CCTV
What is CCTV?
CCTV stands for closed-circuit television and is commonly known as video surveillance. “Closed-circuit” means broadcasts are usually transmitted to a limited (closed) number of monitors, unlike “regular” TV, which is broadcast to the public at large. CCTV networks are commonly used to detect and deter criminal activities, and record traffic infractions, but they have other uses.
CCTV technology was first developed in 1942 by German scientists to monitor the launch of V2 rockets. It was later used by American scientists during the testing of the atomic bomb.
So how does a modern CCTV system work?
The answer depends on the type of system involved. The systems are best defined by the types of cameras used. There are two common types of cameras in use today: Analog and IP-based cameras.
CCTV systems that use analog cameras have been around for years. They are still the most common type of camera installed in the field, experts say. Picture a camera or series of cameras with a dedicated set of wires fed into a recording device and series of monitors. Video is recorded and stored on site.
IP-based cameras carry out the same function as analog ones, but with a host of extra capabilities. IP cameras typically offer better images with higher resolution and more flexibility, allowing users to e-mail video images for consultation. In a large organization with many facilities, insurance companies often prefer, and in some cases demand, IP systems.
While many people use the term CCTV to refer to both IP and analog cameras, strictly speaking, the term should be limited to describing analog cameras.
Combined with powerful new software known as video analytics, an IP security camera can be programmed to “watch” for suspicious activity. A camera on an air intake, for example, can be programmed to display an alert and record video only when the space around the intake is disturbed.
IP cameras work by using an IP (IP stands for internet protocol) network, often the same data network the rest of a company uses. If bandwidth is a problem, a separate network using category 5 wiring can be used. Either way, video information is recorded on a server, which means video data can be located on site or in a remote location.
Though storing the vast amount of data can be a concern, it’s not unusual for IP CCTV systems to have software that governs how long the video is stored, and at what quality. After a time, video can be compressed to save storage space, for example.
Access Control
What is access control?
Access control is a method of guaranteeing that users are who they say they are and that they have the appropriate access to company data.
At a high level, access control is a selective restriction of access to data. It consists of two main components: authentication and authorization, says Daniel Crowley, head of research for IBM’s X-Force Red, which focuses on data security.
Authentication is a technique used to verify that someone is who they claim to be. Authentication isn’t sufficient by itself to protect data, Crowley notes. What’s needed is an additional layer, authorization, which determines whether a user should be allowed to access the data or make the transaction they’re attempting.
Without authentication and authorization, there is no data security, Crowley says. “In every data breach, access controls are among the first policies investigated,” notes Ted Wagner, CISO at SAP National Security Services, Inc. “Whether it be the inadvertent exposure of sensitive data improperly secured by an end user or the Equifax breach, where sensitive data was exposed through a public-facing web server operating with a software vulnerability, access controls are a key component. When not properly implemented or maintained, the result can be catastrophic.”
Any organization whose employees connect to the internet—in other words, every organization today—needs some level of access control in place. “That’s especially true of businesses with employees who work out of the office and require access to the company data resources and services,” says Avi Chesla, CEO of cybersecurity firm empow.
Another reason for strong access control: Access mining
The collection and selling of access descriptors on the dark web is a growing problem. For example, a new report from Carbon Black describes how one cryptomining botnet, Smominru, mined not only cryptcurrency, but also sensitive information including internal IP addresses, domain information, usernames and passwords. The Carbon Black researchers believe it is “highly plausible” that this threat actor sold this information on an “access marketplace” to others who could then launch their own attacks by remote access.
These access marketplaces “provide a quick and easy way for cybercriminals to purchase access to systems and organizations…. These systems can be used as zombies in large-scale attacks or as an entry point to a targeted attack,” said the report’s authors. One access marketplace, Ultimate Anonymity Services (UAS) offers 35,000 credentials with an average selling price of $6.75 per credential.
The Carbon Black researchers believe cybercriminals will increase their use of access marketplaces and access mining because they can be “highly lucrative” for them. The risk to an organization goes up if its compromised user credentials have higher privileges than needed.
Access control policy: Key considerations
Most security professionals understand how critical access control is to their organization. But not everyone agrees on how access control should be enforced, says Chesla. “Access control requires the enforcement of persistent policies in a dynamic world without traditional borders,” Chesla explains. Most of us work in hybrid environments where data moves from on-premises servers or the cloud to offices, homes, hotels, cars and coffee shops with open wi-fi hot spots, which can make enforcing access control difficult.
“Adding to the risk is that access is available to an increasingly large range of devices,” Chesla says, including PCs, laptops, smart phones, tablets, smart speakers and other internet of things (IoT) devices. “That diversity makes it a real challenge to create and secure persistency in access policies.”
In the past, access control methodologies were often static. “Today, network access must be dynamic and fluid, supporting identity and application-based use cases,” Chesla says.
A sophisticated access control policy can be adapted dynamically to respond to evolving risk factors, enabling a company that’s been breached to “isolate the relevant employees and data resources to minimize the damage,” he says.
Enterprises must assure that their access control technologies “are supported consistently through their cloud assets and applications, and that they can be smoothly migrated into virtual environments such as private clouds,” Chesla advises. “Access control rules must change based on risk factor, which means that organizations must deploy security analytics layers using AI and machine learning that sit on top of the existing network and security configuration. They also need to identify threats in real-time and automate the access control rules accordingly.”
