Security and privacy protection aspects of CCTV systems:

September 28th, 2019

Closed-circuit television (CCTV) is a TV system in which signals are not publicly distributed, but are monitored, primarily for surveillance and security purposes. CCTV systems rely on strategic placement of cameras and observation of the camera’s input on monitors. As the cameras communicate with monitors and/or video recorders across private coaxial cable runs, or wireless communication links, they gain the designation “closed-circuit” to indicate that access to their content is limited to only those with authorization to see it.

The effectiveness of video surveillance technology is continuously improving, and it has already established itself as a vital security tool for the police, private companies and many public sector organisations. An effective CCTV system contributes to the detection and prevention of crime, as well as protecting towns, cities and transport networks from the threat of terrorism.

Advances in CCTV technologies, especially the move from analog CCTV cameras to internet protocol (IP) ones, certainly improve the safety and security that CCTV systems provide, but they also increase information security and privacy concerns. Having in mind that the new EU privacy protection regulation, General Data Protection Regulation (GDPR), will be applied from 25th May 2018, information security and privacy protection concerns of CCTV systems are being recognized.

Applications of CCTV systems for security:

There are three primary ways to use CCTV systems:

  • As a deterrent;
  • For forensic purposes; and
  • As an interactive device.

Originally, CCTV surveillance systems were simply a deterrent. The notion that “Big Brother” was watching was often enough to keep people from misbehaving.

On the other hand, as recording and storing technologies and software, such as video analytics, have become more efficient, CCTV systems have evolved into a forensic surveillance tool, enabling the collection of evidence after an event has taken place.

Finally, as CCTV surveillance systems become more easily integrated with monitoring devices, alarm systems and access control devices, a third use of CCTV is to help security personnel identify and interrupt security breaches as they’re occurring, or even before they take place.

CCTV systems are commonly used for a variety of purposes:

  • Maintaining perimeter security in medium- to highly-secure areas and installations;
  • Observing the behavior of incarcerated inmates and potentially dangerous patients in medical facilities;
  • Traffic monitoring;
  • Overseeing locations that would be hazardous to humans, for example, highly radioactive or toxic industrial environments;
  • Building and grounds security;
  • Obtaining a visual record of activities in situations where it is necessary to maintain proper security or access controls, for example, in a diamond cutting or sorting operation, banks, casinos, or airports;
  • Home security;
  • Public transportation;
  • Crime prevention;
  • Business surveillance;
  • School protection;
  • Body worn;
  • Sporting events;
  • Employee monitoring;
  • CCTV for Open Data purposes.

We should have surveillance cameras in public places because they ensure public safety. Rarely will anyone attempt to harm anyone else when they know their actions are being recorded on camera. Cameras keep the public and their personal property safe.

The police can identify criminals through recordings on camera. Through surveillance cameras, the police can both prevent crimes from happening and can quickly solve criminal cases with material evidence.

Surveillance cameras protect against property theft and vandalism. It is very difficult for criminals to get away with stealing if there are cameras in operation. Therefore, the thief will often get caught. Surveillance cameras will catch the thief before, or during, the process of committing the crime.

Cameras, through video analytics, now have a zoom feature, allowing the camera to reveal someone’s identity, which can be beneficial to crime prevention when used in the correct way. As a result, the criminal can be apprehended quickly. For instance, in abduction cases a video would be a great way of tracking down a person quickly, and may even prevent a death.

In industrial plants, CCTV equipment may be used to observe parts of the process from a central control room, for example when the environment is not suitable for humans. CCTV systems may operate continuously, or only as required to monitor a particular event. A more advanced form of CCTV utilises digital video recorders (DVRs), potentially providing recordings for many years, with a variety of quality and performance options and extra features, such as motion detection and email alerts. More recently, decentralized IP cameras, some equipped with megapixel sensors, support recording directly to network-attached storage devices, or to internal flash for stand-alone operation.

Advances in CCTV Technologies:

CCTV surveillance systems have made tremendous technological progress in the last decade, not only in individual capabilities, but also in the ability to interact with other security technology.

The main advances are:

  • Video content analysis (VCA);
  • High definition (HD) CCTV;
  • Sophisticated motion detection algorithms;
  • Wide dynamic range;
  • Internet of Things (IoT);
  • Cloud technology;
  • Big Data;
  • Video management systems (VMS); and
  • Wireless technology.

Video content analysis:

A key area where CCTV is rapidly developing is that of VCA. This impressive technology is already contributing to the security of a range of high-level facilities, such as city centers, transport facilities, and utilities. The costs of the technology are falling and the capability increasing to the extent that it is becoming a cost-effective option for commercial premises.

VCA:

VCA is the automatic analysis of CCTV images in camera or centrally, utilizing advanced algorithms to create useful information about the content. Generally, these systems need a static background and, consequently, tend to operate with fixed cameras or pan, tilt, zoom (PTZ) cameras at set positions, as they are looking to identify changes or movement at a particular scene. The scope of VCA is considerable and can be used in the detection of intruders, abandoned packages, wrongly parked vehicles or as a means of counting people.

One particular area where VCA can be especially effective is around the perimeter of a site. Securing a perimeter can be seen as one of the most crucial steps in any security plan. An early detection of a threat also means that there is more time and space available to formulate the necessary response, potentially preventing an intrusion altogether.

One of the solutions is to hold CCTV information securely in the Cloud, with access limited to authorised personnel. There is no longer a physical DVR; data is sent directly and securely from the cameras to the Cloud. Such systems can not only provide an overview of all visual data collected by the CCTV cameras connected to it, but also complete control over access to that data, which is encrypted from end-to-end and can be viewed using a standard computer, tablet or smartphone, via secure browser technology. They can also only record CCTV data when needed and can automatically delete it when it is no longer required.

 

Ensuring Network Security System For Surveillance System:

September 21st, 2019

Security camera systems are increasingly internet connected, driven in great part by customer demand for remote video access. The systems range from cloud-managed surveillance systems, traditional DVR/VMS/NVRs connected to the internet, and traditional systems connected to a local network which in turn is connected to the internet.

With cyber-attacks accelerating, physical security integrators and internal support staff must keep up-to-date on cyber security attack vectors which can impact the camera video management systems they sell and/or support. These systems require the same level of protection from cyber security vulnerabilities given to traditional IT systems.

The following are best practices for internet-connected security camera systems.

  1. Physical Security: A Dangerous Door for Cyber Attacks:

Security Camera Systems are increasingly internet connected, driven by the desire for remote access and control, integration, and drastically reduced cloud storage costs.

In addition to the growing number of cloud-managed surveillance systems, most traditional security camera systems are now connected to the internet for remote access, support, and maintenance, or they are connected to the local network which in turn is connected to the internet.

In parallel, cyber-attacks continue to escalate. Reading about millions of breaches in the news headlines is becoming commonplace. Liabilities for damages are a great risk to companies.

Thus it is critical that security camera systems get the same level of attention to, and protection from, cyber security vulnerabilities that are given to traditional IT systems.

Physical security integrators and internal support staff must keep up-to-date on cyber security attack vectors which can impact the camera video management systems they sell.

 

  2. Major Attack Vectors for Security Camera Systems:

The five major cyber-attack vectors for surveillance camera systems are:

  • Windows OS
  • Linux OS
  • DVRs, NVRs, VMS
  • Endpoints (cameras)
  • Firewall ports

We will discuss these attack vectors in the context of applicable best practices which can be deployed to protect your surveillance system against them.

 

  3. Best Practices Differ Based on Surveillance System Type:

 

The terms ‘cloud video surveillance’ and ‘cloud system’ are used inconsistently. Thus it is important to check with your provider to see exactly how they achieve internet access, as it will impact which steps you must take to ensure your system is secure.

A traditional system, either DVR, NVR or VMS, with an internet connection, typically for the purpose of remote video access.

A cloud-managed system, also called VSaaS. With a cloud-managed system, though there may be an onsite device, the video is recorded and managed from the cloud.

There are differences within each of these categories that impact features and functions, however, this top-level distinction will offer clarity in how you can apply cyber security best practices, as well as what questions to ask your provider.

 

  4. Best Practices for Cyber-Safe Security Camera Systems:

Vulnerability

At first glance, camera passwords may seem like too obvious a security measure to discuss. However, a Network World article in November 2014 reported that 73,011 locations with IP cameras from 256 countries were exposed on one website. The United States topped the list with 11,046 links, where each link could have up to 8 or 16 cameras.

Further, it is estimated that 1 in 5 Web users still use easy-to-hack passwords.

The Top 10 passwords of 2013, according to SplashData:

 

  • 123456
  • Password
  • 12345678
  • qwerty
  • abc123
  • 123456789
  • 111111
  • 1234567

Almost all cameras sold today have a web-based graphical user interface (GUI) and come with a default username and password which is published on the internet.

Some installers don’t change the password at all and leave the same default password for all cameras.

Very few cameras have a way to disable the GUI, so the security vulnerability is that someone can try to get into the camera by guessing the password through the web GUI.

The hacker must have network access to do this, but the cameras are often on a shared network, not a physically separate network or a VLAN.

 

Port Forwarding:

Most end users now demand and expect video access from remote mobile devices.

This feature is normally delivered by exposing the DVR, NVR, or VMS to the internet in some way.

This typical exposure of an HTTP server to the internet is extremely dangerous, as there are a large number of malicious exploits that can be used to obtain access. Machines open to the Internet are typically scanned more than 10,000 times a day.

One example of this vulnerability was the Heartbleed OpenSSL exploit in 2014; many manufacturers had to ask users to reset their passwords.

 

Firewalls:

As stated above, any on-premise DVR/NVR/VMS should have a firewall for protection, especially if you are going to expose it to the internet for any type of remote access.

Firewalls can be very complex, with thousands of rules. The next generation firewalls are even more complex because they analyse the protocols going over the ports and verify that proper protocols are being used.

 

Network Topology:

Mixing the cameras on a standard network without separation is a recipe for disaster.

If your security camera system is connected to your main network, you are creating a doorway for hackers to enter your main network via your surveillance system, or to enter your physical security system through your main network.
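The password, port forwarding and network topology practices above can be checked against a device inventory before a system goes live. The following is an added example, not code from the original article: the device names, addresses, passwords, camera subnet and forwarding rule are all constructed, and the inventory layout is an assumption.

```python
import ipaddress
from collections import Counter

# Weak passwords listed on this page (SplashData, 2013), compared case-insensitively.
WEAK = {"123456", "password", "12345678", "qwerty", "abc123",
        "123456789", "111111", "1234567"}

def audit(devices, camera_nets, forwards):
    """Return sorted (device_name, finding) pairs for a surveillance inventory."""
    nets = [ipaddress.ip_network(n) for n in camera_nets]
    reuse = Counter(d["password"] for d in devices)
    by_ip = {ipaddress.ip_address(d["ip"]): d["name"] for d in devices}
    findings = set()
    for d in devices:
        pw = d["password"]
        if pw == d["factory_default"]:
            findings.add((d["name"], "factory-default-password"))
        if pw.lower() in WEAK:
            findings.add((d["name"], "weak-password"))
        if reuse[pw] > 1:
            findings.add((d["name"], "password-shared-across-devices"))
        # Devices belong on a dedicated camera subnet/VLAN, not the shared LAN.
        if not any(ipaddress.ip_address(d["ip"]) in n for n in nets):
            findings.add((d["name"], "on-shared-network"))
    for f in forwards:
        # A port forward that targets a camera or recorder exposes it to the internet.
        name = by_ip.get(ipaddress.ip_address(f["internal_ip"]))
        if name is not None:
            findings.add((name, f"internet-exposed-port-{f['internal_port']}"))
    return sorted(findings)

# Constructed sample inventory (hypothetical names, addresses and passwords).
DEVICES = [
    {"name": "cam-lobby", "ip": "10.20.0.11", "password": "admin", "factory_default": "admin"},
    {"name": "cam-dock", "ip": "192.168.1.57", "password": "Qwerty", "factory_default": "admin"},
    {"name": "cam-gate", "ip": "10.20.0.12", "password": "admin", "factory_default": "12345"},
    {"name": "nvr-01", "ip": "10.20.0.2", "password": "t7#Rk!vPz2qLm9", "factory_default": "admin"},
]
CAMERA_NETS = ["10.20.0.0/24"]  # dedicated camera VLAN subnet (assumed)
FORWARDS = [{"external_port": 8080, "internal_ip": "10.20.0.2", "internal_port": 80}]

if __name__ == "__main__":
    for name, finding in audit(DEVICES, CAMERA_NETS, FORWARDS):
        print(f"{name}: {finding}")
```
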

 

Operating Systems:

Your on-premise VMS, DVR, NVR or recording system will all have an operating system. The cameras all have an operating system.

All operating systems have vulnerabilities, both Windows-based and Linux-based.

Windows OS vulnerabilities are so well-accepted that IT teams monitor them regularly. Recently it has become more and more apparent that Linux has many vulnerabilities also, such as Shellshock (2014) and GHOST (2015), which made millions of systems vulnerable.

In theory, your system manufacturer would have a high-quality security team that is responsive in providing you with security updates. The reality is that many vendors don’t do this on a predictable basis.

Cloud-Managed System

Best practice here is to inquire with your integrator or cloud vendor if the cloud vendor has a dedicated, experienced security team which monitors vulnerabilities.

Also confirm whether the cloud vendor will automatically send security patches/updates through the cloud to any on-premise appliance. If so, no action is required from the end user to do operating system security monitoring, patching or upgrading.

 

Data breaches continue to accelerate throughout the world. With increasing Internet connectivity, physical security systems are very vulnerable to cyber-attacks, both as direct attacks and as an entrance to the rest of the network. Liabilities for these attacks are still being defined.

It is prudent to protect your company and your customers through preventative measures.

To maximize your cyber security, it is critical to define best practices for your own company, as part of your security camera system assessment, as well as its deployment and maintenance.