Advice to IT Managers on Surveillance Camera Hacking
Thomas Carnevale [00:24:25] That’s amazing because there is a big difference between an I.T. manager who could make surveillance camera decisions and a CISO, right, and then the security team. And so if I’m an I.T. manager, is there a way I could know that my surveillance cameras could be hacked?
Alissa Knight [00:24:44] Yeah. So my advice to an I.T. manager or anyone in any capacity really in I.T. or cybersecurity at a company is, well, first of all, make sure you’re doing regular penetration testing and make sure you’re doing it with an outside company. Bring in outside expertise to make sure that… Organizations tend to be drunk on their own Kool-Aid. So make sure you’re retaining an independent third party to come and do a penetration test and make sure that your IoT devices are within the scope of that pen test. If they’re doing an internal penetration test, which I recommend all organizations to do, make sure that your CCTV cameras, your badge readers, all of those things are within the scope of the penetration test. And then determine after that, you know, who really ultimately is in charge of this. Is it... is it I.T.? Is it infrastructure and operations? Is it facilities? You know, who’s in charge of the ongoing care and feeding of these cameras, of these physical security devices like badge readers, moving forward once it’s up and operational. Those kinds of things need to be ironed out because whoever is in charge of it needs to make sure that it’s part of a regular patch management strategy and vulnerability management strategy moving forward.
Thomas Carnevale [00:25:59] There’s just no doubt. I mean and I and I relate that to what you said earlier. I mean the budgets are incredibly lopsided for cyber than they are for physical. And that also spills into the ongoing service and maintenance and I think that’s a big thing that commercial security companies. They’ll spend maybe half a million dollars on a very high-end surveillance camera system or less maybe one hundred thousand dollars. But then they’ll spend nothing for the first three years to maintain it. That just happens all the time. Is that they don’t…
Alissa Knight [00:26:30] Yeah.
Thomas Carnevale [00:26:30] Consistent preventative maintenance and service agreements for video surveillance systems, then what happens? Oh, firmware’s two years out of date.
Alissa Knight [00:26:35] Yeah, I think organizations have a tendency to really just kind of budget for the initial purchase and not put any thought into the real true cost moving forward of who maintains this and the continuous care and feeding. Who performs it and how is it done. Every organization really needs to adopt an information security management system framework like ISO 27001, NIST, you know, adopt a framework, it doesn’t matter what it is. I’m more partial to ISO. Organizations that are international, have international locations, they may find that ISO 27001 is the best fit because it’s more of an international standard and it’s very popular in Europe. For organizations that do business with the U.S. government or are just U.S. only may want to look at NIST, CSP, that sort of thing. But I mean, adopt a framework, make sure that you have some sort of plan-do-check-act, meaning a continuous OODA Loop Framework that where your cybersecurity program, your physical security program as part of a continuous improvement cycle, that you’re continuously improving it, tracking key performance indicators on how well it’s doing, are the number of incidents physical and cyber going down over time, and just continue improving those. And if you don’t know how to do this internally, retain help. Reach out to organizations that have this expertise that can come in, make sure that things are operating efficiently, that waste is being eliminated and that these devices are continuously fed and improved and kept accurate over time.
Thomas Carnevale [00:28:18] Well, I am of the opinion that you are an amazing gift even though you’re not in my industry. You’re an amazing gift to my physical security industry because I really think we just need more call-outs. We need more reality checks and I really hope you continue your research because I for one have learned a lot from it and I hope that the I.T. managers and physical security managers listening really got something out of this. Any final thoughts, Alissa, on hacking surveillance cameras?
Alissa Knight [00:28:48] Well you know first of all thank you for the warm approbation. I’m happy. It’s a privilege to be your spirit animal in cybersecurity. And I would love to be on your show again. I think what you guys are doing is awesome.
Thomas Carnevale [00:29:01] Thank you.
Alissa Knight [00:29:01] And you know, I think drawing awareness to this problem really needs to happen and it happens with one person at a time. And it’s great to meet other influencers like yourself. I do consider myself to be a content creator and cybersecurity influencer, both written short long-form content as well as video, so check out my YouTube channel, for those of you listening, too. I publish videos weekly. Check out my Twitter, I’m at Alissa Knight, it’s ALISSA KNIGHT, and reach out to me on LinkedIn. I love giving my time to people who are interested in this. If you’re interested in moving to cybersecurity, especially women out there, happy to be a guide for you and a sounding board because we definitely need more women in this industry and happy to provide that sort of guidance. So thank you very much for having me on your show. THOMAS It’s been fun.
Thomas Carnevale [00:29:53] My pleasure, Alissa. Well, we’re going to link all of those up so that you can click the link in the profiles and bio. And thanks again. Another episode Security in Focus in the books.
Announcer [00:30:03] You’ve been listening to Security in Focus. A service of Umbrella Technologies. For more information go to www.umbrellatech.co/podcasts