The Security of Your Security System - More often than not, passwords are left as defaults

The Security of Your Security System

More often than not, passwords are left as defaults

Ironically, not much attention has been paid to the security of most security systems. Anecdotal reports of video security deployments seem to indicate that more often than not, passwords are left at defaults, default accounts are left enabled, firewalls are not configured, and other best practices of proper information security are commonly not adhered to.

In the past two years several high profile data breaches, namely the Target data breach in 2014, have put greater focus on the data security of all network connected devices. More recently, prominent video security brands have had significant vulnerabilities exposed that could allow for malicious network attacks for organizations that have deployed the affected equipment.

Although attention is paid when a corporation suffers a major data breach, or a product vendor has an unintended vulnerability exposed, many “everyday” security deployments would benefit greatly from some basic IT best practices for securing network connected systems.

Default Passwords

Without question, changing default passwords on network connected devices should be standard practice. Although this practice should be in place for all network connected devices, in video security often camera passwords for default user accounts are not altered. Some camera vendors force a password to be set for the administrative account when first logging into the web interface, but if installers connect the cameras to the corresponding NVR without ever using the web interface, this step could be overlooked. Creating passwords that are difficult to guess may involve incorporating special characters, numbers and capitalization.

To take password security to the next level, use different passwords for all devices. It is quite common for all cameras to share the same password, even if the password has been changed from its default. In the event the new password becomes known to unauthorized individuals, all the camera devices become compromised.

Some organizations will go as far as removing default user accounts, so accounts can be created in their place without the default usernames. This is typically an effort to reduce the possibility of ‘brute force’ attacks, where combinations of passwords are attempted on a known user name. Not all video security products support this capability so if policy dictates this level of configuration, verify products support this function.

Locking Down Unused Services and Ports

Cameras and NVRs often ship with all features and methods of access turned on by default. Once deployed, only subsets of these functions are ever used.

Leaving unused features and protocols turned on, exposes the camera and NVRs to methods of access that are not intended, and no additional system functionality is gained by leaving these settings turned on. Using a software firewall on an NVR and turning off unused services should be considered part of the basic configuration when deploying systems.

Some examples of services and protocols which should be turned off in most deployments include FTP, SSH or telnet, remote desktop, file sharing, UPnP and other discovery methods (after setup).

Network Segmentation and 802.1X

Deploying IP cameras means access to switch ports will be exposed in public locations. It’s possible a camera enclosure could be opened to access the network cable connecting the camera to the internal network, providing relatively easy physical access to other networked systems. This is particularly a concern for cameras mounted outdoors, on a rooftop or in a parking lot, because network access is available outside the physical protection of the building.

A first step to protecting unauthorized physical access to the network is to connect cameras to a switch that is not physically connected to the organization’s main computer network. This is commonly done by using an NVR with two or more network ports. One network port of the NVR connects to the camera-only network and the other side connects to the main network, allowing access to the video feeds. VLAN configuration can be used to segment ports on the same physical switch which prevents direct communication with other devices on that switch that are not defined as part of the VLAN, providing the same end result.

Some cameras and network switches offer 802.1X, which is a network switch level authentication protocol. In short, this functionality ensures only the device authorized to connect to a particular switch port is able to. If another device is plugged into an 802.1X protected switch port, it will not be able to communicate on the network. For deployments where cameras are located outside a building or in publically accessible locations, 802.1X capable switches and cameras should be strongly considered.

Encrypted Communications

Encryption of communications is what most people think of first on the topic of security. Using a network sniffing tool, account credentials and data can be recorded by an unauthorized device. Without encryption, captured data can be easily used by someone other than the intended recipient.

It is more common for encrypted communications to be considered for data being transmitted over a public network, such as the internet, however more network security professionals consider it necessary for internal network communications to prevent security breaches by unauthorized employees and contractors with network access.

Ongoing Patching and Management

Devices marketed as an “Appliance”, which may apply to an NVR or an IP camera, may not get the same level of IT attention that a standard Windows workstation or server deployment would, potentially leading to systems with known security vulnerabilities connected to the network. Some organizations have policies that require various departments to pay IT for support of newly connected Windows systems, or there may be a policy preference against using systems with a full Windows deployment in favor of ‘appliance’ devices due to a perception of reduced need for software updating and patching.

This is generally a mistaken perception. Devices marketed as ‘appliances’ are still running operating systems, generally Windows Embedded or Linux, and still connected to the network. An older version of an operating system on an appliance could present a security risk in the same way an unpatched and unsecured Windows computer would.

When considering an ‘Appliance’ best practice would dictate verifying the underlying Operating System used, the version and patch level of the OS. Also, ask the vendor how OS security issues are resolved when vulnerabilities are uncovered. A delay between a known OS vulnerability and the corresponding patch becoming available for the appliance should cause concern.

Post Installation Auditing

Consumers that are concerned over the configuration of deployed systems should consider third party or internal security auditing following the installation of a video security system. Adding this procedure is a simple and effective way to validate the installation is configured according to security policies and meets a minimum standard of security hardening.

Free scanning tools, such as Nmap, can be used to generate reports on what ports are open on a network connected device, providing for simple and fast verification of whether unused protocols are enabled. In addition, verifying password strength and other configuration mentioned herein should provide a basic means of validation system security post-installation.

When valuable data is compromised, there are significant risks to any organization. In the case of data belonging to a third party or a customer, the cost of the associated legal liability can be huge. Furthermore, the impact to an organization’s brand can have lasting consequences. Having a strong set of security best practices will minimize these risks and can differentiate integrators who educate consumers on the risks and technologies.

This article originally appeared in the February 2016 issue of Security Today.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3