7-tips For preventing your CCTV network becoming a cybersecurity gateway

Introduction

The fight against cybercrime can often feel like hackers are always one step ahead. Unfortunately, this is the nature of the battle since the cybercriminal’s quest is to continuously search for new vulnerabilities within our networks and attached devices while we go about our daily work. Every device connected to an internal corporate network, whether it be within the four walls of an once or computer room, or an end point device such as a remote workers laptop or phone presents a potential entry point for hackers to infiltrate systems and data. The combined total of the devices attached to a network presenting themselves through the public internet, plus any software applications that may facilitate unauthorised access are deemed a part of the total ‘attack surface’. Reducing your risk of a cyberattack can be achieved by reducing your attack surface through limiting the number of visible devices and ensuring that all access points present as many barriers as possible to unwanted visitors. CCTV networks and Networked Video Recorders (NVRs) have been identified as access points for hackers in many instances, either where advantage has been taken of weak defences due to inadequate CCTV network security configuration, or specific vulnerabilities found and exploited within the design of the NVR network interface software.

Tip 1 – Eliminate port forwarding for NVR access

NVRs offer remote configuration capabilities through a web browser interface or other dedicated application with port forwarding used as the default method to facilitate access from outside of a corporate IT network. Port forwarding uses a technique called network address translation that redirects a communication request from one address and port number combination to another through a gateway within your internal network, such as a router or firewall. Port forwarding unfortunately means leaving a gap in your security defences. This can be potentially dangerous because hackers could use this to penetrate your network. Consequently, there are many documented cases where an opened port has been used as an attack vector.

How does CameraMate eliminate port forwarding vulnerability?

CameraMate does not rely on port forwarding, instead it uses a highly secure gateway agent to proxy communications between Dahua NVRs and the Cloud Platform for CameraMate. To communicate with the CameraMate Cloud Platform, each of the gateway agents need to be provisioned beforehand. This is an internal process that happens when the device is installed. Any devices that have not been pre-provisioned are unable to connect to the platform. This provisioning process allows a device to connect in and request an authentication certificate. If the correct details (unique to each gateway device) are provided, then a certificate is generated, registered with the platform, and sent to the device. No connections can be made without this certificate. The certificate can be revoked if it is ever compromised to stop a particular NVR being used for any further access.

How does CameraMate eliminate port forwarding vulnerability?

All transactional communications (events coming in and commands sent out) between the NVR and the platform are made using MQTT which is authenticated and encrypted using the certificate mentioned previously. The MQTT protocol is an open OASIS standard and an ISO recommendation (ISO/IEC 20922). Any uploads from the gateway device such as configuration files or snapshot images are made over HTTPS. These secure protocols both prevent any sniffing of the network traffic that could occur if you are using port forwarding and standard HTTP which is the default method used by the Dahua web user interface.

Tip 2 – Improve Password Security

Almost all cameras sold today have a web-based graphical user interface (GUI) which comes with a default username and password that can easily be found on the internet. It is alarming how many installers do not change the password and leave the same default password for all cameras. Very few cameras have a way to disable the GUI, so the security vulnerability is that someone can attempt to hack into the camera via the web GUI and guess a password. Of course, the hacker must have network access to do this, but cameras are often on a shared network, not a physically separate network to the corporate IT network or a VLAN. Therefore, ensuring no element of your CCTV network retains a default password is an important task. The next challenge is to develop and maintain an effective password management policy.

Could your passwords be cracked in 60 seconds?

If your passwords are 7 characters long or less and use a mixture of numbers with uppercase and lowercase letters, then the answer is YES¹. This is based on an analysis undertaken in 2019, so the situation is probably even worse today as the processing power in the hands of cybercriminals continues to increase. Unfortunately, some password ‘best practices’ that you may see or be forced to implement are actually detrimental to information security so we will offer here some methods for creating strong passwords that are easy to remember but hard to guess.

Password management: typically, a painful necessity

It is no secret, passwords are a pain for everyone. They cause frustration for employees, customers, and the support staff who must manage them. Who can remember the 11-character combination of letters, symbols, and digits that are prescriptive of strong passwords, let alone devise them in first instance? When a password gets lost or stolen, which they frequently do, it places a burden on the support desk. According to Gartner Group, 20-50% of support calls are for password resets, with an average cost to the organization of £50 per call, according to Forester Research.

Hackers have developed a wide range of tools to infiltrate confidential data. The main impediment standing between your information remaining safe, or leaking out, is the password you choose. Ironically, the best protection people have is usually the one they take least seriously.

From a password cracking perspective password complexity certainly improves password strength as can be seen in the diagram reproduced below from Hive Systems, but enforcing ‘strong’ password rules upon users that are difficult to remember can reduce the security of a system in the following ways:

Users may need to write down or electronically store the password using an insecure method
Users will need more frequent password resets
Users are more likely to re-use the same password
Similarly, stringent requirements for password strength, such as “having to mix uppercase and lowercase letters with digits” or “changing the password monthly”, increase the degree to which users will try to subvert the system².

Easy to Remember but Hard to Guess

Users rarely choose passwords that are easy to remember but hard to guess. A study³ in 2004 entitled “The Memorability and Security of Passwords” set out to determine how to help users choose good passwords, the authors performed a controlled trial of the effects of giving users different kinds of advice. Some of their results challenged the established wisdom.They found that passwords based on thinking of a phrase and taking the first letter of each word are just as memorable as naively selected passwords, and just as hard to crack as randomly generated passwords. Combining two unrelated words is another good method. Having a personally designed “algorithm” for generating obscure passwords can easily build strength upon these examples. One way to create an easy-to-use algorithm could be to take the unrelated word example but separate each word with a choice of symbols. Three random words with three different symbols could certainly create a strong password with the user having just 6 password elements to remember.In addition, wherever possible adopt the use of Dual Factor Authentication (2FA) systems which generate a one-time key or require a secondary piece of security information to be entered by the user. Single sign-on and password management apps can both help to overcome the security problems of weak passwords and that of username and password re-use that is widely used for gaining access to multiple accounts, both personal and for business.

Tip 3 - Prevent physical access to CCTV and security system network components

The financial rewards from exfiltrating company data are sufficiently high that intruders may seek to access your network by directly hacking into your onsite physical equipment. Physical elements of the CCTV and integrated security system should therefore be fully secured. Cameras should be positioned so that their power and wired network connections cannot be easily tampered with. When this cannot be easily achieved, having cameras protect each other may be a solution. NVRs and switches should be in secured areas where they cannot be switched off, such as locked server rooms or equipment cabinets. Also prevent unauthorised access to areas where video is monitored, as access to IT systems may be possible through an unattended and unlocked computer or mobile device. If using mobile devices to access elements of the CCTV network, configure them to delete all data after repeated failed access attempts in case they are lost or stolen.

Tip 4 - Separate the networked IP CCTV system from the corporate IT network

To minimise the risk of the CCTV network providing access to the corporate IT network, and vice versa, different routers and switches should be used to isolate the IT and CCTV systems. For larger installations with multiple high resolution 4k colour cameras, the bandwidth requirement of networked CCTV is substantial, therefore isolating networks may in any case be essential to avoid significant network performance issues for IT network users.

Tip 5 – Pay attention to WiFi network access security

Unfortunately using WiFi or wire-free CCTV cameras for convenience presents additional points of attack. Although hackers must be physically near the devices, it is not uncommon for WiFi networks and devices to get hacked. To protect WiFi cameras and networks do not freely share your WiFi password. If you have site visitors who need internet access, we recommend enabling your router’s guest network instead of sharing the main network password. Guest networks generally have default restrictions in place that prevent hackers and visitors from snooping around.

Tip 6 - Enable automatic software updates

Cyberattacks seek out vulnerabilities that exist within any layer of the technology stack, this extends from the physical network infrastructure in the lower layers, right through to the business applications at the top. Every IP video surveillance system requires occasional software updates to maintain its security. Wherever it is supported by the hardware, automatic software updates should be enabled on all elements of the CCTV network. Updates are frequently released to patch recently discovered bugs or vulnerabilities which hackers may be able to exploit. Whether it is the network infrastructure components, security appliances, cameras, NVRs, or systems running video analytics software, ensure all operating systems and applications are updated. The role of any systems administrator in the context of cybersecurity is very much a constant race against the bad guys, where the hackers always have the upper hand. The reason for this is that most traditional security tools such as firewalls, anti-malware and anti-virus scanners are based on an approach known as ‘blacklisting’, whereby lists of known vulnerabilities and malware codes need to be constantly kept up to date. Of course, these vulnerabilities have already been exploited by the time they appear on any blacklist, so this traditional approach is a very reactive one, which always leaves the door open to hackers in that period between malware detection, and definition file updates. Most operating systems and blacklisting based security tools offer automated updating which should be enabled for maximum protection. However, many organizations with under resourced IT departments or limited budgets, such as the public sector, often possess outdated systems and security tools which can provide any easy target for cybercrime.

Tip 7 – Educate all users on basic cybersecurity awareness

As with any other network or device, people are the weakest link in an IP surveillance system’s security profile, 98% of cyber-attacks rely on social engineering. The easiest way for hackers to deliver a malware payload, or gain private information, is by duping a company employee to follow a malicious link, open an attachment, or give away sensitive information or data such as usernames, passwords, or banking details. The act of disguising oneself as a trustworthy entity in an electronic communication with malicious intent is covered by the umbrella term ‘Phishing’, which is reasonably well known. Training aimed at helping staff recognize the likely forms of phishing attacks is a very valuable exercise for any company to undertake. This can be just in textbook form, but a more effective approach would be to run simulated phishing attacks performed either internally, or through an external company. There are many phishing simulators available on the market to assist with phishing training. Infosec Resources is an excellent online cybersecurity awareness and training resource that offers the Infosec IQ Security Awareness Training & Anti-Phishing Simulator as well as a round-up article highlighting the current Top 9 Phishing Simulators

References

(1). Data sourced from HowSecureismyPassword.net online: https://www.hivesystems.io/blog/are-your-passwords-in-the-green?

(2). Managing Network Security. Fred Cohen & Associates. All.net. Retrieved on
January 31, 2013 online:
https://web.achive.org/web/20110126220702/http://all.net/journal/netsec/1997-09.html

(3). Yan, J.; Blackwell, A.; Anderson, R.; Grant, A. (2004). “Password Memorability and
Security: Empirical Results” (PDF). IEEE Security & Privacy Magazine online:
https://ieeexplore.ieee.org/document/1341406