Video, a Stealthy Source of Risk Exposure

In the classic espionage movie Three Days of the Condor, Robert Redford learns the name of Faye Dunaway’s character by eavesdropping on a cashier reciting her credit card information over the phone. Later, on the street, Redford calls out to Dunaway by name, pretending to know her and causing a moment of confusion that enables him to kidnap her. (Spoiler alert: It all works out in the end, so don’t worry.) This was a spear phishing attack circa 1975. The technique, however, is now available to malicious actors in an exponentially more powerful form—the scanning of surveillance video to glean personal information.

Video footage, produced by millions of Internet connected video cameras so ubiquitous that we no longer even notice, is creating risk exposure for businesses, governments and everyday people. It’s a security blind spot. Billions of hours of video reside in storage arrays, often with weak protections. The material contains a great deal of information that can be used for fraud, espionage or physical crime.

I spoke about this issue recently with Mathieu Gorge, CEO and founder of VigiTrust and author of the recent book The Cyber Elephant in the Boardroom. In his experience, the collection and storage of surveillance video tends to fall between areas of security responsibility in many organizations. The physical security or anti-fraud team may be tasked with operating the cameras and handling the resulting video files. This group tends not to have the expertise in data security needed to protect these sensitive digital assets. The cybersecurity team, in turn, may not even be aware of what’s going on with video. Or, they lack the time and resources to deal with it.

While surveillance videos may seem like the world’s most boring TV program, the reality is they often contain information that is valuable to malicious actors.

While surveillance videos may seem like the world’s most boring TV program, the reality is they often contain information that is valuable to malicious actors. High-definition cameras in stores, for example, which are trained on cash registers, record credit card numbers and PIN codes. They may also pick up images of driver’s licenses and other personally identifying details. In government offices, such as passport centers or motor vehicle departments, video cameras vacuum up myriad images and text details about people’s identities from birth certificates and other documents. This can lead to identity theft. Cameras in healthcare settings can record sensitive health information about patients.

Internet cameras can be hacked. Video file repositories can be penetrated, especially if they are not well defended. With automated, AI-driven content scanning, attackers can crawl through millions of hours of video and find valuable nuggets of information for use in fraud and worse. Backups are a particular problem, in Gorge’s experience. “Pay attention to storage,” he advised. “Where are you keeping your original and your copies? Do you have policies for deleting video after a set period of time? These are issues that need attention.”

According to Gorge, “Businesses may not realize it, but the video they record is covered by the same privacy regulations as their customer databases. A breach of personal information from a video is still a data breach.”

According to Gorge, “Businesses may not realize it, but the video they record is covered by the same privacy regulations as their customer databases. A breach of personal information from a video is still a data breach.”

Physical risks can also arise from video. As Gorge put it, “If you have access to security camera footage, you can learn where the CEO parks her car, where her office is located, how many security guards the building has on duty and so forth. If you wanted to harm this person, security video gives you a lot of valuable details.” Critical infrastructure facilities like dams and nuclear power plants present comparable risks.

What can be done about video security? The answer, as Gorge sees it, is not complicated, but it could require some effort. The main cybersecurity organization should be made aware of video assets and their disposition. Video files need to be covered by an organization’s overall data security and cloud security policies and countermeasures. For example, default passwords should not be allowed on storage devices for surveillance video. Realizing these policy changes may require cross-team collaboration or changes in responsibility.

Video vulnerabilities represent a solvable problem. To deal with the issue, however, it is first necessary to understand that it exists. From there, it’s a matter of thinking through areas of risk exposure and applying countermeasures, most of which already exist elsewhere in the organization.