Cyber security measures on IP cameras

sunhux
http://avigilon.com/products/video-security/cameras/

We're installing IP cameras, yet to determine which model.

What are the cybersecurity measures we ought to take?

Q1:
Any hardenings that can be done?  Any other cyber measures
to take?

Q2:
Cameras to be connected to user VLANs or a totally dedicated
VLAN by itself or ??

Q3:
The recorded videos will be archived to a server?  Encrypt it with
which encryption & any other handling methods?

Q4:
Reckon IP cameras are treated as IOTs so in the event they need
to be connected to Internet, what further measures ought to be
taken?

Q5:
Should we do a pentest using Tenable/nessus against it?  I recall
we ever did it with a PABX (which runs a custom RHEL & many of
the vulnerabilities of RHEL are applicable)
David Favor, Fractional CTO
Distinguished Expert 2018
Commented:
Security relates to specific camera, as the packet flow off camera is always the weak point.

All WiFi protocols can be cracked using simple Aircrack software available for download.

As I recall, last time I read specs, a minimum packet flow of 85K packets is required to crack WPA2.

This means only HTTPS cameras (using strong TLS security or the equivalent) will truly be secure, as this means the WiFi layer can be hacked, just no data can be decrypted. This also means your capture system must be completely HTTPS encapsulated, so no decrypted packets ever leak in any way.

A good starting point will be to search Amazon using - https ip camera - as a search criterion. Then choose whatever resolution + features you require. There are so many variations, best use your feature set requirements to scope down your choice set.
Principal Software Engineer
Commented:
Put the cameras on their own, hard-wired LAN.  WiFi will not do. Chinese cameras have multiple backdoors and once the WiFi password is out (which it will be very quickly, either by humans or by the cameras leaking secure information) anyone can subvert the cameras.

Do not allow the camera LAN to have access to the internet.  Again, Chinese cameras have multiple backdoors and many of them continuously try to "phone home" to announce where they are and what they are doing.

All Chinese-made cameras -- and all IP cameras are made in China -- should be treated as virus-infected systems which cannot be cleaned and can infect anything connected to the same LAN at any time.  Buying more expensive cameras is not a guarantee of security, and a seller will tell you anything because it's not their neck in the noose.  "Oh no, there are no backdoors in our cameras, the firmware is six years old and has never needed a patch."

Which reminds me, all camera firmware needs patching and updates from time to time and if there are no patches in the last two years for a particular model ... look at something else.

If you keep in mind that you will be dealing with the equivalent of a pit full of snakes ready to bite you, then you can establish a useful modus vivendi ... so long as you hold the upper hand.

Author

Commented:
Any comment on Q3?

Btw, specific to the Avigilon brand in the link I gave above,
is that a made in China camera?

One thing about these IOT devices: there's no central
authentication or central password management (like
Windows AD) or is there? Would like to disable the
local accounts & centrally manage the authentication
& login credentials with password policy enforcement
(e.g. complex password, password expiry etc.)

Adam DiStefano, M.S., CEH, CISSP, Trusted Security Advisor
Commented:
My recommendation is find a camera that uses PoE as opposed to wireless. Ensure that you change all default passwords as well. I know that sounds obvious, but I cannot express to you how often I have seen tech savvy individuals put all the security controls in place and forget to change the default passwords. Happens more times than you would care to know.

I would also ensure that you segment these devices from the network and put them on their own VLAN. Limit administrator access and also enforce MFA if supported. You should change all the default ports required for the NVR and cameras as well and ensure that external access to any part of the system is limited and mechanisms are in place for monitoring access.
1) Buy a camera with Power over Ethernet from a good branded company.
2) Change the default password to a strong one.
3) If the option is available, change the default port so it listens on a different port of your choosing. This would be great also.
4) Regularly check the updates and news regarding that brand name.
5) If it offers to log all connections made from the outside world, this would also be better, because you can check the whole history of logged-in IP addresses.
David Favor, Fractional CTO
Distinguished Expert 2018
Commented:
Q3) The recorded videos will be archived to a server?  Encrypt it with
which encryption & any other handling methods?

This is better asked in another question, as this is an entirely new (non-camera) conversation.

Encrypting videos is usually overkill, because encryption/decryption for a large video can take minutes to hours.

If you must encrypt videos, just use openssl, which provides encryption/decryption used on 1,000,000s of sites daily.

# To encrypt (prompts for a password; -pbkdf2 selects PBKDF2 key derivation
# instead of OpenSSL's legacy single-pass derivation, which openssl itself warns about)
openssl aes-256-cbc -salt -pbkdf2 -in movie.mp4 -out movie.mp4.encrypted

# To decrypt (the same -pbkdf2 flag is required)
openssl aes-256-cbc -d -pbkdf2 -in movie.mp4.encrypted -out movie.mp4



Here's the problem. Doing your encrypt/decrypt step requires a password which you'll input by hand or arrange to inject mechanically using a script. The security of your entire project now revolves around how you manage these passwords. If you lose them, then you'll never be able to decrypt your videos again.

Tip: Rather than trying to secure each video with encryption, just ensure your entire machine is secure, so you control access to your videos.

Suggestion: If you require more information about video storage, best open another question, as my comment has just scratched the surface of many video transcoding, storage, playback (streaming or download) considerations.
David Favor, Fractional CTO
Distinguished Expert 2018
Commented:
Note: One last consideration about encrypt/decrypt logic for large files I've been thinking about for a while.

If I had to do encrypt/decrypt repeatedly for large files, like .mp3 + .mp4 files, I'd likely write a script using...

1) split - split the large file into a number of files matching the number of threads on the machine, so 8x cores + hyperthreading == 16 files.

2) openssl - run nice -19 openssl on each of the files created in #1, as openssl is single threaded, so this would use all threads with no effect on other processes, due to using nice -19.

3) tar - then archive all the files into a file like videoname.splitcrypt.tar to designate this was an encrypted split tarball, as a hint for future untar + decrypt.

Just a thought, if you have to do this type of task repeatedly.
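As an added example (not code from the original answers), here is the split / parallel openssl / tar procedure above, together with the reverse step, built on the same openssl aes-256-cbc command used for Q3. It assumes OpenSSL 1.1.1 or later (for -pbkdf2), GNU split, tar and xargs, and a password file so the passphrase never appears on the command line or in shell history.

```shell
#!/bin/sh
set -eu

# splitcrypt <video> <passfile> [threads] -> writes <video>.splitcrypt.tar
splitcrypt() {
    video=$1; passfile=$2; threads=${3:-$(nproc 2>/dev/null || echo 4)}
    work=$(mktemp -d)
    # Step 1: split into at most $threads chunks (ceiling of size/threads bytes each).
    size=$(wc -c < "$video")
    chunk=$(( (size + threads - 1) / threads ))
    split -b "$chunk" "$video" "$work/part."
    # Step 2: encrypt every chunk in parallel at lowest priority. -pbkdf2 replaces
    # the legacy single-pass key derivation; -pass file: keeps the passphrase out of ps.
    for f in "$work"/part.*; do printf '%s\n' "$f"; done |
        xargs -P "$threads" -I{} \
            nice -n 19 openssl enc -aes-256-cbc -salt -pbkdf2 \
                -pass "file:$passfile" -in {} -out {}.enc
    rm "$work"/part.??            # remove the plaintext chunks (suffix is 2 chars)
    # Step 3: bundle the encrypted chunks; the suffix marks how to reverse it.
    tar -cf "$video.splitcrypt.tar" -C "$work" .
    rm -r "$work"
}

# unsplitcrypt <video>.splitcrypt.tar <passfile> <outfile> -> restores the video
unsplitcrypt() {
    tarball=$1; passfile=$2; out=$3
    threads=$(nproc 2>/dev/null || echo 4)
    work=$(mktemp -d)
    tar -xf "$tarball" -C "$work"
    for f in "$work"/part.*.enc; do printf '%s\n' "$f"; done |
        xargs -P "$threads" -I{} \
            nice -n 19 openssl enc -d -aes-256-cbc -pbkdf2 \
                -pass "file:$passfile" -in {} -out {}.dec
    : > "$out"
    # Glob order is sorted (part.aa, part.ab, ...), so concatenation restores the file.
    for f in "$work"/part.*.enc.dec; do cat "$f" >> "$out"; done
    rm -r "$work"
}
```

Losing the password file makes every tarball unrecoverable, which is the key-management point made in the Q3 answer above.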
