@ISACA Volume 2  23 January 2019

What to Consider When Implementing CCTV


Today, it seems everyone is watching us. In the modern urban setting, there are more closed-circuit television (CCTV) cameras recording life than ever thought possible one generation ago. The volume of information captured is creating a plethora of issues for cybersecurity professionals. These issues focus on capturing, storing and conducting analysis on CCTV video in real time.

Capturing video can be divided into 2 major categories. Camera systems are either analog or digital. Analog cameras pass the CCTV server raw video. Digital camera systems encode raw video into a format that is more conducive to transmitting across a traditional Ethernet/Internet Protocol (IP) computer network. This discussion is limited to traditional CCTV camera systems that capture visible light. Common to both types of cameras are focal length and resolution. These determine how far and how accurately the camera can see objects and people in a frame.

Storing video can become very expensive. If it is stored locally on a CCTV system, a storage strategy is usually designed to ensure continuity of operations. These strategies work on a grandfather-father-son approach to a backup site or media. This strategy is complemented with a circular approach for retiring the oldest. In other cases, the organization decides it does not want to keep video for more than a given time frame and deletes it when that time frame is met. Both approaches are valid and bound to the problem of limited video storage.

Analytics is an emerging capability that people want to see when working with CCTV. The number of algorithms is quite large, so I will just list a sampling of the major analytics being explored: face recognition, gait recognition, object recognition, patterns of life, motion and many more. Most vendors provide some level of analytics as part of their CCTV offering. However, often those analytics are limited to processing video captured by their product and only their product. For the analysis to be of any value it needs to be processed from all cameras in real time. Today, most CCTV video processing is in response to a past event and determining which cameras recorded what and when. Following this determination, the video for that event is located and processed. This is a very time-consuming and time-late business process.

Recently, I was engaged to work at a CCTV challenge involving more than 20 CCTV vendors and 10 terabytes (TB) of data. This event reinforced issues we have been tracking for as long as I can remember. Some of these issues are a result of the CCTV vendors and some of them are technical. The following are some insights that might be useful for practitioners.

The biggest issue is that CCTV vendors tend to use proprietary protocols on top of IP and use proprietary storage (under the guise of security) to protect the data and lock you into their brand. It should be noted that yes, they have an export utility, but that does not help the real-time processing paradigm. This is a hard problem to solve when anything you might write could be considered a copyright infringement with the vendor. You will not see any open-source codecs (video coders and decoders) for proprietary formats. You could replay the video and record the raw video and then process the raw video. This would take a long time and is not feasible for large CCTV architectures. The easiest way around this is to procure a software codec for their product and require the ability to tap into the video stream in real time. This would allow transfer of your data into analytic engines.

Real-time video analytics is a growing industry that promises a plethora of solutions. However, as mentioned, their problem is consuming video. To overcome this issue, organizations can just buy the analytics that are provided by their CCTV vendor. This is a valid approach for a small to medium-sized organization. However, for large organizations this becomes an interesting problem. Often, depreciation and technology refresh get complemented with competing requirements that create a wide variety of CCTV vendors. These requirements can result in several CCTV vendors that are using analog cameras, IP cameras, various protocols and storage, and different levels of camera resolution and focal distances.

From a technical perspective, there are several issues that you should be aware of after video is ingested and presented to the video analytics:

  • CCTV video tends to suffer from inexpensive cameras with short focal lengths and low resolution. This means people and objects on the move tend to appear pixelated or blurred. This requires frames to be enhanced prior to presenting the frame for analytics.
  • A great majority of vendors do not process video. They process frames, which the analytics treat as pictures. In some instances, the analytics only process a given number of frames from the video. The analytic will sample and process every 60th or every 160th frame. The sample rate is often configurable, but the fewer frames you skip, the more processing is performed.
  • For those analytics that are processing images, vs. video, every pixel is being processed in relation to every near pixel. This means some algorithms do millions of operations to process one frame. As a result, one might want to understand the processing requirement for the analytic or the shortcuts that were taken so that the processing environment has the ability to process video. This processing requirement can be reduced by processing encoded videos based on the encoded control information.
  • Artificial intelligence (AI), specifically deep learning-based analytics, is a probabilistic study. These algorithms are not giving the user absolute decisions. Instead, they are saying this is the best fit to whatever criteria the algorithm is trained against. As a result, there is an open-ended issue with determining what AI analytics miss in large volumes of CCTV video.
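
The frame-sampling trade-off from the list above, worked through as an added example (not part of the original article or any vendor's code): it reports which events an analytic never sees when it processes every 60th or every 160th frame, and the frame load that interval puts on the processing environment. The 30 fps frame rate, the 40-camera estate and the event list are constructed assumptions.

```python
from dataclasses import dataclass

FPS = 30        # assumed camera frame rate (not stated in the article)
CAMERAS = 40    # assumed number of cameras feeding one analytic engine

@dataclass(frozen=True)
class Event:
    label: str
    start_frame: int  # first frame in which the subject is visible
    frames: int       # consecutive frames the subject stays visible

# Constructed sample events for a single camera.
EVENTS = [
    Event("person crosses doorway", 95, 20),
    Event("tailgater follows badge-in", 170, 75),
    Event("vehicle stops at gate", 300, 150),
    Event("bag left on bench", 1000, 900),
]

def sampled_frames(event, interval):
    """Frames of the event the analytic sees when it samples 0, N, 2N, ..."""
    first = -(-event.start_frame // interval) * interval  # next multiple of N
    return list(range(first, event.start_frame + event.frames, interval))

def coverage_report(events, interval, fps, cameras):
    """Summarise what one sampling interval costs and what it misses."""
    return {
        "interval": interval,
        # Frames per second the analytic must process across all cameras.
        "frames_per_second_to_process": cameras * fps / interval,
        # Longest event that can fall entirely between two sampled frames.
        "blind_window_seconds": (interval - 1) / fps,
        "missed": [e.label for e in events if not sampled_frames(e, interval)],
    }

if __name__ == "__main__":
    for n in (60, 160):
        print(coverage_report(EVENTS, n, FPS, CAMERAS))
```

Any event shorter than the blind window can go unsampled depending on where it starts, which is one concrete source of the misses the last bullet describes.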

These are just some of the high-level issues associated with video and CCTV. Ingesting videos for an integrated operational picture (pun intended) across a multivendor CCTV architecture can become difficult and frustrating. Plan your CCTV procurement from the perspective that you may need to move out of the vendor’s architecture and process video in real time on another platform. In the end, the solutions for CCTV are just coming of age. As the demand signal rises for more integrated CCTV industry standards and common formats, most of these issues will cease to exist.

Bruce R. Wilkins, CISA, CRISC, CISM, CGEIT, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins provides his customers with secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.


Combat AI Malware



Cybercriminals have turned to artificial intelligence (AI) to access large-scale data illegally. With the potential for AI to be weaponized, cybercriminals can use AI to automate their cybercrime processes and forge video to transform the meaning of evidence and truth.

To help you learn what dangers AI can impose in terms of cyberhacking, ISACA presents “The New Cat and Mouse Game: AI and Malware” webinar. It will give you a deeper understanding of how to detect and develop defenses against these types of attacks. This webinar takes place on 24 January at 12PM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Lisa Kaye LeVan is a cyberprofessional who designs, develops and implements solutions to business challenges for small, medium and large organizations. She will use her experience in asset security, risk management, security engineering, identity and access management, security assessment and training, security operations, software development security, communications, and network security to help you identify the dangers of AI-developed cybercriminal activity to your enterprise.

To learn more about this webinar or to register for it, visit The New Cat and Mouse Game: AI and Malware page of the ISACA website.


Gain Insights on Managing Vendor Risk


Vendor risk management (VRM) is increasingly critical to protecting organizations that outsource products and processes to vendors. VRM helps to protect the organization’s assets while maintaining efficiency. Organizations need to create a VRM program that can scale business growth and remain relevant despite the evolving risk landscape in order to be proactive.

To help you learn to create a VRM that reduces risk to your organization, ISACA and BitSight present the “How to Create a Sustainable Vendor Risk Management Program” webinar. It will discuss how to create a VRM that allows you to make quick and effective security risk decisions, automate continuous monitoring of cybersecurity risk, enable third-party collaboration and reduce the organization’s risk of data breach. This webinar takes place on 30 January at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Jake Olcott, vice president (VP) of communications and government affairs at BitSight, manages corporate communications, press/analyst relationships and government initiatives. Olcott served as cybersecurity attorney to the US Senate Commerce Committee and the US House of Representatives Homeland Security Committee. He previously consulted with Fortune 1000 executives on cyberrisk management. He will use his experience in cybersecurity and risk management to help you and your enterprise minimize vendor risk.

To learn more about this webinar or to register for it, visit the How to Create a Sustainable Vendor Risk Management Program page of the ISACA website.


Engage Offers Ways to Learn, Network and Participate



ISACA’s new Engage portal offers opportunities to learn, network and participate at ISACA in a virtual environment. If you were part of ISACA’s online communities in the past, your discussion posts from the last year have migrated to the new platform. Have you updated your email preferences to stay up to date with the latest conversations? Here are some of the opportunities the Engage portal now offers:

  • Learn—Online forums and special interest groups, such as the SheLeadsTech special interest group, feature discussions and libraries to help you learn about best practices in your profession, ask questions or provide guidance to other colleagues from around the world. There are even online forums to help you prepare to take ISACA certification exams. Stay tuned for more special interest groups to be added in 2019.
  • Network—Update your profile and control your privacy settings to connect with other global professionals. Add contacts to your network or send direct messages without having to share your contact information. Interact with colleagues with diverse backgrounds and experiences.
  • Participate—Check out the latest volunteer opportunities and apply when new roles align with your interests and availability. Be sure to update your volunteer profile to help ISACA review your volunteer applications and so that ISACA can reach you with new ways you might want to get involved. Check out upcoming events hosted by ISACA chapters and International Headquarters and meet new people.

Log in and take advantage of all of the tools available on the Engage website.


The Bank of Ghana Recommends ISACA Credentials for Cybersecurity Professionals



ISACA certifications are globally recognized and allow ISACA members to progress their careers, raise their earning potential and add value in their current positions. In October, the Bank of Ghana recognized ISACA certifications and certificates in its Cyber & Information Security Directive’s Enhanced Competency Framework (ECF) on Cybersecurity. This directive aims to provide a framework for cybersecurity and information security protocols and procedures, in particular for the financial services industry in Ghana.

The directive’s ECF encourages professionals in various roles involved in ensuring operational cyberresilience to attain the CSX Fundamentals Certificate, CSX Practitioner certification (CSXP) or Cybersecurity Audit Certificate at the Core Level (for entry-level staff with fewer than 5 years of relevant experience) and to achieve the Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM) or Certified in the Governance of Enterprise IT (CGEIT) at the Professional Level (for staff with 5 or more years of relevant experience).

To learn more, please visit the ISACA Certification page of the ISACA website.