printer friendly version

Securing security systems

Francois Malan.

This year hackers have exposed some serious flaws regarding the security of surveillance systems on our networks. In particular, what is also apparent, is that network video recorders cannot be administrated or secured by traditional network tools. At best they can be isolated.

The greatest concern is that this information is freely available on the Web for any weekend hacker to gain access, and how easily embedded appliances can be compromised. A trend that has developed is that IT professionals are choosing Windows-based server appliances for video surveillance recording, simply because these are easier to administer and secure.

The following is a basic check list to safeguard against hacking:

1. Windows Server for recording video

IT professionals can secure a Windows recording server as part of their domain, they generally cannot manage an embedded network video recorder. Using a Windows server allows the IT department to apply group policy, use a domain server for central password administration and apply updates and virus patches. Not using a Windows server gives hackers or viruses a platform to attack an entire network or simply render the device or information on the device useless. Using an embedded NVR adds uncertainty and therefore risk to an enterprise network.

2. Password management

Most sites are compromised because of poor password management and using default or simple passwords. Often installers use a set of default passwords for all their sites, these passwords are never erased from the system, even after the company is long gone, leaving a backdoor. A Windows Active Directory allows for central password management for Windows devices on the domain. This allows for an audit trail of individual user activity and a central control of all passwords. It is also important to change all default passwords on cameras after installation.

3. Segment network

Segmenting a network can be done with a recording sever with two or more network adapters; typically one adapter is used to access the camera side of the network and the other network adapter is presented to the control room. This allows a user to use a good video management platform to control who sees which cameras, and does not expose the whole camera network to a would-be-hacker that wants to see something he should not.

Best practice would be to have a completely separate network for security equipment or implement VLANS between existing networks. Additional networks should be setup to monitor any unauthorised devices.

4. Secure video feed

We have spoken about changing the password on the camera, but it would be important to also secure the video feed to the recording server so that no one else has access. Cameras could also support a white list of IP addresses that may log onto them and camera logs can be checked for unauthorised access.

5. VPN (Virtual Private Network)

It is recommend to use a VPN when connecting remotely via the Internet to view video. Using port forwarding on a router is the industry standard, but this method allows a hole in your firewall and exposes devices to the Internet. There are websites that can provide a list of these exposed devices geographical for a small fee.

Some reference articles from the Web

73 000 surveillance cameras hacked by one website: http://goo.gl/xehmSE

Chinese surveillance camera supplier confirms hacking loophole: http://goo.gl/Ne9T1s

Hackers can delete surveillance DVRs remotely – report: http://goo.gl/M75lY9

About the Hikvision zombification: http://goo.gl/2MN92L

Hackers turn security camera DVRs into worst Bitcoin miners ever: http://goo.gl/X6x8PW

Share this article:

Further reading: