STANDARD CYBER PROTECTION
By Fred Juhlin, Global Senior Consultant, Axis Communications
Computer networks are constantly under attack. However, only a small number of these attacks are successful. The majority of cyber-attacks are opportunistic, not targeting a specific victim, but just poking and prodding by scanning for open networks/ports; trying easy-to-guess passwords; identifying unpatched network services or sending phishing emails. The attackers don’t want to spend any time or effort on a failed attack, so they will just move along to the next potential victim.
Think of it as the equivalent of a car thief wandering down a road trying door handles until he finds a car that has been left unlocked. In the same way, it is easy to protect yourself from opportunistic attacks by following some standard cyber hardening recommendations, i.e., don’t leave your car door unlocked! Having a router with a firewall built in, using hard-to-guess passwords on your computer and keeping your OS and software up to date are simple things you can do at home. Other things that hopefully have been drummed into us in the last two decades include: don’t open attachments from unknown senders; install anti-malware; don’t install software from untrusted sites; and don’t insert that USB stick you just happen to find on the street or at an event.
So, what about IP-enabled cameras, and what are the risks, if any, when you install them? Thankfully, cameras are not subject to the same threats as a PC. A camera doesn’t have users that log in, install software, visit web pages or open email attachments. However, a camera DOES have services that an attacker may want to use as a platform for other attacks. The explosion of the ‘Internet of Things’ has led to many insufficiently hardened and Internet-exposed devices, including cameras, which are easy targets for hacker groups to ‘enslave’ into botnets.
So, here are a few simple recommendations that will mitigate the risks from opportunistic attackers:
Reduce Network Exposure
Basically, don’t attach something to the internet unless it really needs to be. And if you do, then understand that making that step requires it to be sufficiently hardened before you hook it up.
The challenge with network cameras is that many people want to be able to remotely access the video. IP-enabled cameras have a web server, and video can often be accessed just by using a web browser. It may seem like a good idea to poke a hole in the router/firewall (known as port-forwarding) and use a web browser as the primary video client, but this adds unnecessary risks, so we don’t recommend it.
In the interests of openness, we should note that Axis cameras have historically supported UPnP NAT traversal, a service that simplifies the router port-forwarding configuration process.
However, it isn’t enabled by default, and we don’t recommend you enable it. It is a legacy feature that will be removed in future products. There are better and more secure ways to get remote video access. For individuals and small organizations that do not have a VMS (Video Management System), Axis recommends using the AXIS Companion client, which is free of charge and enables secure remote video access without exposing the camera (as a device) to the Internet. For systems that use a VMS, we recommend you follow your VMS vendor’s recommendations for remote video access. If your video is streamed to the public, e.g., a web attraction, then we suggest you use a media proxy behind a properly configured Internet web server. And if you have multiple remote sites, then you would be best served by a VPN (Virtual Private Network).
As with almost every other internet-enabled device, a password is the camera’s primary protection against unauthorized access to its data and services. There is much debate about the definition of a strong password. One common recommendation is to use at least eight characters with a mix of upper/lower-case letters, numbers and special characters. A brute-force login attack is not practical against strong passwords, as it would take thousands of years. In a VMS environment, authentication is primarily machine-to-machine, since users don’t access the cameras directly. Adding a login-failure delay in a VMS environment may increase the risk of locking yourself out. In smaller organizations, clients often connect directly to the camera (human-to-machine authentication), so we recommend using hard-to-guess but easy-to-remember passwords. Use long passphrases as passwords, such as “this is my camera passphrase.” Yes, space is allowed. But, whatever you do, don’t just use the factory default password.
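The password rules above (no factory default, at least eight characters with mixed character classes, or a long passphrase with spaces), written out as a checker together with a rough brute-force estimate. This is an added example, not Axis code; the list of factory-default passwords and the guess rate are constructed assumptions, not values from the article.

```python
import string

# Constructed assumptions (not from the article): credentials that must
# never remain in use, and an assumed attacker guess rate for the estimate.
FACTORY_DEFAULTS = {"pass", "admin", "root", "1234", "12345", "password"}
GUESSES_PER_SECOND = 1_000_000

def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search to cover pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    if any(c.isspace() for c in pw):
        size += 1  # the space in a passphrase counts as a symbol too
    return size

def brute_force_years(pw: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Expected years to find pw by exhaustive search (half the keyspace)."""
    keyspace = charset_size(pw) ** len(pw)
    return keyspace / 2 / rate / (365 * 24 * 3600)

def check_password(pw: str) -> list[str]:
    """Return the policy violations for pw; an empty list means accepted."""
    problems = []
    if pw.lower() in FACTORY_DEFAULTS:
        problems.append("factory default password")
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    # A long passphrase is accepted even when it uses fewer character classes.
    if classes < 3 and len(pw) < 20:
        problems.append("needs upper/lower/digits/special or a long passphrase")
    return problems
```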
Firmware and Software Patching
Software is made by human beings, and human beings are still fallible (for now!). So, new vulnerabilities are regularly discovered and will continue to be, even while we do our best to catch them before the software goes live. Most aren’t critical, but some may be, so always keep your firmware and software updated and check for new versions at regular intervals. When a critical vulnerability is discovered there is a good chance that someone will exploit it, assuming it is economically viable to do so. If an attacker has access to an unpatched network service, it is very likely they will succeed, which is one reason why it is important to reduce those opportunities.
Enterprise and critical infrastructure organizations are subject to not just opportunistic but also targeted attacks. These will use the same low-cost vectors as before. However, a targeted attacker has more time, resources and determination as there is more value at stake. To determine what security controls should be used to reduce your risks, it is important to undertake threat modeling and risk analysis.
About Axis Communications
Axis offers intelligent security solutions that enable a smarter, safer world. As the market leader in network video, Axis is driving the industry by continually launching innovative network products based on an open platform – delivering high value to customers through a global partner network. Axis has long-term relationships with partners and provides them with knowledge and ground-breaking network products in existing and new markets.
Axis has more than 2,700 dedicated employees in more than 50 countries around the world, supported by a global network of over 90,000 partners. Founded in 1984, Axis is a Sweden-based company listed on NASDAQ Stockholm under the ticker AXIS.
For more information about Axis, please visit our website www.axis.com