does a great job with products, but the process problem is not so simple. it also is depended on us as customers and us as vendors. When the most important measurements are things like market cap, stock price, quarterly sales figures, dividends, executive bonus amounts, market share, etc... No wonder security is so awful across the board...

Too few organizations and more importantly too few people really care about it enough to vote with their wallets in either direction... As Vendors we have little incentive to listen to anything else since ALL of the employees bonuses, stock options, etc.. are based on lots of things, but product security is not usually one of their measures.

You can say the market will reward those who get it right, but I say it will not most of the time, because the buyers do not generally select the path that is in their long term best interest. Buyers are generally measured by the wrong metrics as well, so until the metrics for measuring security are a significant part of the valuation for salaries, bonuses, contract extensions, future orders, etc... I do not see how this can change.

After living in my neighborhood for 15 years, I finally can see only a few homes with open WiFi routers... No matter how much we tried, folks just didn't get it... It only got better when the router vendors shipped things by default secured and forced folks to learn a little bit more than they wanted to hook up their latest gadget. This made at least a tiny step towards security as a process.

So despite the negative tone this started out with, I think there is hope, but not until the paradigm shifts. Denying the difficulty, responsibility and complexity required to solving this is just perpetuating the myth...

Never say "...it doesn't matter because..."... It does matter a LOT and so make them fix the stinking security holes and do not accept ANY excuses from ANY vendor.

Read this IPVM report for free.

This article is part of IPVM's 6,538 reports, 881 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Genetec CEO Warns Against Insider Threats

Comments (48)

Undisclosed Integrator #1

Brian Karas

John Honovich

Undisclosed Integrator #1

Undisclosed Manufacturer #3

Undisclosed #2

Michael Gonzalez

Undisclosed Manufacturer #4

Undisclosed Manufacturer #5

Undisclosed #6

John Honovich

Undisclosed #6

Christian Laforte

John Honovich

Christian Laforte

Undisclosed #6

Undisclosed Manufacturer #5

Corey McCormick

John Honovich

Undisclosed Distributor #7

Undisclosed Manufacturer #5

Undisclosed Distributor #7

John Honovich

Undisclosed Distributor #7

Michael Gonzalez

Corey McCormick

Corey McCormick

Undisclosed Distributor #7

Igor Falomkin

Igor Falomkin

Undisclosed Manufacturer #4

Wikipedia: Anatomy of an ARP spoofing attack

Undisclosed #8

Undisclosed #9

Jon Dillabaugh

John Honovich

Undisclosed #9

Undisclosed #8

Jon Dillabaugh

John Honovich

Undisclosed Integrator #1

Undisclosed #9

Brian Karas

Undisclosed #8

Undisclosed Manufacturer #5

Undisclosed Integrator #1

Undisclosed #8

Undisclosed Manufacturer #4

Corey McCormick

Read this IPVM report for free.

Member Login

Related Reports

Recent Reports