CCTV and teleconferencing systems

According to comparitech.com there are over 770 million surveillance cameras in the world. 

While these are intended as a deterrent to crime, if they are vulnerable then they can actually encourage crime on the part of hackers. Seeing that, like SCADA, the growth of closed-circuit television (CCTV) and teleconferencing systems is only increasing, this is an area that is very important to address.

CCTV 

CCTV systems are becoming more integrated into general IT systems, as footage is streamed over an IP network. So, like SCADA systems, the risks are increasing.

These risks are different to those related to SCADA systems and include:

• An attacker intercepting or redirecting the feed from a CCTV camera.
• CCTV clips and images stored on IT systems being tampered with, deleted, or viewed by inappropriate people.
• An attacker replacing the camera feed with their own feed, with the intention of hiding activity from a CCTV operator.
• Burglar viewing CCTV before breaking into house.

Countermeasures

Countermeasures when designing a CCTV solution can include:

• Encrypting the camera feed to the control centre.
• Implementing logical and physical identification and authentication solutions on the network and in the control centres.
• Ensuring a strong password management regime.
• Ensuring appropriate authorisation procedures for the storage system to secure archive footage.
• Never using http defaults, instead of the secure https.

Teleconferencing systems

Having noticed the growth in online conferences, particularly in recent years, it's essential to secure your teleconferencing systems. These types of systems are prone to the same risks as CCTV and Instant Messaging systems: interception of feed, feed tampering, malicious files and executables. For example, a hacker with a Wireshark Network Analyser recording the session.

The primary countermeasure for protecting teleconferencing systems is the protection of the link, which is typically through encryption as well as identification and authentication mechanisms. End-to-end encryption protects the meeting from eavesdroppers. You may also need to calibrate software settings that control permissions, and lock meetings once all participants have joined.

To avoid your archive being breached, you should control access and ensure that you're using a secure server.

It's also important to remember the legal necessity: video-conferencing security is not only in a company's best interest – it's the law. Recent government regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX) of 2002 require that medical providers, financial institutions and other corporations secure all electronic data associated with their customers and patients. That includes all electronic transmissions of personal client data, even video conferences. [source: Centres for Medicare & Medicaid Service].

In the US, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. This is also covered by GDPR UK, Data Protection Act.

As you will have noticed with so much work moving online and remotely, this is a growth area. For hackers it represents fresh opportunities to exploit. Therefore, you need to keep our authentication up to date and stay aware of newly evolving threats.

What's next?

Next, you will look at the issues regarding Instant messaging.