One of the more common cyber attack trends is the use of brute force. These attacks will bombard a device using ‘trial and error’ in an attempt to discover its authentication details. While not sophisticated, brute force attacks can be successful because they rely on user complacency. With the help of Ian Farr, Technical Director at Videcon, Benchmark considers the importance of secure authentication policies to defeat such attacks.
Brute force attacks might not be the most sophisticated cyber attacks, but are simple to instigate and more common than many think. The reason they are so frequent is given time and resources, they can be successful. The approach does rely on one thing: complacency on the part of the user.
In a brute force attack, automated software is used to generate consecutive guesses as to what the username and password might be. Some will use default settings; others will use a database of dictionary words. Brute force has been behind many of the attacks against webcams and other IoT products which have been reported in the media. However, attacks are not limited to the domestic market.
Reports show that brute force attacks have increasingly targeted CCTV devices, on-line security systems and associated products. There have also been issues where some manufacturers, admittedly more often than not at the very low priced end of the market, have used ‘white labelled’ firmware which makes large scale attacks simpler to carry out.
Brute force attacks are not clever. The perpetrators literally spend hours bombarding a device or system in the hope of getting lucky. The significant required resource is computational power to try as many combinations as possible. Tools to carry out brute force attacks are easy to find on the internet, as are databases of common log-in details. As a result, brute force attacks can emanate from diverse attackers ranging from organised cyber criminals down to amateur hackers simply looking for a ‘scalp’.
Vulnerabilities that permit brute force attacks to succeed are usually rooted in user complacency. Leaving authentication details as the default settings is more common than many think. Even where devices might force a password change, inevitably the administrator account user name is left as is.
Given that the administrator account allows full privileges and control over the system, this should certainly be one of the most protected log-ins.
It is also prudent to ensure that systems will effectively limit the number of attempts that a user can make to sign in and then lock them out after a number of consecutive failed attempts. Brute force attacks rely on being able to make thousands of attempts to gain access. Where the time period to achieve this becomes excessive, the attackers inevitably move on to another target.
Brute force attacks look for ‘low hanging fruit’. The attacks seek out devices and systems that belong to those who have some complacency with regard to cyber security. A variation of the brute force attack, and one that has been used against some video-based devices, is to scan the web for devices with open ports. Through banner grabbing, attackers can then identify specific devices which have access attempts made using default authentication data. These can also have more general brute force attacks applied against them.
When it comes to the installation of a security system, the onus is very much on the installer or integrator to ensure that the system is functional and effective, but also cyber secure. Many manufacturers, including Concept Pro, have recognised the growing importance of cyber security where systems are on-line, and have implemented a range of features to make life simpler for installers and integrators, and more secure for end users.
At the heart of protection against brute force attacks is the use of a secure password policy. A recent report on data breaches revealed that 63 per cent of reported losses were due to default or weak passwords. This figure increases significantly when you factor in compromised devices or hacked systems in which personal data was not stolen.
Acts of vandalism, denial of service or extortion attacks often go unreported, and when many DDoS attacks are investigated the result is often discovery of a huge number of devices which have been compromised and used as bots in the attacks. These devices are often part of small systems. While no data has been stolen, the result is that users are left with compromised systems, and often their dissatisfaction will be with the installer.
Those designing and installing systems must be aware that leaving the task of changing authentication details to the user will often result in systems that are not as secure as they should be. While many manufacturers have started to implement secure password policies, the strength of these does vary. It is important that installers and integrators protect themselves by seeking out systems with cyber security features, and ensuring that these are implemented.
Introduced in early 2017, installers and integrators who are specifying Videcon’s Concept Pro recording systems have been able to take advantage of the Sequrinet functionality. Sequrinet has been designed to offer robust and credible security to the security system itself, and subsequently ensures that video surveillance systems can deliver protection, detection and deterrence to a site without the risk of creating a weak point for the site’s overall network security.
Concept Pro, along with other credible professional security manufacturers, has recognised that one of the more important issues in the security market at present is cyber security. Media coverage has focused users’ minds on the importance of cyber protection in security systems. Sadly, too often the news is more about the lack of cyber protection on offer.
Complacency is a key tool for cyber criminals, as it allows unauthorised access to security devices and systems. Some security systems have inherent vulnerabilities due to coding which allows ‘backdoor’ access.
Concept Pro has introduced precautionary measures to ensure that its systems are secured. Sequrinet enforces the use of a strong, comprehensive password. Sequrinet’s enhanced password rule (EPR) implements secure password control. It prohibits the use of common passwords such as 1234, password and other common words or word and number combinations, only allowing the use of passwords that meet secure criteria.
The EPR function will also block any ‘backdoor’ capability while also disabling P2P, DDNS and audio channel options. Additional security measures are also available through IP filtering and HTTPS and RTSP encryption.
Server security is also important when considering cyber security. Concept Pro recognised the essential need for servers to be based in the EU for ease of contact, and operated by legitimate companies with high-level SLAs.
Its servers are monitored 24 hours a day, 365 days a year. Once a camera is connected to a recorder and Sequrinet is configured, the end user can download the Concept Pro App, allowing instant access to the system through a secure link.