The Security of Your Security System - More often than not, passwords are left as defaults

The Security of Your Security System

More often than not, passwords are left as defaults

Ironically, not much attention has been paid to the security of most security systems. Anecdotal reports of video security deployments seem to indicate that more often than not, passwords are left at defaults, default accounts are left enabled, firewalls are not configured, and other best practices of proper information security are commonly not adhered to.

In the past two years several high profile data breaches, namely the Target data breach in 2014, have put greater focus on the data security of all network connected devices. More recently, prominent video security brands have had significant vulnerabilities exposed that could allow for malicious network attacks for organizations that have deployed the affected equipment.

Although attention is paid when a corporation suffers a major data breach, or a product vendor has an unintended vulnerability exposed, many “everyday” security deployments would benefit greatly from some basic IT best practices for securing network connected systems.

Default Passwords

Without question, changing default passwords on network connected devices should be standard practice. Although this practice should be in place for all network connected devices, in video security often camera passwords for default user accounts are not altered. Some camera vendors force a password to be set for the administrative account when first logging into the web interface, but if installers connect the cameras to the corresponding NVR without ever using the web interface, this step could be overlooked. Creating passwords that are difficult to guess may involve incorporating special characters, numbers and capitalization.

To take password security to the next level, use different passwords for all devices. It is quite common for all cameras to share the same password, even if the password has been changed from its default. In the event the new password becomes known to unauthorized individuals, all the camera devices become compromised.

Some organizations will go as far as removing default user accounts, so accounts can be created in their place without the default usernames. This is typically an effort to reduce the possibility of ‘brute force’ attacks, where combinations of passwords are attempted on a known user name. Not all video security products support this capability so if policy dictates this level of configuration, verify products support this function.

Locking Down Unused Services and Ports

Cameras and NVRs often ship with all features and methods of access turned on by default. Once deployed, only subsets of these functions are ever used.

Leaving unused features and protocols turned on, exposes the camera and NVRs to methods of access that are not intended, and no additional system functionality is gained by leaving these settings turned on. Using a software firewall on an NVR and turning off unused services should be considered part of the basic configuration when deploying systems.

Some examples of services and protocols which should be turned off in most deployments include FTP, SSH or telnet, remote desktop, file sharing, UPnP and other discovery methods (after setup).

Network Segmentation and 802.1X

Deploying IP cameras means access to switch ports will be exposed in public locations. It’s possible a camera enclosure could be opened to access the network cable connecting the camera to the internal network, providing relatively easy physical access to other networked systems. This is particularly a concern for cameras mounted outdoors, on a rooftop or in a parking lot, because network access is available outside the physical protection of the building.

A first step to protecting unauthorized physical access to the network is to connect cameras to a switch that is not physically connected to the organization’s main computer network. This is commonly done by using an NVR with two or more network ports. One network port of the NVR connects to the camera-only network and the other side connects to the main network, allowing access to the video feeds. VLAN configuration can be used to segment ports on the same physical switch which prevents direct communication with other devices on that switch that are not defined as part of the VLAN, providing the same end result.

Some cameras and network switches offer 802.1X, which is a network switch level authentication protocol. In short, this functionality ensures only the device authorized to connect to a particular switch port is able to. If another device is plugged into an 802.1X protected switch port, it will not be able to communicate on the network. For deployments where cameras are located outside a building or in publically accessible locations, 802.1X capable switches and cameras should be strongly considered.

Encrypted Communications

Encryption of communications is what most people think of first on the topic of security. Using a network sniffing tool, account credentials and data can be recorded by an unauthorized device. Without encryption, captured data can be easily used by someone other than the intended recipient.

It is more common for encrypted communications to be considered for data being transmitted over a public network, such as the internet, however more network security professionals consider it necessary for internal network communications to prevent security breaches by unauthorized employees and contractors with network access.

Ongoing Patching and Management

Devices marketed as an “Appliance”, which may apply to an NVR or an IP camera, may not get the same level of IT attention that a standard Windows workstation or server deployment would, potentially leading to systems with known security vulnerabilities connected to the network. Some organizations have policies that require various departments to pay IT for support of newly connected Windows systems, or there may be a policy preference against using systems with a full Windows deployment in favor of ‘appliance’ devices due to a perception of reduced need for software updating and patching.

This is generally a mistaken perception. Devices marketed as ‘appliances’ are still running operating systems, generally Windows Embedded or Linux, and still connected to the network. An older version of an operating system on an appliance could present a security risk in the same way an unpatched and unsecured Windows computer would.

When considering an ‘Appliance’ best practice would dictate verifying the underlying Operating System used, the version and patch level of the OS. Also, ask the vendor how OS security issues are resolved when vulnerabilities are uncovered. A delay between a known OS vulnerability and the corresponding patch becoming available for the appliance should cause concern.

Post Installation Auditing

Consumers that are concerned over the configuration of deployed systems should consider third party or internal security auditing following the installation of a video security system. Adding this procedure is a simple and effective way to validate the installation is configured according to security policies and meets a minimum standard of security hardening.

Free scanning tools, such as Nmap, can be used to generate reports on what ports are open on a network connected device, providing for simple and fast verification of whether unused protocols are enabled. In addition, verifying password strength and other configuration mentioned herein should provide a basic means of validation system security post-installation.

When valuable data is compromised, there are significant risks to any organization. In the case of data belonging to a third party or a customer, the cost of the associated legal liability can be huge. Furthermore, the impact to an organization’s brand can have lasting consequences. Having a strong set of security best practices will minimize these risks and can differentiate integrators who educate consumers on the risks and technologies.

This article originally appeared in the February 2016 issue of Security Today.

Featured

  • Security Today Announces The Govies Government Security Award Winners for 2025

    Security Today is pleased to announce the 2025 winners in The Govies Government Security Awards. The awards honor outstanding government security products in a variety of categories. Read Now

  • Survey: 60 Percent of Organizations Using AI in IT Infrastructure

    Netwrix, a cybersecurity provider focused on data and identity threats, today announced the release of its annual global 2025 Cybersecurity Trends Report based on a global survey of 2,150 IT and security professionals from 121 countries. It reveals that 60% of organizations are already using artificial intelligence (AI) in their IT infrastructure and 30% are considering implementing AI. Read Now

  • New Research Reveals Global Video Surveillance Industry Perspectives on AI

    Axis Communications, the global industry leader in video surveillance, has released its latest research report, ‘The State of AI in Video Surveillance,’ which explores global industry perspectives on the use of AI in the security industry and beyond. The report reveals current attitudes on AI technologies thanks to in-depth interviews with AI experts from Axis’ global network and a comprehensive survey of more than 5,800 respondents, including distributors, channel partners, and end customers across 68 countries. The resulting insights cover AI integration and the opportunities and challenges that exist with regard to security, safety, business intelligence, and operational efficiency. Read Now

  • SIA Urges Tariff Relief for Security Industry Products

    Today, the Security Industry Association has sent a letter to U.S. Trade Representative Jamieson Greer and U.S. Secretary of Commerce Howard Lutnick requesting relief from tariffs for security industry products and asking that the Trump administration formulate a process that allows companies to apply for product-specific exemptions. The security industry is an important segment of the U.S. economy, contributing over $430 billion in total economic impact and supporting over 2.1 million jobs. Read Now

  • Report Shows Cybercriminals Continue Pivot to Stealthier Tactics

    IBM recently released the 2025 X-Force Threat Intelligence Index highlighting that cybercriminals continued to pivot to stealthier tactics, with lower-profile credential theft spiking, while ransomware attacks on enterprises declined. IBM X-Force observed an 84% increase in emails delivering infostealers in 2024 compared to the prior year, a method threat actors relied heavily on to scale identity attacks. Read Now

New Products

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.

  • Hanwha QNO-7012R

    Hanwha QNO-7012R

    The Q Series cameras are equipped with an Open Platform chipset for easy and seamless integration with third-party systems and solutions, and analog video output (CVBS) support for easy camera positioning during installation. A suite of on-board intelligent video analytics covers tampering, directional/virtual line detection, defocus detection, enter/exit, and motion detection.