Network Security - Best practices for working with networked software and hardware
Cyber defence is today one of the most sensitive points of a company's data security. It is a demanding task, given the rising frequency and sophistication of security threats.
Not all companies and organisations are equally exposed to cyber attacks, so the first step should be a risk analysis of the system, on which a realistic strategy for preventing attacks and protecting the system can be planned. The risk analysis considers not only the potential threats but also the damage they can cause and the cost the company would bear to bring the whole network or system back into service. Creating and maintaining cyber-resilient networks requires considerable effort and investment: up-to-date tools, an effective hardening plan, and staff who understand how vital security is to everyday work. Networks must also be secured with the proper tools (filters, firewalls, strong encryption of data, etc.), maintained regularly, and the endpoint devices attached to them must be protected.
Well-defended and well-maintained networks and systems provide a higher level of security. A network that has not been properly secured is an attractive target: attackers can try to steal data or other material, or simply spread malware, viruses and other threats. The impact and cost of such actions are hard to estimate and must not be underestimated, both for the network itself and for every system that relies on it for daily operation.
From this perspective, clients must take every necessary precaution to secure their networks, and therefore their systems, and should require the same commitment to defence from the installers who implement those systems and the devices and tools that are part of them. Moreover, given how interconnected and exposed today's networks are, the security system provider cannot be held responsible for failures caused by security measures that were not implemented or were overlooked.
The following paragraphs will provide more detailed information on how to protect and strengthen networks and networked appliances.
1. KEEP YOURSELF EDUCATED
Reading this guide will give you a valuable insight into the world of network security.
However, as with everything in computing, threats and countermeasures evolve constantly: use the Internet to keep yourself informed about new threats and countermeasures and to deepen your knowledge of the subject of this document.
The more you know, the better you will be able to understand threats, assess the security of your system and carry out a useful risk analysis to decide when your security procedures need upgrading.
Most italic words in this document are complex concepts that you might want to learn more about.
Search for them on your favourite search engine or on Wikipedia to gain a deeper knowledge about these subjects.
2. PASSWORD MANAGEMENT
It goes without saying: you do not want an unauthorised person to access your security system and be able to disable parts of it, change its settings or use the information available inside it for their own purposes. Your system, however, has to grant access to legitimate users, which is usually done with login passwords. This chapter explains how to create passwords that are hard to guess and how to manage them properly.
2.1 Use a strong password
If attackers can guess a password in a few attempts, it is almost like using no password.
You should avoid:
- using the default password, which is publicly available in the technical documentation;
- using a short password, which is vulnerable to brute-force attacks;
- using one or more words found in a dictionary, the target of dictionary attacks;
- using dictionary words with characters replaced by similar-looking ones (e.g. P455W0RD): cracking tools apply the same substitutions before looking the word up;
- using common character sequences, such as "123" or "asd" (keyboard patterns);
- using personal data that might be available to the attacker, such as birth dates or names of relatives.
A password is considered strong if it contains at least 8 characters chosen at random from upper and lower case letters, numbers and symbols. Treat 8 as a minimum: each additional random character multiplies the work a brute-force attack needs, so a longer random password or passphrase is always the better choice.
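The rules above can be turned into an automated check, so that a password is rejected before it is typed into a device. The following Python example is added here and is not part of the original guide or of any EL.MO. product; the default-password set, the dictionary and the sequence list are tiny constructed samples (a real checker would load full word lists and the defaults from the product manuals), and the guess rate used for the cracking-time estimate is an assumption.

```python
import math
import re

# Constructed sample data for this example: a few documented default credentials and
# a tiny word list stand in for the real lists a checker would load from disk.
DEFAULT_PASSWORDS = {"admin", "1234", "12345", "password", "admin123"}
DICTIONARY = ("password", "camera", "security", "welcome", "summer", "dragon")
COMMON_SEQUENCES = ("123", "abc", "asd", "qwe", "000", "111")

# Substitutions that cracking tools undo before a dictionary lookup (P455W0RD -> password).
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})

CHARACTER_CLASSES = {
    "lower case letters": (r"[a-z]", 26),
    "upper case letters": (r"[A-Z]", 26),
    "digits": (r"[0-9]", 10),
    "symbols": (r"[^A-Za-z0-9]", 33),   # printable ASCII punctuation
}


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return [name for name, (pattern, _) in CHARACTER_CLASSES.items()
            if re.search(pattern, password)]


def entropy_bits(password):
    """Brute-force entropy estimate: length * log2(size of the alphabet in use).

    This is the strength of a password whose characters really are random; a
    dictionary word with a digit appended scores far higher than it deserves,
    which is why check_password() applies the other rules as well.
    """
    pool = sum(size for pattern, size in CHARACTER_CLASSES.values()
               if re.search(pattern, password))
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password, personal_data=()):
    """Return the list of rules from 2.1 that the password breaks; an empty list means it passes."""
    problems = []
    lowered = password.lower()
    deleeted = lowered.translate(LEET_MAP)

    if lowered in DEFAULT_PASSWORDS:
        problems.append("default password published in the documentation")
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    for word in DICTIONARY:
        if word in lowered or word in deleeted:
            problems.append(f"contains the dictionary word '{word}' (with or without character substitutions)")
    for seq in COMMON_SEQUENCES:
        if seq in lowered:
            problems.append(f"contains the common sequence '{seq}'")
    for item in personal_data:
        if item and item.lower() in lowered:
            problems.append(f"contains personal data '{item}'")
    if len(classes_used(password)) < len(CHARACTER_CLASSES):
        problems.append("does not mix upper case, lower case, digits and symbols")
    return problems


def guess_time_seconds(password, guesses_per_second=1e10):
    """Expected time to search half the key space at the given rate (assumed offline cracking speed)."""
    return 2 ** entropy_bits(password) / 2 / guesses_per_second


if __name__ == "__main__":
    for candidate in ("admin", "P455W0RD", "Summer2019!", "kT7#vQ9!pL2m"):
        print(candidate, check_password(candidate, personal_data=("Rossi", "1984")),
              f"{entropy_bits(candidate):.1f} bits, ~{guess_time_seconds(candidate):.2g} s to crack")
```

Note how "P455W0RD" passes the length rule yet fails twice: the leet substitutions are undone before the dictionary lookup, and the password uses only two character classes. The entropy figure is only meaningful for the last candidate, whose characters were chosen at random; for the others the rule list, not the bit count, is the verdict.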
2.2 Use unique passwords
People often use the same few passwords for several services.
Despite the extra passwords to remember, using a different one for each service is the right thing to do.
Indeed, should an attacker learn your password for one service (for example through phishing, or from a breached password database), they will almost certainly try to identify you and use the same password on the other services you use (so-called credential stuffing).
For the same reason, do not use the same password on several devices of the same system. Should someone find out the password of one of your cameras, at least they will only be able to access that one.
2.3 Protect your passwords
Do not tell your password to anyone. If someone needs to access your system for a while, give them their own account and password, or type the password yourself.
The more people know a password, the easier it is for it to slip out to the wrong person.
In a system where your username and password identify and log who changed a setting, giving someone else your password may also mean being held responsible for their actions.
2.4 Change your passwords often
If someone has learnt one of your passwords and is using it to snoop on you (logging in to monitor your system while keeping a low profile), changing your passwords regularly will at least force them out again, because the leaked password will stop matching the current one.
Having to choose new passwords often might tempt you into using weak ones or reusing previous ones; that would turn password changes into a bad practice. In any case, change a password immediately whenever you suspect it has leaked, and whenever a person who knew it leaves.
2.5 Disable auto-login
When accessing a security system from a computer used by several people, make sure auto-login is disabled (and do not let the browser save the password), so that users without the correct credentials cannot get into your system.
2.6 Consider using a password manager
Having to memorise many different, strong passwords can lead to password fatigue, a form of stress that often pushes users into deliberately choosing weak or recycled passwords.
A solution to this problem is a password manager: an encrypted, password-protected store of all your current passwords.
While a password manager makes it easy to handle a large number of complex passwords, it also means that whoever learns that single master password gains access to all of them. Plan accordingly: choose a long master password, protect the device the manager runs on, and enable a second factor where the manager supports it.
2.7 Spread the culture
Make sure everyone who needs to use or set passwords knows what has been explained in the previous paragraphs.
2.8 Create a backup admin account
If attackers get into your system, they will change the password in order to lock you out.
If your system allows it, create a backup administrator account with its own strong, unique password, stored securely and used only in emergencies: with it you can log in, change the password of the compromised account and regain control of it.
3. SYSTEM SETUP
3.1 Make sure your logs provide useful information
It is important that date and time are set correctly, so that the logs record the right information at all times and can be correlated with the logs of other devices. Synchronise the device clock with a Network Time Protocol (NTP) server, public or private, and check that the device's time zone is set correctly as well.
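To make concrete what the synchronisation does, and to give a way of checking how far a device clock has drifted, here is a minimal SNTP client in Python. It is an added example, not code from the original guide or from any EL.MO. device: it builds the 48-byte request, parses the server's transmit timestamp from the reply (rejecting replies that are not from a server or that carry a stratum-0 "kiss-o'-death" back-off signal), and compares a device's clock reading with the server time against an assumed tolerance of one second. The reply used offline is constructed in the code; query_ntp() performs the real exchange when a network is available.

```python
import socket
import struct

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_DELTA = 2208988800


def build_client_request():
    """48-byte SNTP request: LI=0, version 4, mode 3 (client), every other field zero."""
    return bytes([0b00_100_011]) + b"\x00" * 47


def parse_server_reply(packet):
    """Return the server's transmit timestamp as Unix seconds (float).

    Rejects packets that are too short, that are not mode 4 (server reply), or
    whose stratum is 0: a 'kiss-o'-death' message telling the client to back off.
    """
    if len(packet) < 48:
        raise ValueError("packet too short for NTP")
    mode = packet[0] & 0x07
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if packet[1] == 0:
        raise ValueError("kiss-o'-death reply; do not retry immediately")
    seconds, fraction = struct.unpack("!II", packet[40:48])   # transmit timestamp, 32.32 fixed point
    return seconds - NTP_UNIX_DELTA + fraction / 2 ** 32


def clock_offset(device_time, server_time, max_offset=1.0):
    """Return (offset in seconds, True if within the assumed tolerance) for a device clock reading."""
    offset = device_time - server_time
    return offset, abs(offset) <= max_offset


def query_ntp(server, timeout=2.0):
    """Live query (needs network): returns the server's time as Unix seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_client_request(), (server, 123))
        reply, _ = sock.recvfrom(512)
    return parse_server_reply(reply)


def constructed_reply(ntp_seconds=3913056000, fraction=0, stratum=2):
    """Constructed server reply for offline use: mode 4, given stratum, transmit time
    defaulting to 2024-01-01 00:00:00 UTC (NTP seconds 3913056000), zero fraction."""
    head = bytes([0b00_100_100, stratum]) + b"\x00" * 38      # fields up to the transmit timestamp
    return head + struct.pack("!II", ntp_seconds, fraction)


if __name__ == "__main__":
    server_time = parse_server_reply(constructed_reply())
    # Constructed device reading: a recorder whose clock runs 90 s ahead of the server.
    offset, ok = clock_offset(server_time + 90, server_time)
    print(f"device clock offset {offset:+.1f} s, within tolerance: {ok}")
```

A 90-second offset is enough to make a login in the recorder's log appear before the firewall saw the connection, which is exactly the kind of contradiction that wastes time during an investigation; run the live query against the same server the devices use and treat any offset beyond the tolerance as a configuration fault.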
3.2 Reduce your attack surface
The more complex a system is, the larger its attack surface, i.e. the number of potentially vulnerable points that outsiders can reach.
3.2.1 Install devices on a separate network
Create separate networks for your security devices (cameras, DVRs, NVRs, etc.) and for your other networked machines (office PCs, VoIP phones, etc.), with no routing between them beyond what is strictly required. Someone breaking into one network will then not be able to reach the other; any device that legitimately sits on both (e.g. the recorder, or the PC used to manage it) becomes the link between the two and must be hardened with particular care.
If you do not need to access the security system from outside, use a private network with no connection to the Internet.
3.2.2 Connect cameras to PoE ports
Connect IP cameras to the PoE ports of the video recorder rather than to the general network: those ports form a private network behind the recorder that cannot be reached directly from outside, which makes the system more secure.
3.2.3 Apply the principle of least privilege
Every user account should only be able to access the information and resources necessary for its intended function. Should an attacker gain control of that account, they would only reach a very limited set of information and resources, limiting the effect of a successful attack. Do not let users operate from the administrator account; use it for configuration only.
3.2.4 Disable everything you don’t need
Disabling a service puts its vulnerable points out of an attacker's reach. Keep the services you actually use and disable all the others. This also prevents an attacker who has compromised a single camera, but not the whole system, from using those services to go further.
- Disable audio support if daily use does not require it.
- Disable the multicast function, used to share a video stream among several devices.
- Disable SNMP, the protocol that lets devices be monitored and managed from a central management station, except while tracing and testing devices. If SNMP is necessary for monitoring, use SNMP v3 with authentication and encryption enabled; versions 1 and 2c send their community string in clear text.
- If manual port forwarding is used, disable the UPnP function (automatic port forwarding). UPnP lets any device on the local network open inbound ports on the router without authentication, so it is best disabled on the router in any case.
- If the network does not use IPv6 addresses, disable IPv6 to prevent unintended access through an interface nobody is filtering.
3.2.5 Limit port forwarding
Port forwarding makes specific communication ports reachable from the Internet by routing them to devices on the local IP network (e.g. a PC, DVR or camera). In the CCTV field it allows users to view and control the equipment from a remote site.
Do not forward a large number of ports to the device, only the TCP ports you actually need. Do not place the device's IP address in the router's DMZ, since that exposes every port of the device. If several devices (e.g. cameras) are connected to a single device (e.g. an NVR or DVR) on site, forward only the ports of that single device. Where possible, prefer a VPN into the site over any port forwarding at all: the VPN endpoint is then the only service exposed, and it authenticates the client before anything else can be reached.
Use a firewall to block access to all unused ports.
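The rules of 3.2.4 and 3.2.5 are easy to state and easy to violate one forwarding entry at a time, so it is worth auditing a router's forwarding table against a site inventory. The following Python example is added here and is not part of the original guide or of any EL.MO. product: the recorder address, the camera subnet and the two recorder ports the remote client needs are assumed values for a hypothetical site (take the real ports from the device manual), and both forwarding tables are constructed, the weak one beside the corrected one.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ForwardRule:
    """One port-forwarding entry as found on a typical router: external port -> internal host:port."""
    external_port: int
    protocol: str          # "tcp" or "udp"
    internal_ip: str
    internal_port: int


# Hypothetical site inventory for this example. The cameras sit on their own
# subnet behind the recorder, and the remote client only needs two TCP ports on
# the recorder (assumed values; take the real ones from the device manual).
RECORDER_IP = "192.168.10.10"
CAMERA_NET = ipaddress.ip_network("192.168.20.0/24")
NEEDED_RECORDER_PORTS = {("tcp", 30231), ("tcp", 30232)}


def audit_forwarding(rules, dmz_host=None, upnp_enabled=False):
    """Return a list of findings; an empty list means the table follows 3.2.4 and 3.2.5."""
    findings = []
    if dmz_host:
        findings.append(f"DMZ host {dmz_host}: every port of that device is exposed; forward individual ports instead")
    if upnp_enabled:
        findings.append("UPnP enabled: any LAN device can open inbound ports without authentication; disable it")
    seen_external = set()
    for rule in rules:
        target = f"{rule.protocol}/{rule.external_port} -> {rule.internal_ip}:{rule.internal_port}"
        if rule.external_port in seen_external:
            findings.append(f"{target}: external port forwarded twice")
        seen_external.add(rule.external_port)
        if ipaddress.ip_address(rule.internal_ip) in CAMERA_NET:
            findings.append(f"{target}: forwards straight to a camera; expose only the recorder")
        elif rule.internal_ip == RECORDER_IP and (rule.protocol, rule.internal_port) not in NEEDED_RECORDER_PORTS:
            findings.append(f"{target}: recorder port not in the list of needed ports; remove the rule")
        elif rule.internal_ip != RECORDER_IP:
            findings.append(f"{target}: forwards to a host that is not the recorder")
        if rule.external_port < 1025:
            findings.append(f"{target}: external port below 1025; use a non-default port in the range 1025-65535")
    return findings


# Constructed forwarding tables: the weak configuration beside the corrected one.
WEAK_RULES = [
    ForwardRule(80, "tcp", "192.168.10.10", 80),        # recorder web interface on the default port
    ForwardRule(554, "tcp", "192.168.20.5", 554),       # a camera reached directly from the Internet
    ForwardRule(30231, "tcp", "192.168.10.10", 30231),  # the one rule that is actually needed
]
GOOD_RULES = [
    ForwardRule(30231, "tcp", "192.168.10.10", 30231),
    ForwardRule(30232, "tcp", "192.168.10.10", 30232),
]

if __name__ == "__main__":
    for finding in audit_forwarding(WEAK_RULES, dmz_host="192.168.10.10", upnp_enabled=True):
        print("-", finding)
    print("corrected table:", audit_forwarding(GOOD_RULES) or "no findings")
```

The weak table produces six findings (DMZ, UPnP, two per bad rule) and the corrected one none; the same function can be re-run after every change to the router, which is cheaper than discovering a forgotten camera rule during an incident.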
3.3 Change default ports
TCP ports are used to communicate with the devices and to view video remotely.
Data travelling over a network is delivered correctly thanks to an address (identifying a single device) and a port number (identifying a service inside that device). For instance, the web browser on your computer talks to TCP ports 80 (HTTP) and 443 (HTTPS) of a web server.
Outsiders can more easily locate and probe the services of your system if they know the ports it uses, because automated scans and worms try the default ports first. Services can be told to listen on a different port (e.g. http://xxx.xxx.xxx.xxx:30231 listens on port 30231 instead of port 80), so the video stream of your camera, or any other data, can be transmitted on any valid port number without affecting the correct functioning of the system. Since a non-default port makes it harder for outsiders to guess which ports you are using, we recommend changing the default HTTP and TCP ports. Bear in mind that this only reduces exposure to opportunistic scans: a port scanner can enumerate all 65535 ports of an address, so changing ports is no substitute for strong passwords, IP filtering, a firewall and encryption.
Set each port to a value in the range 1025 to 65535, making sure it does not collide with another service on the same device.
The instructions for changing a port number vary across our product range: follow the technical manual of the individual device. To access the devices you will also need the data printed on the label of the individual device.
3.4 Apply an IP filter
The IP filter restricts access to the system to devices with defined IP addresses.
Enable the IP filter function, where available, so that the devices only accept access from known IP addresses. With IP filtering enabled for the authorised users, the camera will not respond to network traffic from anyone else.
Verify that all authorised users are on the allow list (the device may call it a white list). Keep in mind that remote users on connections with a changing address (home or mobile connections) cannot be filtered by address; give them a VPN with a fixed endpoint instead, and remember that everyone behind the same NAT router shares one public address. IP filtering complements strong passwords, it does not replace them.
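Before typing an allow list into a device it helps to write the policy down and test it against the connections you expect to see, including the ones that must be refused. The following Python example is added here and is not part of the original guide or of any EL.MO. device: it reproduces the decision an IP filter makes (exact addresses and CIDR ranges, IPv4 and IPv6 kept apart, malformed input refused) and also flags entries so wide that the filter would no longer filter anything. The policy and the connection attempts are constructed, using documentation address ranges.

```python
import ipaddress


class IPFilter:
    """Allow list of addresses and networks; anything not listed is refused.

    Mirrors the IP filter found on cameras and recorders, but in code, so the
    policy can be checked before it is configured on a device.
    """

    def __init__(self, allowed):
        self.networks = [ipaddress.ip_network(entry, strict=False) for entry in allowed]

    def allows(self, address):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            return False                      # malformed input is never allowed
        # An IPv4 entry says nothing about IPv6 clients (and vice versa), hence the version check.
        return any(ip in net for net in self.networks if net.version == ip.version)

    def overly_broad(self, max_hosts=256):
        """Entries admitting more than max_hosts addresses: a /0 or /8 on an allow list is no filter at all."""
        return [str(net) for net in self.networks if net.num_addresses > max_hosts]

    def decide(self, attempts):
        """Split (address, description) pairs into the allowed and the refused ones."""
        allowed, refused = [], []
        for address, who in attempts:
            (allowed if self.allows(address) else refused).append((address, who))
        return allowed, refused


# Constructed policy: the control-room PC, the installer's jump-host subnet and the
# monitoring centre's fixed public address (assumed values, documentation ranges).
POLICY = ["192.168.10.50", "10.0.0.0/24", "203.0.113.7"]

# Constructed connection attempts, as the device would see them.
ATTEMPTS = [
    ("192.168.10.50", "control-room PC"),
    ("192.168.10.51", "printer on the office LAN"),
    ("10.0.0.17", "installer jump host"),
    ("203.0.113.7", "monitoring centre"),
    ("198.51.100.23", "unknown Internet host"),
    ("2001:db8::1", "IPv6 host, no IPv6 rule configured"),
    ("not-an-ip", "malformed request"),
]

if __name__ == "__main__":
    policy = IPFilter(POLICY)
    allowed, refused = policy.decide(ATTEMPTS)
    print("allowed:", allowed)
    print("refused:", refused)
    print("overly broad entries:", policy.overly_broad() or "none")
```

Three attempts pass and four are refused, including the IPv6 host, which is the case most often forgotten: if the device has IPv6 enabled and the allow list only contains IPv4 entries, check what the device does with IPv6 clients, or disable IPv6 as recommended in 3.2.4.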
3.5 Buy and use a SSL certificate for your CCTV network
Some cameras can be provided with a TLS (SSL) certificate, which makes it possible to use the encrypted HTTPS protocol instead of the usual, unencrypted, HTTP. With an encrypted protocol, passwords and video cannot be read by anyone listening on the path, so cameras can be installed on a public network while still maintaining a good degree of security, provided the other measures in this document are applied as well. Use a certificate issued by a trusted authority or, with a private certification authority, install the CA certificate on the client PCs, so that browsers can verify the camera's identity instead of users being taught to click through warnings.
However, the initial setup happens over HTTP, so the password typed during setup may have crossed the network in clear text: perform the first configuration on an isolated network segment, and remember to change the password of these cameras once HTTPS is active. Disable plain HTTP afterwards, if the device allows it.
3.6 Lock devices, physically
To prevent unauthorised physical access to the system, install the devices inside protective enclosures: lock-boxes, lockable racks, rooms that can be locked.
For cameras, choose vandal-resistant models and mount them in the recommended way, protecting the cables as well, to prevent vandalism, physical sabotage and tampering.
4. SYSTEM MAINTENANCE
4.1 Update firmware
Firmware updates often include hardening against the most recent attack techniques, or fixes for known vulnerabilities. Update your firmware regularly, obtain it only from the manufacturer, verify the checksum or signature when one is published, and keep a record of which version runs on each device.
4.2 Check the system log
The system log can be used to check whether there have been unauthorised accesses to your system: it shows the IP addresses and the area(s) of the system they accessed. Review it regularly for unknown addresses, repeated failed logins and access at unusual hours, and export it to a separate system where possible, since an attacker who controls the device can also clear its log.
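Reading a log by eye works for a single camera and a quiet week; for anything larger the review should be scripted. The following Python example is added here and is not part of the original guide or of any EL.MO. product: it assumes a simple line format (date, time, event, user, address, optional area, result), which real devices will not match exactly, so the regular expression is the part to adapt. The log lines and the set of known operator addresses are constructed for the example and describe a password-guessing attack that succeeded.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format for this example (real devices differ; adapt the regex):
# "<date> <time> <event> user=<name> ip=<addr> [area=<name>] result=<OK|FAIL>"
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>\w+) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+)(?: area=(?P<area>\S+))? result=(?P<result>OK|FAIL)$"
)


def parse(lines):
    """Parse recognised lines into dicts, skip the rest, and return them in time order."""
    entries = []
    for line in lines:
        match = LINE.match(line.strip())
        if match:
            entry = match.groupdict()
            entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S")
            entries.append(entry)
    return sorted(entries, key=lambda e: e["ts"])


def audit(entries, known_ips, max_failures=5, window=timedelta(minutes=10)):
    """Return findings: successes from unknown addresses, failed-login bursts, success after failures."""
    findings = []
    for e in entries:
        if e["result"] == "OK" and e["ip"] not in known_ips:
            where = f' (area {e["area"]})' if e["area"] else ""
            findings.append(f'{e["ts"]} {e["ip"]}: successful {e["event"]} as {e["user"]} from an unknown address{where}')

    logins_by_ip = defaultdict(list)
    for e in entries:
        if e["event"] == "LOGIN":
            logins_by_ip[e["ip"]].append(e)
    for ip, events in logins_by_ip.items():
        fails = sorted(e["ts"] for e in events if e["result"] == "FAIL")
        # max_failures failures inside one sliding window: password guessing.
        for i in range(len(fails) - max_failures + 1):
            if fails[i + max_failures - 1] - fails[i] <= window:
                findings.append(f"{fails[i]} {ip}: {max_failures} or more failed logins within {window}")
                break
        # A success after several failures means the guessing worked: the password is burnt.
        if len(fails) >= 3 and any(e["result"] == "OK" and e["ts"] > fails[0] for e in events):
            findings.append(f"{ip}: successful login after repeated failures; treat the password as compromised")
    return findings


# Constructed log extract (documentation addresses), one malformed line included.
LOG = """\
2024-03-04 08:55:10 LOGIN user=operator ip=192.168.10.50 result=OK
2024-03-04 08:55:40 ACCESS user=operator ip=192.168.10.50 area=live result=OK
2024-03-04 02:13:01 LOGIN user=admin ip=198.51.100.23 result=FAIL
2024-03-04 02:13:04 LOGIN user=admin ip=198.51.100.23 result=FAIL
2024-03-04 02:13:07 LOGIN user=admin ip=198.51.100.23 result=FAIL
2024-03-04 02:13:10 LOGIN user=admin ip=198.51.100.23 result=FAIL
2024-03-04 02:13:13 LOGIN user=admin ip=198.51.100.23 result=FAIL
2024-03-04 02:14:02 LOGIN user=admin ip=198.51.100.23 result=OK
2024-03-04 02:14:30 ACCESS user=admin ip=198.51.100.23 area=config result=OK
2024-03-04 02:15:00 ACCESS user=admin ip=198.51.100.23 area=users result=OK
garbage line the parser must skip
"""
KNOWN_IPS = {"192.168.10.50"}   # the control-room PC from the IP filter allow list

if __name__ == "__main__":
    for finding in audit(parse(LOG.splitlines()), KNOWN_IPS):
        print("-", finding)
```

The extract yields five findings: three successful actions from an address that is not on the allow list (the login, then the configuration and user-management areas), one burst of five failures in twelve seconds, and the success that followed them. Note that the attempts in the extract happened at 02:13 while the operator logged in at 08:55; with the clock problems of 3.1 unsolved, that ordering could not be trusted.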
4.3 Factory default settings
If the system has already been compromised, the attacker may have modified settings without you noticing: it is usually best to restore the factory default settings and configure the devices anew, with new passwords.
Some attacks compromise a system so deeply that not even this process restores the original state: it may be necessary to send the device to EL.MO. for repair, to replace some components or, in the worst cases, to replace the whole unit.
5. CHECKLIST
You can download the Network Security Best Practices points by clicking the button below; at the end of that document we have also added a useful checklist to follow when installing a device within a network.
/en/news?task=callelement&format=raw&item_id=20946&element=beb5a533-ec0e-482e-8bc2-ba1875f5ffa1&method=download&args[0]=0