This is Part 4 in our series on data security for enterprise video surveillance systems. See Part 3 on Insecure NVRs & DVRs.
This series is an adaptation of our free eBook on cyber security. The downloaded version includes a Vendor Selection Worksheet, an extra feature that outlines key questions you should ask any video security provider before purchasing a system for your business.
Incomplete Encryption
A surprising number of NVRs, DVRs and other equipment are shipped without encryption enabled by default—more often than not, it’s a setting that must be actively configured by a person with technical knowledge. Even when encryption is enabled, it typically applies only at rest — that is, the system offers protection only when footage is stored on the DVR/NVR drive. Any time the footage is viewed, it’s played back over an unsecured connection—most often, this is achieved over real time streaming protocol (RTSP). Result: though your footage is protected in storage, it’s not in any way encrypted during playback. Anyone who’s able to take advantage of the insecure elements of your system architecture may be able to intercept the video stream during playback, gaining access to all of your video data.
No Active Health Monitoring
It’s a fairly common tale: faced with a recent theft or other security incident, a business owner asks video footage to be retrieved only to hear that the camera with the best vantage has been offline for an undetermined period of time. The very system that they had invested in is rendered useless right when they need it most.
Fortunately, this scenario can be avoided if you select a vendor that offers active monitoring of system health. The best providers will offer automated alerts for both system health — whether a camera is operating as normal or has gone offline—and if tampering is detected.
Weak Controls for User Permissions
As noted previously, traditional systems make it difficult to grant or revoke user access permissions — so much so that it’s not uncommon to see users opting to share login credentials rather than configuring individual logins appropriately. It’s not uncommon for multiple users at an organization to share the same log-in credentials—often via spreadsheets or other insecure means. While in a pinch it may be easier to copy/paste your login rather than to configure a new user account, this practice clearly compromises the security of the overall system and should absolutely be avoided.
