Insider ******* **** **********
******* ******* *** *** of *** ******* ******** risks *****, ** * number ** ********-******** ************ have ******* ***:
**** **** ******* ******* ****** firewalls, ** ** ********** separate ******** **** ** internet ****** ******* *** threat ** ******. *******, this ***** ** **********, as ** ******* *** potential *** ****** *******, those *********** ****** *** firewall.
*******'* *** ******** *** 'inside' *** '*******' *** no ****** ****** ********:
**** ** **********, *** Internet ** ******, *** bring-your-own-device-to-work ***********, *** **** between ****** *** ******* an ************ ** *** as ***** ** ** used ** **.
*******, ** ******:
**** ** *** ******** devices ** *** ******** networks, ** *** ** longer ****** *** ******* inside *** ******** ** secure.
************, **** ********, ** ***** vulnerable ******* *** ****** a *** *** '*********' to **** ****** ** the ****** *******, ******* up *** ********* *** wide-scale ******* ** **** network.
Password ***** *****, ********* ******** ******* ******
** ***** ************, ******* that ***** ********* ** be ****** ***** ******* ****-**** *******,********** ********, *******-***** *****, ** ******* ***** make ** **** *** malicious ******** ** **** over ***** *******. ******* for **** ******** ********* the ***** ** ***** devices *************.
Question ***** ** *********
*******'* *** ********* *** ******* trust ** ******** ** the ******* ** **** network:
******** ** *** ***** building * ******* ** trust. **** ** ***** to ******* ******* ** your *******, **** ************ must *** ******* ********* about ******* ** *** the ************ *** *** organization ********** *** ****** are ***********.
** ********* *** ********* both *** *******, *** the ******/************ ********** ****, to ********* *** ******* potential ** ****** *** network. ** ******** ***** to *********** *** ****** of *** ******** ** the ******, ****** ***** the ************(*) ****** *** software ******** *** ******, and ** **** *** ********* enough ** ****** ** the ******** *******:
[*]*** ******* ***** ** put * ****** ** your *******. *** ****** ask: “*** *** ***** the ******** ********?” ********* speaking, *** ****** **: “No.” ****, *** *** whether *** **** *** person ** ****** *** wrote *** ******** *** this ******. ***,if *** ****** ** “***,” *** ** *** ******* ** * ********/********** ****** ** * ***-********* ***** ** **** **********, **** *** ****** ***** ***** ***** ******* *** ****** ** **** *******. [emphasis added]
Impact ** *********
*** ********* ** "* military/government ****** ** * geo-strategic ***** ** **** government" ** ******* ********* to *********, ********** **** *********** ******** from ***** *******. *********, *** ***** top **********, **** ***** claimed **** ******* *** devices ** ******* ******** removes *** ******* ***** by ********** ******** ***** security *****, ***** ******* the **** ** ******* attacks.
*********** *** **** ** inside ******* ********** ************* devices **** ****** **** more ********* ** ******** security, ** ** *** in ** ********. **** would ***** ********* ********** to *** *** ** Hikvision ******** ** *********/********** markets, ***** ********* **** to ******.
Smaller ***** *** *** ****
******* ***** *** **** likely ** **** ***** insider ****** *****, ************ when *** "********" *** limited ** * **** small ****** ** *********, many ** ***** *** not **** **** ******* access ** *** **** of ***** ****** ******* or ***********. ********, ******* users ***** *** *** as ******* ** ****** can '*** ***** *******' or ****** ***** ********.
*****, ***** ************* *** face ***** ** ********* *** gain ****** ** ***** internal ******* (**** ** through ****), *** ******* that ****** ** ****** things **** *** *********** data, ********** *******, ** employee ***** ***** *********** stored ***** ** **** for ******** ***** ********.
Impact ** ******** *********
******* ******* *** * real ****, *** ***** have ****** ********* *** exploit **** ******* *******, as ** ** **** harder ** ****** ********* internally ******* ********* *** ability *** *****/********* ** do ***** ***. ** will ****** ** **** time ****** **** ** adequately ********** *** ********* for ******** ******** *******, but ** ***** ******** awareness *****, *** ******* vulnerabilities *** ***** ** security ********, *** ****** threat **** **** **** to ** ********* *** doing ** **** ********* involve ********** *** ************ of ******* ** *** network.
Comments (48)
Undisclosed Integrator #1
And, if the answer is “yes,” and it was written by a military/government agency of a geo-strategic rival of your government, then you should think twice about putting the device on your network. [emphasis added]
Are you referring to the "geo-strategic rival" that we asked to loan us $1.102 trillion dollars to keep our government afloat? Is this the same 'rival' we are seeking aid from to stop North Korea?
Undisclosed Integrator #1
None of the debt/global economics factors make up for the fact that Hikvision products have been plagued with security vulnerabilities, which weaken the overall integrity of any network they are installed on, firewalled or not.
Really? Please elaborate how any camera taken out of a box installed on a network behind a firewall (as you stated) becomes a security risk due to past history good or bad of any company? Instead of a vague answer like (ownership of the company or years ago firmware issues) let's talk today, now, please elaborate and explain in a technical sense how only Hikvision cameras are a 'risk' and others are not, as you insinuate, thank you.
Undisclosed #6
It is impressive that Genetec takes such a bold stance repeatedly. There are other VMS that are, surprisingly, taking the opposite approach and embracing lower cost cameras to let the easier license sales roll in. Genetec really deserves credit for being so ahead of the curve on this.
Undisclosed Distributor #7
Would these concerns only apply to tech from Chinese companies, or include everything manufactured within Chinese borders?
I mean, the NSA intercepted networking equipment in transit, and Chinese intelligence is probably capable of the same.
To what level do we keep this back and forth thing going on? If Genetec has concerns for general cyber security that is good, but claiming there is intentionally foul play is another story.
Someone take the high-end HikVision stuff and give it to some Blackhat or other capable guys, have them evaluate it. Otherwise, this is getting tiresome...
Igor Falomkin
I'm sure that a camera security system must be solid, but I think that if an attacker receives access to an internal CCTV network then it's much easier not to try to hack a camera, but just to disrupt the network itself. For example, one may create intensive multicast traffic. This has a great chance of leading to disconnects of cameras, lost data packets (and artifacts in video) and so on. Or create additional IP devices with IP addresses that duplicate the cameras' ones. I'm sure that an experienced IT administrator could suggest many more ideas :)
Undisclosed #8
It's not just shoddy cameras that contribute to insider risks, it can also be the VMS as seen in the Mirasys case.
Undisclosed #9
Manager: Hey Joe, just a couple questions for you before I can let you install that device. Did you write the software for the camera yourself?
Joe: I sure did. And it was a real bear lemme tell you, I spent a whole day on that new H.265+ stuff alone, but if you want something done right...
Manager: What's the OS?
Joe: I don't use any of that crap, it's a security risk. I'm launching an encrypted, read-only image right off the bootloader, straight into protected memory. Gets me closer to the metal that way.
Manager: Hmm. Last question, are you working for a military or government agency of a geo-strategic rival of whatever country we are currently in?
Joe: You could have just asked if it was a Hik...
Jon Dillabaugh
09/24/17 12:59pm
This article seems to oversimplify the stance I have taken many times. I will re-articulate it here again.
To thwart an insider attack, you could simply put the camera network on a physically separate network. This means that they wouldn't share a firewall, because the physical network would never even see a firewall. It would not have a gateway. It would not have a path to the Internet. It would be stand alone in every sense.
In fact, the only connection to the outside world of any measure would be that your VMS server(s) would have a network connection to this physical network alone. No other PCs, workstations, IoT devices, or any other host would have physical access.
If you cared to have access to the VMS server(s) for viewing, you would have an additional NIC installed to connect that server to the corporate LAN. At no point would the two networks have a single point of contact.
At this point, the only attack vector is the server itself. So if in this example, this CEO is saying that we are all STILL not SAFE, then it is the SERVER ITSELF that is indeed vulnerable.
On top of that, what damage, if any, could an isolated camera do on this physically separated network? It cannot forward any data "home". It cannot see other PCs or other corporate network data. It is still in isolation, unless they find a way for this camera to plug itself into another switch.
Bottom line here is that when properly configured, networks themselves and the servers used for recording are the attack vectors, not the cameras.
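The design Jon lays out (a camera LAN with no gateway and no path to the Internet, touched only by a dual-homed VMS server) is easy to state and easy to undo with one stray route or one sysctl. The following is an added example, not code from Jon's comment or from IPVM: a small audit, run on the VMS server, that checks the host's own routing table and forwarding setting against that design. The interface names (eth0 for the corporate side, eth1 for the camera side), the subnets, and the sample `ip -4 route show` / `sysctl` output are all constructed assumptions for the example.

```python
"""Audit a dual-homed VMS server for the 'physically separate camera network'
design: the camera-facing NIC must have no gateway, the camera subnet must be
reachable only as a directly connected link on that NIC, and kernel IP
forwarding must be off so the server never becomes a router between the LANs.
Added example; interface names, subnets and sample outputs are assumptions.
"""
import ipaddress
import re

# Assumed layout: eth0 on the corporate LAN, eth1 on the isolated camera LAN.
CORP_NIC = "eth0"
CAMERA_NIC = "eth1"
CAMERA_SUBNET = ipaddress.ip_network("192.168.100.0/24")

# Constructed sample of `ip -4 route show` on a correctly configured server:
# the only default route is on the corporate NIC, the camera subnet is a
# link-scope route on eth1, and nothing else references it.
GOOD_ROUTES = """\
default via 10.1.0.1 dev eth0 proto static
10.1.0.0/24 dev eth0 proto kernel scope link src 10.1.0.50
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.2
"""
GOOD_SYSCTL = "net.ipv4.ip_forward = 0"

# Constructed sample of a server where the design has been broken three ways:
# a default gateway on the camera NIC, a second path to the camera subnet via
# a corporate router, and forwarding switched on.
BAD_ROUTES = """\
default via 192.168.100.1 dev eth1 proto static
10.1.0.0/24 dev eth0 proto kernel scope link src 10.1.0.50
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.2
192.168.100.0/24 via 10.1.0.254 dev eth0 proto static metric 100
"""
BAD_SYSCTL = "net.ipv4.ip_forward = 1"

# Matches "<dst> [via <gw>] dev <iface> ..."; other route kinds are ignored.
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")


def parse_routes(text):
    """Turn `ip -4 route show` lines into dicts with dst, via (or None), dev."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(m.groupdict())
    return routes


def audit_isolation(route_text, sysctl_text,
                    camera_nic=CAMERA_NIC, camera_subnet=CAMERA_SUBNET):
    """Return a list of findings; an empty list means the host honours the design."""
    findings = []
    routes = parse_routes(route_text)

    # 1. No gateway of any kind on the camera NIC: no gateway means no path off
    #    the camera LAN, which is the whole point of the design.
    for r in routes:
        if r["dev"] == camera_nic and (r["dst"] == "default" or r["via"]):
            findings.append(
                f"camera NIC {camera_nic} carries a gateway route: "
                f"{r['dst']} via {r['via']}")

    # 2. The camera subnet must not be reachable through any other interface;
    #    a route to it via the corporate side means the two LANs do touch.
    for r in routes:
        if r["dst"] == "default":
            continue
        try:
            net = ipaddress.ip_network(r["dst"], strict=False)
        except ValueError:
            continue  # not a prefix (e.g. a named route type); skip
        if net.overlaps(camera_subnet) and r["dev"] != camera_nic:
            findings.append(
                f"camera subnet {camera_subnet} is routed via {r['dev']} "
                f"({r['dst']} via {r['via']})")

    # 3. Forwarding off, otherwise the dual-homed server silently routes
    #    between the corporate LAN and the camera LAN.
    m = re.search(r"ip_forward\s*=\s*(\d)", sysctl_text)
    if not m or m.group(1) != "0":
        findings.append("net.ipv4.ip_forward is enabled; the server would route between the LANs")

    return findings


if __name__ == "__main__":
    for label, routes, sysctl in (("good", GOOD_ROUTES, GOOD_SYSCTL),
                                  ("bad", BAD_ROUTES, BAD_SYSCTL)):
        result = audit_isolation(routes, sysctl)
        print(f"{label}: {'OK' if not result else 'FINDINGS'}")
        for f in result:
            print("  -", f)
```

The audit only looks at the server's own view; it cannot tell whether someone has patched the camera switch into another switch, which is exactly the residual risk Jon names. What it does catch is the common way the design rots in practice: a DHCP-assigned gateway on the camera NIC, a helpful static route added for "remote viewing", or forwarding enabled by some unrelated package.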
Undisclosed Manufacturer #5
Just to lighten things up a bit.
Imagine Being the person responsible for managing the data security of a medical research university targeted by animal rights activists, who attend the school, and have to be provided access to the network.
Those same students share dorm rooms with the computer science majors, also on the shared network.
I met that guy and he didn't find the humor in it!
Undisclosed Integrator #1
All of the arguments are feeding people information and giving them ideas that do not help us. They do not need to know what we do or don't do with our systems, and that goes for everyone, not just the Hik folks.
Corey McCormick
Having designed, built and supported multiple systems for a few large 100+ site corporations, to say it is not a big deal to really separate networks, is in no way accurate. If you think it was the same cost or straightforward in any way, you didn't put together a good system.
The security industry is not any better than any other industry at their own security.
When a company has security holes in products that they do not close ASAP for whatever reason, they voluntarily contribute to the risks we all bear in this society and specific industry. There are *many* guilty parties in this list, not just the recently published ones...
Marketing and Sales goals trump Engineering in product design more times than I can count. Physical Security overall is one of the first generations of an IoT industry, which has a horrible reputation so far as I can see. (To me every remote camera, motion sensor, door alarm, lighting controller, etc. is a member of the IoT world, whether they physically attach via Zigbee, IP, WiFi, RS-485, etc.) If it can be managed it can be mismanaged/exploited.
It is INCREDIBLY hard to do this separate network isolation well. I have tried it at various levels with many folks smarter than me and always found the results expensive and still wanting.
Security is still the inverse of convenience and always will be by design. The tools for making security effective and manageable across the board and across multiple platforms have not been created yet and maybe not for a while if ever. Security is a process, not a product, but people want to BUY products from people who SELL products. That isn't actual security, IP cameras or not.
The trend towards *AAS isn't security either, that is just selling a different product yet again. IT has had this sort of centralization/decentralization cyclical environment since before I was born. Security is the same as a part of IT. (IMHO it always was, but the "I" was analog video, so it was counted differently, but it wasn't really different then either.)
It might be that the data center hosting things is physically more secure, but notice that nearly all of the recent breaches have been via data housed in large data centers. It wasn't on a SOHO server in a plumbing company office. *AAS is just a revenue contract for profits so far for most vendors. They do not in general deliver a better overall value than in the past. They just found a new way to create vendor lock-in with contracts instead of proprietary feature lists.
Accountant types like it because the costs are predictable and known in advance. That doesn't inherently make the product good or effective/reliable. They aren't as dependent on needing particular skillsets in staffing.
Until the customers take their own Security stuff seriously and demand the vendors work together to provide tools that integrate, are manageable and provide the needed levels of security and business function for reasonable costs, I do not see this changing.
This data infrastructure we seem to be deploying as a society of humans has a cost that is rising along with its perceived value to others (good and bad). This is regardless of the fact that the cost of an IP camera network is falling like a rock while the pixel and storage count climbs to the sky. (Another Process vs. Product example.)
Jon does a great job with products, but the process problem is not so simple. It also depends on us as customers and us as vendors. When the most important measurements are things like market cap, stock price, quarterly sales figures, dividends, executive bonus amounts, market share, etc... no wonder security is so awful across the board...
Too few organizations and more importantly too few people really care about it enough to vote with their wallets in either direction... As Vendors we have little incentive to listen to anything else since ALL of the employees' bonuses, stock options, etc. are based on lots of things, but product security is not usually one of their measures.
You can say the market will reward those who get it right, but I say it will not most of the time, because the buyers do not generally select the path that is in their long term best interest. Buyers are generally measured by the wrong metrics as well, so until the metrics for measuring security are a significant part of the valuation for salaries, bonuses, contract extensions, future orders, etc... I do not see how this can change.
After living in my neighborhood for 15 years, I finally can see only a few homes with open WiFi routers... No matter how much we tried, folks just didn't get it... It only got better when the router vendors shipped things by default secured and forced folks to learn a little bit more than they wanted to hook up their latest gadget. This made at least a tiny step towards security as a process.
So despite the negative tone this started out with, I think there is hope, but not until the paradigm shifts. Denying the difficulty, responsibility and complexity required to solve this is just perpetuating the myth...
Never say "...it doesn't matter because..."... It does matter a LOT and so make them fix the stinking security holes and do not accept ANY excuses from ANY vendor.