This guide provides recommendations for secure installation, configuration, and operation of OWS to ensure it is secured against all attack vectors.
Cybersecurity in video surveillance is a top priority for technology companies. As the number of connected devices on their networks grows, so does the risk of data breaches and the potential for unwanted access to vital information.
To mitigate these risks, organizations need a video surveillance platform that leverages the latest in network security, proactively protecting against people or programs that might cause harm. OpenEye Web Services (OWS) makes it easier for you to use video intelligence as a business tool while seamlessly integrating with your existing IT infrastructure to improve cybersecurity and reduce risk.
It’s important to not only leverage a secure video surveillance solution when deploying your cloud system, but also to identify and mitigate security issues that can occur as a result of human error during installation or operation of the OWS platform.
This guide will examine the most common network threats that can happen as a result of user negligence, as well as provide recommendations for secure installation, configuration, and operation of the OWS platform to ensure it is secured against all attack vectors.
In the age of quantum-safe cryptography, systems have become so good at defending themselves against threats that a breach normally isn’t due to any fault of the software itself. Rather, it’s because of human error.
Over 60% of people use the same password, or a variation of it, across accounts. External drives, such as USB drives, continue to be a popular way to store data, despite the fact that they're notoriously insecure and used by hackers in the majority of malware attacks. Over 30 percent of attacks happen because software wasn't updated in a timely manner. And while security vulnerabilities can be patched out of software, if a hacker is able to access misplaced hardware, there are over 90 methods with which they can hack the device.
It’s vital that employees understand how these weaknesses can impact the overall security of their organization. Below, we’ll examine them in depth before reviewing some ways that network security can be fortified to protect against threats.
Passwords are the first line of defense when it comes to user-managed network security, and yet the majority of people avoid using secure password best practices. With hackers able to leverage brute force attacks to guess thousands of password combinations a minute, it’s critical that businesses protect their accounts and devices with passwords that cannot be easily guessed or deduced by such attacks.
External devices, while useful at times, present many concerns when it comes to network security. These drives can be easily misplaced, stolen, or swapped for malware-carrying devices. With the security of the cloud rapidly developing, it's far better that companies avoid external devices when sharing sensitive information.
Software has the benefit of being continually updated whenever a new vulnerability is found. Unfortunately, if updates are not automated, then it comes down to the user themselves to ensure their systems have the latest patches in place to avoid attacks. To ensure your system is as secure as possible, set up automatic updates, or be vigilant in checking if new patches have been released to avoid an attack on your system that could have been avoided with the click of a button.
Just as external devices present a problem due to their accessibility, poorly placed hardware, such as a recorder not secured in a facilities/utilities closet or locking server rack, can threaten your entire network. Avoid placing any sensitive hardware in easy-to-access locations, and ensure all devices are locked before stepping away from them to avoid attacks.
Network security is a key component of operating a successful business. As hackers develop more sophisticated methods for gaining access to company data, organizations must critically identify where they can fortify their cybersecurity.
From multi-factor authentication (MFA) to identity management, a secure cloud video solution can help IT teams ensure their surveillance network is protected while reducing overall burden on their department.
OWS makes it easier for you to use video intelligence as a business tool while seamlessly integrating with your existing IT infrastructure to improve cybersecurity and reduce risk, with tools in place to ensure user accounts are protected.
Below, we’ll cover best practices for deploying the OWS cloud-managed video surveillance platform, so your software, hardware, and network are protected.
There are several components that should be considered when planning installation and configuration of your security solution to ensure optimal protection.
There are a number of standard steps that can be taken to ensure protection against the most common attack vectors with little investment of time and effort. It is highly recommended that ALL of these steps be taken to ensure the integrity of the platform.
Any networked device is only as secure as its physical environment. Anyone with physical access and enough time can compromise almost any device, so it is important to ensure the recorder is only accessible to authorized individuals.
Keep the Recorder in a Secure Location
The recorder should be secured in a locked room which restricts access to the recorder to only those users who need access. If a secure room is not available, consider a locking cabinet or enclosure.
CAUTION: When using a cabinet or enclosure, ensure proper ventilation exists to prevent overheating.
Restrict Use of Removable Media
Malware can often spread between systems via removable media such as USB flash drives. For optimal protection, use OpenEye Web Services (OWS) to back up video clips or apply updates from the cloud. Video clips can be safely shared or downloaded and copied to removable media once they have been uploaded to OWS. If removable media must be used, consider dedicated media that is only used for recorder files or video transfer, and format the media after each use.
Most modern cyberattacks focus on the theft of either information or device resources. Aside from physical access, the network is the only way for anything to enter or leave the local system, so proper network configuration is critical. Exact configuration steps for routers and switches vary widely between devices, so refer to any available security guide from the vendor, as well as device documentation, for exact steps on these recommendations.
Secure the Network Gateway
The gateway device (usually a router or modem that provides access to the internet) has a firewall that protects against cyberattacks. Verify that the firewall is on, and that exceptions exist to allow outbound traffic on the ports used by OpenEye Web Services (OWS) enabled recorders (80 & 443 by default).
Change the password of the gateway device. Most modems and routers have a widely published or easily guessed default password. Even if remote configuration of the gateway device is disabled, the password should be changed to help ensure protection.
Audit the open inbound ports on your gateway's firewall. OWS includes networking features which eliminate the need to open inbound ports on your firewall to enable remote access.
Isolate Your Camera Network
Install cameras on an isolated network. Exposing cameras to the internet or any devices beyond the recorder adds risk and should be avoided whenever possible.
Connect cameras either to a PoE switch connected to the camera port on the recorder or directly to the recorder’s internal PoE ports (available on PoE integrated models).
The recording software includes a camera link feature to allow direct access to the camera’s web interface through a proxied tunnel (in the case where advanced configuration is needed), eliminating the need for unnecessary exposure.
Audit All Devices on Your Network
Every device on a network is a potential security risk if improperly configured. Ensure default passwords have been changed on all devices on your network, firmware and software are up to date, and anti-virus software is installed where applicable.
Cameras are configured in a secure manner as shipped from the factory. Do not enable networking features such as port mapping or DDNS without an adequate knowledge of the process or unless you have a specific need for them.
Change Your Default Password
One of the simplest ways to reduce vulnerability of a camera is to change the password of the default admin account. Passwords of at least 12 characters including numbers and both lower and uppercase letters are recommended. Avoid the use of real words or names in the password.
Select a Secure Camera
Ask the camera vendor for their security policy and recommendations. Avoid vendors who do not conduct security audits against their cameras or provide guidelines on secure configuration.
Protect Against Physical Tampering
Physical tampering with a camera is the easiest way to compromise it. Consider using vandal resistant cameras where applicable and, when possible, mount cameras so they are out of reach without the aid of a ladder.
Keep Firmware Up to Date
An important part of preventing cyberattacks is keeping firmware updated to ensure the latest security patches are applied.
The server software on the recorder is designed to provide a secure recording environment out of the box, but there are a few steps that can be taken to further ensure security.
Similar to cameras, the simplest way to reduce recorder vulnerability is to change the default admin account password. Avoid using real words or names in the password and aim for 12 characters or more, including numbers and both lowercase and uppercase letters.
Avoid Local User Accounts
Adding user accounts to local recorders increases the probability of orphaned or outdated user accounts remaining on systems and potentially compromising them.
User account management via OpenEye Web Services is recommended as it allows for a single point of control for multiple recorders and easy configuration at a platform level.
Keep Software Up to Date
To keep your recording software protected against cyberattacks, the software should be consistently updated.
Software updates can be automated for convenience. Additionally, updates are digitally signed and can easily be installed from a secure cloud server within the setup menu.
The recording software is available on both Linux and Windows-based operating systems. Linux-based recorders are designed to run the operating system silently with no direct user interaction. Windows recorders are designed with flexibility in mind, giving installers several options during initial configuration to ensure platform security and compatibility within their existing IT infrastructure.
Change the Windows Password
The default administrative password is easy to guess, so changing it to a secure custom password is strongly recommended. To change the password, do the following:
Turn On Windows Updates
Enable Windows updates for critical security updates to ensure operating system vulnerabilities are quickly patched. Current model OpenEye devices ship with Windows updates enabled by default.
To enable, click the Windows Update Utility icon on the recorder desktop to launch, and then click Enable to download updates automatically. Restart the recorder to complete the update.
Install Anti-Virus Software
Installing anti-virus software is an important part of mitigating security vulnerabilities. In addition to preventing infections on the recorder, anti-virus software also offers quick, automated mitigation to many security threats.
Microsoft Defender and solutions from Webroot have been determined to work on recorders with no custom configuration.
If the anti-virus solution includes a firewall, be sure to add exceptions for the OpenEye server software services and ports.
If the anti-virus solution includes active network monitoring, be sure to filter out the recording software traffic to prevent video data transmission problems resulting from routing through anti-virus software.
OpenEye Web Services (OWS) offers single sign-on and roaming profiles for all client applications, making it easy to access video, update settings, and receive real-time alert notifications wherever you are. To ensure your chosen client is secure, follow the recommended best practices below.
Avoid Untrusted Networks
When connecting to the recorder outside of the local network, be aware that not all networks are secure, and it is usually not possible to know if a public network has been compromised.
Connect Through OWS
Use OWS whenever connection to the recorder from outside the local network is necessary to ensure a secure connection.
Use Only Trusted Devices
Client systems that are infected with malware can have unpredictable results. Ensure all devices that connect to the recorder are running anti-virus software, have updated OS environments, and follow established security practices.
To ensure your video is protected while stored in the cloud, utilize the following best practices to keep your data secure.
Use Multi-Factor Authentication
Turn MFA on in OpenEye Web Services for all users for an additional layer of protection.
Create a User Account for Each User
Avoid sharing accounts between multiple users as this makes it difficult to restrict access to one of the users should the need arise.
Manage User Access with Groups
Set up user groups to manage your users by job description and level of access. Instead of setting up every user individually, user groups will not only save you time during initial setup and when making changes, but it will also improve security by ensuring that a single individual does not get left out of updates or changes.
Monitor User Activity
Account Activity enables administrators to monitor user activity by utilizing historical reports of account-based actions, providing greater insight into permissions and enabling audit trails to more easily identify user-created gaps in security.
Manage Remote Client Access
User access to remote clients should be restricted by need and location. Access to clients is managed in user groups and can be restricted both by client type and IP range. This gives administrators the flexibility to enforce policies such as preventing users from accessing video within the mobile app or preventing access to clients when a user is not on the corporate network.
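An added example (not OWS code or its configuration format) that models the group restriction described above, by client type and IP range, so a planned policy can be checked before it is applied. The group names, field names and addresses are hypothetical and constructed for illustration.

```python
import ipaddress

# Constructed group policies; field names are hypothetical, not an OWS schema.
GROUP_POLICY = {
    "security-staff": {"clients": {"web", "desktop", "mobile"}, "ip_ranges": []},
    "store-managers": {"clients": {"web", "desktop"}, "ip_ranges": ["198.51.100.0/24"]},
}

def access_allowed(group, client, source_ip, policy=GROUP_POLICY):
    """Default deny: unknown group, unlisted client type or out-of-range address."""
    rule = policy.get(group)
    if rule is None or client not in rule["clients"]:
        return False
    if not rule["ip_ranges"]:           # empty list = no location restriction
        return True
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:                  # malformed address is never allowed
        return False
    return any(addr in ipaddress.ip_network(r) for r in rule["ip_ranges"])

def unrestricted_groups(policy=GROUP_POLICY):
    """Groups reachable from any address: no ranges, or a range covering everything."""
    names = []
    for name, rule in policy.items():
        nets = [ipaddress.ip_network(r) for r in rule["ip_ranges"]]
        if not nets or any(n.prefixlen == 0 for n in nets):
            names.append(name)
    return sorted(names)

if __name__ == "__main__":
    print(access_allowed("store-managers", "mobile", "198.51.100.20"))  # mobile app blocked
    print(access_allowed("store-managers", "web", "203.0.113.9"))       # off corporate network
    print(unrestricted_groups())
```

Reviewing `unrestricted_groups()` output is a quick way to confirm that only the groups meant to work from anywhere lack an IP range.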
There are a variety of more complex steps that can provide additional layers of security. These steps focus on further protecting the network environment and may be difficult to configure, so consulting an experienced IT professional is recommended.
When it comes to cybersecurity, the OpenEye Web Services (OWS) platform allows users to easily manage their video surveillance system and seamlessly integrate with existing IT infrastructure to improve cybersecurity and reduce risk. OWS provides users with the necessary tools to ensure their data and accounts are protected, so both internal and external risks are mitigated as much as possible.
Interested in seeing how OWS offers a secure cloud video solution? Book an OpenEye demo today.