The Security of Your Security System

The Security of Your Security System

by Brian Carle

security-265130_960_720Ironically, not much attention has been paid to the security of most security systems. Anecdotal reports of video security deployments seem to indicate that more often than not, passwords are left at defaults, default accounts are left enabled, firewalls are not configured, and other best practices of proper information security are commonly not adhered to.

In the past two years several high profile data breaches, namely the Target data breach in 2014, have put greater focus on the data security of all network connected devices. More recently, prominent video security brands have had significant vulnerabilities exposed that could allow for malicious network attacks for organizations that have deployed the affected equipment.

Although attention is paid when a corporation suffers a major data breach, or a product vendor has an unintended vulnerability exposed, many “everyday” security deployments would benefit greatly from some basic IT best practices for securing network connected systems.

Default Passwords

Without question, changing default passwords on network connected devices should be standard practice. Although this practice should be in place for all network connected devices, in video security often camera passwords for default user accounts are not altered. Some camera vendors force a password to be set for the administrative account when first logging into the web interface, but if installers connect the cameras to the corresponding NVR without ever using the web interface, this step could be overlooked. Creating passwords that are difficult to guess may involve incorporating special characters, numbers and capitalization.

To take password security to the next level, use different passwords for all devices. It is quite common for all cameras to share the same password, even if the password has been changed from its default. In the event the new password becomes known to unauthorized individuals, all the camera devices become compromised.

Some organizations will go as far as removing default user accounts, so accounts can be created in their place without the default usernames. This is typically an effort to reduce the possibility of ‘brute force’ attacks, where combinations of passwords are attempted on a known user name. Not all video security products support this capability so if policy dictates this level of configuration, verify products support this function.

Locking Down Unused Services and Ports

server sphereCameras and NVRs often ship with all features and methods of access turned on by default. Once deployed, only subsets of these functions are ever used.

Leaving unused features and protocols turned on, exposes the camera and NVRs to methods of access that are not intended, and no additional system functionality is gained by leaving these settings turned on. Using a software firewall on an NVR and turning off unused services should be considered part of the basic configuration when deploying systems.

Some examples of services and protocols which should be turned off in most deployments include FTP, SSH or telnet, remote desktop, file sharing, UPnP and other discovery methods (after setup).

Network Segmentation and 802.1X

Deploying IP cameras means access to switch ports will be exposed in public locations. It’s possible a camera enclosure could be opened to access the network cable connecting the camera to the internal network, providing relatively easy physical access to other networked systems. This is particularly a concern for cameras mounted outdoors, on a rooftop or in a parking lot, because network access is available outside the physical protection of the building.

A first step to protecting unauthorized physical access to the network is to connect cameras to a switch that is not physically connected to the organization’s main computer network. This is commonly done by using an NVR with two or more network ports. One network port of the NVR connects to the camera-only network and the other side connects to the main network, allowing access to the video feeds. VLAN configuration can be used to segment ports on the same physical switch which prevents direct communication with other devices on that switch that are not defined as part of the VLAN, providing the same end result.

Some cameras and network switches offer 802.1X, which is a network switch level authentication protocol. In short, this functionality ensures only the device authorized to connect to a particular switch port is able to. If another device is plugged into an 802.1X protected switch port, it will not be able to communicate on the network. For deployments where cameras are located outside a building or in publically accessible locations, 802.1X capable switches and cameras should be strongly considered.

Encrypted Communications

Encryption of communications is what most people think of first on the topic of security. Using a network sniffing tool, account credentials and data can be recorded by an unauthorized device. Without encryption, captured data can be easily used by someone other than the intended recipient.

It is more common for encrypted communications to be considered for data being transmitted over a public network, such as the internet, however more network security professionals consider it necessary for internal network communications to prevent security breaches by unauthorized employees and contractors with network access.

Ongoing Patching and Management

Devices marketed as an “Appliance”, which may apply to an NVR or an IP camera, may not get the same level of IT attention that a standard Windows workstation or server deployment would, potentially leading to systems with known security vulnerabilities connected to the network. Some organizations have policies that require various departments to pay IT for support of newly connected Windows systems, or there may be a policy preference against using systems with a full Windows deployment in favor of ‘appliance’ devices due to a perception of reduced need for software updating and patching.

This is generally a mistaken perception. Devices marketed as ‘appliances’ are still running operating systems, generally Windows Embedded or Linux, and still connected to the network. An older version of an operating system on an appliance could present a security risk in the same way an unpatched and unsecured Windows computer would.

When considering an ‘Appliance’ best practice would dictate verifying the underlying Operating System used, the version and patch level of the OS. Also, ask the vendor how OS security issues are resolved when vulnerabilities are uncovered. A delay between a known OS vulnerability and the corresponding patch becoming available for the appliance should cause concern.

Post Installation Auditing

Consumers that are concerned over the configuration of deployed systems should consider third party or internal security auditing following the installation of a video security system. Adding this procedure is a simple and effective way to validate the installation is configured according to security policies and meets a minimum standard of security hardening.

Free scanning tools, such as Nmap, can be used to generate reports on what ports are open on a network connected device, providing for simple and fast verification of whether unused protocols are enabled. In addition, verifying password strength and other configuration mentioned herein should provide a basic means of validation system security post-installation.

When valuable data is compromised, there are significant risks to any organization. In the case of data belonging to a third party or a customer, the cost of the associated legal liability can be huge. Furthermore, the impact to an organization’s brand can have lasting consequences. Having a strong set of security best practices will minimize these risks and can differentiate integrators who educate consumers on the risks and technologies.

 

Originally posted by Brian Carle in the February 2016 issue of Security Today magazine.  As Director of Product Strategy for Salient Systems, Brian manages Salient’s CompleteView Video Management Software and CompleteView Cloud VSaaS product lines. Brian has over 13 years of experience working with network cameras and video management products. Prior to his current position, Brian worked for Axis Communications as ADP Program Manager, Technical Trainer & Sr. Sales Engineer.