Sponsored by Axis Communications
Attitudes toward the cyber risk posed by network devices can vary substantially. Some organizations don’t give it much thought. They plow ahead, adding this or that device to the network without much consideration. They may not even bother to change the default password on their new IP camera. At the other extreme is hysteria, facilitated by horror stories and fanciful hypotheticals that gain traction in the media. Retail professionals in this camp could shy away from adding security devices to the network, out of concerns for security.
So who’s right?
Neither, suggests John Bartolac, cyber security expert and senior manager for cyber strategy at Axis Communications, a leading provider of IP-based products and solutions.
Smart, connected products represent a real opportunity for retailers and loss prevention practitioners. Effective use of these devices can cut expenses, improve operational efficiency, enhance safety, reduce loss, and drive business. But connected devices aren’t risk-free. “Connected devices offer great benefits, but you need to be sure these things are protected,” said Bartolac. If not deployed and maintained properly, network devices can become threat vectors for cyber intrusions, such as a botnet attack.
However, while the risk is legitimate, it doesn’t outweigh the value that can be leveraged from connected devices. “You have to look at the risk, absolutely. But you shouldn’t panic or let fear paralyze you and miss out—you just need to account for the risk when you add devices,” said Bartolac.
Essentially, LP should embrace the opportunities but be diligent when deploying solutions, he suggested.
The risk is something that retailers have started to recognize. “I’m seeing retailers making themselves more aware of the risks, probably because of the marriage of LP with IT,” said Bartolac. “They are starting to look into what kinds of things can create risk and what kinds of solutions are appropriate, especially as systems are getting more complex.”
For years, retailers’ main worry about a surveillance camera was whether it was mistakenly positioned to capture customer cardholder information. “However, now that it’s a network device that can be the subject of attack, you need to take those possibilities into consideration,” said Bartolac. “Imagine what a day without online sales could do to a retailer. It is devastating.”
It’s an important recognition. “When you look at IP cameras, they really are acting like a server on the network,” said Bartolac. “It’s necessary to take many of the same precautions to protect a camera as a network.”
At the outset, it’s critical for LP to evaluate the security of a security device as closely as they do other criteria, such as compatibility, features, and price. Bartolac noted that not all manufacturers of network security devices design for security, and there is no guarantee—if a flaw is found—that the manufacturer will roll out a timely fix. Often, even basic security precautions are ignored in the manufacture and installation of security devices. Additionally, not all vendors do the same amount of testing.
Consequently, choosing trusted manufacturers and integrators is critical, as is working exclusively with vendors that offer a roadmap for security. Axis, for example, provides a hardening guide for its network security devices, such as IP cameras.
It may also be helpful to resist having your heart set on specific products when entering a project, as doing so can lead to overlooking vulnerabilities. It’s also important to develop internal technology expertise so that your LP team is capable of asking all the necessary questions. Finally, Bartolac says it’s helpful to establish best practices for low, medium, or high device protection, and to then follow the appropriate level depending on the level of risk associated with a specific device.
It’s not just dodgy manufacturers or lackadaisical integrators that can be the source of risk. Retailers, too, can be guilty of failing to take even basic protections. “One of the most important security measures is the most basic—it’s passwords and the management of passwords,” said Bartolac. “It blows my mind that some companies will keep out-of-box passwords for every device and never change them.” Default passwords for IP devices are typically easy to guess and even published online, and they offer an easy and frequently used avenue for cyber criminals to gain unauthorized access to a retailer’s system. Effective ways to leverage passwords to stop attacks are to set strong, unique passwords; ensure good password management; use certificates in lieu of passwords; and change passwords on a regular basis.
What are some of the other actions that retailers and LP pros should take? Bartolac and Axis offer some valuable best practices:
- Deploy and install devices in the recommended way. Disabling unused services and installing only trusted applications reduces the chances that a would-be perpetrator could exploit a system vulnerability. Also, place cameras where they’re out of reach of a potential attacker’s tampering.
- Use a principle of “least privileged accounts.” This means limiting users to only the resources they need to perform their job.
- To reduce exposure, prohibit direct camera access from any device that accesses video, unless it is required by the solution. Clients should only access video through a video management system or a media proxy.
- Adhere to a well-documented maintenance plan, and keep network devices current with firmware and security updates.
- Work closely with your entire supply chain of vendors to understand possible threats to your network in using your selected devices. Remember to understand the system as a whole, not just each individual device. In a truly integrated system, the devices will need to speak to each other.
- Ideally, all devices should fit into your IT policy on their own as well as when configured to work together.
- Make sure your systems are using at least one of the common authentication protocols: HTTP digest authentication and HTTPS. This ensures that all information is encrypted before being sent across the network.
Technology is moving fast, and it is natural to be excited by the value that network connected devices can provide LP and retail organizations. And while the risks should not dissuade LP practitioners from pursuing those solutions, “they have to do their due diligence,” said Bartolac.