Keeping Bad Actors Out of K–12’s IP Surveillance System

IP cameras are not dissimilar from other network devices exposed to attack scenarios. As districts transition to IP security systems, they face the same data breach risks. The systems are highly vulnerable and easy to hack, and they present a considerable surface area cybercriminals can use to access a district’s network.

In addition to common threats — malware, ransomware, distributed denial of service, man-in-the-middle and brute-force attacks — video cameras are susceptible to third-party eavesdropping. As recently as May 2021, Eastern Hancock County Community School Corp. in Indiana suffered a cyberattack on its camera system, resulting in a day of lost instruction.

Best Practices for Securing IP Cameras

Fortunately for Eastern Hancock Schools, no personally identifiable information was stored on its network, and thanks to regular backups, no data was lost from the attack. Yet, this remains an example of why district CTOs and data security officers must address the vulnerabilities of their IP security cameras. The goal is to prevent unauthorized access to the system that could compromise other devices in the network.

Here are several security strategies schools can implement to prevent or mitigate attacks on their IP camera systems:

Proactive steps include partnering with an Internet of Things solution provider to discover every IoT device connected to a district’s network and assess each device’s security risk. Districts should also invest in technology that integrates IoT security into a broader solution that protects the data center, network, mobile devices, endpoints and cloud assets.

Best practices for managing staff email passwords, guarding against phishing, protecting student data privacy and restricting access to school and district networks need to extend to IP cameras. Like other vulnerable access points, IT departments must enable multifactor authentication, limit access by IP address and create a video client account to reduce the risk of compromising the device administrator password.

Penetration tests are used by many districts to evaluate network security. These simulated attacks are often carried out by trusted third parties authorized by districts to attempt a breach of their systems. However, IP cameras are often overlooked as vulnerabilities. Schools should ensure that pen tests are performed on these IP devices, using the same tools, techniques and processes attackers would use to pinpoint weaknesses in the security system.

Software updates and patches must be installed, whether the district uses CCTV, IP cameras or a hybrid approach. Access to the latest software can prevent security holes within the camera systems. Most cloud-based IP systems automatically push out updates and patches. However, for on-premises storage, IT must be sure to choose a product that requires scheduled updates and patches.

Video data storage must be secured, either on-premises or in the cloud, to avoid data loss in the event of a breach. The cloud is ideal for backing up sensitive information saved on local servers. One of the cloud’s security advantages over on-premises servers and infrastructure is its ability to segment storage away from user workstations, where most attacks enter.

LEARN MORE: What is Backup as a Service, and how can it protect K–12 districts?

The principle of least privilege limits a users’ access to what is required to do their jobs. Users are granted permission to read, write or execute only those files or resources specific to their work. This applies to network and IP camera system access as well.

Strengthen the Digital Security Chain with Collaboration

CTOs and data security officers understand the critical need to secure all elements of the digital chain: data, infrastructure, devices, endpoints, applications and identity. IP cameras include all of these elements and represent a potential gateway to cybersecurity breaches.

CTO Marlo Gaddis and her team at the Wake County Public School System in North Carolina work with security, maintenance and operations staff to manage a security chain for the district’s digital resources, data center and network systems.

“By collaborating as a group, we are making sure that we have best practices all the way around to guarantee the safety of our school community,” Gaddis says.

KEEP READING: A Wake County Public School System educator has students with superpowers.