The Security of Your Security System
More often than not, passwords are left as defaults
- By Brian Carle
- Feb 01, 2016
Ironically, not much attention has been paid to the security of most security systems. Anecdotal reports of video security deployments seem to indicate that more often than not, passwords are left at defaults, default accounts are left enabled, firewalls are not configured, and other best practices of proper information security are commonly not adhered to.
In the past two years several high-profile data breaches, namely the Target data breach in 2014, have put greater focus on the data security of all network-connected devices. More recently, prominent video security brands have had significant vulnerabilities exposed that could allow malicious network attacks against organizations that have deployed the affected equipment.
Although attention is paid when a corporation suffers a major data breach, or a product vendor has an unintended vulnerability exposed, many “everyday” security deployments would benefit greatly from some basic IT best practices for securing network-connected systems.
Default Passwords
Without question, changing default passwords on network-connected devices should be standard practice. Although this practice should be in place for all network-connected devices, in video security deployments the passwords of the default camera accounts are often left unaltered. Some camera vendors force a password to be set for the administrative account when first logging into the web interface, but if installers connect the cameras to the corresponding NVR without ever using the web interface, this step could be overlooked.
Creating passwords that are difficult to guess may involve incorporating special characters, numbers and capitalization. To take password security to the next level, use different passwords for all devices. It is quite common for all cameras to share the same password, even if the password has been changed from its default. In the event the new password becomes known to unauthorized individuals, all the camera devices become compromised.
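The policy above (hard-to-guess passwords, and a different one on every device) is easy to state and easy to drift from, so it is worth scripting. The following is an added example, not code from the article or from any camera vendor: it generates a unique random password per camera with Python's `secrets` module, checks each against the character-class policy, and audits an existing credential inventory for passwords that are shared between devices or are still vendor defaults. The device names and the list of default passwords are constructed for the demonstration.

```python
"""Added example (not from the article): give every camera its own
randomly generated password and audit an inventory for shared or default
ones. Device names and the default-password list are constructed."""
import secrets
import string

# Constructed list of vendor defaults to reject; a real deployment would
# take this from the vendor documentation or an asset register.
KNOWN_DEFAULTS = {"admin", "12345", "password", "admin123", "888888"}

SPECIALS = "!@#$%^&*()-_=+"
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def is_strong(password: str, min_length: int = 16) -> bool:
    """Policy from the article: long, mixed case, digits, special
    characters, and not a known default."""
    if len(password) < min_length or password.lower() in KNOWN_DEFAULTS:
        return False
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SPECIALS for c in password))


def generate_password(length: int = 20) -> str:
    """Draw from a CSPRNG and retry until the policy is satisfied;
    at 20 characters a retry is uncommon."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_strong(candidate):
            return candidate


def assign_unique_passwords(devices):
    """Return {device: password} with a distinct password for each device."""
    assigned, used = {}, set()
    for device in devices:
        pw = generate_password()
        while pw in used:          # practically never happens, cheap to guard
            pw = generate_password()
        used.add(pw)
        assigned[device] = pw
    return assigned


def find_shared_passwords(credentials):
    """Audit helper: map each password that is reused across devices, or is
    a known default, to the list of devices using it."""
    by_password = {}
    for device, pw in credentials.items():
        by_password.setdefault(pw, []).append(device)
    return {pw: devs for pw, devs in by_password.items()
            if len(devs) > 1 or pw.lower() in KNOWN_DEFAULTS}


if __name__ == "__main__":
    cameras = ["cam-lobby", "cam-loading-dock", "cam-roof-north"]
    fresh = assign_unique_passwords(cameras)
    assert not find_shared_passwords(fresh)
    # Constructed "before" inventory: one changed password copied to every
    # camera, plus one camera still on a vendor default.
    before = {"cam-lobby": "S3cure!Cam", "cam-loading-dock": "S3cure!Cam",
              "cam-roof-north": "admin"}
    for pw, devs in find_shared_passwords(before).items():
        print(f"{pw!r} is weak or shared by: {', '.join(devs)}")
```

The generated credentials would go straight into a password manager or the NVR's credential store; the audit function is the part to keep running, since a single shared password creeping back in is exactly the failure the article describes.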
Some organizations will go as far as removing default user accounts, so accounts can be created in their place without the default usernames. This is typically an effort to reduce the possibility of ‘brute force’ attacks, where combinations of passwords are attempted on a known user name. Not all video security products support this capability, so if policy dictates this level of configuration, verify products support this function.
Locking Down Unused Services and Ports
Cameras and NVRs often ship with all features and methods of access turned on by default. Once deployed, only subsets of these functions are ever used. Leaving unused features and protocols turned on exposes the cameras and NVRs to methods of access that are not intended, and no additional system functionality is gained by leaving these settings turned on. Using a software firewall on an NVR and turning off unused services should be considered part of the basic configuration when deploying systems.
Some examples of services and protocols which should be turned off in most deployments include FTP, SSH or telnet, remote desktop, file sharing, UPnP and other discovery methods (after setup).
Network Segmentation and 802.1X
Deploying IP cameras means access to switch ports will be exposed in public locations. It’s possible a camera enclosure could be opened to access the network cable connecting the camera to the internal network, providing relatively easy physical access to other networked systems. This is particularly a concern for cameras mounted outdoors, on a rooftop or in a parking lot, because network access is available outside the physical protection of the building.
A first step toward protecting against unauthorized physical access to the network is to connect cameras to a switch that is not physically connected to the organization’s main computer network. This is commonly done by using an NVR with two or more network ports. One network port of the NVR connects to the camera-only network and the other connects to the main network, allowing access to the video feeds. VLAN configuration can be used to segment ports on the same physical switch, which prevents direct communication with other devices on that switch that are not defined as part of the VLAN, providing the same end result.
Some cameras and network switches offer 802.1X, which is a network switch level authentication protocol. In short, this functionality ensures only the device authorized to connect to a particular switch port is able to. If another device is plugged into an 802.1X protected switch port, it will not be able to communicate on the network. For deployments where cameras are located outside a building or in publicly accessible locations, 802.1X capable switches and cameras should be strongly considered.
Encrypted Communications
Encryption of communications is what most people think of first on the topic of security. Using a network sniffing tool, account credentials and data can be recorded by an unauthorized device. Without encryption, captured data can be easily used by someone other than the intended recipient.
It is more common for encrypted communications to be considered for data being transmitted over a public network, such as the internet; however, a growing number of network security professionals consider it necessary for internal network communications as well, to prevent security breaches by unauthorized employees and contractors with network access.
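The practical way to find out whether a deployment is exposed in this way is to look at the traffic on the camera VLAN yourself. The following is an added example, not code from the article: it classifies a small set of captured application-layer messages and reports which devices are receiving credentials or sessions in the clear, so that HTTPS or RTSP over TLS can be enabled on those devices, or the finding can be weighed against how isolated the camera network really is. The addresses, ports and payloads are constructed; a real run would feed in packet payloads exported from tcpdump or tshark.

```python
"""Added example (not from the article): flag devices on a camera network
that receive credentials or sessions over unencrypted channels. All capture
records below are constructed for the demonstration."""

# Constructed capture records: (src, dst, dst_port, start of payload).
SAMPLE_CAPTURE = [
    # NVR logging into a camera web interface with HTTP Basic auth
    ("10.0.20.5", "10.0.20.21", 80,
     "GET /cgi-bin/config HTTP/1.1\r\nAuthorization: Basic YWRtaW46c2VjcmV0\r\n"),
    # RTSP stream setup using Digest auth, still over a cleartext channel
    ("10.0.20.5", "10.0.20.22", 554,
     "DESCRIBE rtsp://10.0.20.22/stream1 RTSP/1.0\r\n"
     "Authorization: Digest username=\"viewer\", realm=\"cam\"\r\n"),
    # FTP login (FTP sends the username and password in plaintext)
    ("10.0.20.5", "10.0.20.23", 21, "USER operator\r\n"),
    # HTTPS: a TLS ClientHello record, so nothing readable follows
    ("10.0.20.5", "10.0.20.24", 443, "\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
]


def is_tls_record(payload: str) -> bool:
    """A TLS record starts with content type 0x16 (handshake) and major
    version byte 0x03; good enough to separate TLS from text protocols."""
    return len(payload) >= 3 and payload[0] == "\x16" and payload[1] == "\x03"


def classify(record) -> str:
    """Return one of: encrypted, cleartext-credential, digest-over-cleartext,
    cleartext (readable session but no credential seen in this message)."""
    _src, _dst, _port, payload = record
    if is_tls_record(payload):
        return "encrypted"
    for line in payload.split("\r\n"):
        lowered = line.lower()
        if lowered.startswith("authorization: basic"):
            return "cleartext-credential"      # base64 is reversible, not secret
        if lowered.startswith("authorization: digest"):
            return "digest-over-cleartext"     # not plaintext, but replayable
        if line.upper().startswith(("USER ", "PASS ")):
            return "cleartext-credential"      # FTP/POP-style login
    return "cleartext"


def audit_capture(records):
    """Map each destination device to the set of non-encrypted classes seen."""
    findings = {}
    for rec in records:
        cls = classify(rec)
        if cls != "encrypted":
            findings.setdefault(rec[1], set()).add(cls)
    return findings


if __name__ == "__main__":
    for device, classes in sorted(audit_capture(SAMPLE_CAPTURE).items()):
        print(f"{device}: {', '.join(sorted(classes))}")
```

Digest authentication is reported separately because it does hide the password, but without TLS the rest of the session is still readable and the exchange is still exposed to anyone on the segment; the fix in both cases is the same, which is to enable the encrypted variant of the protocol on the device.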
Ongoing Patching and Management
Devices marketed as an “Appliance”, which may apply to an NVR or an IP camera, may not get the same level of IT attention that a standard Windows workstation or server deployment would, potentially leading to systems with known security vulnerabilities connected to the network. Some organizations have policies that require various departments to pay IT for support of newly connected Windows systems, or there may be a policy preference against using systems with a full Windows deployment in favor of ‘appliance’ devices due to a perception of reduced need for software updating and patching.
This is generally a mistaken perception. Devices marketed as ‘appliances’ are still running operating systems, generally Windows Embedded or Linux, and are still connected to the network. An older version of an operating system on an appliance could present a security risk in the same way an unpatched and unsecured Windows computer would.
When considering an ‘appliance’, best practice would dictate verifying the underlying operating system used, along with the version and patch level of the OS. Also, ask the vendor how OS security issues are resolved when vulnerabilities are uncovered. A delay between a known OS vulnerability and the corresponding patch becoming available for the appliance should cause concern.
Post Installation Auditing
Consumers who are concerned about the configuration of deployed systems should consider third-party or internal security auditing following the installation of a video security system. Adding this procedure is a simple and effective way to validate that the installation is configured according to security policies and meets a minimum standard of security hardening.
Free scanning tools, such as Nmap, can be used to generate reports on what ports are open on a network-connected device, providing for simple and fast verification of whether unused protocols are enabled.
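An Nmap report is only useful if someone compares it against what should be open, and on a fleet of cameras that comparison is better done by a script than by eye. The following is an added example, not code from the article or from the Nmap project: it parses Nmap's "grepable" (`-oG`) output, applies an allow-list for a camera-only network (web interface and RTSP only), and flags anything else, naming the services the article says should be off after setup (FTP, SSH, telnet, remote desktop, file sharing, UPnP) as risky. The scan output, hostnames and addresses are constructed; a real audit would produce the file with something like `nmap -sS -sU -p- -oG scan.gnmap 192.168.10.0/24` and pass its contents to `parse_gnmap`.

```python
"""Added example (not from the article): audit Nmap -oG output against an
allow-list for a camera VLAN. The sample scan output is constructed."""
import re

# Services the article lists as "turn off after setup", by Nmap service name.
RISKY_SERVICES = {"ftp", "ssh", "telnet", "ms-wbt-server", "microsoft-ds",
                  "netbios-ssn", "upnp", "ssdp"}

# Allow-list for a camera-only VLAN: web UI (80/443) and RTSP video (554).
CAMERA_ALLOWED_PORTS = {80, 443, 554}

# Constructed -oG output. Real -oG fields are tab-separated and each port
# entry reads port/state/protocol/owner/service/rpc-info/version/.
SAMPLE_GNMAP = """\
# Nmap 7.01 scan initiated (constructed sample)
Host: 192.168.10.21 (cam-lobby)\tStatus: Up
Host: 192.168.10.21 (cam-lobby)\tPorts: 80/open/tcp//http///, 554/open/tcp//rtsp///\tIgnored State: closed (65533)
Host: 192.168.10.22 (cam-loading-dock)\tStatus: Up
Host: 192.168.10.22 (cam-loading-dock)\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 554/open/tcp//rtsp///, 1900/open/udp//upnp///\tIgnored State: closed (65531)
Host: 192.168.10.5 (nvr-01)\tPorts: 80/open/tcp//http///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65532)
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text):
    """Return {host: [(port, proto, service), ...]} for open ports only.
    The hostname is used when Nmap resolved one, otherwise the address."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                       # comment lines and blank lines
        host = m.group(2) or m.group(1)
        hosts.setdefault(host, [])
        for field in line.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) >= 5 and parts[1] == "open":
                    hosts[host].append((int(parts[0]), parts[2], parts[4]))
    return hosts


def audit(hosts, allowed_ports=CAMERA_ALLOWED_PORTS):
    """Return {host: [finding, ...]} for open ports outside the allow-list,
    marking the article's should-be-off services as 'risky'."""
    findings = {}
    for host, ports in hosts.items():
        for port, proto, service in ports:
            if proto == "tcp" and port in allowed_ports:
                continue
            severity = "risky" if service in RISKY_SERVICES else "unexpected"
            findings.setdefault(host, []).append(
                f"{severity}: {port}/{proto} ({service or 'unknown'})")
    return findings


if __name__ == "__main__":
    for host, items in audit(parse_gnmap(SAMPLE_GNMAP)).items():
        print(host)
        for item in items:
            print("  " + item)
```

Hosts with no findings (here `cam-lobby`) are omitted from the result, so an empty dictionary means the whole VLAN matches the allow-list; the NVR is deliberately audited with the camera allow-list to show that file sharing and remote desktop on it are caught as well, and a second allow-list can be passed for hosts where those are genuinely required.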
In addition, verifying password strength and the other configuration items mentioned herein should provide a basic means of validating system security post-installation.
When valuable data is compromised, there are significant risks to any organization. In the case of data belonging to a third party or a customer, the cost of the associated legal liability can be huge. Furthermore, the impact to an organization’s brand can have lasting consequences. Having a strong set of security best practices will minimize these risks and can differentiate integrators who educate consumers on the risks and technologies.
This article originally appeared in the February 2016 issue of Security Today.