Subscriber Discussion

Integrators: How Do You Secure Customer Systems?

Brian Karas
Mar 18, 2016
IPVM

IoT device security is a hot topic recently. I'm curious what techniques are commonly used to make Internet-connected security devices secure, but still easy enough for an average user to access without a hassle.

I made a quick poll, but I'm sure there are other approaches, if you have a good method please share.

Brian Rhodes
Mar 18, 2016
IPVMU Certified

I think 'strong passwords' are a prudent step that mitigates most risk, except in the case of backdoors *cough*.

However, setting up an IP whitelist is a fairly easy and absolute way of controlling access. I'm not sure why it isn't a more common step to take?

(2)
Brian Karas
Mar 18, 2016
IPVM

However, setting up an IP whitelist is a fairly easy and absolute way of controlling access. I'm not sure why it isn't a more common step to take?

I'm guessing because of mobile apps. Your mobile IP tends to change a lot.

(1)
Hans Kahler
Mar 22, 2016
Eagle Eye Networks

In addition to the mobile apps, whitelists also don't really allow people to travel and access their systems. (hotel rooms, airports, etc...)

(1)
Michael Goodwin
Mar 22, 2016

Yeah, backdoors are a huge concern; it's why I feel all users behind an exposed VMS should be running all their patches and updates... not just for the VMS, but the underlying operating system as well.

Konstantin Avramenko
Mar 22, 2016

A whitelist does not provide reliable security. I would stick with the VPN plus strong passwords.

(1)
Jeff Gack
Mar 22, 2016
IPVMU Certified

I'm wondering how effective using obscure ports would be in addition to a strong password.

It seems that someone trying to gain access to the system would have to go through a lot more effort if you set up non-standard ports.

Michael Goodwin
Mar 22, 2016

Or just a smarter port scanner; there are really easy tools for a whole stack of things. But if you have a good firewall that blocks IPs after x number of attempts, that might make it a bit harder.
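As an added illustration (not from any poster in this thread) of the "block an IP after x failed attempts" idea, combined with the installer-LAN whitelist discussed above: a sliding-window counter over constructed VMS login-log lines. The log format, the IP addresses, the 5-minute window and the 192.168.1.0/24 allowlist are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines (hypothetical format): "<ISO time> <source IP> <result> user=<name>"
SAMPLE_LOG = """\
2016-03-22T10:00:01 203.0.113.7 LOGIN_FAILED user=admin
2016-03-22T10:00:03 203.0.113.7 LOGIN_FAILED user=admin
2016-03-22T10:00:04 203.0.113.7 LOGIN_FAILED user=root
2016-03-22T10:00:09 198.51.100.20 LOGIN_FAILED user=admin
2016-03-22T10:00:10 198.51.100.20 LOGIN_OK user=admin
2016-03-22T10:00:11 192.168.1.10 LOGIN_FAILED user=admin
2016-03-22T10:00:12 192.168.1.10 LOGIN_FAILED user=admin
2016-03-22T10:00:13 192.168.1.10 LOGIN_FAILED user=admin
2016-03-22T10:30:00 198.51.100.20 LOGIN_FAILED user=admin
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_FAILED|LOGIN_OK)\b")

def block_decisions(log_text, threshold=3, window=timedelta(minutes=5),
                    allowlist=("192.168.1.0/24",)):
    """Map each source IP to the first time `threshold` failures fell within `window`.
    Sources inside `allowlist` (assumed: the installer's LAN) are never blocked, so a
    mistyped password on site cannot lock the integrator out of the recorder."""
    trusted = [ip_network(n) for n in allowlist]
    failures = defaultdict(deque)  # per-IP timestamps of recent failures
    blocked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login event
        ts, ip, result = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        if result != "LOGIN_FAILED" or ip in blocked:
            continue
        if any(ip_address(ip) in net for net in trusted):
            continue  # whitelisted management range is exempt
        q = failures[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts  # this is where a firewall rule would be pushed
    return blocked

if __name__ == "__main__":
    for ip, when in block_decisions(SAMPLE_LOG).items():
        print(f"block {ip} at {when.isoformat()}")
```

Note that the source with a single failure followed by a success, and another failure half an hour later, is never blocked: only repeated failures inside the window count.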

Michael Goodwin
Mar 22, 2016

Wouldn't listing the things you do be a vulnerability in itself?

Undisclosed #1
Mar 22, 2016
IPVMU Certified

Who said to list them?

Michael Goodwin
Mar 22, 2016

The post says please share....

Undisclosed #1
Mar 22, 2016
IPVMU Certified

Ok, got it.

Wouldn't listing the things you do be a vulnerability in itself?

If those things include effective countermeasures heretofore unknown to the cybersecurity community at large, then I suppose it would be.

Otherwise, since one can post anonymously, I'm not sure why it would be a problem.

Michael Goodwin
Mar 22, 2016

*puts on tin foil hat* If you were trying to get into someone's system, a thread like this would be my first step to look for ideas :)

Keep in mind I'm only half serious when I post this.

John Bazyk
Mar 22, 2016
Command Corporation • IPVMU Certified

We have a few different methods we use depending on the system and the customer's budget.

1.) The system is 100% offline, with strong passwords.

2.) Strong passwords and obscure ports (I understand this doesn't do much, but for a budget system it's better than using factory defaults). We also retain the password for administrator and limit their login to only a few essential capabilities.

3.) More recently, customers who subscribe to our remote services use 2048-bit RSA to log in, and the video stream is encrypted using 256-bit AES.

  • 10-character app and browser passwords, with a complex combination of non-alpha characters, required

  • Three invalid codes entered will log users out

  • Video stream IDs frequently change, with URLs randomly generated at time of viewing

  • All video streams over a closed and encrypted VPN, with authentication required at the camera

  • Panel user-code, email address and password authentication required for login

  • Touch ID supported as an option to launch the app

  • Account enumeration prohibited

  • 2048-bit RSA and 256-bit AES used for encryption

  • No user feedback provided to users regarding email address validity

Undisclosed #2
Mar 22, 2016

Sounds good!

What NVR/VMS are you using?

Thanks

Konstantin Avramenko
Mar 22, 2016

256-bit AES used for encryption

Don't you have issues with the video streaming?

John Bazyk
Mar 22, 2016
Command Corporation • IPVMU Certified

We keep remote access limited to 4CIF for streaming to mobile devices. We can go higher, but there's significant lag time connecting to the cameras with higher resolution. Once connected, live viewing is smooth. During alarm events, VGA gets sent to the cloud for recording. We've found our customers would rather know their data is secure than have higher resolution. Locally they can view and playback full resolution.

We purchase this solution from DMP. DMP installs their certificates and firmware on Hikvision NVRs and cameras. Everything is programmed through their dealer site. This solution is intended for small business and residential systems; it is not ready for systems requiring higher resolution.

Take a look at this demo I just recorded to show the speed of connection and image quality. You should know that the Kitchen, Liam, and Ellie cameras are all Wi-Fi. The Safe camera is hardwired to the NVR, and Driveway is going through a powerline adapter to the router and then to the NVR. I try to test the most absurd connections I can come up with at my house.

(1)
Brian Karas
Mar 23, 2016
IPVM

I'm a little surprised that "obscure ports" hasn't gotten more votes. I think people are doing strong password + obscure ports in many cases, but voting for "Strong Password" because it's the more effective of the two options.
