While the profile of cyber attacks seems to be increasing every day, the reality for many mainstream security systems operating over networked infrastructure is that the risks can be lowered by simply applying some common sense. There is a balance to be had between making cyber security an obsession and taking a common-sense approach to security. Benchmark considers the basics of device hardening.
Many years ago, the IT sector found itself caught on the horns of a dilemma. They needed to make systems and services accessible to attract the consumer market, but they also needed to protect against the rising tide of hacks, viruses and malware. The battle is still not over, and the balancing act continues.
Things are not that different in the security market. Manufacturers need to ensure that their products are easy to install and configure, but it is vital that they don’t create an easy entry-point into an end user’s corporate network.
Sadly, some suppliers do take a somewhat lackadaisical approach to device hardening. While this makes it easier to sell products as the ease of installation and configuration is boosted, it also means that security takes something of a back seat.
There is a reason that some suppliers are happy to do this. It’s because they are separated from the final customer by the installer or integrator. As the people who effectively ‘sell’ the system to the customer, the onus is placed on them to ensure that device hardening occurs.
Luckily, a number of manufacturers don’t share this view, and many offer features and functions which allow device hardening to be implemented with ease. However, there are additional steps, many of them common sense and straightforward, which installers can take to enhance device hardening.
Start with the basics
When planning a system, hardening can take place before the system is even installed. During Benchmark tests we’ve come across end users that quite simply refuse to allow internet connectivity on local security networks. This gives them total control over the system, and effectively ring-fences the infrastructure from external attacks.
Unfortunately, many manufacturers demand that a system does have internet connectivity, because it makes life simpler for them with regard to licensing. It also makes their job simpler with regard to additional software components, as the onus is on the installer or integrator to download them. If there is no operational need for WAN connectivity, avoid it. If a manufacturer can’t support that, look elsewhere!
Many installers and integrators prefer static IP addresses to the use of DHCP, simply for logistical reasons. There is a perception that one is more secure than the other (which one changes depending on who you talk to). How the address is assigned doesn’t really affect security, so don’t think you’re better off with one or the other.
One simple task that is too often neglected is to ensure the firmware on devices is up to date. Firmware changes will not only add features, but also include bug fixes and security updates, often driven by changes in the wider IT community. Take firmware only from the manufacturer’s official source, and check for updates as part of routine maintenance rather than just at installation.
Always change default passwords. That might seem obvious, but because many VMS and NVRs automatically set supported devices to the defaults, some will leave them as they are. Increasingly, manufacturers force a password change after the first log-in. Always be careful using symbols, as some ONVIF implementations won’t accept them, and a password that works on the camera’s own interface may then fail when the VMS connects (it’s a shame all ONVIF implementations aren’t the same).
When changing passwords, if the camera offers an encrypted (HTTPS) connection, use it so the new credentials aren’t sent across the network in clear text. Also, if there are options for anonymous viewing or for changing the device’s network settings remotely, disable them.
Modern network cameras include a variety of services and processes. Some of these could offer additional access routes to the system. If you are not using them, turn them off. This reduces the potential attack surface. Often cyber attacks will be based upon a ‘hit and hope’ mentality: the fewer ports or services there are to hit, the better.
None of these steps require any special skills or additional software or hardware. Any reputable device should allow such configurations to be carried out with ease. With many edge devices, additional security elements can be implemented, again without the need for specialist skills or additional hardware or software.
Applying common sense is sometimes the best approach. In short, if you don’t need a service or process, turn it off. Apply firmware updates and ensure that a password policy is in place.
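As an added illustration (not part of the original Benchmark article, and not any manufacturer’s tool), the following Python script shows one way to put a device password policy into practice while respecting the ONVIF symbol caveat above: it generates per-device passwords from a letters-and-digits alphabet, makes up for the smaller character set with extra length, checks an existing password against the policy, and works out the minimum length needed for a given alphabet. The list of factory defaults is a short constructed one, and the 80-bit entropy target is an assumption, not a figure from the article.

```python
import math
import secrets
import string

# Letters and digits only: the set that every ONVIF implementation should accept.
# Symbols are kept separate so they can be switched on where the VMS is known to cope.
SAFE_CHARS = string.ascii_letters + string.digits
SYMBOL_CHARS = "!@#$%^&*()-_=+[]{};:,.<>?/"

# Constructed, deliberately short list of factory defaults, for illustration only.
KNOWN_DEFAULTS = {"admin", "password", "12345", "123456", "admin123", "pass", "1234"}

# Policy target (assumption): at least 80 bits of entropy per device password.
MIN_ENTROPY_BITS = 80


def entropy_bits(length, charset_size):
    """Bits of entropy in a uniformly random password of this length and alphabet size."""
    return length * math.log2(charset_size)


def min_length_for(charset_size, target_bits=MIN_ENTROPY_BITS):
    """Shortest password length that reaches the entropy target for this alphabet."""
    return math.ceil(target_bits / math.log2(charset_size))


def estimated_charset_size(password):
    """Size of the alphabet a password appears to be drawn from, judged by its characters."""
    size = 0
    for group in (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOL_CHARS):
        if any(c in group for c in password):
            size += len(group)
    return size


def check_policy(password, allow_symbols=False):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if password.lower() in KNOWN_DEFAULTS:
        problems.append("matches a known factory default")
    alphabet = SAFE_CHARS + (SYMBOL_CHARS if allow_symbols else "")
    bad = sorted({c for c in password if c not in alphabet})
    if bad:
        problems.append("contains characters outside the allowed set: " + "".join(bad))
    size = estimated_charset_size(password)
    bits = entropy_bits(len(password), size) if size else 0
    if bits < MIN_ENTROPY_BITS:
        problems.append(f"only about {bits:.0f} bits of entropy, policy requires {MIN_ENTROPY_BITS}")
    return problems


def generate_device_password(length=None, allow_symbols=False):
    """Generate a random password that passes check_policy, defaulting to the length the policy needs."""
    alphabet = SAFE_CHARS + (SYMBOL_CHARS if allow_symbols else "")
    needed = min_length_for(len(alphabet))
    if length is None:
        length = needed
    if length < needed:
        raise ValueError(f"length {length} cannot reach {MIN_ENTROPY_BITS} bits with this alphabet")
    # check_policy judges the alphabet from the characters actually present, so a
    # draw that happens to miss a whole character class is discarded and redrawn.
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_policy(pw, allow_symbols):
            return pw


if __name__ == "__main__":
    for size in (len(string.digits), len(SAFE_CHARS), len(SAFE_CHARS + SYMBOL_CHARS)):
        print(f"alphabet of {size} characters: need at least {min_length_for(size)} characters")
    pw = generate_device_password()
    print("generated:", pw, "violations:", check_policy(pw))
    print("'admin':", check_policy("admin"))
```

The point the numbers make is that dropping symbols costs little: 14 alphanumeric characters already exceed the 80-bit target, whereas a digits-only PIN would need 25. Generating a distinct password per camera and recording it in the VMS is what stops one leaked credential opening every device on the site.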
Many edge devices include IP filtering. This enables you to specify IP addresses which are either allowed to access the device or are denied access. Obviously when dealing with a security system, you only want to allow the server or management device to access the edge devices. Bear in mind that a filter only checks where a connection claims to come from; it is an extra layer on top of strong passwords, not a replacement for them.
User privileges can also be useful. By restricting who can view what, and who can change configurations, you take another step towards hardening the edge device.
One final point is that audit trails within devices can be used to assess whether any unauthorised attempts to access the edge device are taking place. Manufacturers can help you understand how to best use and manage logs to remain abreast of any suspicious activities.
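To show what reviewing those audit trails looks like in practice, here is an added Python example (not from the article and not any manufacturer’s log tooling). It reads a set of constructed, syslog-style authentication log lines, flags any source address that is not on the list of permitted management hosts from the IP filtering point above, and flags sources that rack up repeated failed log-ins inside a short window. The log format, the host addresses and the thresholds are all assumptions; a real camera’s log format will differ, so the regular expression is the part to adapt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines in a generic syslog-style format (assumption: real
# devices use their own formats, so LINE_RE would need adapting). Lines are in time order.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z cam-lobby auth: user=admin src=10.10.20.5 result=success
2024-03-01T08:00:05Z cam-lobby boot: firmware 5.1.2 loaded
2024-03-01T08:02:10Z cam-lobby auth: user=admin src=10.10.20.5 result=failure
2024-03-01T08:02:15Z cam-lobby auth: user=admin src=10.10.20.5 result=success
2024-03-01T08:10:00Z cam-lobby auth: user=admin src=10.10.77.3 result=failure
2024-03-01T08:10:04Z cam-lobby auth: user=root src=10.10.77.3 result=failure
2024-03-01T08:10:09Z cam-lobby auth: user=admin src=10.10.77.3 result=failure
2024-03-01T08:10:13Z cam-lobby auth: user=operator src=10.10.77.3 result=failure
2024-03-01T08:10:20Z cam-lobby auth: user=admin src=10.10.77.3 result=failure
2024-03-01T09:30:00Z cam-lobby auth: user=admin src=192.168.1.9 result=success
"""

# The only hosts that should ever talk to the camera: the VMS server and a
# management workstation (hypothetical addresses, mirroring an IP filter allow list).
MANAGEMENT_HOSTS = [ip_network("10.10.20.5/32"), ip_network("10.10.20.10/32")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Parse one authentication record; return None for lines that are not auth events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyse(log_text, allowed=MANAGEMENT_HOSTS, threshold=5, window=timedelta(minutes=10)):
    """Flag sources outside the allow list and sources with >= threshold failures per window."""
    failures = defaultdict(deque)   # per-source timestamps of recent failures
    brute_force = {}                # source -> largest failure count seen within one window
    unexpected = set()              # sources that the IP filter should have blocked
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec["src"]
        if not any(ip_address(src) in net for net in allowed):
            unexpected.add(src)
        if rec["result"] != "success":
            recent = failures[src]
            recent.append(rec["ts"])
            # Drop failures older than the window, then judge what is left.
            while recent and rec["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                brute_force[src] = max(brute_force.get(src, 0), len(recent))
    return {"brute_force": brute_force, "unexpected_sources": unexpected}


if __name__ == "__main__":
    findings = analyse(SAMPLE_LOG)
    for src, count in findings["brute_force"].items():
        print(f"possible brute force from {src}: {count} failures within the window")
    for src in sorted(findings["unexpected_sources"]):
        print(f"access from a host outside the management allow list: {src}")
```

In the sample data the single mistyped password from the VMS server is left alone, the burst of five failures from 10.10.77.3 is reported, and the successful log-in from 192.168.1.9 is reported too, because a successful log-in from a host that should never reach the camera is exactly the kind of event the audit trail exists to surface.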