Securing The Network

Securing The Network

Is your network secure? Hardening guide covers cyber security practices for deploying Milestone IP video

It is an understatement to say that IP networks have been a game changer for specifying, installing or managing video security and surveillance systems. When it comes to the health of an organization in today’s highly connected environment, it’s critical to understand network security vulnerabilities that may leave you or your customer open to compromise. High-profile data breaches have been in the news often over the past few years. While the security of networked video management systems has not made headlines, this may be about to change as it becomes increasingly common for surveillance to migrate to enterprise data network environments.


Everyone in an organization must understand at least the basics about network and software security. Attempts to compromise critical IT infrastructure are becoming more frequent, so everyone must take hardening and security seriously.

The recently released Milestone Systems XProtect Hardening Guide provides basic and advanced information for Milestone end users, system integrators, consultants and component manufacturers.

The guide describes security and physical security measures and best practices that can help secure XProtect Expert and XProtect Corporate VMS networks against cyber attacks. This includes security considerations for the hardware and software of servers, clients and network device components of the video surveillance system.

The Hardening Guide adopts standard security and privacy controls and maps them to each of the recommendations. The document is a valuable resource for compliance across industry and government security and network security requirements.


Unauthorized access to a video security network can impact system confidentiality, integrity and availability. Security flaws within IT-attached devices could potentially provide a platform from which to launch attacks on other IT systems. It must be acknowledged that all systems contain vulnerabilities, and that there are external as well as internal attackers looking for ways to exploit these vulnerabilities.

Developing and implementing security measures and best practices is known as “hardening” - a continuous process of identifying and understanding security risks, and taking appropriate steps to counter them. The process is dynamic because threats, and the systems they target, are continuously evolving.

Most of the information in the Hardening Guide focuses on IT settings and techniques, but it’s important to remember that physical security is also a vital part of hardening. For example, use physical barriers to servers and client computers, and make sure that things like camera enclosures, locks, tamper alarms, and access controls are secure. The following actionable steps for hardening a VMS are outlined within the guide.

  • Understanding what components need to be protected.
  • Hardening surveillance system components including physical and virtual servers, client computers and devices, the network and cameras.
  • Documenting and maintaining security settings for each system.
  • Training and investing in the right people and skills, including the supply chain.


There are many sources of threats to a VMS, including business, technology, process and human attacks or failures. Threat takes place over a lifecycle. The threat lifecycle, sometimes called the “cyber kill” or “cyber threat chain,” was developed to describe the stages of advanced cyber threats. Each stage of a threat lifecycle takes time. The amount of time for each stage is particular to the threat, or combination of threats, its actors and targets.

The threat lifecycle is important for risk assessment because it shows where threats can be mitigated. The goal is to reduce the number of vulnerabilities, and to address them as early as possible. For example, discouraging an attacker who is probing a system for vulnerabilities can eliminate a threat.

Hardening puts in place actions that mitigate threats for each phase in the threat lifecycle. For example, during the reconnaissance phase an attacker scans to find open ports and determine the status of services that are related to the network and the VMS. To mitigate this, hardening guidance is to close unnecessary system ports in XProtect Advanced VMS and Windows configurations.


The overall process of risk and threat assessment, and the implementation of security controls, is referred to as a risk management framework. The process is interactive, and responses and their outcomes are iterative. Security threats, risks, responses and results are dynamic and adapt, and as a result so must a security plan.

Security and privacy controls represent specific actions and recommendations to implement as part of a risk management process. It’s important that the process includes the assessment of the organization, the particular requirements of a given deployment, and the aggregation of these activities into a security plan.

When hardening a system, IT and security professionals must balance the impact on business productivity and usability for the sake of security, and vice versa, in the context of the services you deliver. Security guidance is not isolated from other business and IT activities. For example, when a user enters their password incorrectly on three consecutive attempts, the password is blocked and they cannot access the system. The system is secure from brute-force attacks, but the unlucky user cannot use the device to do their work. A strong password policy that requires 30 character passwords and the changing of passwords every 30 days is a best practice, but it’s also difficult to use.


To harden system components, technicians change configurations to reduce the risk of a successful attack. Attackers look for vulnerabilities in exposed parts of the system. Surveillance systems can involve hundreds or thousands of components and failure to secure just one can compromise the system.

The need to maintain configuration information is sometimes overlooked. XProtect Advanced VMS provides features for managing configurations, but organizations must have a policy and process in place, and commit to doing the work.

In order to be as universally applicable as possible, the Milestone VMS Hardening Guide leverages country, international, and industry standards and specifications. In particular, it refers to the U. S. Department of Commerce National Institute of Standards and Technology Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations. Additionally, camera manufacturers provide guidance for their hardware devices.

It is important to include hardware devices in all efforts to harden a VMS installation. For example, cameras often have default passwords. Some manufacturers publish these passwords online so they’re easy for customers to find. Unfortunately, that means the passwords are also available to attackers.

In addition to software, the components of an XProtect Advanced VMS installation typically include hardware devices, such as cameras, encoders, networking products and storage systems. It also includes servers and client computers (physical or virtual machines) and mobile devices, such as smartphones and tablets.


A critical component of defending against cyber attacks and vulnerabilities is to stay informed. IT and security managers need to be aware of issues that affect software and hardware, including operating systems, mobile devices, cameras, storage and network devices. A reliable point-of-contact should be established for all system components, with reporting procedures to track bugs and system vulnerabilities. It’s important to keep current on common vulnerabilities and exposures, and to communicate with manufacturers often.

This article originally appeared in the November 2016 issue of Security Today.


  • Maximizing Your Security Budget This Year

    7 Ways You Can Secure a High-Traffic Commercial Security Gate  

    Your commercial security gate is one of your most powerful tools to keep thieves off your property. Without a security gate, your commercial perimeter security plan is all for nothing. Read Now

  • Survey: Only 13 Percent of Research Institutions Are Prepared for AI

    A new survey commissioned by SHI International and Dell Technologies underscores the transformative potential of artificial intelligence (AI) while exposing significant gaps in preparedness at many research institutions. Read Now

  • Survey: 70 Percent of Organizations Have Established Dedicated SaaS Security Teams

    Seventy percent of organizations have prioritized investment in SaaS security, establishing dedicated SaaS security teams, despite economic uncertainty and workforce reductions. This was a key finding in the fourth Annual SaaS Security Survey Report: 2025 CISO Plans and Priorities released today by the Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment. Read Now

  • Mobile Applications Are Empowering Security Personnel

    From real-time surveillance and access control management to remote monitoring and communications, a new generation of mobile applications is empowering security personnel to protect people and places. Mobile applications for physical security systems are emerging as indispensable tools to enhance safety. They also offer many features that are reshaping how modern security professionals approach their work. Read Now

Featured Cybersecurity


New Products

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis. 3