Page 37 - Security Today, February 2018
camera’s brightness or inserting malicious code that takes the cameras offline until a ransom is paid. In more serious cases, they can use their access into the security network as a stepping-stone to hack other networks.
Human error contributes to the problem as well. According to NTT Security’s recently released 2017 Global Threat Intelligence Center Quarterly Threat Intelligence Report, insider threats pose one of the biggest cybersecurity risks for organizations, with 75 percent due to accidental or negligent activity. Fortunately, most of these threats can easily be avoided.
Many camera manufacturers have comprehensive, behind-the-scenes initiatives to help improve IP camera cybersecurity, which incorporate multiple components including education on how cameras should be installed and how networks should be secured. To start, end users and installers should secure IP cameras and other network access points with strong passwords that are changed regularly. A strong password is at least eight characters long and is made up of a combination of special characters, numbers and upper and lower-case letters. There are reputable programs and web services that will assist in creating a password that is difficult to hack. Changing passwords on a regular basis is also extremely important.
It is also vital to keep the firmware on all of your cameras and IP devices up to date. Typically, firmware vulnerabilities or coding errors are what allow hackers access to devices, and once these are published so they can be corrected, they also become publicly available to hackers. This makes installed devices that have not had their firmware upgraded easy prey for hackers. Many companies send updated versions of firmware regularly, and releases often include important security updates. Hackers have been known to revert equipment back to earlier firmware releases in order to expose known vulnerabilities, and any such change should raise an alarm.
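One way to raise that alarm, as an added example that is not from the article or any vendor: compare each camera's reported firmware version against an approved baseline and flag any device whose version went backwards. The camera names, version strings and dotted version format are constructed assumptions.

```python
import re

# Constructed sample data: approved baseline vs. the latest inventory poll.
BASELINE = {"lobby-cam": "2.460.0", "dock-cam": "2.622.3", "gate-cam": "2.800.1"}
CURRENT = {"lobby-cam": "2.460.0", "dock-cam": "2.420.9",
           "gate-cam": "2.800.4", "roof-cam": "2.800.4"}
LATEST = "2.800.4"  # newest vendor release (hypothetical value)


def parse_version(text):
    """Turn '2.622.3' into (2, 622, 3) so comparison is numeric, not lexical."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()  # treat "2.460" and "2.460.0" as the same release
    return tuple(parts)


def audit_firmware(baseline, current, latest):
    """Return (camera, finding) pairs, most urgent findings first."""
    findings = []
    for cam, version in current.items():
        now = parse_version(version)
        if cam not in baseline:
            findings.append((cam, "NEW_DEVICE"))   # never approved
        elif now < parse_version(baseline[cam]):
            findings.append((cam, "ROLLBACK"))     # version went backwards
        if now < parse_version(latest):
            findings.append((cam, "OUTDATED"))     # security updates pending
    for cam in set(baseline) - set(current):
        findings.append((cam, "MISSING"))          # stopped reporting
    order = {"ROLLBACK": 0, "MISSING": 1, "NEW_DEVICE": 2, "OUTDATED": 3}
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))


if __name__ == "__main__":
    for cam, finding in audit_firmware(BASELINE, CURRENT, LATEST):
        print(f"{finding:<10} {cam}: {CURRENT.get(cam, 'no report')}")
```
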
Another necessity is to disable the UPnP, P2P and SNMP functions and enable HTTPS/SSL on a security camera’s IP filter. UPnP will automatically try to forward ports in a router or modem. Normally, this would be a good thing, but if a system automatically forwards the ports and credentials are left at the default, you may end up with unwanted visitors.
Remote Access
P2P is used to remotely access a system via a serial number. The possibility of someone hacking into a system using P2P is highly unlikely because the system’s user name, password and serial number are also required. Yet, P2P should be disabled, along with SNMP if it’s not being used. If it is being used, it should be used temporarily, for tracing and testing purposes only.
Also, it’s critical for end users and installers to set up an SSL certificate to enable HTTPS within the network. This will encrypt all communication between devices and recorders to add another layer of security.
When installing IP cameras, they ideally should be connected to the ports on the back of an NVR to keep them isolated and to prohibit direct access to the surveillance camera through a network.
Additional security actions to take with IP cameras include:
• Enabling the IP filter to prevent everyone, except those with specified IP addresses, from accessing the system
• Regularly checking a camera’s system log that will show which IP addresses were used to log in to the system and what was accessed
• Physically locking down the camera to prevent any unauthorized physical access to the system
• Limiting features of guest accounts
• Isolating the NVR and IP camera network to prevent anyone from gaining access to the same network the security system needs in order to function properly
These important actions, along with installing security cameras on a dedicated security network that is not connected to the public internet, can go a long way in lessening susceptibility to cyber attacks.
Additional Initiatives
Many manufacturers are implementing additional initiatives to help end users secure their networks. For example, one Dahua initiative focuses on authentication for administrative access to security system equipment. As part of this initiative, default accounts are no longer included in new devices. Instead, when installing the device, the device requires initialization with a strong password. Management software communicates with the devices not by sending the strong password itself, but by sending a coded digest message instead. If anyone were to intercept the digest message, they would not be able to decode the password. This comprehensive approach to endpoint security heightens the security level of the entire system.
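The digest exchange described above, sketched as an added example that is not the vendor's code: the article does not name the scheme, so this assumes HTTP Digest with SHA-256 (RFC 7616), and the account, realm and password are constructed values.

```python
import hashlib
import hmac
import secrets


def h(*parts):
    """SHA-256 over colon-joined fields, as RFC 7616 defines H()."""
    return hashlib.sha256(":".join(parts).encode()).hexdigest()


def ha1(user, realm, password):
    """Credential hash; the device stores this instead of the password."""
    return h(user, realm, password)


def make_challenge(realm):
    """Device side: a fresh random nonce for every login attempt."""
    return {"realm": realm, "nonce": secrets.token_hex(16), "qop": "auth"}


def client_response(user, password, challenge, method, uri, nc="00000001"):
    """Management software side: only these fields cross the network."""
    cnonce = secrets.token_hex(8)
    digest = h(ha1(user, challenge["realm"], password), challenge["nonce"],
               nc, cnonce, challenge["qop"], h(method, uri))
    return {"username": user, "nonce": challenge["nonce"], "nc": nc,
            "cnonce": cnonce, "uri": uri, "response": digest}


def device_verify(stored_ha1, challenge, msg, method):
    """Device side: recompute the digest from the stored hash and compare."""
    if msg["nonce"] != challenge["nonce"]:
        return False  # digest was built for another challenge (replay)
    expected = h(stored_ha1, challenge["nonce"], msg["nc"], msg["cnonce"],
                 challenge["qop"], h(method, msg["uri"]))
    return hmac.compare_digest(expected, msg["response"])


if __name__ == "__main__":
    password = "Tr1cky-Pass!9"  # constructed sample credential
    stored = ha1("admin", "camera", password)
    ch = make_challenge("camera")
    msg = client_response("admin", password, ch, "GET", "/status")
    print("valid login accepted:", device_verify(stored, ch, msg, "GET"))
    print("replay on new challenge accepted:",
          device_verify(stored, make_challenge("camera"), msg, "GET"))
```

A captured digest can still be tested offline against guessed passwords, which is why the strong initialization password the device requires matters.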
In addition, the session security function built into Dahua IP surveillance equipment includes an adjustable “inactivity time out” to protect against unauthorized connections. New built-in security features go much further, tracking session credentials for subsequent identity authentication. If a particular host IP address repeatedly generates security issues, the equipment will automatically lock out that address and refuse further sessions.
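A log review of the kind recommended in the list of additional security actions, which also surfaces the repeated failures from one address that the lockout feature acts on. This is an added example, not code from the article or any vendor; the log layout, addresses and threshold are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Addresses permitted by the camera's IP filter (constructed values).
ALLOWED = [ipaddress.ip_network(n) for n in ("10.20.0.0/28", "10.20.5.17/32")]

# Constructed log lines in a hypothetical "time|ip|user|event|detail" layout;
# real camera log exports differ by vendor and need their own parser.
SAMPLE_LOG = """\
2018-02-03 08:01:12|10.20.0.4|admin|LOGIN_OK|live view
2018-02-03 08:14:40|10.20.5.17|operator|LOGIN_OK|playback ch2
2018-02-03 23:47:02|192.0.2.50|admin|LOGIN_FAIL|-
2018-02-03 23:47:09|192.0.2.50|admin|LOGIN_FAIL|-
2018-02-03 23:47:15|192.0.2.50|admin|LOGIN_FAIL|-
2018-02-03 23:49:31|10.20.0.200|guest|LOGIN_OK|config export
garbled line without separators
"""


def is_allowed(ip_text):
    """True if the address falls inside any allowlisted network."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on bad input
    return any(ip in net for net in ALLOWED)


def review(log_text, fail_threshold=3):
    """Flag logins from outside the IP filter and repeat-failure sources."""
    outside, failures, unparsed = [], Counter(), []
    for line in log_text.splitlines():
        fields = line.split("|")
        if len(fields) != 5:
            unparsed.append(line)  # keep for manual review, never drop
            continue
        when, ip, user, event, detail = fields
        try:
            allowed = is_allowed(ip)
        except ValueError:
            unparsed.append(line)
            continue
        if event == "LOGIN_FAIL":
            failures[ip] += 1
        elif event == "LOGIN_OK" and not allowed:
            # A success from outside the filter means the filter is off
            # or misconfigured on this device.
            outside.append((when, ip, user, detail))
    repeat = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    return {"outside_filter": outside, "repeat_failures": repeat,
            "unparsed": unparsed}


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, value)
```
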
Even more, many security camera manufacturers are working in partnership with independent experts such as DBAPP Security and Synopsys Technology to ensure the highest security and quality for their products.
The results of those efforts are being seen in better management of identities, increased session and data security, smooth software update processes, prevention of brute force and password cracking attempts, and the overall improvement in IP surveillance device and network security.
Organizations with IP networked surveillance systems must have a comprehensive and holistic cybersecurity program in place to protect the integrity of their physical security systems and the data on the enterprise. By taking a proactive approach to cybersecurity and working more closely with equipment manufacturers and suppliers, security professionals can better protect their organizations while supporting global efforts to curtail future cybersecurity threats and activities.
Jennifer Hackenburg is a senior product marketing manager at Dahua Technology USA.