Securing The Network
Is your network secure? Hardening guide covers cyber security practices for deploying Milestone IP video
- By Bjørn Eilertsen
- Nov 01, 2016
It is an understatement to say that IP networks have been a game changer for
specifying, installing or managing video security and surveillance systems.
When it comes to the health of an organization in today’s highly connected
environment, it’s critical to understand network security vulnerabilities that
may leave you or your customer open to compromise.
High-profile data breaches have been in the news often over the past few years.
While the security of networked video management systems has not made headlines,
this may be about to change as it becomes increasingly common for surveillance
to migrate to enterprise data network environments.
UNDERSTANDING THE BASICS
Everyone in an organization must understand at least the basics about network
and software security. Attempts to compromise critical IT infrastructure are becoming
more frequent, so everyone must take hardening and security seriously.
The recently released Milestone Systems
XProtect Hardening Guide provides
basic and advanced information
for Milestone end users, system integrators,
consultants and component
The guide describes security and
physical security measures and best
practices that can help secure XProtect
Expert and XProtect Corporate VMS
networks against cyber attacks. This
includes security considerations for the
hardware and software of servers, clients
and network device components
of the video surveillance system.
The Hardening Guide adopts standard
security and privacy controls and
maps them to each of the recommendations.
The document is a valuable
resource for compliance across industry
and government security and network
WHAT IS “HARDENING?”
Unauthorized access to a video security
network can impact system confidentiality,
integrity and availability. Security
flaws within IT-attached devices could
potentially provide a platform from
which to launch attacks on other IT systems.
It must be acknowledged that all
systems contain vulnerabilities, and that
there are external as well as internal attackers
looking for ways to exploit these
Developing and implementing security
measures and best practices is known
as “hardening” - a continuous process of
identifying and understanding security
risks, and taking appropriate steps to
counter them. The process is dynamic
because threats, and the systems they
target, are continuously evolving.
Most of the information in the
Hardening Guide focuses on IT settings
and techniques, but it’s important
to remember that physical security is
also a vital part of hardening. For example,
use physical barriers to servers
and client computers, and make sure
that things like camera enclosures,
locks, tamper alarms, and access controls
are secure. The following actionable
steps for hardening a VMS are outlined
within the guide.
- Understanding what components
need to be protected.
- Hardening surveillance system components
including physical and virtual
servers, client computers and
devices, the network and cameras.
- Documenting and maintaining security
settings for each system.
- Training and investing in the right
people and skills, including the supply
CYBER RISKS AND THREATS
There are many sources of threats to a
VMS, including business, technology,
process and human attacks or failures.
Threat takes place over a lifecycle. The
threat lifecycle, sometimes called the
“cyber kill” or “cyber threat chain,”
was developed to describe the stages of advanced cyber threats. Each stage of a threat lifecycle takes time. The amount
of time for each stage is particular to
the threat, or combination of threats,
its actors and targets.
The threat lifecycle is important for
risk assessment because it shows where
threats can be mitigated. The goal is to
reduce the number of vulnerabilities,
and to address them as early as possible.
For example, discouraging an attacker
who is probing a system for vulnerabilities
can eliminate a threat.
Hardening puts in place actions that
mitigate threats for each phase in the
threat lifecycle. For example, during the
reconnaissance phase an attacker scans
to find open ports and determine the
status of services that are related to the
network and the VMS. To mitigate this,
hardening guidance is to close unnecessary
system ports in XProtect Advanced
VMS and Windows configurations.
CYBER RISK MANAGEMENT
The overall process of risk and threat
assessment, and the implementation of
security controls, is referred to as a risk
management framework. The process
is interactive, and responses and their
outcomes are iterative. Security threats,
risks, responses and results are dynamic
and adapt, and as a result so must a security
Security and privacy controls represent
specific actions and recommendations
to implement as part of a risk
management process. It’s important
that the process includes the assessment
of the organization, the particular requirements
of a given deployment, and
the aggregation of these activities into
a security plan.
When hardening a system, IT and
security professionals must balance the
impact on business productivity and usability
for the sake of security, and vice
versa, in the context of the services you
deliver. Security guidance is not isolated
from other business and IT activities.
For example, when a user enters
their password incorrectly on three
consecutive attempts, the password is
blocked and they cannot access the system.
The system is secure from brute-force attacks, but the unlucky user cannot use the device to do their work. A
strong password policy that requires 30
character passwords and the changing
of passwords every 30 days is a best
practice, but it’s also difficult to use.
To harden system components, technicians
change configurations to reduce
the risk of a successful attack. Attackers
look for vulnerabilities in exposed parts
of the system. Surveillance systems can
involve hundreds or thousands of components
and failure to secure just one
can compromise the system.
The need to maintain configuration
information is sometimes overlooked.
XProtect Advanced VMS provides features
for managing configurations, but
organizations must have a policy and
process in place, and commit to doing
In order to be as universally applicable
as possible, the Milestone VMS
Hardening Guide leverages country,
international, and industry standards
and specifications. In particular, it refers
to the U. S. Department of Commerce
National Institute of Standards
and Technology Special Publication
800-53 Revision 4 Security and Privacy
Controls for Federal Information Systems
and Organizations. Additionally,
camera manufacturers provide guidance
for their hardware devices.
It is important to include hardware
devices in all efforts to harden a VMS
installation. For example, cameras often
have default passwords. Some manufacturers
publish these passwords online so
they’re easy for customers to find. Unfortunately,
that means the passwords
are also available to attackers.
In addition to software, the components
of an XProtect Advanced VMS
installation typically include hardware
devices, such as cameras, encoders, networking
products and storage systems.
It also includes servers and client computers
(physical or virtual machines)
and mobile devices, such as smartphones
A critical component of defending
against cyber attacks and vulnerabilities
is to stay informed. IT and security managers
need to be aware of issues that affect
software and hardware, including operating
systems, mobile devices, cameras,
storage and network devices. A reliable
point-of-contact should be established
for all system components, with reporting
procedures to track bugs and system
vulnerabilities. It’s important to keep current
on common vulnerabilities and exposures,
and to communicate with manufacturers
This article originally appeared in the November 2016 issue of Security Today.