Last March, the Crown Casino in Australia made international
headlines after a group of high-rolling card players were able to gain
unauthorized access to the casino’s video surveillance system in order to
cheat Crown out of $33 million in illegal winnings. Journalists were quick to
compare the elaborate heist to the storyline of the 2001 feature film Ocean's
Eleven, in which Brad Pitt and George Clooney starred as the masterminds behind
robbing a high-profile Las Vegas casino of $150 million.
Given that Pitt and Clooney’s characters were perceived as
the good guys in the movie, behind whom the audience rallied to pull off
the impossible, it was no surprise that the crime in Australia was glamorized
and taken lightly in the public eye.
While it is easy to dismiss the Australian casino heist,
many people within the security industry were hit with the reality that new
approaches needed to be taken with advanced technology. Making sure your IP
surveillance system is secure from outside threats is vital whether you are a
well-known Las Vegas casino or a privately owned retail store. We spoke to
Michael Miller, the president of
The Wire Guys, a surveillance system integrator based in the eastern United
States, to discuss this topic. Miller came up with five ways end users can
protect themselves from getting hacked.
Use a Dedicated Network for Your Clients and Your Servers
Miller: I don’t know the particulars as far as the Australia
casino heist, but if you have your security network on your same corporate
network, which is tied to your wireless network, and if it’s all on the same
subnet, it’s pretty wide open at that point. That would be my guess to what
might have happened in Australia. It would be absolutely crazy for a casino to
be set up like that if they were. But technically in a casino, just like in
hospitals, everything is separate and dedicated. There’s absolutely no way to
get to the cameras from their corporate network.
If their network is set up like that we will step in. But a
lot of times, the IT departments are in control already, so they set the rules
and regulations and we conform to what they recommend to us. What we would
typically recommend is having a totally dedicated separate network. Separate
switches, separate cables, separate everything. Even the client machines are on
their own dedicated networks. Make it so that it's physically impossible to go
from your corporate network to your camera network. That’s the best way to do
it.
Change Your Passwords
Miller: Make sure you change all of your passwords on your
cameras and your switches. You can use authentication on your network to make
sure that only the devices that you want on your network are on your network.
Those are the things that you would typically want to do.
For Remote Access, Use Your VPN
Miller: There are two ways to give remote access to your
system. The first option would be to open a hole in your firewall, or, as we
call it, port-forwarding. The other option, which is more secure, would be to do
a VPN access. So basically, from your mobile device, you can initiate a virtual
private network back to your firewall which puts you on your network. That is
much more secure than just opening up ports at that point. Then you have your
username and password you have to enter for Avigilon’s ACC Mobile, so you have
VPN and your username and password to get into the system.
Don’t Use Your VMS Server With Company Information on It – Dedicate a System for Surveillance
Miller: If you circumvent the VMS and go directly to the
cameras, then you can see the live feeds. If you can get into the server, you
can access recorded footage and potentially delete recorded footage. Typically,
especially the way we build systems and the majority of companies that know what
they are doing - you’re not going to share your surveillance system with your
SQL server, with your database, with everybody’s AR department. You wouldn’t want
to do it that way.
Check to See Who Is Accessing Your Networks
Miller: Well, Avigilon’s system can do that and most VMSs can
do that. It gets a lot trickier though if they're circumventing the VMS and
going straight to the cameras. If you have a firewall in between, then you can
track IP addresses and MAC addresses and see who’s accessing your network. And
even some of the cameras have logs in them as well so you can see what IP
address and what user would have accessed them.
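The firewall-log check described in the answer above, sketched as an added example that is not part of the interview or of any Avigilon product. The key=value log format, the camera subnet, the VMS server address and all sample log lines are constructed assumptions; the script reports every source IP and MAC address that reached for a camera without being the VMS server.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing plan (hypothetical, not from the article).
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")        # camera subnet
ALLOWED_SOURCES = {ipaddress.ip_address("10.20.1.10")}   # the VMS server

# Constructed sample firewall log lines in an assumed key=value format.
SAMPLE_LOG = """\
2024-05-01T09:00:01 action=allow src=10.20.1.10 mac=00:11:22:33:44:10 dst=10.20.0.21 dport=554
2024-05-01T09:00:07 action=allow src=10.30.5.77 mac=00:11:22:33:44:77 dst=10.20.0.21 dport=80
2024-05-01T09:00:09 action=deny src=10.30.5.77 mac=00:11:22:33:44:77 dst=10.20.0.22 dport=554
2024-05-01T09:01:30 action=allow src=10.30.5.12 mac=00:11:22:33:44:12 dst=10.40.0.5 dport=443
malformed line without fields
"""

REQUIRED = {"action", "src", "mac", "dst", "dport"}

def parse_line(line):
    """Return the line's fields as a dict, or None if it is not a usable record."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not REQUIRED <= fields.keys():
        return None
    fields["time"] = parts[0]
    return fields

def direct_camera_access(log_text):
    """Group camera-bound traffic that bypasses the VMS by (source IP, MAC)."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
            dst = ipaddress.ip_address(rec["dst"])
            port = int(rec["dport"])
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        # Denied attempts are kept too: they still show who tried.
        if dst in CAMERA_NET and src not in ALLOWED_SOURCES:
            key = (str(src), rec["mac"].lower())
            findings[key].append((rec["time"], str(dst), port, rec["action"]))
    return dict(findings)

if __name__ == "__main__":
    for (src, mac), hits in direct_camera_access(SAMPLE_LOG).items():
        print(f"{src} ({mac}): {len(hits)} direct camera connection(s)")
        for hit in hits:
            print("   ", *hit)
```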
Used with the permission of
avigilon.com/connected.