Cybersecurity: 12 Ways to Keep Your Security Cameras Safe
Report by Dean Drako, CEO of Eagle Eye Networks
The PDF version includes additional content; download for more on this subject.
Introduction
Security camera systems are increasingly internet connected, driven in great part by customer demand for remote video access. The systems range from cloud-managed surveillance systems, traditional DVR/VMS/NVRs connected to the internet, and traditional systems connected to a local network which in turn is connected to the internet.
With cyber-attacks accelerating, physical security integrators and internal support staff must keep up-to-date on cyber security attack vectors which can impact the camera video management systems they sell and/or support. These systems require the same level of protection from cyber security vulnerabilities given to traditional IT systems.
This paper focuses on the best practices for internet-connected security camera systems. Many of these practices may be also applied to other physical security systems.
1. Physical Security: A Dangerous Door for Cyber Attacks
Security Camera Systems are increasingly internet connected, driven by the desire for remote access and control, integration, and drastically reduced cloud storage costs.
In addition to the growing number of cloud-managed surveillance systems, most traditional security camera systems are now connected to the internet for remote access, support, and maintenance, or they are connected to the local network which in turn is connected to the internet.
In parallel, cyber-attacks continue to escalate. Reading about millions of breaches in the news headlines are becoming commonplace. Liabilities for damages are a great risk to companies.
Thus it is critical that security camera systems get the same level of attention to, and protection from, cyber security vulnerabilities that are given to traditional IT systems.
Physical security integrators and internal support staff must keep up-to-date on cyber security attack vectors which can impact the camera video management systems they sell and/or support.
This paper focuses on the best practices for internet-connected security camera systems. Many of these practices can also be applied to other security camera systems.
2. Major Attack Vectors for Security Camera Systems
Five major cyber-attack vectors for surveillance camera systems are:
- Windows OS
- Linux OS
- DVRs, NVRS, VMS
- Endpoints (Cameras)
- Firewall ports
We will discuss these attack vectors in context of applicable best practices which can be deployed to protecting your surveillance system against them.
3. Best Practices Differ Based on Surveillance System Type
The term ‘cloud video surveillance’ and cloud system’ is used inconsistently. Thus it is important to check with your provider to see exactly how they achieve internet access, as it will impact which steps you must take to ensure your system is secure.
For purposes of this paper, I will distinguish between system types as follows:
- A traditional system, either DVR, NVR or VMS, with an internet connection, typically for the purpose of remote video access.
- A cloud-managed system, also called VSAAS. With a cloud-managed system, though there may be an onsite device, the video is recording and managed from the cloud.
There are differences within each of these categories that impact features and functions, however, this top-level distinction will offer clarity in how you can apply cyber security best practices, as well as what questions to ask your provider.
4. Best Practices for Cyber-Safe Security Camera Systems
4.1 Camera Passwords
Vulnerability
At first glance, camera passwords may seem like too obvious a security measure to discuss. However, a Network World article in November 2014, cited that 73,011 locations with IP Cameras from 256 countries were exposed on one website. The United States topped the list with 11,046 links, where each link could have up to 8 or 16 cameras.
Further, it is estimated that 1 in 5 Web users still use easy-to-hack passwords.
Below are the Top 10 passwords of 2013, according to Splash Data.
- 123456
- Password
- 12345678
- qwerty
- abc123
- 123456789
- 111111
- 1234567
- iloveyou
- adobe123
Almost all cameras sold today have a web-based graphical user interface (GUI) and come with a default username and password which is published on the internet.
Some installers don’t change the password at all and leave the same default password for all cameras.
Very few cameras have a way to disable the GUI, so the security vulnerability is that someone can attempt to hack into the camera via the web GUI to guess a password.
The hacker must have network access to do this, but the cameras are often on a shared network, not a physically separate network or a VLAN.
Best Practice
Traditional System and Cloud-Managed System
The ideal best practice is to assign a unique long non-obvious password for each camera. Such a meticulous process takes time to setup, is more difficult to administer, and is very hard to track. Therefore, many installers, unfortunately, use a single password for all of the cameras in an account.
To allow for this challenge, an acceptable best practice is:
- Public Network: Different strong password for each camera
- VLAN or Physical Private Network: have the same strong password for all cameras
4.2 Port Forwarding
Vulnerability
Best Practice
Traditional System
Ideally, do NOT connect your unprotected server to the internet. If you do expose your system to the internet, then “port forward” as few ports as possible and utilize a next generation firewall which analyzes the protocol and blocks incorrect protocols sent over the wrong port. In an ideal situation, also deploy an IDS/IPS for further protection.
Cloud-Managed System
The more secure cloud-based systems do not have port forwarding, so no vulnerability exists, and no incremental protection action is required. Ask your integrator or provider to verify this for any system you own or are considering acquiring.
4.3 Firewalls
Vulnerability
As stated above, any on-premise DVR/NVR/VMS should have a firewall for protection, especially if you are going to expose it to the internet for any type of remote access.
Firewalls can be very complex, with thousands of rules. The next generation firewalls are even more complex because they analyze the protocols going over the ports and verify that proper protocols are being used.
Best Practice
Traditional System
It is best to assign a professional network security expert to verify and configure a modern firewall.
It crucial to have clear documentation on the firewall configuration, and regularly monitor and implement any necessary changes to the firewall configuration.
Cloud-Managed System
For a cloud-based solution without port forwarding, an on-site firewall configuration is not needed. Speak with your integrator or system manufacturer to confirm this.
4.4 Network Topology
Vulnerability
Mixing the cameras on a standard network without separation is a recipe for disaster.
If your security camera system is connected to your main network, you are creating a doorway for hackers to enter your main network via your surveillance system, or to enter your physical security system through your main network.
Some DVRs can even be shipped with a virus.
Traditional System and Cloud-Managed System
Best Practice
Ideal Best Practice:
Ideally, place the security camera system on a physically separate network from the rest of your network.
Acceptable Best Practice:
If you are integrating with a sophisticated IT environment, it is not always possible to separate the two systems physically.
In this event, you should use a VLAN.
4.5 Operating Systems
Vulnerability
Your on-premise VMS, DVR, NVR or recording system will all have an operating system. The cameras all have an operating system.
All operating systems have vulnerabilities, both Windows-based and Linux-based.
Window OS vulnerabilities are so well-accepted that IT teams monitor them regularly. Recently it has become more and more apparent that Linux has many vulnerabilities also, such as Shellshock (2014) and Ghost (2015), which made millions of systems vulnerable.
In theory, your system manufacturer would have a high-quality security team that is responsive in providing you with security updates. The reality is that many vendors don’t do this on a predictable basis.
Best Practice
Traditional System
To ensure your system and network are protected from malicious exploits, you should track and monitor known operating system vulnerabilities, and then make sure that your OS is up-to-date with all the security patches.
If it’s a windows based system there are lot of vulnerabilities and lot of updates to be applied. And though they are less frequent, Linux vulnerabilities must also be tracked and addressed quickly.
IT security professionals typically understand which ones are relevant and which ones you can skip, but this can be an extremely daunting task without the proper training and experience.
You can also proactively contact your DVR/NVR vendor to find out which OS your NVR/DVR is using (Linux, Windows) and also the OS Versions and the versions of the additional Modules that sit on the OS (e.g. Microsoft IIS webpage server) so you can understand which security vulnerabilities will impact you.
Then track vulnerabilities to that OS and contact your OS vendor to see what patches are needed.
The best practices for a VMS is to make sure that the machines are under the domain of the IT department and that the IT department has the responsibilities and staff assigned to do the proper patching, upgrading, modifications, and has processes in place to make sure the machines are secure.
Also, make sure your camera vendor is patching for security issues, and that you are upgrading your camera firmware as soon as new versions are available.
Cloud-Managed System
Best practice here is to inquire with your integrator or cloud vendor if the cloud vendor has a dedicated, experienced security team which monitors vulnerabilities.
Also confirm whether the cloud vendor will automatically send security patches/updates through the cloud to any on-premise appliance. If so, no action is required from the end user to do operating system security monitoring, patching or upgrading.
4.6 Operating System Passwords
Vulnerability
As with camera passwords, a weak system password can create an opportunity for cyber-attacks on the surveillance system and the network.
Unfortunately in many OS environments, the root password or the administrator password is shared among all the admins, spreading the security risk. Employee turnover, either through attrition or a change of roles can create unexpected security holes.
Best Practice
Traditional System
Set high quality long passwords for the operating system.
Additionally, establish policies and procedures for changing passwords. For example, the root admin password should be changed every time an employee with password access leaves the company or changes roles.
Cloud-Managed System
No action required. True cloud systems do not have separate passwords for OS access. They only have system passwords for individual accounts (see below) which are explicitly deleted when employees leave or their roles change.
4.7 System Passwords
Vulnerability
Unauthorized access to your security camera system leaves both the surveillance system vulnerable and network connected to it vulnerable.
Best Practice
Traditional System and Cloud-Managed System
Change your surveillance system passwords on a schedule. Enforce security quality with the same stringency as your company standard. Long, strong passwords are the best.
4.8 Connection Equipment
Vulnerability
A surprising number of DVR/NVR/VMS’s use connections which are not encrypted with SSL or equivalent.
This risk would be identical to logging into a bank or doing online shopping without https. It creates password vulnerability and allows potential for privacy and eavesdropping breaches.
Best Practice
Traditional System
It is imperative that the connection be encrypted with SSL or equivalent.
Ask your vendor how they handle this. Only choose vendors who encrypt their connections.
Cloud-Managed System
It is imperative that the connection be encrypted with SSL or equivalent.
Many cloud vendors provide connection encryption, but it is variable. Confirm with your cloud vendor how their system handles this.
4.9 Video Encryption
Vulnerability
In addition to insecure connections due to lack of encryption, the same privacy risks apply when the video is not encrypted when stored on the disk or in transit.
Best Practice
Traditional System and Cloud-Managed System
For a truly secure system, the video should be encrypted, both when it is stored on disk and when it is in transit.
4.10 Mobile Access
Vulnerability
Password, account deletion and encryption vulnerabilities apply doubly to mobile.
Best Practice
Traditional System and Cloud-Managed System
4.11 Physical Access to Equipment and Storage
Vulnerability
The financial rewards for stealing company data are sufficiently high enough that intruders will also seek to access your network by directly hacking into your onsite physical equipment.
Best Practice
Traditional System
Keep secure: your cabinets; the cables; and the room where the DVR/NVR/VMS, switches and video storage servers are located. Provide secure access control to the room, including video security to monitor it. This practice not only protects your network, but prevents ‘smash and dash’ thefts at your facilities, where the recording DVR/NVR is stolen along with any other items.
Cloud-Managed System
Although the same principle clearly applies to a cloud-based system, there is much less on premise equipment to protect. The immediate cloud recording also protects against smash and dash theft of the on-site recording.
It is important to inquire of your integrator or vendor what general security measures they take for their cloud servers.
4.12 Video Recording Software
Vulnerability
Video Management Software use a lot of components beyond the operating system, such as Microsoft database applications. As with the operating system itself, these components must be upgraded and secure.
Many VMS’s for example use, Microsoft Access, or libraries, as well as the software that they have written. New system vulnerabilities can be introduced if the supporting software is not kept up-to-date, including security patches.
If you are passive here, you are highly dependent on the provider sending patches for you to update the system for such vulnerabilities.
Best Practice
Traditional System
Ask your VMS vendor about their policy for keeping the components they use up-to-date and secure. Check for and install regular updates. Be proactive in monitoring the known security vulnerabilities in the industry and contact your integrator or vendor when you learn of new breaches.
It is important to make sure the VMS vendor has a team focused on this and is sending you updates regularly.
Cloud-Managed System
True cloud managed systems do not have software on site, so no vulnerability exists here.
However, it is very important to confirm if the system is truly ‘cloud- managed’ vs. internet-connected before making this assumption, or you risk exposure to a potential vulnerability.
Conclusion
Data breaches continue to accelerate throughout the world. With increasing Internet connectivity, physical security systems are very vulnerable to cyber-attacks, both as direct attacks and as an entrance to the rest of the network. Liabilities for these attacks are still being defined.
It is prudent to protect your company and your customers through preventative measures.