This is Part 2 in our series on data security for enterprise video surveillance systems. See Part 1 on Surveillance System Design.
The series is adapted from our free whitepaper on cyber security, the full version of which includes a Vendor Selection Worksheet outlining key security-related questions you should ask any video security provider before installing a system.
Outdated Software
New malware and other threats are constantly emerging and evolving. In order to ensure system security, it’s critical that your hardware’s operating system and firmware are updated regularly. In the ideal vulnerability response scenario, system providers quickly develop and release software security patches, which are then installed across all deployed devices, everywhere.
In reality, however, it can be weeks — sometimes months and even years — before a given video security system receives an update. There are a number of causes. In some cases, manufacturers don’t develop software patches fast enough, or they develop a security patch that’s just a partial fix. In other cases, the patch is developed but it’s installed only across a small subset of all the systems in operation.
Finally, many vendors rely on third party operating systems, frequently Microsoft Windows, over which they have limited control. A number of other factors contribute to low patch rates, including:
System administrators may be unaware that their system requires an update
The device’s operating system isn’t compatible with the firmware update
It’s difficult or time-consuming to properly install the security patch—in some cases, the patch must be installed manually to each camera separately, adding cost and delays to the update process
Patch rates are difficult to measure broadly. But in recent years the high number of incidents where manufacturers have failed to respond quickly — or administrators have been slow to fully adopt updates — suggest that many systems continue to run on outdated software. The longer a system goes without an update, the higher the risk that it will become a target of an attack or security breach.
Not Just for IT Admins
In many organizations, the physical security system is used and maintained by the operations, loss prevention, or facilities teams. These groups need a system that “just works” and stays secure without requiring specialized IT skills. Avoid systems that only IT can effectively keep secure, including ones that require manual firmware updates, operating system patches, complex network storage or backup devices, and sophisticated networking infrastructure. Ideally, the team responsible for the camera system should be able to plug in a new camera, see a green light, and not have to think about the security of the camera again.
