
Saturday, June 24, 2017

Secure your security surveillance


Surveillance systems offer home and business owners peace of mind, knowing that their property and valuables are protected from criminals. But during surveillance installation, the owner or responsible person often does not change the default password of the product, such as a DVR, NVR, IP camera, IP intrusion panel, router or access point. Many users call me and ask things like “my DVR data is formatted, but I could not share the DVR password” or “I lost my NVR password, how do I retrieve it?”.

I have seen that 80% of users do not change the default username and password of their IP cameras. Electronic security surveillance footage is useful in conducting investigations. IP video surveillance is not immune to cyber risks, but taking basic steps toward protecting and strengthening networks and networked appliances will make them less susceptible to attack. Below are some tips.

1.     Change default passwords and use strong ones:
You can find the default username and password in either the user manual or the product sticker on the device. Sometimes your installer shares the password. Default passwords make your system easier to hack; it is like leaving the door half open for smart hackers. The most common default account for IP cameras is admin/admin. You may need to reset your device first; after a reset, user settings and account information return to their factory values. Below are the top 10 passwords:
            1.     12345
            2.     Password
            3.     12345678
            4.     qwerty
            5.     abc123
            6.     987654321
            7.     111111
            8.     1234567
            9.     iloveyou
            10.    adobe123
Almost all cameras sold today have a web-based graphical user interface (GUI) and come with a default username and password that is published on the internet. Using a strong password is the vital step to protect your IP camera from unauthorized access or hacking. A strong password must contain more than eight characters and include all four types of characters: uppercase letters, lowercase letters, numbers and special characters.
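As an added illustration (not code from the original post), the following Python checker enforces the password rules stated above: it rejects the factory-default admin/admin pair and the top-10 passwords listed, and requires more than eight characters with all four character types. The function and constant names are my own.

```python
import re
from typing import List

# The top-10 passwords listed in the post, compared case-insensitively.
TOP_10_PASSWORDS = {
    "12345", "password", "12345678", "qwerty", "abc123",
    "987654321", "111111", "1234567", "iloveyou", "adobe123",
}
# The most common IP camera factory default named in the post.
DEFAULT_CREDENTIALS = {("admin", "admin")}

# One regular expression per character type the post requires.
CHARACTER_TYPES = {
    "uppercase letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}


def password_problems(username: str, password: str) -> List[str]:
    """Return every rule the credential pair breaks; an empty list means it passes."""
    problems: List[str] = []
    if (username.lower(), password.lower()) in DEFAULT_CREDENTIALS:
        problems.append("factory default username/password still in use")
    if password.lower() in TOP_10_PASSWORDS:
        problems.append("password is on the top-10 list")
    if len(password) <= 8:
        problems.append("password must contain more than eight characters")
    missing = [name for name, pattern in CHARACTER_TYPES.items()
               if not pattern.search(password)]
    if missing:
        problems.append("missing character types: " + ", ".join(missing))
    return problems


def is_strong(username: str, password: str) -> bool:
    """Convenience wrapper: True only when no rule is broken."""
    return not password_problems(username, password)


if __name__ == "__main__":
    # Constructed sample credentials: two that fail and one that passes.
    for user, pw in (("admin", "admin"), ("admin", "Password"), ("operator", "Cam3ra!Watch")):
        print(f"{user}/{pw}: {password_problems(user, pw) or 'OK'}")
```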

2.     Change Passwords Regularly:
Regularly change the credentials to your devices to help ensure that only authorized users are able to access the system. Most cameras offer at least some form of basic authentication. It may not be super robust, but at least it is better than nothing at all. Protect your camera feeds with a username and a strong password and change it periodically. Set high quality passwords and do password enforcement and account deletion when staff changes.

3.     Rename the Default Admin Account and set a new Admin Password
Your camera's default admin name and password, set by the manufacturer, are usually available by visiting the manufacturer's website and going to the support section for your camera model. If you haven't changed the admin name and password, then even the most novice hacker can quickly look up the default password and view your feeds and/or take control of your camera.

4.     Limitation of Guest Accounts
If your system is set up for multiple users, ensure that each user only has rights to features and functions they need to use to perform their job.

5.      Change ONVIF Password
On older IP camera firmware (this applies to a limited set of products), the ONVIF password does not change when you change the system’s credentials. You will need to either update the camera’s firmware to the latest revision or manually change the ONVIF password.

6.      Manage your camera settings
Including a camera in a home security system is a must these days. It can allow you to view online what’s happening at home even if you’re on the other side of the world. However, with the same feature, you can also be exposing yourself to potential hackers.
A security camera is set up for remote online monitoring by default when you buy it. This feature makes it possible for you to keep an eye on your home in real time through a specific app or website. It also makes it possible for hackers to use your own camera to spy on your home. Scary, right?
If you can go by without remote online monitoring, turn this feature off. However, if you feel that it’s a necessity to keep the feature, then guard your home and your system by a strong password. It can also help if you strictly position the cameras to face only the areas they’re supposed to monitor. Avoid including your living room or your bedroom entirely.

7.     If Your Camera is Wireless, Turn on WPA2 Encryption
If your camera is wireless capable, you should only join it to a WPA2-encrypted wireless network so that wireless eavesdroppers can't connect to it and access your video feeds.

8.     Enable HTTPS/SSL:
Set up an SSL certificate to enable HTTPS. This will encrypt all communication between your devices and storage.
Many cloud vendors provide connection encryption, but it is variable. Confirm with your cloud vendor how their system handles this.

9.      Protect your router.
Like your security system, you can also make your home more secure by protecting your router with an effective password. You can use the same ideas as above. However, make sure you don’t use the same access codes for your system and router.
You can also try hiding your router by manipulating its configuration to make it invisible. However, you have to keep in mind that doing so doesn’t completely make your router invisible. Instead, it only makes your network not easily seen on basic and automatic searches. If a hacker is too advanced, he can simply look for a tool and use it to find your network.

10.   Avoid using public wi-fi.
As much as possible, try not to access your home automation devices over public wi-fi connections. This makes you more prone to hackers getting access to your personal information. Use your mobile data service or find a more secure connection before you click connect.

11.   Enable IP Filter:
Enabling your IP filter will prevent everyone, except those with specified IP addresses, from accessing the system.

12.   Check the Log
Most of the time, the easiest way to know if someone has been messing around with your system is by checking your camera logs. There are several security cameras that can show you the IP addresses that accessed your cameras. If you find a suspicious one on your log, immediately change your access codes and notify proper authorities.
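To show how tips 11 and 12 work together, here is an added Python example (not from the original post) that applies an IP-filter allowlist to a recorder's login log and flags access from outside the allowlist, repeated failed logins from one source, and a success that follows failures. The log line format, the allowlist networks and the sample lines are constructed for illustration; real devices use their own formats.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Allowlist as the recorder's IP filter would hold it (tip 11): constructed example networks.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "198.51.100.7/32")]
FAILED_LOGIN_THRESHOLD = 3  # flag a source once it reaches this many failed logins

# Constructed sample of a recorder's login log; the line format is assumed, real devices differ.
SAMPLE_LOG = """\
2017-06-20 22:14:03 LOGIN user=admin src=192.168.10.5 result=OK
2017-06-20 22:15:10 LOGIN user=admin src=203.0.113.45 result=FAIL
2017-06-20 22:15:11 LOGIN user=admin src=203.0.113.45 result=FAIL
2017-06-20 22:15:12 LOGIN user=admin src=203.0.113.45 result=FAIL
2017-06-20 22:15:14 LOGIN user=admin src=203.0.113.45 result=OK
2017-06-21 08:02:41 LOGIN user=operator src=198.51.100.7 result=OK
2017-06-21 09:30:00 LOGIN user=guest src=192.168.10.77 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def is_allowed(src: str) -> bool:
    """True if the source address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed address: treat as not allowed
    return any(addr in net for net in ALLOWED_NETWORKS)


def review_log(text: str) -> Dict[str, List[str]]:
    """Walk the log once and collect source addresses worth investigating (tip 12)."""
    findings: Dict[str, List[str]] = {
        "outside_filter": [],          # access attempts the IP filter should have blocked
        "brute_force": [],             # sources reaching FAILED_LOGIN_THRESHOLD failures
        "success_after_failures": [],  # a login that succeeded after earlier failures
        "unparsed": [],                # lines the parser did not understand
    }
    failures: Counter = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            findings["unparsed"].append(line)
            continue
        src = m["src"]
        if not is_allowed(src) and src not in findings["outside_filter"]:
            findings["outside_filter"].append(src)
        if m["result"] == "FAIL":
            failures[src] += 1
            if failures[src] == FAILED_LOGIN_THRESHOLD:
                findings["brute_force"].append(src)
        elif failures[src] and src not in findings["success_after_failures"]:
            findings["success_after_failures"].append(src)
    return findings


if __name__ == "__main__":
    for category, sources in review_log(SAMPLE_LOG).items():
        print(f"{category}: {sources}")
```

A source that appears under any category except unparsed is the cue the tip describes: change the access codes and notify the proper authorities.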

13.   Disable UPnP:
UPnP automatically tries to forward ports in your router or modem. Normally this would be a good thing. However, if your system automatically forwards the ports and you leave the default credentials in place, you may end up with unwanted visitors.
If you manually forwarded the HTTP and TCP ports in your router/modem, this feature should be turned off regardless.

14.   Disable SNMP:
Disable SNMP if you are not using it. If you are using SNMP, you should do so temporarily, for tracing and testing purposes only.

15.   Disable P2P:
P2P is used to remotely access a system via a serial number. The possibility of someone hacking into your system using P2P is highly unlikely because the system’s user name, password, and serial number are also required.

16.   Disable Multicast:
Multicast is used to share video streams between two recorders. Currently there are no known issues involving Multicast, but if you are not using this feature, you should disable it.

17.   Put up a firewall.
Make sure you have a firewall in your network to prevent unauthorized access to your devices. If you don’t have one, you can browse the internet to know your best options on firewall downloads.
For a cloud-based solution without port forwarding, an on-site firewall configuration is not needed. Speak with your integrator or system manufacturer to confirm this.

18.   Change Default HTTP and TCP Ports:
Change default HTTP and TCP ports for Dahua systems. These are the two ports used to communicate and to view video feeds remotely.
These ports can be changed to any set of numbers between 1025-65535. Avoiding the default ports reduces the risk of outsiders being able to guess which ports you are using.

19.   Forward Only Ports You Need:
Ideally, do NOT connect your unprotected server to the internet. If you do expose your system to the internet, then “port forward” as few ports as possible and use a next-generation firewall that analyzes the protocol and blocks incorrect protocols sent over the wrong port. In an ideal situation, also deploy an IDS/IPS for further protection. This applies to IP cameras, DVRs, NVRs and VMS.
The more secure cloud-based systems do not have port forwarding, so no vulnerability exists, and no incremental protection action is required. Ask your integrator or provider to verify this for any system you own or are considering acquiring.

20.   Build a separate network
Mixing the cameras on a standard network without separation is a recipe for disaster. If your security camera system is connected to your main network, you are creating a doorway for hackers to enter your main network via your surveillance system, or to enter your physical security system through your main network. Some DVRs can even be shipped with a virus.
Ideally, place the security camera system on a physically separate network from the rest of your network. If you are integrating with a sophisticated IT environment, it is not always possible to separate the two systems physically.
In this event, you should use a VLAN.

21.   Connect IP Cameras to the PoE Ports on the Back of an NVR:
Cameras connected to the PoE ports on the back of an NVR are isolated from the outside world and cannot be accessed directly.

22.   Secure your smart phone
Most of today’s home security systems are controlled through smart mobile applications, and this is what makes your smartphone very important for your home’s security. Always keep it protected.
For one, you should avoid logging in to your system while in public places. Someone near you could be waiting for your password. Also, make sure that no one else can access your phone by securing it with a password lock. You can also install a tracking app in case you misplace or lose your phone.
If such an event happens, make sure to immediately remove your phone’s access from your security system and report the incident right away.

23.   Upgrade your apps and firmware.
The reason companies keep updating their firmware is to fix bugs and glitches as well as to add security patches. By applying the updates, you are arming yourself with better protection against hackers.

24.   Disable Auto-Login on apps:
If you are using apps to view your system and you are on a computer that is used by multiple people, make sure auto-login is disabled. This adds a layer of security to prevent users without the appropriate credentials from accessing the system.

25.   Use a Different Username and Password for apps:
In the event that your social media, bank, email, etc. account is compromised, you would not want someone collecting those passwords and trying them out on your security surveillance system. Using a different username and password for your security system will make it more difficult for someone to guess their way into your system. Set high quality passwords and do password enforcement and account deletion when staff changes.

Surveillance System Assessment, Deployment & Maintenance

Data breaches continue to accelerate throughout the world. With increasing Internet connectivity, physical security systems are very vulnerable to cyber-attacks, both as direct attacks and as an entrance to the rest of the network. Liabilities for these attacks are still being defined.
It is prudent to protect your company and your customers through preventative measures.
To maximize your cyber security, it is critical to define best practices for your own company, as part of your security camera system assessment, as well as its deployment and maintenance.
A security audit is another way to know how your security surveillance system is performing. You need to see what the camera saw, and auditing of CCTV video should be made easier and more efficient. Auditing helps in gaining better situational awareness and actionable intelligence.


Some of these technologies are new and have been developed specifically to combat cyber-attacks whilst others, which were originally intended simply to make chipsets more efficient, are also able to contribute to camera security. Almost all, when mentioned in video surveillance-related documents, datasheets or on the Internet, are stated as acronyms or have names which do not make it obvious what they are intended to do. Here, therefore, is an explanation of some of those you are most likely to come across.

  • Anti-Hardware Clone: Anti-hardware clone functionality prevents a chipset from being cloned. In addition to protecting intellectual property, this ensures that a chipset with a manufacturer’s label is a genuine copy and removes the risk of a cloned device which may contain malicious software being used to steal sensitive data such as passwords.
  • Crypto Acceleration: When applied to video surveillance solutions, crypto acceleration is normally referred to within the context of a camera chipset performing complex mathematical functions for encryption and decryption. This is a very intensive operation requiring the chipset to use a large proportion of its resources. Equipping chipsets with a dedicated ‘engine’ for this purpose ensures that encryption/decryption is efficiently carried out, without affecting other camera functionality.
  • Image Scrambling: Between the location of a camera and where the images it captures are remotely viewed, recorded and stored, there is always the possibility that a cyber criminal could hack into the network and gain access to what may be confidential video and data. Image scrambling is the encryption of video prior to transmission over the network. It does so by randomly rearranging the pixels of each image so that it cannot be viewed by anyone maliciously hacking into the network.
  • Secure JTAG: JTAG ports are hardware interfaces which are used to programme, test and debug devices. However, they can be compromised by cyber criminals to gain low level control of a device and perhaps replace firmware with a malicious version. This can be prevented by securing the JTAG port via a key-based authentication mechanism to which only authorised personnel working for the manufacturer have access.
  • Secure UART: UART ports are serial interfaces typically used for debugging cameras. They allow administrator access to a camera and are therefore a target for hackers attempting to access sensitive information such as password keys. Hackers could also potentially access a camera’s firmware in order to reverse engineer it, as well as examine it for vulnerabilities in the device’s communications protocols. Enforcing restricted and secure access to the UART port, will allow the debugging process to be safely completed, without opening the door to cyber criminals.
  • OTP ROM: This is an acronym for One Time Programmable Read Only Memory which allows sensitive data, such as encryption keys, to be written only once onto a chipset and then prevents the data from being modified. This protects the integrity of encryption keys which are used to validate the stages in a secure boot up sequence and allows access to the JTAG Port.
  • Secure Boot Verification: Secure Boot provides an extra layer of security by sandboxing different elements of a camera’s operating system, which means they are in a protected space. The system will complete a full boot before communicating with any other part of the system and this prevents an interruption to the boot process which could be exploited by a hacker.
  • Random Number Generator: Computers are designed to create very predictable data and are therefore not very good at generating random numbers which are required for good encryption. A dedicated random number generator overcomes this problem by having a dedicated mechanism for the task.
  • Secure OS: Using a separate operating system (OS) for encryption and decryption, as well as for verifying apps have not been modified or are forgeries, reduces the workload of a camera’s main OS. A separate Linux based API is needed to access a Secure OS and without this, there is no way to make any changes from the outside of a camera. A Secure OS should always, therefore, be used to process important stored information.

In a highly competitive market, there is no shortage of camera manufacturers to choose from. Consultants, system designers and systems integrators therefore have the freedom to narrow down their shortlist of preferred suppliers to those who have fully embraced and incorporated best practice into their manufacturing process. A clear demonstration of this would be if they have equipped their cameras with most, if not all, of the above functionality and technology.




Biography:
Arindam Bhadra is an eSecurity professional with 11+ years in this industry. He is a well-known freelance blogger; his blog is now the No. 1 blog in India, with 2.9L page views globally. Mr. Bhadra is an Electronics & Telecommunication Engineer from IETE, New Delhi. He has been a member of FSAI since 2011 and of Go Beyond Security since 2008. His blog arindamcctvaccesscontrol.blogspot.com focuses on security. Apart from his job, he loves to spend his time understanding eSecurity & Safety technology and helping people. He is a tech enthusiast and has written articles over the years in this magazine and blog. You can follow him on Facebook, Twitter, LinkedIn & Google+.





Saturday, November 10, 2012

Managing risks to CCTV data and systems



CCTV systems collect all types of information for a wide range of reasons. While the equipment is valuable, it is almost always the records, and the information they hold, that matter the most.

Many CCTV systems record images of people, especially if they are set up in a public space. This type of record is 'personal information', which is protected under privacy legislation. As a result, every effort should be made to keep the records secure and avoid misuse.
Managing the risk to records protects the CCTV owner as well as the individual being recorded. CCTV records may be used as evidence in criminal proceedings. They can also be used to demonstrate that an innocent activity was genuinely innocent. Either way, the records should be stored securely until they are handed over to the police. For private operators, there may also be good commercial reasons for ensuring confidentiality of the records.

At a basic level, the question is: what can go wrong, and how much does it matter?
CCTV systems are exposed to a range of intentional physical security risks such as tampering with camera placement, power supplies, communications cabling and controlling equipment.  These risks may be prevented with physical control measures, such as housing these items in locked enclosures appropriate to the risk and environment (such as equipment that is accessible to the public).  Procedural security can be used to deter and detect attacks on CCTV infrastructure by visual inspection and review of indicative alarms.

Natural disasters also present risks. You can't prevent fires, floods, or earthquakes, but you can minimise the risk of damage or loss of data from your CCTV system.  While insurance can cover the loss of equipment, data is not replaceable. A good offsite backup system for electronic data, such as CCTV video, configuration data, usage logs etc, can reduce this risk.  Systems that instantaneously backup data provide less likelihood of data loss when compared to scheduled periodic backups.

Modern digital CCTV systems are typically dependent on computing equipment performing continuously. Protection from inevitable hard disk failure is usually provided with redundant disk storage systems (using RAID arrays). Once a disk failure has been detected (automated detection should be tested regularly) the disk can be substituted with a replacement onto which the missing data is automatically copied. This rebuilding process can take many hours due to the large storage capacity, which presents additional risks: the storage system may not cope with the rebuilding load, resulting in missing data, and data from any further coincidental disk failure(s) may not be protected (depending on the redundancy design). Whilst it may be impractical to have full CCTV system redundancy, it may be prudent to maintain service spares of essential components. For example, power supplies are required for interrogation of system data or to access live CCTV resources. As such, battery backup and/or alternate utility supplies may be warranted.

Attacks on CCTV information from human threats can be grouped as:
  • Availability; the information is not available when needed. Information may have been deleted accidentally or maliciously, or normal access prevented through disruption to normal processes, such as physically damaging equipment and communications or inundating communication channels.
  • Confidentiality; the information has been disclosed to unauthorized persons.  This may have occurred with or without knowledge of the CCTV system owner.  An obvious example of this is the unauthorized duplication and dissemination of video to media outlets - made easier if operators have ready access to high speed internet connections.  A less obvious example may be an unauthorized access by computer 'hackers' where CCTV systems are interconnected with other data networks.
  • Integrity; the information has been compromised. This may include substitution of real data with artificial data, or breaching evidential requirements for handling information that casts doubt on its authenticity.
Even with the best of intentions, mistakes can and do happen. They include accidentally deleting records or even entire hard drives, overwriting backups, forgetting to maintain a system, placing cameras in the wrong place, or forgetting to make a regular, scheduled backup. Some of these can be prevented by information management policies that include user training and restricting access to system resources, usually with logical access control (such as user log-on accounts). This can also help reduce the chances of deliberate actions aimed at destroying or stealing data or equipment. Personnel security vetting is often included in licensing requirements and can reduce risks of inappropriate usage by CCTV operatives.
Cybersecurity Measures (Protecting the Network)
  • Change Default Credentials: Immediately change default usernames and passwords for cameras, routers, and Network Video Recorders (NVRs) to strong, unique credentials.
  • Implement Network Segmentation: Place CCTV cameras on a dedicated Virtual Local Area Network (VLAN) to isolate them from critical business IT networks.
  • Update Firmware Regularly: Check for and install firmware updates from manufacturers to patch known security vulnerabilities.
  • Disable Unnecessary Services: Turn off unused features like UPnP (Universal Plug and Play), HTTP, and unused network ports.
  • Use Encryption: Ensure data is encrypted in transit (using HTTPS or VPNs) and at rest (using AES-256 for storage).
  • Secure Remote Access: Avoid direct port forwarding. Use a VPN for secure remote access to the system.
It is worth considering how you will manage these and other risks to the security of your CCTV equipment and records. Most strategies fall into one of four categories:
  • Avoid the risk - for example, by moving a camera out of reach of vandals, or locking a door after hours.
  • Transfer the risk - for example, by outsourcing the CCTV system and ensuring that contracting organizations, within the contract, are responsible for the security of records.
  • Accept the risk - for example, by relying on default settings in CCTV equipment because you believe the risk is low.
  • Reduce the risk - for example, ensuring only authorized people have access to CCTV computer systems and information.
In most cases, the final approach uses several strategies and depends on individual circumstances. It ultimately depends on the value of the records, the risk of loss or damage, and the consequences. These decisions are best made before the records are collected and, if possible, before a CCTV system is even installed.  It is advisable to have an Information Security Management Plan that includes CCTV systems to ensure that risks are treated appropriately.  The policies and procedures used to apply information security should be competently reviewed and executed.
Physical Security Measures (Protecting the Hardware)
  • Lock Down Equipment: Secure recorders (DVRs/NVRs) and network switches in locked cabinets or access-controlled rooms.
  • Protect Cabling: Use cable conduits to prevent tampering, "smash and dash" thefts, and environmental damage.
  • Anti-Vandal Enclosures: Use cameras with IK10 impact-resistance ratings for high-risk, accessible areas.
  • Regular Maintenance: Clean lenses and inspect cameras for tampering, ensuring they have not been moved or covered.
Government organizations have an additional obligation to consider the security classification of CCTV records and may consider implementing an information classification policy in accordance with the relevant government regulations. The agency's security officer should be contacted for advice in these cases. 
Personnel and Operational Security
  • Employee Training: Educate staff on the risks of phishing, the importance of password security, and how to report suspicious activity.
  • Manage Staff Turnover: Immediately revoke access to the CCTV system for departing employees.
  • Work with Professionals: Utilize reputable, certified installers who understand both physical and cybersecurity requirements.
Information classification should be considered by private CCTV system owners, particularly with the advent of computer based CCTV system designs and high capacity portable media.
This process helps provide assurance that CCTV records information will be handled appropriately to reduce negative risks.