Cyber Security: Reducing access points
Credible manufacturers have added cyber security elements to their products and systems in order to assist installers and integrators with regards to delivering robust and resilient solutions. There are a number of steps that can be taken at the edge device level which enhance cyber security and help mitigate the risks of on-line threats. With the help of Steve Kenny, Business Development Manager Architecture & Engineering Program at Axis Communications, Benchmark considers how device hardening can be implemented.
Cyber security is a complex issue, but there are also several basic procedures that installers and integrators can implement that will help to reduce risk. One of the most basic is device hardening; by reducing the attack surface, the potential number of unauthorised entry points is significantly reduced.
Like many credible manufacturers, Axis has applied cyber security best practices in the design and development of its devices. This provides the necessary tools to enable engineers to minimise the risk of weaknesses that could be exploited in a cyber attack.
Securing a network, its devices and the supported services requires participation by manufacturers, installers and integrators, service providers and the end-user.
Edge devices, such as security cameras, in a network environment face threats including physical sabotage, vandalism and tampering. To protect against such threats, installers and integrators should consider the use of vandal-resistant devices or housings along with protection for the cables.
From an IT perspective, the camera is a network endpoint similar to a laptop, desktop PC or mobile device. Unlike these, it will not be exposed to common threats of visiting unsafe websites, opening malicious email attachments or installing untrusted applications. However, as a network device the camera does include an interface that may expose the system to risks.
While physical protection is recommended at the camera’s location, it is additionally not recommended to expose the camera as a public web server, allowing unknown clients to get network access to the device.
In a VMS environment, the clients will access live and recorded video through the VMS server. Placing this on an isolated network, through physical or virtual isolation, is a common and recommended measure to reduce exposure and risks.
Reducing the attack surface of a system or device is a standard practice in terms of cyber security. The attack surface is made up of the many different points where an attacker can attempt data entry or extraction. The attacker only needs to succeed in violating one point, so the fewer of these that exist, the better.
The goal when reducing the attack surface of a system is to reduce the amount of code running, limit the number of potential entry points available to unauthorised persons and to close down any services that are not essential to the operation of the system.
An additional benefit to the reduction of a system’s attack surface is that by switching off non-required functions and reducing the code being executed on the devices, the processing resources will be freed up which could further enhance performance.
As the access routes to a device and availability of services are increased, so is the potential exposure to cyber attacks. Benefits such as remote access and third party integration can also create vulnerabilities, so if they are not required, best practice is to disable them.
You might not be using them, but a potential attacker could. It is vital to carry out a risk assessment in a similar way to those carried out when designing a physical security system.
Integrators and installers should also apply the same thought-processes used when protecting a typical network to mitigation of risks associated with the configuration of network security devices. This should be done despite the fact they are not exposed to the typical cyber threats associated with devices used to actively manage websites, email, etc..
If devices, services and applications do not need to interact, installers and integrators should try to limit connectivity between them.
Additionally, segmenting the security system from the core network is a good overall protection measure, thereby reducing risks of security resources and business resources adversely affecting each other.
It is important to understanding and deploy industry standard security protocols, including multi-level user authentication/ authorisation, password protection, SSL/TLS encryption, 802.1X, IP-filtering and certificate management.
Thankfully an increasing number of security manufacturers, including Axis Communications, have responded to demands for more secure systems and have added features and functions which are specifically aimed at enhancing cyber security. Such functionality should always be deployed. It should not be treated as optional. No installer or integrator worth their salt would fit an alarm system without protecting entry/exit points, so don’t leave passwords as default or bypass security features on a networked system.
It is also critical that installers and integrators ensure the firmware for products is regularly updated. Whilst some have taken that attitude that if a device works as expected it is not worth updating, increasingly the upgrades include security patches and fixes that eliminate evolving vulnerabilities.
An important part of attack surface reduction is the hardening of endpoints. An endpoint is an edge device. Such devices might be cameras, codecs, detectors, door readers or any other IP-connected device that is positioned in an insecure area.
The servers and software, storage units, power management systems and other essential peripherals may be installed inside a secure area, but this does not mean they are not vulnerable to a cyber attack. Edge devices, the endpoints, could potentially offer a connection from the outside world into the core of the system.
When considering outside interference, many consider connectivity to a WAN such as the internet as the weak point. Their focus is on protecting this and not a potential intrusion via an unprotected endpoint.
It is important to consider the security of all endpoints, because in a worst case scenario a criminal could disable the entire system by accessing it via such a connection.
Taking steps to harden endpoints include some basic tasks. Ensuring that devices are updated with any firmware upgrades is essential. Password management is important, as is ensuring that user permissions are applied in a way that helps the customer restrict control of the system to authorised personnel only.
Deploying appropriate encryption is also important. All credible security devices will support this, and it is important that installers and integrators understand how to use it correctly. If in doubt, ask the manufacturer. Axis offers a wide range of documentation and educational resources to assist engineers.
Many security devices have a number of features designed to simplify installation and set-up. Some will be used by the installer or integrator, and others are designed for end user use. Once these features have been used, best practice is to disable them.
It is also prudent to ensure that the end user is made aware of any risks associated with services running which they might have requested remain active.
The use of IP filtering should also be implemented. Most security endpoints can be configured to allow access solely by a server within the system. IP filtering can help ensure that other devices cannot gain access to them.
Axis Communications, along with a number of other credible security manufacturers, has taken steps to address cyber security issues, and will offer support to engineers with regard to how these can be deployed.
One message that cannot be conveyed strongly enough is that if unknown or unsupported products which do not come from credible security manufacturers are used, the risks will increase. Buying cheap will not be such a smart move if a customer’s business is brought to its knees as a result.
Cyber security represents a new challenge for many engineers, but as with other risks a best practice approach can help significantly.