Integrators: How Do You Secure Customer Systems?

IoT device security is a hot topic recently. I'm curious what techniques are commonly used to make Internet-connected security devices secure, but still easy enough for an average user to access without a hassle.

I made a quick poll, but I'm sure there are other approaches, if you have a good method please share.

I think 'strong passwords' are a prudent step that mitigates most risk, except in the case of backdoors *cough*.

However, setting up an IP whitelist is a fairly easy and absolute way of controlling access. I'm not sure why it isn't a more common step to take?

I'm guessing because of mobile apps. Your mobile IP tends to change a lot.

In addition to the mobile apps, whitelists also don't really allow people to travel and access their systems. (hotel rooms, airports, etc...)

Yeah, backdoors are a huge concern; it's why I feel all users behind an exposed VMS should be running all their patches and updates... not just for the VMS, but the underlying operating system as well.

A whitelist does not provide reliable security. I would stick with the VPN plus strong passwords.

I'm wondering how effective using obscure ports would be in addition to a strong password.

It seems that someone trying to gain access to the system would have to go through a lot more effort if you set up non-standard ports.

Or just a smarter port scanner; there are really easy tools for a whole stack of things, but if you have a good firewall that blocks IPs after x number of attempts, that might make it a bit harder.

Wouldn't listing the things you do be a vulnerability in itself?

Who said to list them?

The post says please share...

Ok, got it.

Wouldn't listing the things you do be a vulnerability in itself?

If those things include effective countermeasures heretofore unknown to the cybersecurity community at large, then I suppose it would be.

Otherwise, since one can post anonymously, I'm not sure why it would be a problem.

*puts on tin foil hat* If you were trying to get into someone's system, a thread like this would be my first step to look for ideas :)

Keep in mind I'm only half serious when I post this.

We have a few different methods we use depending on the system and the customer's budget.

1.) The system is 100% offline, with strong passwords.

2.) Strong passwords and obscure ports (I understand this doesn't do much, but for a budget system it's better than using factory defaults). We also retain the password for administrator and limit their login to only a few essential capabilities.

3.) More recently, customers who subscribe to our remote services use 2048-bit RSA to log in, and the video stream is encrypted using 256-bit AES.

  • 10-character app and browser passwords, with complex combination of non-alpha characters required

  • Three invalid codes entered will log users out

  • Video stream IDs frequently change, with URLs randomly generated at time of viewing

  • All video streams over closed and encrypted VPN, and require authentication at the camera

  • Panel user-code, email address and password authentication required for login

  • Touch ID supported as an option to launch the app

  • Account enumeration prohibited

  • 2048-bit RSA and 256-bit AES used for encryption

  • No user feedback provided to users regarding email address validity
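Three of the controls in that list (lockout after three invalid codes, no account-enumeration feedback on the email address, and a 10-character password policy requiring non-alpha characters) fit together in one login handler. The sketch below is added example code written for this thread, not DMP's or any vendor's implementation; the email addresses, passwords and attempt counts are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3   # "three invalid codes entered will log users out"
MIN_PASSWORD_LEN = 10     # "10-character ... passwords"
PBKDF2_ROUNDS = 100_000   # assumption: work factor chosen for this example


def password_meets_policy(pw: str) -> bool:
    """At least 10 characters and at least one non-alphabetic character."""
    return len(pw) >= MIN_PASSWORD_LEN and any(not c.isalpha() for c in pw)


def hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed: int = 0
    locked: bool = False


class AuthService:
    # One message for unknown email, wrong password and locked account,
    # so the response itself never confirms that an email address exists.
    GENERIC_ERROR = "invalid credentials"

    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}
        # Dummy credential: an unknown email costs the same hashing work as
        # a wrong password, so timing does not reveal account existence either.
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = hash_password(secrets.token_urlsafe(16), self._dummy_salt)

    def register(self, email: str, pw: str) -> None:
        if not password_meets_policy(pw):
            raise ValueError("password does not meet policy")
        salt = secrets.token_bytes(16)
        self._accounts[email.lower()] = Account(salt, hash_password(pw, salt))

    def login(self, email: str, pw: str) -> tuple[bool, str]:
        acct = self._accounts.get(email.lower())
        if acct is None:
            hmac.compare_digest(hash_password(pw, self._dummy_salt), self._dummy_hash)
            return (False, self.GENERIC_ERROR)
        if acct.locked:
            return (False, self.GENERIC_ERROR)
        if hmac.compare_digest(hash_password(pw, acct.salt), acct.pw_hash):
            acct.failed = 0          # successful login resets the counter
            return (True, "ok")
        acct.failed += 1
        if acct.failed >= MAX_FAILED_ATTEMPTS:
            acct.locked = True       # third bad code locks the account
        return (False, self.GENERIC_ERROR)
```

A permanent lock is the simplest form of the rule; a production system would normally pair it with a timed unlock or an out-of-band reset so that repeated bad guesses cannot keep a legitimate user out indefinitely.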

Sounds good!

What NVR/VMS are you using?

Thanks

256-bit AES used for encryption

Don't you have issues with the video streaming?

We keep remote access limited to 4CIF for streaming to mobile devices. We can go higher, but there's significant lag time connecting to the cameras with higher resolution. Once connected, live viewing is smooth. During alarm events, VGA gets sent to the cloud for recording. We've found our customers would rather know their data is secure than have higher resolution. Locally they can view and playback full resolution.

We purchase this solution from DMP. DMP installs their certificates and firmware on Hikvision NVRs and cameras. Everything is programmed through their dealer site. This solution is intended for small business and residential systems. Not ready for systems requiring higher resolution.

Take a look at this demo I just recorded to show the speed of connection and image quality. You should know that the Kitchen, Liam, and Ellie cameras are all WIFI. The Safe camera is hardwired to the NVR and Driveway is going through a powerline adapter to the router and then to the NVR. I try to test the most absurd connections I can come up with at my house.

I'm a little surprised that the "obscure ports" hasn't gotten more votes, but I think people are doing strong password + obscure ports in many cases, but voting for "Strong Password" because it's the more effective of the two options.