Steven Kenny, Industry Liaison – Architecture & Engineering, Axis Communications
Network administrators are under increasing pressure to ensure networks are designed and operated securely. It is important they have the right knowledge and tools to manage cybersecurity throughout the life cycle of the system.
Recent Axis field tests compared the time required to carry out basic device management tasks on a network of 200 cameras. These basic tasks – installing add-on applications, upgrading firmware, configuring devices and hardening devices – took 106 hours when carried out manually. Using management software, the time required was reduced to 30 minutes.
Businesses should approach cybersecurity readiness in two steps. Awareness is step one. If a business is not aware of cyber vulnerabilities, threats and issues, it cannot do anything to prevent them. Step two is mitigation: once aware of a problem, what can a business do to resolve it?
A good starting point when selecting vendors and partners is to look at those that have a track record of cyber maturity: those who understand the threats and ways to counter them, and who have control over their own offerings, along with the experience to apply best practice routines properly when needed. Equally important is that they supply tools for applying the security controls that mitigate threats, through device hardening and device management.
A fundamental aspect of ensuring the security of an enterprise network is the creation of a complete inventory of the devices. Device management software gives administrators an automated means to gain access to a real-time inventory. It lets them automatically identify, list and sort the devices, and enables them to use tags to group and sort devices based on criteria that suit their requirements.
Authentication and privilege control are important. Implementing an account and password policy reduces the risk of accidental or deliberate misuse. While one fundamental of this policy should be to create strong passwords, another is to reduce the risk of passwords being compromised, particularly administrative passwords.
Device passwords tend to be shared within an organisation if there is a need to adjust, optimise or troubleshoot devices. One way of addressing this issue is to create a multi-layered system of accounts with varying privilege levels, creating temporary accounts to grant temporary access as required. This would be a time-consuming process to handle manually, but device management software manages these multiple accounts and passwords.
New vulnerabilities are continuously being discovered. While most are non-critical, occasionally a critical vulnerability is discovered. A camera, like any other device, needs to be patched to prevent adversaries exploiting known vulnerabilities. It is essential to update quickly once firmware becomes available, as attackers may try to exploit vulnerabilities that have been discovered. Rapid deployment of firmware boosts operational capabilities and removes bottlenecks related to manually rolling out new release upgrades. Patching firmware could introduce unexpected behavioural issues, so it is recommended to use LTS (Long-Term Support) firmware for patching. These firmware versions will only include bug fixes and security patches.
Once again, the larger the network, the more effort it will take to update all devices.
Video systems may be subject to policy or regulations that require encrypting traffic between the clients and the camera, preventing network eavesdropping. There may also be a threat of spoofing, where a malicious computer tries to impersonate a network device. These threats are countered with HTTPS.
HTTPS uses certificates, and the sheer number of cameras can make managing them costly in both deployment and lifecycle maintenance. Device management software can reduce this cost by managing certificates and HTTPS configuration for all cameras. It can also act as a local Certificate Authority (CA).
Installing the root certificate in the VMS server secures the connected devices. The root certificate can also be installed in additional administrative clients. Video clients will not (and should not) access cameras directly.
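The local CA arrangement described above can be sketched with the openssl command line. This is an added example, not Axis tooling or code from the article, and the hostnames and file names are constructed. It issues a camera certificate from a local CA, then checks certificates against the root as a VMS server holding that root would, showing that a self-signed impostor and a mismatched hostname are both rejected.

```shell
#!/bin/sh
# Added example: local CA -> camera certificate -> check with the root, as a VMS server would.
# Hostnames and file names are constructed; keys live in a throwaway temp directory.
WORK=$(mktemp -d)

# Root key and self-signed root certificate of the local CA.
make_local_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Local Camera CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# $1 = camera hostname. Key and CSR for the camera, signed by the local CA.
issue_camera_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -days 90 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# $1 = hostname. Self-signed certificate carrying the camera's name, NOT issued
# by the CA: what an impersonating machine could present.
make_spoofed_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$1" \
    -keyout "$WORK/spoof.key" -out "$WORK/spoof.crt" 2>/dev/null
}

# $1 = certificate file, $2 = hostname being connected to.
# Succeeds only if the chain ends at the installed root AND the name matches.
vms_trusts() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" 2>/dev/null \
    | grep -q ': OK$'
}

CAM=cam-01.example.internal   # constructed hostname
make_local_ca && issue_camera_cert "$CAM" && make_spoofed_cert "$CAM"
vms_trusts "$WORK/$CAM.crt" "$CAM"  && echo "CA-issued certificate: trusted"
vms_trusts "$WORK/spoof.crt" "$CAM" || echo "self-signed impostor: rejected"
vms_trusts "$WORK/$CAM.crt" cam-02.example.internal || echo "wrong hostname: rejected"
```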
Effective device management software not only enhances cybersecurity but delivers efficiencies that grow exponentially as more devices are added to the network, saving time and resources.