Milestone Systems have outlined nine fundamental steps that can help you mitigate the risk of an attack on your video security setup.
Many European organisations are currently auditing their security setups as a response to the European Union’s NIS2 mandate. This mandate provides legal measures to boost the overall level of cybersecurity in the EU.
It comes into effect in October 2024. But double and triple-checking that the fundamentals are in place isn’t specific to Europe. It’s relevant to all organisations that utilise video security (or CCTV, if you prefer).
Additionally, most of the work that goes into securing the setup happens outside of the actual video management software (VMS). In other words, this article is for all security and IT professionals, even if you’re not a Milestone customer.
Each item on this list relates to either asset management or access management. These are two distinct but closely related concepts.
Asset management involves identifying, categorising, and managing hardware (e.g., security cameras and recording servers), software (e.g., VMS and Active Directory) and even employees. Meanwhile, access management is about controlling who can interact with the aforementioned physical and virtual assets.
Asset management
- Update the firmware of each and every camera to the latest version. Quite a bit of time can pass between a camera coming out of the factory and its installation. Older firmware might have security vulnerabilities, hence the need to stay updated.
- Update camera drivers to the latest version in your VMS. Video device drivers are used to control and communicate with the cameras connected to a recording server. In addition to fixing compatibility issues, frequent updates include enhanced protection against various cyber threats.
- Disable any built-in admin accounts for your cameras (or change the passwords). The more modern and more expensive the camera, the less likely that it ships with a factory admin account and password. But it’s worth being certain, as any unchanged passwords make it easy for unauthorised individuals to tamper with settings and/or disable critical features. Most default passwords are easily found in online documentation.
- Ensure that all cameras only allow HTTPS. HTTPS encrypts communication between the security camera and the server or client. This means that any video feeds and configuration settings cannot be easily intercepted by bad actors.
- Keep your Windows Operating System updated. In the case of Milestone’s XProtect VMS, the software runs exclusively on desktop computers or Windows Server environments. As with keeping camera firmware and drivers up-to-date, updating your Windows OS means getting security patches that protect against malware and cyber attacks.
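For the HTTPS-only item above, one way to verify the setting across an inventory is to probe each camera's plain-HTTP port and classify the answer. This Python code is an added example, not Milestone's; the device names and the localhost stand-in servers are constructed so that it runs offline.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def check_plain_http(host, port=80, timeout=3.0):
    """Classify a device's plain-HTTP port: "closed", "redirect" or "plaintext"."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location", "")
    except (OSError, http.client.HTTPException):
        return "closed"  # refused, timed out, or not speaking HTTP
    finally:
        conn.close()
    if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        return "redirect"  # answers, but only points the client at HTTPS
    return "plaintext"  # serves content or a login prompt without TLS

def start_stub(status, location=None):
    """Constructed stand-in for a camera web interface, bound to localhost."""
    class Handler(BaseHTTPRequestHandler):
        log_message = lambda self, *args: None  # silence per-request logging
        def do_GET(self):
            self.send_response(status)
            if location:
                self.send_header("Location", location)
            self.end_headers()
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def demo():
    """Audit three constructed devices and return {name: verdict}."""
    legacy, redirecting = start_stub(200), start_stub(301, "https://127.0.0.1/")
    with socket.socket() as probe:  # reserve, then release, a port nobody serves
        probe.bind(("127.0.0.1", 0))
        free_port = probe.getsockname()[1]
    ports = {"cam-lobby": legacy.server_address[1],
             "cam-dock": redirecting.server_address[1], "cam-gate": free_port}
    report = {name: check_plain_http("127.0.0.1", p) for name, p in ports.items()}
    for server in (legacy, redirecting):
        server.shutdown()
        server.server_close()
    return report

if __name__ == "__main__":
    print(demo())
```

A "redirect" verdict still means the unencrypted port is answering, so a client can send its first request in the clear before being redirected; "closed" is the result that matches the HTTPS-only goal.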
Access management
- Create user credentials for each person accessing your VMS. Just because it’s simple, doesn’t mean it’s easy. Password sharing is more common than most of us would like to admit. But without unique login credentials, you can’t track who’s doing what, which means a slim chance of recourse. In the case of XProtect, the Management Server syncs with Active Directory for user authentication and authorisation.
- Safeguard the room where your VMS servers are installed. The media often portrays cyber attacks as a remote exercise. But in the real world, cybersecurity has to begin with a lock and key.
- Limit the number of people with access to the server room. We can’t provide a magic number. But if someone’s role isn’t directly related to the maintenance, administration or security of the VMS, their access should potentially be revoked.
- Limit the number of people with admin rights for the servers. Admin accounts have elevated privileges, and each additional account increases the risk of exploitation if credentials are compromised.
On March 12th, Milestone will be hosting a live training session at 10am Central European Time. The topics for training are:
- Using VLANs to separate your VMS network from your corporate network
- Encrypting your recording server’s media database
- Best practices for device management and user access management in Milestone XProtect
During April 30-May 2, Milestone will also be exhibiting at The Security Event 2024 and can be found on stand 5/P75 and 5/P80.