Is a Cloud-Based Video Surveillance System Secure?

Since the inception of the cloud, security concerns have been the biggest factor limiting its wider adoption. While apprehension has eased considerably over the past decade, these worries persist. And they are keeping many chief technology officers (CTOs) from migrating more of their enterprise processes to modern, cloud-based solutions.

A risk-averse approach is certainly understandable. It fits the old adage of “if it ain’t broke, don’t fix it.” But this mentality is now not just slowing down cloud adoption, it is hindering companies with systems stuck in the past.

Video surveillance is one area where we are still seeing this in 2018. Organizations continue to employ outdated, unwieldy systems—simply because they are concerned that a modern solution will bring new, unfamiliar cybersecurity risks.

Are these fears justified? Can companies trust cloud-based video cameras? Is a cloud-based video surveillance system secure?

Traditional Video System Security

To assess the security of cloud solutions, it first makes sense to look at the traditional options. In theory, a system that uses an air-gapped network video recorder (NVR) is the most secure option. But such an installation largely defeats the purpose of having a security camera in the first place. Because if it is walled off from the network, the footage would not be accessible to anyone off site who is required to respond to an incident in real time.

So, once you do make a system based on an NVR or digital video recorder (DVR) more usable, both the device itself and the attached CCTV security cameras become highly susceptible to hacking exploits. This helps explain why, in its benchmark 2018 Internet Security Threat Report (ISTR), Symantec ranked DVRs second on its list of vulnerable devices involved in the Internet of Things attacks against its honeypot last year. After an IT team configures its VPNs and opens or forwards ports to enable remote access, the NVR immediately becomes one of the most hackable devices in the entire network.

The biggest real-world implication is that IT teams often fall into a false sense of security. They know that an air-gapped NVR is foolproof. But they fail to properly recognize that their actual installation may not be. This leads to longer-than-acceptable delays when it comes to updating firmware and installing critical security patches.

Cloud-Based Video System Security

With a cloud-based system, IT professionals are more apt to keep their guard up and install every update immediately. Increased vigilance and faster reaction times mean better security.

The ease of making changes is also a clear benefit that raises security in practice. IT professionals can update cloud-based video cameras remotely and instantaneously as soon as a vulnerability is identified. More than incentivizing quick patches, this fosters a culture of ongoing risk mitigation—rather than one that falls victim to a false promise of security, which vanishes after the system is configured properly for real-world deployment.

Furthermore, today’s leading cloud-based video cameras can be easily equipped with end-to-end encryption. This ensures that any video stored on the camera itself—as well as the footage, metadata, and still images it transmits to the cloud—is protected in the event that hackers ever manage to breach the system.

The Proactive Security Mindset

In wider-reaching terms, there is another key reason that cybersecurity concerns are falling. In the past, manufacturers and service providers offering cloud-based solutions largely left the end user to fend for themselves. This is changing. There is a new attitude emerging from the mega-players (like Amazon and Google), to industry leaders in many sectors and even smaller providers offering niche products.

Kalev Leetaru, a data security expert who has served as a Google developer expert and a council member of the World Economic Forum’s Global Agenda Council on the Future of Government, has broken down this trend. He characterized the evolution as, “the growing emphasis cloud vendors are placing on helping businesses reimagine how they manage their data in a threatening world.”

Writing for Forbes, he welcomed a shift to companies becoming more proactive in their security support and offering more realistic insight to clients about the dangers inherent in any device connected to a network.

“Unlike the VPN castle defenses of past, in which companies surrounded their assets with extensive monitoring, but blindly trusted anyone that got inside, cloud vendors are pushing businesses towards their own ‘trust nothing’ model that better reflects the reality of the uncertain world in which we live,” wrote Leetaru.

Constant Vigilance to Threats

Nothing will ever be 100% impenetrable and understanding that is half the battle. This mentality allows decision makers to properly gauge the actual risk that exists in their video surveillance system.

Compared to the alternatives, cloud-based video surveillance is now—at worst—on par with any other option on the market. And because it promotes easier firmware and security updates, offers high-level encryption and encourages an overall culture of risk avoidance, it is proving to be a effective way to keep the cameras rolling and trust that the enterprise is as fortified as possible.

To learn more about cloud-based video security, check out our Cybersecurity for Video Surveillance Systems whitepaper.

Fight These 3 Trends in ATM Fraud with Video Surveillance Technology

Notorious outlaw, Willie Sutton, was once asked why he robbed banks. As the legend goes, he had a simple answer: “That’s where the money is.”

The banking industry became an early adopter of video surveillance technology as soon as it was practical for business. Due to the philosophy espoused by Sutton (and who would know better than a bank robber?) the move to upgrade security certainly makes a lot of sense.

For banks insured by the Federal Deposit Insurance Corporation (FDIC), it is a requirement. And some states, including New York, have detailed regulations governing how and where locations must be monitored by video.

While some bank robberies do still occur, reality is typically no match for the spectacular scenes found in heist movies. It simply isn’t as lucrative or easy as it was in the days of Butch Cassidy and the Sundance Kid. With fewer actual bank branches being built, most enterprising criminals are realizing that digital defenses are easier to breach.

ATMs, however, are one type of physical location that is still being hit hard. Whether by brute-force assaults on the actual machine, technology tools that seek to steal data or good old-fashioned social engineering tricks, culprits are still continuing to go where the money is.

The following reports represent just some of the ATM fraud incidents and scares that have made news of late. There seems to be no sign of attacks slowing down any time soon, so it remains vital for operators and security officials to stay on high alert.

Cloned Cards

The FBI stunned security experts this summer when it was learned to have issued a warning to banks that an “unlimited ATM cash-out” is being plotted across the world. The note to financial institutions, which was obtained and reported by security expert Brian Krebs, stated that criminals may soon mount a coordinated withdrawal from a massive number of machines using illegally obtained card information.

By then, it was too late to stop the thieves from getting the banking info necessary to commit the crime. But banks were warned to be on watch and told that this could become more commonplace going forward.

“Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities,” stated the FBI’s alert, according to Krebs. “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”

For consumers, protecting yourself from such a large-scale, coordinated attack is naturally difficult. But if you have been a victim in the past or have reason to believe the your card data may be compromised, it would be wise to request a new card be issued. Or, at the least, change your security PIN and digital access passwords.

Shimming: The New Illicit Card-Reading Technique

A few years ago, “skimming” (a crime that involved modifying physical ATMs) was all the rage. Criminals would attach a false card-reading device within the slot where the card is placed. During a transaction, a small piece of technology was stealing the information contained within the card’s magnetic strip, allowing it to be cloned and used elsewhere in the future. Users would then withdraw their money and card, completely unaware of what had just occurred.

When issuers moved to chip-based cards, the effectiveness of this method decreased substantially. But now a similar, new variation—called “shimming—has begun to pop up. Because these homemade readers are smaller than their predecessors, they can be installed beyond ATMs. These devices have even found in “point of sale” payment terminals within stores.

Fortunately, they remain quite rare, and a cloned chip card should not work with any merchant that has followed proper modern payment protocols, a group that includes the bulk of retailers in the United States.

Still, there have been U.S. victims of this easy-to-install and hard-to-detect scheme. One thief reportedly managed to steal some $25,000 from a federal credit union near Los Angeles this year, and international locations may be even more vulnerable.

Financial executives and security officials have tried to dismiss the shimming concern as overhyped. But operators cannot afford to ignore this type of threat. It still is possible to execute, and everyone should be aware of the risk.

Social Engineering Schemes

ATM crime is far from solely a U.S. problem. Throughout the developing world, many people have only recently joined the formal banking sector and received debit and credit cards. Cash machines in these areas remain a hotbed for theft.

Recently in Colombia, for example, online videos went viral online showing how an old trick (that has been used by con artists) can still catch people off guard. The method involves two perpetrators, one of whom casually looks on as an unaware banking client types their PIN code. Next, an accomplice distracts the ATM user to make them look away from the machine. Generally, this is done by acting as a “good samaritan”—making the victim think they have dropped something. The PIN watcher quickly takes the opportunity to grab the card from the slot in the ATM. The nefarious duo then sneak away, with both the plastic and the security code to withdraw funds.

At this point, it becomes a race against time. Their goal is to hit another cash machine and extract as much as possible before the person cancels the card. And given the often-slow response times by local banks or the need for a tourist to make an international phone call—perhaps with only limited mobile data on their phone while on vacation—it can be an effective way to dupe someone out of as much cash as their bank will allow the assailants to withdraw.

ATM Security: Staying Ahead of the Crooks

Society is rapidly moving more and more to digital payments. But for now, physical cash and cards are still the norm. And as long as they are, crooks will be on the prowl to devise new ways to defraud people out of their hard-earned income.

This is why all banks and ATM operators must have proper security strategies in place. These should include physical protections, video monitoring and other best-practice deterrents. Many of today’s most successful organizations have gone beyond the use of traditional camera systems. They recognize that a comprehensive video surveillance technology should also include secure, end-to-end, encrypted hybrid cloud system architecture with an intelligent, centralized, remote-access software platform.

Criminals will always be working to find a way around even the strongest safeguards. But staying out in front and utilizing modern technology in this ongoing battle will help ensure that clients can access their money without becoming the next victim.

For a real-world look at how one of Pennsylvania’s top financial institutions is using hybrid cloud security technology to fight ATM fraud and other threats, check out the Susquehanna Community Bank customer story.

What’s the Difference Between a Cloud vs. Hybrid Cloud Security Camera System?

What are Cloud Security Camera Systems?

With the rise of IoT in recent years, many enterprises, hospitals, schools and other multi-location organizations have considered the benefits of shifting their video surveillance security system to the cloud.

Cloud security systems consist of cameras that stream video directly to the cloud with the major advantage of being able to remotely view footage from any device. In addition, computationally challenging tasks can be done in the cloud to improve security, efficiency and ROI. However, this system architecture presents several drawbacks.

  1. Uncertainty regarding what happens to the footage when there’s an internet outage.
  2. Insufficient network bandwidth for multiple cameras streaming video simultaneously.
  3. Inability to comply with regulations, like the PCI Standard and other governmental statutes, which require at least 90 days of video retention locally and in a separate backup location.
  4. Concerns about the effectiveness of the system’s overall security.

How is a Hybrid Cloud Security Camera System Different?

A hybrid cloud security camera system consists of an on-site video surveillance storage solution as well as one located in the cloud. This hybrid infrastructure allows the system to address many of the difficulties IT departments and physical security teams have experienced with a pure cloud video surveillance security system.

Verkada: Enterprise Cameras Backed by Hybrid Cloud Architecture

All Verkada cameras come with up to 120 days of in-built video storage and processing power. In the case of an internet outage, the cameras can keep recording and footage can be viewed locally on the network. When internet access is restored, the footage in question is uploaded to the cloud (AWS).

The majority of camera footage is motionless. A hybrid cloud architecture enables Verkada systems to send encrypted outbound metadata and short video clips, at less than 20 kbps every minute. When the camera detects motion, it can send these video clips more frequently. A streaming channel at higher bandwidth is opened only when an end user wants to remotely stream a camera feed. This intelligent bandwidth management allows the cameras to work flawlessly on any network, regardless of bandwidth limitations or the number of cameras installed.

Finally, the question of cyber security is fraught with controversy. While an air-gapped NVR is technically the most secure solution, it also presents many operational limitations that defeat the original intended purpose of keeping an organization safe. As soon as ports are opened or forwarded for remote access, the NVR becomes one of the most dangerous technologies that exist. With a hybrid cloud security camera system like Verkada’s, the vendor (not the organization’s IT department) is responsible for cyber security and. Auto-updating software and proactively patching firmware to the camera enable Verkada’s systems to remain as secure as possible. End-to-end encryption also ensures that the footage cannot be stolen locally, further minimizing cyber security exposure.

Side-by-side feature lists can only provide a limited view of how a cloud and hybrid cloud security camera system compares. Taking a contextual look at the architecture of these systems can demonstrate how hybrid cloud surveillance solves a series of deep-rooted constraints in the video security space—helping to reveal new benefits, updated workflows and more seamless administration.

Want to learn more about the hybrid cloud security camera system? Check out our latest eBook, The Future of Enterprise Video Surveillance: The Shift from Traditional to Hybrid Cloud Security Systems.