Cybersecurity ********

**** **** ****, ************* has ****** * *** issue, **** ********* ***************, hacks, *** ******* ** the ****.

** **** *** **** 2 *****, ***** *************** (and ***** *******) **** reported ** ******** *************, including:

• ********* ******** *******: * ********* ******** which ****** ********* **** control ** ********* ** cameras.
• ***** ****-***** *********** *************: ****-***** *********** **** found ** ******** *** cameras *** ****, ******** for ***** ******** *******.
• ********* ** ********* *** Vulnerabilities, ********* ****** **** access *** ***** **** credentials
• *** ********, ********* ************** ** download ****** ****** ************* - ********* ***** *** password ** ***** ****
• **** ******** ******** *************: * ************* ****** attackers ** ******** ******** a ****** **********, ******** the ******** ** **** over *** ******, ****** it, ***** ** ****, etc.
• ****** ***** ******* ***** Massive ***** ******: ** **** ** the ***** ******, ****** Dahua ******* (*** ******) took **** ***** ******** sites *** ****** ****** *******.
• *** *********** ** ***** ************ Cybersecurity *************** *** *********** **** *********** ** these *** ***** ******, including *** **** ** they *****.

******* ** *** ******** of ***** ********* *** their ********** *********, ** is ******** **** ***** understand *** ****** ** cyber ******** *** ************ systems, *** *** ** protect ******* ****** ******* at *** **** *****.

Network ********* ******

** *** ** ******** at *****, ******* ********* guides *** ******, ********* recommendations (** ** *******, see ********* ********* *****) ** **** *** network **** ******. ****/**** of ***** *************** ***** to ************ ********, ** well, ********* *********** ******** and ***** *******, ******** passwords, ********* *****, ***.

*******, **** *************** *** be ***** *** ****** what **** ** ***** integrators *** ******* **, or **** ** ********* for * ***** ******. Complex ************** ******* **** as ***.**, **** ***********, SNMP **********, ***., *** simply *** ***** *** time/cost ** ********* *** many *******, ***** *** limited ****.

Surveillance ********* ****** ************ ******

****** **, ************ ******** hardening ****** **** ************ been ****. *******, **** number *** ******* ** the **** * *****

• **** ***** ********* *****
• ***** ** ***** *** Data ******** *********
• ***** ******* ******** ********* Guide
• ******** ******** ******** ****** Best *********
• ******* ***** ********* ***** (requires ******* *****)
• ****** ******* ********* *****
• ********* ******* ******** ********* Guide
• ********* ***** ********* *****
• ***** ********* *****
• ******* ***** ************ ****** Hardening *****
• ******* ******** ********* *****

*** ***** *************** ** each ** ***** ****** vary, *** **** *** divided **** ***** *** advanced ******, ********* ** the *********** ** *** installation.

*** **** *****, *** instance, ****** **** **** only (*** ********** ***) to ****** ****** ********** networks, *** ******* ***** best *********, **** ** strong *********, ******** ********, and ********* ********* ******, through **** ******* *********, such ** ***.** **************, SNMP **********, *** ****** servers.

***** ***** ****** *** manufacturer-specific, ********* ************ ********* to *** ****** ** VMS, **** *************** *** useful ****** *** *************, and **** ** **** with ** ******** **** practices, *** *** ********* discussed *****.

Strong *********

****** ********* *** *** most ***** ******** *******, but *************, ******* ** many *****. **** ************ systems *** ******** ** the ***** **** ******* passwords ** *** *********, including *******, ********, *********, and **** (*** ***** ******* ******* ********* List). ***** ** *** make ** ****** *** techs ** ****** ******* but **** **** ** simple *** ****** ** log **** ***'* ******* (see:****** ****** *** ******* IP *******).

** *** **** *****, all ************ ******* *******, including *******, *******, *** servers, ****** ** ******* from *** ******** **** strong *********, ********** ** a ****** ********. **** prevents ****** ** *** network ***** ****** ******** guessing, ********* * **** skilled ******** *** **** complex *******.

**** ************* ******* ******** the ******* ******** **** connecting *** *** ***** time (*** *********** ** *** ****, Dahua *** ******* *** passwords). ******, ** ************* ******* (*)***** **** ******** ******* passwords *********, ****** *** well **** ** ******* remains ** ** ****.

LDAP/AD ***********

***** ****/****** ********* (**) integration, *** *********** *** assigned ** ******* ***** managed ** * ******* server (**** ****** ****** sign-on). ***** ***** **** accounts ***** ********* ******** strength *** ********** *****, this *********** *** ******* security **** ***** *** accounts ***** ** *** have ***** ************. **** reduces ************** ********, ***** individual ******** ** *** to ** ******* *** maintained.

*********, **** *** ** restricted ** ******, ********** systems, ***** **** ***** installations ** *** **** an **** ****** ***********. Some ***** ** ******* systems ***** *** ********* in ****** ********, ********** education *** ********* **********, may *** **** ** these ************* *** ****** to *** ** *** their ******* ****** *******.

**** / ** ***** theoretically ** **** *** IP *******, ***, ** practice ** ***. ***************, as * ********* ********, is *** ********* ** almost *** ** ******, which ********* *** ** Linux. ********** ** ****** ******* to ** **, *** ** *** not ****** *** ********** market *****.

Firewalls/Remote ******

** ******* ************ ****** access, **** ************ ******* are *** ********* ** the ******** ** ***, instead ** * ******* separate ***. **** ******* risk, *** *** **** service **** *********, ** updates ** ************ ******** and ********, ******* ****** downloaded, **** ** ****** from *** ** ***** means.

***** ******* ***** *** connected *** ********* ****** a ********, ***** ****** inbound/outbound ******* ** **** specific ** ********* *** ports ***** **** **** authorized. ***** ******* ** rejected. ******** ***********, **** may ******* *** **** majority ** *******. **** cameras *** ***** ************ equipment ** ** ********* to **** ******* ******** up ** ****. ***** have **** *** ***** security *************** ******* ** insecure *******. *** ***** is ************** ** ***** ********, *** *** ***** is ********** ********** ********* **************** **** ** ********* insecure **** / *** routers.

Remote ****** *****

*** ******* ***** ************* ******, ***** *** ******* may ******* *** ** more ***** ** ** open. *******, **** **** port ******** * ******** opportunity *** ** ********. Exactly *** **** *** which ****** ** *** VMS. ***** ****** ***** to ************ ************* *** which ***** **** ** open ** ****** ****** is ******** (*** *********** or ****** *******), *** we **** **** ******** in ********** ***** *** ** Video ************ ********.

P2P/Cloud ******

*************, **** ************* ***** for "***** ****" ****** access, ***** **** ** a ****** ****** *** an ******** ********** ******* requiring **** *****, ******** risks. **** ******* *** recorders *** ***** *********** for ****** ******, **** as********* *****,***** *** ***** ***, ********** *****. ************, **** ****** desktop ******** *** ******* technology, **** ** *******, TeamViewer, *********, ***.

** ******* ***** ******* in ********* ******* ****** *** Video ********************.

*****

******* **** (********* ** VLANs)******* ******** ** ********** traffic **** ******** ******* networks. ** ***** ***** services, **** ** ** based ************ ********* ** general ****** *** *******, may ***** ** *** same ******** ******, *** practical ******** *** ******** are ********* ** **** other, *** ***********.

*** *******, ** *** image *****, *** ************ equipment ** **** * may *** ** ******* by *** ****** ** on **** *, *** could * **** ** the ****** (**** *)"***" traffic ** *** **** VLAN (**** *).

***** *** **** ******** set ** ********.** *******, ***** **** * header ** **** ***** containing **** ***********. **** header ** *********** ** the ****** *** ******* forwarded **** ** ***** devices ** *** **** VLAN.

**** **** ***** ******* may *** ** *********** across *****, ********* *********** still *****. ******** ***** video ******* *** ********** impact **** *** ****** application ***********, ***** ***** file ********* *** ****** the ************ *******. ******* of ****, ***** *** also **** ***** ******** in *********** *********** ** ******* (***), ***** *********** ******* traffic, ******* ***** ******* ahead ** **** *********, for *******, ** ***** quality ** *** ********.

*** ******** *** ***************** *** ******* ***********.

Disabling ****** ****** *****

******* **** *** ********* overlooked ****** ** ******* unauthorized ******* **** ********* a ****** ** ** disable *** ****** *****. This **** ********* *** risk ** ******* ****** to ****** * ******** subnet ** ******** * patch ***** **** * switch ** ****** ******* jack. *** ****** ** disable ******** ***** ** a ****** ****** ** managed ********, **** *** cost *** **********:

***** ********* ** ********* the ****** ** ********* access ******, **** **** does *** *********** ******* unauthorized ****** ** * network, ** ******* ***** potentially ****** * ****** (camera, ***********, *******) **** a ********** ********** **** or **** *** ****** its ****, ****** ******** such ** *** ********* or ***.** *** ** place.

Disabling ****** ******* *****

**** ******* **** **** unneeded ******* ***** ****** on, **** ** ******, SSH, ***, ***., ** we ***** ** ********** ** ******* ****. ***** ***** *** favorite ******* ** ******* (as *********** ** ******* miners *** ****** *************** found *********** *******).

* ***** ** ****** scan ** * ******* IP ****** ******* ******** open ***** ***** **** those ******** *** *** access *** ***** ********* (80/554):

***** ***** ****** ** disabled ******** ******** ** prevent ********* *******.

Disabling ****** ********

*********** ******** ** ******* workstations *** ******* ****** be ****** ***. ***** may ******* ************-******** ****** utilities, ******* ********* ****** services, *** ********, ***. These ******** ******** *** act ** * ******** for ******* ** *******, consume ********** ********* *** memory, *** ******** ******* time.

***** ******** ****** ** disabled ** *** ** operate **** **** ******** started, ** **** **** in *******:

OS *** ******** *******

** *********** ********** * ****** ** some ******, **** **** ***** installing ***** ********* ******* Update, *** *******, ***** others ****** **** ***** updates *** ***** *** software ** ****** ************.

*******, ***** ******* (********** Windows ******) ***** ******* patches ** ***** ********** security ***************, **** ** the********** *** *************, ***** ******** ******** of ********* *********. ******* for ***** *********** ****** should ** *********.

*****, **** *******, ******* may ** ********. ***** especially ********* ***** ************* issues ****** ******* ***** camera/recorder/VMS ************* ** *** their *************** *** ******** updates ** ***.

MAC ******* *********

*** ******* ********* ****** only * ******** **** of ******* ** ******* to *** ******. ***** devices ******* **** *** switch *** *******, **** if *** **** ********** was **** ** * valid ******. *** ********* is ******** **** ***** managed ********.

** ************ ********, *** filtering ** ********* **** to **********. **** *** cameras, *******, *** ******* are *********, ** ** enabled, *** ********* *******' MACs ***** ** *** whitelist. ***** ***** ******* in * ************ ******* are ****** ******* ***, little ***** *********** ** required. ** ***** ******** where ******* *** ********** be ***** ** *******, administrators *** **** ********* more ********** ** **********.

**** ***** ***** *** filtering ******* ** * typical ******* ****** *********:

*** ********** ********** *** ***** Surveillance ******** **** ********** *** a ***** ******** ** MAC *********.

***.**

***.** ******** ******* ****** to ******* ** *** network ** **** ****** credentials ** ** ******* on. **** ****** ****** devices ** ********* **** just ******* ** * network.

***** ***.**, * "**********" (client **** * ******, PC, ***.) ******** ** connect ** ******* *** a ****** ** *** (called *** "*************"). *** authenticator **** ****** *** credentials ** *** ********** with * ******, **** the ************** ****** (********* using * ******** ************, *** ****** ** denies ****** ***********.

***** ***.** ******** ****** security, ******* ** * network ** ******* ** can ** ********** *** involved. *** **** **** connected ******* (*******, ****, client ***, ****, ***.) support ***.** ***********, *** switches ****, ** ****. Each ** ***** ******* must ** ************ ********** for ***.**, ****** ********** configuration **** ** *** install.

******* ** ***** *******, which ******** **** *** administration ********, ***.** ** rarely **** ** *** but *** **** ******* enterprise ************ ********, **** users ****** *** ******* security ******** *******.

Locking *****

******* ***** ** ******** that ********** ******** ********** or ********* **** ******* cabling ** ************ ******* are **** ***** *** cable *****. ***** ******* mechanically **** * ***** into * ******, ***** panel, ** **** ****, or **** ****** ****** ports, *** *** **** be ******* **** * proprietary ****.

***** ***** ***** ** locks *** ********* ** stopping ****** *********, **** are *** ********** ** indestructible, *** * ********** intruder *** ****** ** able ** ***** **** out ** *** **** loose ***** ****** ****. As ****, ******* ***** should ** ********** **** of * **** ******* security *******, *** *** the **** *******.

*** * ****** ****, read ********** **** ******* *****************.

Door ***** *** ******** ******

*******, **** ********* **** for *********** ****** ** the **** ********** ***** of * *******, *** rooms, *******, ** ***** where ************ ******* *** switches *** ********* *******. By ******** *** ********* availability ** ***** *****, many ***** **** ********** or **** *********** ******* can ** *******. ** doors ****** ** *******, individual **** ***** ** switch ********** ****** **. Most ****** ** ********* includes ******** ********* ** standard *******:

** * ******, **** facilities ****** ********** ****** control ** ****** ** network ********* *****. *******, even ***-****** ********** **** and ***** *** ** a ***** *** ** protecting ********* ***** **** properly *******.

Managing ************* *** ***** ************ *******

***** *** *** ***** below *** ******* ******** on ***** ***, **** are **** ********* **** documented ** **** ** a ******* (*** ********) security ******.

** ************, **** ****** is ** ** *** individual *******, *** ********* it ***** **** *** of *** ******:

• *** ****:**** *** ************ ******* is **** ** * larger *********/********** *** (******* sharing ******** ** *********), end ***** **** ****** control *** ******** ****** for *** ******* *******, and *** ***** ***** requirements **** *********** (*** better ** *****).
• **********:** ** *** **** does *** **** * security ****** ** *****, the ********** ********** *** choose ** ****** *** as **** ** ***** documentation, ********* ** ** be ******** ** ***** for *** ******** ** be ******** *** ***** liability ** **** ** a ******.

Test **** *********

**** ****** ******** *******.

[****: **** ***** *** originally ********* ** **** but ************* ******* ** 2018 **** ********** ******* exploit/vulnerability ***********, ********* ******, image ********, *** ****]