In 2021, cybersecurity firm Cyfirma uncovered a critical security flaw in a leading surveillance manufacturer’s software, potentially allowing unauthorized control of surveillance cameras. Despite a swift security patch, over 80,000 cameras remained at risk a year later. Malicious groups exploited these vulnerabilities, targeting the infrastructure and services of enterprises across more than a hundred countries and impacting over 2,300 organizations.
The primary purpose of surveillance systems is to protect physical assets, but inadequate security or poor management can turn the surveillance system into a vulnerability that exposes businesses to data breaches and cybersecurity threats. Therefore, the meticulous management of these systems’ security is essential, requiring careful evaluation during selection, deployment, and maintenance.
Given the complex nature of surveillance system security and the resource management needed to maintain an enterprise-level deployment, Synology recommends that companies take time to meticulously assess their system’s potential vulnerabilities. This assessment should include system security to safeguard IT infrastructure, transmission security to avoid data breaches, data security to maintain video integrity, and redundancy security to ensure uninterrupted operation.
System and device security
According to research by Palo Alto Networks, 70% of cybersecurity incidents stem from either phishing or software vulnerabilities. This highlights the importance of starting with system and permission security when maintaining the safety of a surveillance system.
The first consideration is system security: consider how frequently the VMS (Video Management System) or device manufacturers update their software, how promptly they fix security vulnerabilities, and what continuous costs there are for updates and support. A swift response is crucial to prevent malware from infiltrating systems after a vulnerability has been revealed. This is particularly important when the network is not adequately defended, leaving devices exposed to zero-day attacks.
Synology, for example, has a dedicated Security Incident Response Team (SIRT) that promptly addresses CVE vulnerabilities, aiming to resolve high-impact issues within 24 hours. However, in order to make this sort of support effective at patching vulnerabilities and warding off attacks, administrators must also regularly update the system to keep it at the latest version.
Beyond direct exploitation of security flaws, hackers can obtain system access through phishing or social engineering, making detailed permission control critical. Surveillance systems typically allow for role-based permission settings, but at Synology we have noted that many businesses fall into a binary approach to permissions, granting unlimited high-level access to all managers and minimal basic access to all security personnel. This distribution of responsibility can lead to a variety of issues, but particularly makes the organization vulnerable to damage via compromised user identities.
Adhering to the minimal privilege principal and distributing responsibilities can significantly mitigate the risk of errors or infiltration. As an example, let’s consider a retail chain store. In this case, store managers might have the authority to review footage and adjust camera settings, but deleting footage should require higher-level approval, while drastic changes such as alterations to system protocols would be reserved for corporate.
Synology recommends a zero-trust security model with its VMS, Surveillance Station, enhancing security via two-factor authentication for critical tasks and encryption keys for viewing footage. This provides robust security by ensuring that unauthorized access to video files is ineffective without decryption capabilities.
Transmission and footage protections
Whether transmitting from network cameras to recording servers or accessing data on recording servers from the client side, there is a risk of interception during transmission. Therefore, when purchasing cameras and surveillance management systems, ensure they support HTTPS encryption for connections and access, and that images can be protected with SRTP.
Beyond the transmission process, consider whether the surveillance system has additional protective measures for the video files themselves. For instance, Surveillance Station offers the functionality to add viewer account watermarks to images, which can help trace the source if footage is leaked. It also provides a privacy masking feature, allowing the setting of masked areas during recording to protect confidential information.
File backup
Organizations such as financial institutions and government agencies often require surveillance footage to be archived for an extended period. Proper preservation of recorded data is also a major concern for enterprise-level organizations. Retaining and preserving surveillance data requires not only sufficient storage space, but also complete backups to reduce the risk of loss due to damage or accidental deletion. The 3-2-1 backup rule remains a practical approach to planning backups.
When selecting a surveillance system, consider whether the manufacturer can provide a one-stop solution for multi-point backup. Synology’s solution offers businesses the option to back up both to other servers and to cloud destinations. This backup solution can be set up within Surveillance Station, making it easy for administrators to configure while ensuring the system complies with backup standards.
Server redundancy
A server cannot record surveillance footage if it is removed, shut down, or destroyed. Thieves or malicious actors may interfere with the server to prevent themselves from being recorded, and server outages can occur even without external influence. What if an incident occurs while the recording server is down, so no recordings are saved?
Redundancy mechanisms ensure that surveillance continues to operate when the primary recording server is down, which is especially important for systems that are supposed to operate 24/7. Common redundancy methods include establishing HA (High Availability, where organizations set up an additional “passive” server that constantly syncs data from the “active” server. If the active server experiences an unexpected outage, the passive server takes over, continuing to record footage and avoiding downtime.
To maintain surveillance security, it is necessary to establish systematic standards and carefully adhere to them over time. Working with a reputable provider of end-to-end surveillance solutions with a good reputation in the cybersecurity space can significantly reduce IT workloads in this matter.
Best Practice | Create a Secure, Smart Surveillance Architecture with Surveillance Station