Cybersecurity Defense Strategies for Video Management Systems
- By Evan Stuckless
- Jan 03, 2020
As engineers, integrators, and administrators of IP video management and other network-based security systems, we have a very heavy reliance on the network. Edge devices of all types, and especially cameras, are a vulnerable part of a network. Any video security system design must take this into account. And because one solution does not fit all applications or address all threats, a multi-layered approach is best for deploying an optimally functional and secure network.
Unauthorized access to a video security network can impact system confidentiality, integrity and availability. Security flaws within IT-attached devices could potentially provide a platform from which to launch attacks at other IT systems. It must be acknowledged that all systems contain vulnerabilities, and that there are external as well as internal attackers looking for ways to exploit these vulnerabilities.
Developing and implementing security measures and best practices is known as “hardening.” Hardening is a continuous process of identifying and understanding security risks and taking appropriate steps to counter them. The process is dynamic because the threats and the systems they target, are continuously evolving.
Most hardening information focuses on IT settings and techniques, but it’s important to remember that physical security, education, and awareness, are also a vital part of hardening. For example, use physical barriers to servers and client computers, and make sure that things like camera enclosures, locks, tamper alarms, and access controls are secure. Actionable steps for hardening a video management system include:
• Understanding what components need to be protected
• Hardening surveillance system components including servers, client computers, and devices
• Documenting and maintaining software updates and security settings for each system
• Training and investing in the right people and skills — including the supply chain
Fortunately, there are proven, standardized frameworks available that systematically bring together best practices. There's no reason for video surveillance and security professionals to re-invent the wheel. Taking an IT industry standards approach makes it easy to design and deploy secure video networks. Here are several security topics often overlooked by video surveillance professionals.
Brute Force Attack
A brute force attack is a trial-and-error method used to obtain information such as user passwords or PIN numbers. Hackers use software that tries different character combinations in quick succession to crack passwords. Short and simple passwords—those that only use alphabetical characters—are easier to break than longer passwords with a mix of letters, numbers and special characters. Hackers often persist for hours, days, or even years in finding a way into a target.
Edge devices are some of the most vulnerable pieces in VMS installations. This is especially true if the installer leaves the default password unchanged. While isolating the device network from other networks is the best way to prevent unauthorized access to devices, we should still remember to change those default passwords. Most device manufacturers have tools to do this in a quick batch job. Some VMS vendors also have their own tools to do this directly from the VMS administration interface. It can even be done on a regular time interval, as required in some jurisdictions. Changing passwords directly from the VMS saves the installer from having to enter the password in two separate locations. Password complexity and length can be adjusted to a level that makes brute-forcing a poor strategy.
Active Directory is a Windows OS directory service that facilitates working with interconnected network resources. Centralizing user and computer management into Active Directory (AD) can improve security in many ways. For one, user authentication can be handled by AD, which has protections against brute-force attacks. Group Policy can be used to manage many everyday IT security tasks like password policy and computer security settings. Kerberos authentication adds another level of security. More than anything else, Active Directory can help with eliminating mistakes that can happen in distributed systems where IT staff needs to perform the same work on multiple machines, one by one.
Perhaps the most important mistake from a cybersecurity perspective is user management. Having multiple user accounts on different systems can be difficult and time-consuming to manage. By using a centralized system like Active Directory, users can be added and deleted in just one place and the change is propagated across the entire organization. This stops former employees and contractors from gaining access when they shouldn’t have it anymore.
Segmentation is an effective but often overlooked network arrangement. In it, different networks are separated from each other by a firewall appliance, or by total isolation. Does the accounting team need access to the VMS, and vice versa? By focusing on the least privilege principle, we shouldn’t allow users (and computers) access to resources they don’t need to get their job done. By implementing a segmented network approach, we can centralize what is allowed to pass from one segment to another.
In the VMS industry, a total isolation is often the standard approach. This is a terrific way to eliminate all kinds of threats originating from other networks. While it isn’t an excuse to forget about security, it reduces many of the most prevalent threats.
One of the most important security improvements we have seen both on the web and the VMS space over the last several years is encrypting everything. It’s hard to find websites that don’t encrypt traffic, whether it’s sensitive or not. Some might even argue that the encryption mania has gone too far. However, when the data is sensitive and there is a chance for unauthorized access either by eavesdropping network traffic, or accessing stored data, encryption is the right tool to protect it.
Different VMS systems implement data flow differently, so one strategy won’t work for everyone. As a rule of thumb, we can think of device data flowing through multiple steps. First it is received over the network by a recording server. Then, it may or may not be recorded on disk depending on the system configuration. Client applications request live or recorded data on demand. Finally, if deemed necessary, the data may have to be exported for handing over to authorities. All of these stages pose cybersecurity risks as well as privacy risks for the subjects in the data. Using encryption in every stage avoids unauthorized access.
Physical Layer Compromise
Many company server rooms and data centers have easy-to-exploit physical vulnerabilities that don't require hacking into the network. Physical access bypasses most security measures, whether intruders are simply looking to vandalize the servers, or do something more sophisticated.
Some of the ways of gaining access simply include accessing improperly installed doors or windows, picking locks, crawling through void spaces in the walls or above false ceilings, and “tailgating" into the building by posing as a contractor or vendor.
Server rooms shouldn’t be the only concern. If access is available on any available network socket, it should be considered a risk. Also, unplugging existing equipment and connecting the attacker’s own equipment can give unauthorized access.
For optimum physical protection, a combination of multiple security strategies is needed, including the use of professional-grade access control systems and locks requiring authentication, proper wall and structure design that reduces void spaces and presents physical barriers. Alarm sensors placed within potential access points is a good strategy as well. And of course, clear and detailed, documented security and access polices must be established, communicated with employees and strictly followed.
Stay Informed and Up to Date
A critical component of defending against attacks and vulnerabilities is to simply stay informed and up to date. IT and security managers need to be aware of issues that affect software and hardware, including operating systems, mobile devices, cameras, storage devices, and network devices. It’s important to keep current on common vulnerabilities and exposures for all system components, and to communicate with manufacturers and security professionals often.
However, education and awareness shouldn’t be limited to security and IT staff alone. Everyone needs to have a basic level of understanding of threats against our own human behavior. Why are phishing e-mails and other types of e-mail scams so common? Because there’s always someone who is clicking on those links. The same applies in a physical setting. If your company’s receptionist meets a visitor who forgot to print something for a meeting they are having, should he or she insert the USB stick with said files to a company computer? No. There’s a good chance it contains some kind of malware that could spread across the organization.
As long as we humans are such an easy target, attackers are going to take advantage of it. Systems integrators and organizations of all sizes must adopt policies and proven IT network best practices to combat various threats. Educating employees about these common threats is as important as all the technical protections we can apply.