Cybersecurity ********
**** **** ****, ************* has ****** * *** issue, **** ********* ***************, hacks, *** ******* ** the ****.
** **** *** **** 2 *****, ***** *************** (and ***** *******) **** reported ** ******** *************, including:
******* ** *** ******** of ***** ********* *** their ********** *********, ** is ******** **** ***** understand *** ****** ** cyber ******** *** ************ systems, *** *** ** protect ******* ****** ******* at *** **** *****.
Network ********* ******
** *** ** ******** at *****, ******* ********* guides *** ******, ********* recommendations (** ** *******, see ********* ********* ***** ) ** **** *** network **** ******. ****/**** of ***** *************** ***** to ************ ********, ** well, ********* *********** ******** and ***** *******, ******** passwords, ********* *****, ***.
*******, **** *************** *** be ***** *** ****** what **** ** ***** integrators *** ******* **, or **** ** ********* for * ***** ******. Complex ************** ******* **** as ***.**, **** ***********, SNMP **********, ***., *** simply *** ***** *** time/cost ** ********* *** many *******, ***** *** limited ****.
Surveillance ********* ****** ************ ******
****** **, ************ ******** hardening ****** **** ************ been ****. *******, **** number *** ******* ** the **** * *****
*** ***** *************** ** each ** ***** ****** vary, *** **** *** divided **** ***** *** advanced ******, ********* ** the *********** ** *** installation.
*** **** *****, *** instance, ****** **** **** only (*** ********** ***) to ****** ****** ********** networks, *** ******* ***** best *********, **** ** strong *********, ******** ********, and ********* ********* ******, through **** ******* *********, such ** ***.** **************, SNMP **********, *** ****** servers.
***** ***** ****** *** manufacturer-specific, ********* ************ ********* to *** ****** ** VMS, **** *************** *** useful ****** *** *************, and **** ** **** with ** ******** **** practices, *** *** ********* discussed *****.
Strong *********
****** ********* *** *** most ***** ******** *******, but *************, ******* ** many *****. **** ************ systems *** ******** ** the ***** **** ******* passwords ** *** *********, including *******, ********, *********, and **** (*** ***** ******* ******* ********* List ). ***** ** *** make ** ****** *** techs ** ****** ******* but **** **** ** simple *** ****** ** log **** ***'* ******* (see: ****** ****** *** ******* IP ******* ).
** *** **** *****, all ************ ******* *******, including *******, *******, *** servers, ****** ** ******* from *** ******** **** strong *********, ********** ** a ****** ********. **** prevents ****** ** *** network ***** ****** ******** guessing, ********* * **** skilled ******** *** **** complex *******.
**** ************* ******* ******** the ******* ******** **** connecting *** *** ***** time (*** *********** ** *** ****, Dahua *** ******* *** passwords ). ******, ** ************* ******* (*) ***** **** ******** ******* passwords *********, ****** *** well **** ** ******* remains ** ** ****.
LDAP/AD ***********
***** ****/****** ********* (**) integration, *** *********** *** assigned ** ******* ***** managed ** * ******* server (**** ****** ****** sign-on). ***** ***** **** accounts ***** ********* ******** strength *** ********** *****, this *********** *** ******* security **** ***** *** accounts ***** ** *** have ***** ************. **** reduces ************** ********, ***** individual ******** ** *** to ** ******* *** maintained.
*********, **** *** ** restricted ** ******, ********** systems, ***** **** ***** installations ** *** **** an **** ****** ***********. Some ***** ** ******* systems ***** *** ********* in ****** ********, ********** education *** ********* **********, may *** **** ** these ************* *** ****** to *** ** *** their ******* ****** *******.
**** / ** ***** theoretically ** **** *** IP *******, ***, ** practice ** ***. ***************, as * ********* ********, is *** ********* ** almost *** ** ******, which ********* *** ** Linux. ********** ** ****** ******* to ** ** , *** ** *** not ****** *** ********** market *****.
Firewalls/Remote ******
** ******* ************ ****** access, **** ************ ******* are *** ********* ** the ******** ** ***, instead ** * ******* separate ***. **** ******* risk, *** *** **** service **** *********, ** updates ** ************ ******** and ********, ******* ****** downloaded, **** ** ****** from *** ** ***** means.
***** ******* ***** *** connected *** ********* ****** a ********, ***** ****** inbound/outbound ******* ** **** specific ** ********* *** ports ***** **** **** authorized. ***** ******* ** rejected. ******** ***********, **** may ******* *** **** majority ** *******. **** cameras *** ***** ************ equipment ** ** ********* to **** ******* ******** up ** ****. ***** have **** *** ***** security *************** ******* ** insecure *******. *** ***** is ************** ** ***** ******** , *** *** ***** is ********** ********** ********* ************** ** **** ** ********* insecure **** / *** routers.
Remote ****** *****
*** ******* ***** ************* ****** , ***** *** ******* may ******* *** ** more ***** ** ** open. *******, **** **** port ******** * ******** opportunity *** ** ********. Exactly *** **** *** which ****** ** *** VMS. ***** ****** ***** to ************ ************* *** which ***** **** ** open ** ****** ****** is ******** (*** *********** or ****** *******), *** we **** **** ******** in ********** ***** *** ** Video ************ ******** .
P2P/Cloud ******
*************, **** ************* ***** for "***** ****" ****** access, ***** **** ** a ****** ****** *** an ******** ********** ******* requiring **** *****, ******** risks. **** ******* *** recorders *** ***** *********** for ****** ******, **** as ********* *****, ***** *** ***** ***, ********** *****. ************, **** ****** desktop ******** *** ******* technology, **** ** *******, TeamViewer, *********, ***.
** ******* ***** ******* in ********* ******* ****** *** Video ************ ********.
*****
******* **** (********* ** VLANs) ******* ******** ** ********** traffic **** ******** ******* networks. ** ***** ***** services, **** ** ** based ************ ********* ** general ****** *** *******, may ***** ** *** same ******** ******, *** practical ******** *** ******** are ********* ** **** other, *** ***********.
*** *******, ** *** image *****, *** ************ equipment ** **** * may *** ** ******* by *** ****** ** on **** *, *** could * **** ** the ****** (**** *) "***" traffic ** *** **** VLAN (**** *).
***** *** **** ******** set ** ********.** ******* , ***** **** * header ** **** ***** containing **** ***********. **** header ** *********** ** the ****** *** ******* forwarded **** ** ***** devices ** *** **** VLAN.
**** **** ***** ******* may *** ** *********** across *****, ********* *********** still *****. ******** ***** video ******* *** ********** impact **** *** ****** application ***********, ***** ***** file ********* *** ****** the ************ *******. ******* of ****, ***** *** also **** ***** ******** in *********** *********** ** ******* (***) , ***** *********** ******* traffic, ******* ***** ******* ahead ** **** *********, for *******, ** ***** quality ** *** ********.
*** ******** *** ************ ***** *** ******* ***********.
Disabling ****** ****** *****
******* **** *** ********* overlooked ****** ** ******* unauthorized ******* **** ********* a ****** ** ** disable *** ****** *****. This **** ********* *** risk ** ******* ****** to ****** * ******** subnet ** ******** * patch ***** **** * switch ** ****** ******* jack. *** ****** ** disable ******** ***** ** a ****** ****** ** managed ********, **** *** cost *** **********:
***** ********* ** ********* the ****** ** ********* access ******, **** **** does *** *********** ******* unauthorized ****** ** * network, ** ******* ***** potentially ****** * ****** (camera, ***********, *******) **** a ********** ********** **** or **** *** ****** its ****, ****** ******** such ** *** ********* or ***.** *** ** place.
Disabling ****** ******* *****
**** ******* **** **** unneeded ******* ***** ****** on, **** ** ******, SSH, ***, ***., ** we ***** ** ********** ** ******* **** . ***** ***** *** favorite ******* ** ******* (as *********** ** ******* miners *** ****** *************** found *********** ******* ).
* ***** ** ****** scan ** * ******* IP ****** ******* ******** open ***** ***** **** those ******** *** *** access *** ***** ********* (80/554):
***** ***** ****** ** disabled ******** ******** ** prevent ********* *******.
Disabling ****** ********
*********** ******** ** ******* workstations *** ******* ****** be ****** ***. ***** may ******* ************-******** ****** utilities, ******* ********* ****** services, *** ********, ***. These ******** ******** *** act ** * ******** for ******* ** *******, consume ********** ********* *** memory, *** ******** ******* time.
***** ******** ****** ** disabled ** *** ** operate **** **** ******** started, ** **** **** in *******:
OS *** ******** *******
** *********** ****** **** * ****** ** some ****** , **** **** ***** installing ***** ********* ******* Update, *** *******, ***** others ****** **** ***** updates *** ***** *** software ** ****** ************.
*******, ***** ******* (********** Windows ******) ***** ******* patches ** ***** ********** security ***************, **** ** the ********** *** ************* , ***** ******** ******** of ********* *********. ******* for ***** *********** ****** should ** *********.
*****, **** *******, ******* may ** ********. ***** especially ********* ***** ************* issues ****** ******* ***** camera/recorder/VMS ************* ** *** their *************** *** ******** updates ** ***.
MAC ******* *********
*** ******* ********* ****** only * ******** **** of ******* ** ******* to *** ******. ***** devices ******* **** *** switch *** *******, **** if *** **** ********** was **** ** * valid ******. *** ********* is ******** **** ***** managed ********.
** ************ ********, *** filtering ** ********* **** to **********. **** *** cameras, *******, *** ******* are *********, ** ** enabled, *** ********* *******' MACs ***** ** *** whitelist. ***** ***** ******* in * ************ ******* are ****** ******* ***, little ***** *********** ** required. ** ***** ******** where ******* *** ********** be ***** ** *******, administrators *** **** ********* more ********** ** **********.
**** ***** ***** *** filtering ******* ** * typical ******* ****** *********:
*** ********** ********** *** ***** Surveillance ***** *** **** ********** *** a ***** ******** ** MAC *********.
***.**
***.** ******** ******* ****** to ******* ** *** network ** **** ****** credentials ** ** ******* on. **** ****** ****** devices ** ********* **** just ******* ** * network.
***** ***.**, * "**********" (client **** * ******, PC, ***.) ******** ** connect ** ******* *** a ****** ** *** (called *** "*************"). *** authenticator **** ****** *** credentials ** *** ********** with * ******, **** the ************** ****** (********* using * ******** ************ , *** ****** ** denies ****** ***********.
***** ***.** ******** ****** security, ******* ** * network ** ******* ** can ** ********** *** involved. *** **** **** connected ******* (*******, ****, client ***, ****, ***.) support ***.** ***********, *** switches ****, ** ****. Each ** ***** ******* must ** ************ ********** for ***.**, ****** ********** configuration **** ** *** install.
******* ** ***** *******, which ******** **** *** administration ********, ***.** ** rarely **** ** *** but *** **** ******* enterprise ************ ********, **** users ****** *** ******* security ******** *******.
Locking *****
******* ***** ** ******** that ********** ******** ********** or ********* **** ******* cabling ** ************ ******* are **** ***** *** cable *****. ***** ******* mechanically **** * ***** into * ******, ***** panel, ** **** ****, or **** ****** ****** ports, *** *** **** be ******* **** * proprietary ****.
***** ***** ***** ** locks *** ********* ** stopping ****** *********, **** are *** ********** ** indestructible, *** * ********** intruder *** ****** ** able ** ***** **** out ** *** **** loose ***** ****** ****. As ****, ******* ***** should ** ********** **** of * **** ******* security *******, *** *** the **** *******.
*** * ****** ****, read ********** **** ******* *********** ******.
Door ***** *** ******** ******
*******, **** ********* **** for *********** ****** ** the **** ********** ***** of * *******, *** rooms, *******, ** ***** where ************ ******* *** switches *** ********* *******. By ******** *** ********* availability ** ***** *****, many ***** **** ********** or **** *********** ******* can ** *******. ** doors ****** ** *******, individual **** ***** ** switch ********** ****** **. Most ****** ** ********* includes ******** ********* ** standard *******:
** * ******, **** facilities ****** ********** ****** control ** ****** ** network ********* *****. *******, even ***-****** ********** **** and ***** *** ** a ***** *** ** protecting ********* ***** **** properly *******.
Managing ************* *** ***** ************ *******
***** *** *** ***** below *** ******* ******** on ***** ***, **** are **** ********* **** documented ** **** ** a ******* (*** ********) security ******.
** ************, **** ****** is ** ** *** individual *******, *** ********* it ***** **** *** of *** ******:
*** ****: **** *** ************ ******* is **** ** * larger *********/********** *** (******* sharing ******** ** *********), end ***** **** ****** control *** ******** ****** for *** ******* *******, and *** ***** ***** requirements **** *********** (*** better ** *****).
**********: ** ** *** **** does *** **** * security ****** ** *****, the ********** ********** *** choose ** ****** *** as **** ** ***** documentation, ********* ** ** be ******** ** ***** for *** ******** ** be ******** *** ***** liability ** **** ** a ******.
Test **** *********
**** ****** ******** **** ***.
[****: **** ***** *** originally ********* ** **** but ************* ******* ** 2018 **** ********** ******* exploit/vulnerability ***********, ********* ******, image ********, *** ****]
Comments (14)
Undisclosed Manufacturer #1
Excellent overview. Thank you.
Undisclosed End User #2
Vivotek Security Hardening guide is listed twice, once under the Hanwha hyperlink and also under the Vivotek Security Hardening guide. Great subject matter, however; thank you for the information.
Undisclosed Manufacturer #3
(Milestone employee posting)
The current Milestone link looks like it's from 2016.
Milestone does update their Hardening Guide for each one of their three releases per year - search for "hardening guide" at their Content Portal at https://content.milestonesys.com
bit.ly link for current one: https://bit.ly/2Li7BXq
Brian Anderson, CPP®
This is why I pay money to IPVM. Very well done. Do you think there will ever be a Cybersecurity for Access Control Guide? We're actually working a lot of these things into our security specifications.
Michael Gonzalez
05/23/18 03:05am
Excellent, thanks!
Paresh Desai
I am surprised to see UPnP and Bonjour come on by default even on non-consumer cameras.
Sean Osborne
Wow... mind blown...
A lot of useful information, great job putting this together, guys.
Undisclosed #4
In hardening a new network what is your priority of work?
Undisclosed End User #5
FYI:
The "Dahua Best Practices" link returns a 404 error, "Page Not Found" message. Go To Homepage>Support>Cybersecurity will get one to the desired destination. I do highly recommend those who want a decent chuckle to click the link above in this article as Dahua's typed message above the search box should do the trick. Enjoy!
Joey Rao-Russell
I like the idea of locking network plugs; how might I go about finding them?