Consider Data Security -- Security Today

Consider Data Security

Every project must ensure best practices

By Paul Garms, Sean Murphy
Sep 01, 2018

Data security is just as important as the premises we safeguard, making it imperative to consider both physical and cybersecurity simultaneously. As security technology becomes increasingly connected—allowing it to take advantage of the Internet of Things and offer enhanced integration capabilities—we must ensure data security best practices in every project.

As with any connected device, there are risks to security technology that must be addressed. Similar to other devices attached to a network, these can include unauthorized access, denial of service attacks, and repurposing a device by downloading malware. We have seen increasing use of data security best practices in our industry, but there is still room for improvement. Do you know what to look for when considering data security? Let’s break down some of the key points for minimizing risk.

Operating Systems

Full featured operating systems, such as Linux or Windows, provide services to install and run applications and support file systems and general purpose remote sessions, and these services can be used to attack the system. Most VMS servers and NVRs reside on either a Windows or Linux operating system, making it imperative that the most current updates and patches are applied. Also, ensure the VMS can work with a firewall up, anti-virus software, and within network policies. This includes hardened passwords, restricted physical and network access, and disabling USB ports.

As for IP cameras and intrusion system devices, their operating systems should be closed and run in limited memory space. There should be no capability to create files, and nothing should be able to be written to the device itself with the exception of digitally signed firmware. Devices that can run third-party apps can be weaponized and used as an attack platform against a network.

Password Use

User accounts and access to devices is one of the largest issues today. For example, many IP cameras are installed with the default user name and password. If installed on an accessible network, a connection can be established from anywhere in the world. Devices should have a force password feature that also adheres to password policies.

User Access Rights

For remote access, users should be required to use a password to access system functionality. Apps or other means of remote command and control should limit user access to only the features they are authorized to use at the system level. This ensures only authorized people have access to data.

Encryption and Authentication

To reduce the possibility of data being intercepted, viewed, and analyzed by packet sniffers, unencrypted communication channels should be avoided. Systems should support encryption of data transmitted over the network and to the cloud using up to 256-bit AES Encryption. AES encryption that uses Cipher Block Chaining (CBC), which changes the key with each message, can also greatly reduce the possibility of decoding. Systems should also support certificates used in secure network scenarios, such as Public Key Infrastructure (PKI).

For end-to-end security of video systems, all network-wide communications between the cameras, recording devices and video management system should be assigned an authentication key. This ensures that an infrastructure of trust is built before network-wide communications start. Video devices should also include a built-in Trusted Platform Module to safely store cryptographic keys used for authentication and encryption. All cryptographic operations for authentication and encryption should only be executed inside the Trusted Platform Module.

For mission critical video applications, consider taking authentication a step further by using a system that supports the use of certificates as well as highly-secure identification and authentication through multi-factor smart card credentials.

For intrusion systems, end-to-end encryption is essential for remote programming data. Authentication of control panel communications is also important. The receiver at the monitoring center should perform authentication on all messages to prevent replay or substitution of the control panel. Replay of messages occurs when a network sniffer is used to record messages and attempt to play them back. Substitution occurs when a panel is replaced by another panel. These tactics attempt to fool the receiver that a panel is still online and working when there is actually a problem. Authentication can be done by using a key to verify each message that is received. The key should be changed with each message, including supervision, openings and closings, and alarm events.

Port Usage

Network and vulnerability scanners are designed to scan a specific range of ports and the protocols associated with those ports. The more ports that are open on a system, the more opportunity there is to leverage a device or the services on that device. Ports that are not needed in a particular installation should be disabled.

Today, internet access to security devices, such as IP cameras and intrusion control panels, is desired for maintenance, updates and remote access, especially to cut costs. It is recommended to only use cloud connecting cameras and no port-forwarding configurations. Also, protocols such as Telnet should not be used. For cloud-ready control panels, ensure they are programmed with a unique cloud ID and PKI certificate that will allow a mutually authenticated Transport Layer Security (TLS) connection to the cloud services. These advanced cryptology standards help to prevent eavesdropping, substitution, and data tampering. The cloud should also be continuously monitored and updated to maintain the security of connected devices.

Prevention of Denial-of-Service (DoS) Attacks

All computing systems have a finite set of resources, such as processing power and memory, to use, and this is especially true for embedded devices. A DoS attack can occur when a hacker opens multiple TCP sessions with a device, rendering it unable to receive additional messages. Consider ways to minimize the risk of a denial of service attack caused by a flood of network traffic.

For example, although a flood of network traffic will not cause a failure of a security control panel that prevents it from monitoring the physical security of the premises, very high levels of traffic may cause the loss of received packets. If the high volume of traffic is over an extended time, the loss of received packets could result in communication failures. To prevent this, connections with remote programming software should be authenticated. For monitoring center receivers, the receiver should only process data that is expected and in the proper format. If the account is not in the receiver’s account database or the data isn’t in the correct format, the receiver should not spend time processing and responding to the message.

The Highest Standards

Given today’s environment, where a single weak link is all it takes for a hacker to jeopardize an entire data system, it is imperative to protect all facets of a system. Make sure you are taking the proper precautions with the systems you are purchasing or installing and understand how to achieve the highest standards in end-to-end data security.

This article originally appeared in the September 2018 issue of Security Today.

Genetec, SaferWatch Bring Real-Time Vehicle Intelligence to Public Safety Agencies
05/08/2025
ZBeta Strengthens Its Advisory Bench with New Appointment
05/05/2025
Security Trends Reshaping Enterprise Resilience Into 2027
05/05/2025
Amerant Bank Selects Omnilert AI Technology for Enhanced Video Surveillance Security
05/02/2025
Minnesota County Is Still Reaping Huge Benefits from ASAP Service
05/01/2025
Winsted Unveils Pinnacle Collection with Sliding Worksurface
04/30/2025
Everon Awarded Sourcewell Cooperative Purchasing Contract
04/30/2025
Honeywell Signs Global Distribution Agreement With Milestone Systems
04/28/2025

Featured

TSA Begins REAL ID Full Enforcement Today

Today, the Transportation Security Administration (TSA) announced the imminent implementation of its REAL ID enforcement measures at TSA checkpoints nationwide. Read Now
Body-Worn Cameras on the Rise

On the evening of Oct. 29, 2024, the owner of 300 Guard based in Houston, was shot while on duty at a convenience store. He returned fire. He was wearing a plated vest and thankfully recovered in the hospital. Read Now
- Government
Brazil Port Enhances Surveillance and Supports Wildlife Conservation with Sustainable Technology

Ferroport, which operates the iron ore terminal at the Port of Açu in São João da Barra, Rio de Janeiro, Brazil, has deployed state-of-the-art video surveillance cameras from Axis Communications to enhance nighttime security and visibility, while decreasing environmental impact and prioritizing sustainability. With cutting-edge technology, the port now has precise surveillance cameras that capture high-quality nighttime images, while reducing the amount of artificial lighting that negatively impacts the surrounding ecosystem. Read Now
- Government
Fast-Forward from 1,000 B.C.E. to Today

The lock and key have been around since time immemorial. In fact, the locksmith profession is one of the oldest in the world when you consider the earliest wooden tumbler lock debuted three-plus millennia ago. Read Now
- Access Control
Verizon’s 2025 Data Breach Investigations Report Notes Alarming Cyberattack Surge Through Third Parties

Verizon Business recently released its 2025 Data Breach Investigations Report (DBIR), which reveals a significant increase in cyberattacks. The report found that third-party involvement in breaches has doubled to 30%, and exploitation of vulnerabilities has surged by 34%, creating a concerning threat landscape for businesses globally. Read Now
- Cybersecurity

Security Today eNews

Sign up today for essential industry news and product information that can help you stay afloat in the fast-paced world of security.

Email Address*Country*

Please type the letters/numbers you see above.

Webinars

Whitepapers

New Products

HD2055 Modular Barricade

Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation.
Hanwha QNO-7012R

The Q Series cameras are equipped with an Open Platform chipset for easy and seamless integration with third-party systems and solutions, and analog video output (CVBS) support for easy camera positioning during installation. A suite of on-board intelligent video analytics covers tampering, directional/virtual line detection, defocus detection, enter/exit, and motion detection.
Camden CV-7600 High Security Card Readers

Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.