Cybersecurity Defense Strategies for Video Management Systems

  • By Evan Stuckless
  • Jan 03, 2020

As engineers, integrators, and administrators of IP video management and other network-based security systems, we have a very heavy reliance on the network. Edge devices of all types, and especially cameras, are a vulnerable part of a network. Any video security system design must take this into account. And because one solution does not fit all applications or address all threats, a multi-layered approach is best for deploying an optimally functional and secure network.

Unauthorized access to a video security network can impact system confidentiality, integrity and availability. Security flaws within IT-attached devices could potentially provide a platform from which to launch attacks at other IT systems. It must be acknowledged that all systems contain vulnerabilities, and that there are external as well as internal attackers looking for ways to exploit these vulnerabilities.

System Hardening

Developing and implementing security measures and best practices is known as “hardening.” Hardening is a continuous process of identifying and understanding security risks and taking appropriate steps to counter them. The process is dynamic because the threats and the systems they target, are continuously evolving.

Most hardening information focuses on IT settings and techniques, but it’s important to remember that physical security, education, and awareness, are also a vital part of hardening. For example, use physical barriers to servers and client computers, and make sure that things like camera enclosures, locks, tamper alarms, and access controls are secure. Actionable steps for hardening a video management system include:

• Understanding what components need to be protected
• Hardening surveillance system components including servers, client computers, and devices
• Documenting and maintaining software updates and security settings for each system
• Training and investing in the right people and skills — including the supply chain

Fortunately, there are proven, standardized frameworks available that systematically bring together best practices. There's no reason for video surveillance and security professionals to re-invent the wheel. Taking an IT industry standards approach makes it easy to design and deploy secure video networks. Here are several security topics often overlooked by video surveillance professionals.

Brute Force Attack

A brute force attack is a trial-and-error method used to obtain information such as user passwords or PIN numbers. Hackers use software that tries different character combinations in quick succession to crack passwords. Short and simple passwords—those that only use alphabetical characters—are easier to break than longer passwords with a mix of letters, numbers and special characters. Hackers often persist for hours, days, or even years in finding a way into a target.

Edge devices are some of the most vulnerable pieces in VMS installations. This is especially true if the installer leaves the default password unchanged. While isolating the device network from other networks is the best way to prevent unauthorized access to devices, we should still remember to change those default passwords. Most device manufacturers have tools to do this in a quick batch job. Some VMS vendors also have their own tools to do this directly from the VMS administration interface. It can even be done on a regular time interval, as required in some jurisdictions. Changing passwords directly from the VMS saves the installer from having to enter the password in two separate locations. Password complexity and length can be adjusted to a level that makes brute-forcing a poor strategy.

Active Directory

Active Directory is a Windows OS directory service that facilitates working with interconnected network resources. Centralizing user and computer management into Active Directory (AD) can improve security in many ways. For one, user authentication can be handled by AD, which has protections against brute-force attacks. Group Policy can be used to manage many everyday IT security tasks like password policy and computer security settings. Kerberos authentication adds another level of security. More than anything else, Active Directory can help with eliminating mistakes that can happen in distributed systems where IT staff needs to perform the same work on multiple machines, one by one.

Perhaps the most important mistake from a cybersecurity perspective is user management. Having multiple user accounts on different systems can be difficult and time-consuming to manage. By using a centralized system like Active Directory, users can be added and deleted in just one place and the change is propagated across the entire organization. This stops former employees and contractors from gaining access when they shouldn’t have it anymore.

Network segmentation

Segmentation is an effective but often overlooked network arrangement. In it, different networks are separated from each other by a firewall appliance, or by total isolation. Does the accounting team need access to the VMS, and vice versa? By focusing on the least privilege principle, we shouldn’t allow users (and computers) access to resources they don’t need to get their job done. By implementing a segmented network approach, we can centralize what is allowed to pass from one segment to another.

In the VMS industry, a total isolation is often the standard approach. This is a terrific way to eliminate all kinds of threats originating from other networks. While it isn’t an excuse to forget about security, it reduces many of the most prevalent threats.

Encryption

One of the most important security improvements we have seen both on the web and the VMS space over the last several years is encrypting everything. It’s hard to find websites that don’t encrypt traffic, whether it’s sensitive or not. Some might even argue that the encryption mania has gone too far. However, when the data is sensitive and there is a chance for unauthorized access either by eavesdropping network traffic, or accessing stored data, encryption is the right tool to protect it.

Different VMS systems implement data flow differently, so one strategy won’t work for everyone. As a rule of thumb, we can think of device data flowing through multiple steps. First it is received over the network by a recording server. Then, it may or may not be recorded on disk depending on the system configuration. Client applications request live or recorded data on demand. Finally, if deemed necessary, the data may have to be exported for handing over to authorities. All of these stages pose cybersecurity risks as well as privacy risks for the subjects in the data. Using encryption in every stage avoids unauthorized access.

Physical Layer Compromise

Many company server rooms and data centers have easy-to-exploit physical vulnerabilities that don't require hacking into the network. Physical access bypasses most security measures, whether intruders are simply looking to vandalize the servers, or do something more sophisticated.

Some of the ways of gaining access simply include accessing improperly installed doors or windows, picking locks, crawling through void spaces in the walls or above false ceilings, and “tailgating" into the building by posing as a contractor or vendor.

Server rooms shouldn’t be the only concern. If access is available on any available network socket, it should be considered a risk. Also, unplugging existing equipment and connecting the attacker’s own equipment can give unauthorized access.

For optimum physical protection, a combination of multiple security strategies is needed, including the use of professional-grade access control systems and locks requiring authentication, proper wall and structure design that reduces void spaces and presents physical barriers. Alarm sensors placed within potential access points is a good strategy as well. And of course, clear and detailed, documented security and access polices must be established, communicated with employees and strictly followed.

Stay Informed and Up to Date

A critical component of defending against attacks and vulnerabilities is to simply stay informed and up to date. IT and security managers need to be aware of issues that affect software and hardware, including operating systems, mobile devices, cameras, storage devices, and network devices. It’s important to keep current on common vulnerabilities and exposures for all system components, and to communicate with manufacturers and security professionals often.

However, education and awareness shouldn’t be limited to security and IT staff alone. Everyone needs to have a basic level of understanding of threats against our own human behavior. Why are phishing e-mails and other types of e-mail scams so common? Because there’s always someone who is clicking on those links. The same applies in a physical setting. If your company’s receptionist meets a visitor who forgot to print something for a meeting they are having, should he or she insert the USB stick with said files to a company computer? No. There’s a good chance it contains some kind of malware that could spread across the organization.

As long as we humans are such an easy target, attackers are going to take advantage of it. Systems integrators and organizations of all sizes must adopt policies and proven IT network best practices to combat various threats. Educating employees about these common threats is as important as all the technical protections we can apply.

Featured

  • Security Industry Embraces Mobile Credentials, Biometrics and AI, New Trends Report From HID Finds

    As organizations navigate an increasingly complex threat landscape, security leaders are making strategic shifts toward unified platforms and emerging technologies, according to the newly released 2025 State of Security and Identity Report from HID. The comprehensive study gathered responses from 1,800 partners, end users, and security and IT personnel worldwide, and reveals a significant transformation in how businesses are approaching security, with mobile credentials and artificial intelligence emerging as key drivers of innovation. Read Now

  • UK’s NHS Hospital Transforms Security with Edge-processing Camera System

    i-PRO Co., Ltd.,(formerly Panasonic Security), a manufacturer of edge computing cameras for security and public safety, recently announced that a leading teaching hospital in Northeast England, has enhanced its security infrastructure with i-PRO X-Series cameras integrated with Milestone’s XProtect Video Management Software (VMS). Read Now

  • Gun Violence Report Finds Retail Spaces, K-12 Schools Most Targeted

    ZeroEyes, the creators of the only AI-based gun detection video analytics platform that holds the U.S. Department of Homeland Security SAFETY Act Designation, today announced the release of its annual Gun Violence Report, offering a deep dive into the landscape of gun-related incidents across the United States. This analysis extends beyond mass fatality events, providing a more nuanced understanding of when, where, and why shootings occur. Read Now

  • Agentic AI Will Revolutionize Cybercrime in 2025 According to New Report

    Malwarebytes, a provider in real-time cyber protection, recently released its 2025 State of Malware report, which reveals insight into the emergence of agentic artificial intelligence (AI), plus the year’s most prominent threats and cybercrime tactics. The report details a significant uptick in the number of known ransomware attacks, the total value of ransoms paid in 2024, and how IT teams can address them. Read Now

Most   Popular

New Products

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.