Don’t Reinvent the Wheel

Don’t Reinvent the Wheel

Six critical cybersecurity issues for video networks

As engineers, integrators, and administrators of IP video management and other network-based security systems, we have a heavy reliance on the network. If the core network system isn’t working correctly— or is under attack from internal as well as external threats—the system will not be able to perform its functions as intended, and any security breach can reach far beyond the security network to the rest of the organization’s digital infrastructure.

Edge devices of all types, including cameras, are a vulnerable part of a network. Any video security system design must take this into account. Because no single solution can meet all applications or address all threats, a multi-layered approach is best for deploying an optimally functional and secure network.

Fortunately, there are proven, standardized frameworks available that systematically bring together network best practices. There’s no reason for video surveillance and security professionals to re-invent the wheel. Taking an IT industry standards approach makes it easy to design and deploy secure video networks. Here are several network security topics often overlooked by video surveillance professionals.

Brute Force Attack

A brute force attack is a trial-and-error method used to obtain information such as user passwords or PIN numbers. Hackers use software that tries different character combinations in quick succession to crack passwords. Short and simple passwords—those that only use alphabetical characters—are easier to break than longer passwords with a mix of letters, numbers and special characters. Hackers often persist for hours, days, or even years in finding a way into a target.

Edge devices are some of the most vulnerable pieces in installations. Most cameras today can encrypt command and control traffic, but to do this, a certificate needs to be assigned to it. Typically, a selfassigned certificate is used, but which in itself is not inherently secure. So how do we introduce some certificate authority and manage the certificates from the devices and the recording servers, with a thirdparty, certificate/policy enforcement utility.

Policy management utilities can dictate password changes and password hygiene. Administrators can request that they want all cameras to have a password, say, with 25 characters, and the server will randomly generate and assign the passwords. No one involved would know the passwords, and that information is not needed as long as it resides in both the recording platform and on the camera. The policy management server can even go out to the cameras and apply password changes on a schedule, and at the same time update the video management system to ensure zero downtime.

Active Directory Attack

Active Directory is a Windows OS directory service that facilitates working with interconnected network resources. Active Directory was launched almost twenty years ago, and the security landscape has changed dramatically since. Unfortunately, businesses have not adapted their Active Directory environment to meet these new security needs and, as a result, we are seeing attackers exploit this weakness more frequently.

One of the first steps in preventing an attack on Active Directory is to make sure there’s visibility into all Active Directory activities. An Active Directory auditing solution can assist with this and help administrators be proactively alerted to suspicious activity before a full-blown attack. For every enterprise network, there should be a complete Active Directory Disaster Recovery plan in place to minimize the impact of an attack, and all for damage to be reversed within just a few hours.

Lost and Stolen Asset Devices

There are vulnerabilities everywhere, and much is dictated by the number of system endpoints. The number of PCs on a network used to be the main concern, but the primary concern now is all the IoT and edge devices—including cameras and all types of sensors—that connect to a network.

It is critical to secure all device communications with the backend systems and make it difficult for someone to access the network from the outside world, through a lost or stolen device. Keep in mind that if it’s easy to access a network, it’s probably vulnerable. Administrators have to strike a balance between security and usability and make sure we err on the side of assuring security.

The practice of Network Segmentation is a useful security layer within an overall security system design. It’s surprising how many video management software (VMS) systems don’t use any network segmentation methodology. Through network segmentation best practices, we can add difficulty in accessing parts of a network.

Insider Threats

An insider threat is a security threat that originates from within the organization being targeted, often by an employee or officer of an organization. An insider threat does not have to be a current employee, but can also be a former employee or anyone who at one time had access to the network. Logic Bombs are a type of malicious software that can be left running on a system by former employees, which can cause a wide range of problems.

Contractors, business associates, and other individuals or thirdparty entities who have or have had access to protected networks or databases also fall under the umbrella of insider threat. Network segmentation, robust password policies, and a pro-active, on-going review of all network activity is critical in protecting against internal threats.


Ransomware is a type of malicious software that threatens to publish the victim’s data or perpetually block access to the data unless a ransom is paid. User education and awareness are critical when it comes to defeating ransomware. Treat suspicious emails with caution. Inspect email domain names and hover over links to see where they lead. Extending security through the use of anti-virus, anti-spyware on devices at the network perimeter is critical.

Most ransomware will try to spread from the endpoint to the server/storage where all the data and mission-critical applications reside. Segmenting the network and keeping critical apps and devices isolated on a separate network or virtual LAN can limit the spread.

Sandboxing technologies can provide the ability to quarantine suspicious files for analysis before they can enter the network. The files are held at the gateway for evaluation. Adopt a layered approach to stop ransomware by avoiding a single point of failure in the security architecture, and have a robust backup and recovery plan in place.

Physical Layer Compromise

Many company server rooms and data centers have easy-to-exploit physical vulnerabilities that don’t require digitally hacking into the network. Intruders simply looking to vandalize the servers can create a huge and costly level of damage.

Some of the ways of gaining access simply include accessing improperly installed doors or windows, picking locks, crawling through void spaces in the walls or above false ceilings, and “tailgating” into the building by posing as a contractor or vendor.

A major physical design flaw with server rooms is with the drop ceilings and raised floors where the walls don’t go up to the real ceiling or down to the subfloor. Intruders need to simply remove a ceiling tile from a nearby area and then crawl to the server room from above. And raised floors and crawl spaces—built for cabling and cooling purposes—can also be physically exploited.

For optimum physical protection, a combination of multiple security strategies is needed, including the use of professional-grade access control systems and locks requiring authentication, proper wall and structure design that reduces void spaces and presents physical barriers. Alarm sensors placed within potential access points is a good strategy as well. Of course, clear and detailed, documented security and access polices must be established, communicated with employees and strictly followed.

ISO 27001 and the Risk Assessment

The days of system and network isolation are over. Organizations must adopt policies and best practices that allow decision makers to have clear insight into security all practices. These policies must reach across network design, information system use, product development and, in many cases, the entire supply chain. Successful integrated solutions are the ones that withstand the test of time and are built with the cooperation of users and administrators with proper processes and technology.

The ISO/IEC 27001 information security standard, being the most widely accepted framework for the development and improvement of information security management systems, belongs to the consistently growing ISO 27000 family of best-practice security frameworks—an assembly of resources that make for seamless integration of disciplines and sub-systems. Among the others are the ISO 27005 standard, which speaks specifically to information risk management, offers a pragmatic mapping to enterprise risk management following standards like ISO 3100.

Also, the recently updated ISO/IEC 27004:2016 provides systematic guidance on how to develop and operate measurement processes for the effectiveness of security controls of products and services, as well as how to assess and report the results in the form of functional information security metrics for continuous improvement.

Whether you are an engineer or consultant responsible for security and reporting to management or an executive who needs better information for decision making, security metrics have become an essential vehicle for communicating the state of an organization’s cyber-risk posture.

To mitigate risk, comply with legislation, and assure the confidentiality, integrity, availability, and accountability of information for your company, employees, and customers—create a written data security policy based on established guidelines, enforced through regular training, reviews, and assessments.

Milestone Systems Cybersecurity Technical Forum

A critical component of defending against cyber-attacks and vulnerabilities is to stay informed. IT and security managers need to be aware of issues that affect software and hardware, including operating systems, mobile devices, cameras, storage devices, and network devices.

A reliable point-of-contact should be established for all system components, with reporting procedures to track bugs and system vulnerabilities. It’s important to keep current on common vulnerabilities and exposures for all system components and to communicate with manufacturers often.

This article originally appeared in the July/August 2019 issue of Security Today.


  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity


New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3

  • ResponderLink


    Shooter Detection Systems (SDS), an company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3