Security of Security. Cyber-Secure? Is Your Security. Mark Bonde Parallel Technologies. Wednesday, Dec. 5, :00 a.m. 11:00 a.m.

Size: px

Start display at page:

Download "Security of Security. Cyber-Secure? Is Your Security. Mark Bonde Parallel Technologies. Wednesday, Dec. 5, :00 a.m. 11:00 a.m."

Roland Powers
5 years ago
Views:

2 Security of Security Is Your Security Cyber-Secure? Wednesday, Dec. 5, :00 a.m. 11:00 a.m. Mark Bonde Parallel Technologies

of Sales and Operation EMEA/APAC - Connex International Training and Professional Services Division of Milestone Systems Sr.

3 Mark Bonde Publisher IPVS Magazine Publication Focused on the transition from Analog to IP (12 issues) Security Consultants International Clients included: Acti, Agent Vi, Allina Health, Axis Communication, BriefCam, Cernium, Firetide, Microsoft VP of Sales and Operation EMEA/APAC - Connex International Training and Professional Services Division of Milestone Systems Sr. Manage Business and Partner Development EMEA/APAC - Milestone Systems Sr. Account Manager Parallel Technologies Physical Security

4 Presentation Overview Current physical security cyber-threat The history of physical security technology Camera risks and best practices Physical security system essentials

5 The Latest Headlines - IPVM.COM Dahua Suffers Second Major Vulnerability, Silent Hacked Cameras, DVRs Powered Today s Massive Internet Outage Ransomware killed 70% of Washington DC CCTV ahead of inauguration ONVIF Widely Used Toolkit gsoap Vulnerability Discovered Hikvision Privilege-Escalating Security Vulnerability Hikvision Backdoor Confirmed Hanwha Recorder Vulnerability

6 A Growing Response Awareness to the vulnerability of physical security devices is growing Many manufacturers are increasing advocacy for securing security devices Publishing system and devices hardening guides Cyber-security training courses

Increasing Public Pressure A Hikvision camera system was initially installed to monitor non-sensitive electrical closets for theft prevention.

7 Increasing Public Pressure A Hikvision camera system was initially installed to monitor non-sensitive electrical closets for theft prevention. The procurement in question was to either expand this or to install a new system. The procurement was cancelled September 2016 and the previously installed cameras were removed. -US State Department

8 Video Surveillance Past to Present

9 Surveillance Past Stand alone systems (i.e. no communication between applications) Non-network based technology (aka Analog) Proprietary systems Plug and forget Limited use and planning Non-strategic application in most settings Highly fragmented market Non-sophistication use cases and applications

10 A New Era Emerges The Rise of the Network!!! Invention of the IP Camera Power over Ethernet Processor Development Software Development

11 Reference Architecture 6 S Reference Architecture is an easy way to think about video surveillance solutions Each of the 6 S represent a critical component of the solution o Surveillance o Structured Cabling o Switches o Servers o Software o Storage You cannot have a video surveillance without having each of these elements

12 More!!! More!!! More!!! The market continue to demand more from its video surveillance solution. More includes: More cameras More resolution More retention time More connections to other systems More strategic applications and use cases More Users More devices with greater complexity can come with more risk

More Risk More devices with greater complexity can come with more risk More malevolent actors are becoming more sophisticated More systems are interconnected

13 More Risk More devices with greater complexity can come with more risk More malevolent actors are becoming more sophisticated More systems are interconnected With more surveillance being delivered the risks associated with these systems and devices needs to be addressed by manufacturers, integrators and end users.

14 Who Are They? Host of internal and external threats to organizations: Global terrorism Local terrorism Organized Crime Corporate Espionage Internal threats: Disgruntled employees Negligence employees Opportunistic employees

15 Convenience vs. Security Tradeoff "Security is always excessive until it's not enough." Robbie Sinclair More security requires more time and more restrictions Overall risk to the enterprise will vary based on the clients operation and risk profile

16 The Basics Secure your server and keep critical patches up to date (OS and Application) Secure your switch and network Use VLANs for Security Network

17 Camera Vulnerabilities and Best Practices

risks include: Visibility into the environment Extraction of video Access to the security

18 Camera Basics Cameras require user names and passwords to configure and manage Access to camera can be gain visa-vi user name and password If access is gained to a camera the risks include: Visibility into the environment Extraction of video Access to the security system Access to the broader network Hijacking of the device for nefarious uses (DDOS attacks)

19 Managing Camera Passwords Common for manufacturers to have common user name and default passwords that do not need to be changed Default passwords are accessible online Common for installers not to reset factory default passwords Installers often use very basic passwords

20 Password Vulnerabilities Password hacking tools available that can run a list of common passwords against devices No factory timeout periods for camera manufacturers Brute force attacks Previous vendors and employees can have passwords

21 Password Best Practices Use passwords that are unique using a password generator Reset cameras to factory default on semiregular basis or as vendors change to reset camera users Isolate cameras on a VLAN

22 Vulnerabilities Abound July Dahua(5) - Buffer overflow vulnerability in password field July Axis(3) - Buffer overflow vulnerability in 3rd party software toolkit used for ONVIF May Hanwha - User can exploit cached data from a previous session to gain access to certain recorders March Hikvision(4) - Backdoor allows unauthorized access to admin interface March Axis(2) - Multiple vulnerabilities related to CSRF attacks March Dahua(4) - Backdoor allows attacker to read user/password list March Ubiquiti - Command injection vulnerability February Geutebrück - Authentication bypass. February Dahua(3) - Multiple vulnerabilities in DHI-HCVR7216A-S3 recorderd December Sony - Attackers can remotely enable telnet on cameras. December Hikvision(3) - hik-online.com servers susceptible to XXE exploit. November Milesight - Cameras have a number of vulnerabilities that allow remote exploit. November Siemens - Remote privilege escalation possible via exploiting web interface. October NUUO(2) - Insecure default credentials. October Dahua*(2), XiongMai - Mirai botnet. September AVer - EH6108H+ DVR Multiple vulnerabilities August NUUO(1) - Remote root exploit and remote command injection vulnerability. July Axis(1) - Remote root exploit. July Pelco - Digital Sentry hard coded username/password backdoor. March TVT* - Remote code execution. March HID - Command injection vulnerability allows attacker full control of device. Febrary Unknown DVR OEM - Authentication bypass, other issues. August Dedicated Micros - Devices have no default password, allowing full access. June 2015 Avigilon - ACC - Allows attackers to read arbitrary files. October Bosch - 630/650/670 Recorders - Multiple exploits allow an attacker to get root console and also retrieve config data. September Hikvision(2) series NVRs - Buffer overflow to gain root access. November Dahua*(1) - DVR's/NVR's - Execute admin commands without authentication November Vivotek - RTSP stream authentication can be bypassed. August Hikvision(1) - IP Cameras - Remote root exploit

23 Firmware One Impacts Many Writing the code for cameras Problems extend to products across the manufacturer line

24 OEM Channel Creates Multiplier Manufacturers sell to other organizations around the world Security Problems are dismissed or take time to filter through the supply chain. Cameras remain vulnerable

25 Firmware Management Use reputable firms that communicate Avoid firms that are silent on security breaches Stay abreast of manufacturer updates and security breaches Update firmware when issues become known

26 Authentication, Authorization and Encryption

27 Multi-layered Model Authentication Encryption Authorization Who is allowed to access the system and how do they gain access? How is data protected or hidden from unauthorized users? Once users have access, what can users see and do?

Authentication Process of determining whether an entity is who they claim to be Authentication is used to prevent unauthorized access by providing access only to known entities and

28 Authentication Process of determining whether an entity is who they claim to be Authentication is used to prevent unauthorized access by providing access only to known entities and for which we can verify their identity. Authentication in physical security Claims-Based Authentication Authenticating the client/server communications Authenticating the edge devices

29 Encryption Encryption is the process of transforming information to make it unreadable for unauthorized users. Encryption ensure privacy and protection of your data

Authorization The function of specifying access rights someone has over resources, data, applications Authorization is needed to have control and flexibility over what users or entities can see and

30 Authorization The function of specifying access rights someone has over resources, data, applications Authorization is needed to have control and flexibility over what users or entities can see and what users or entities can do once authenticated to the system Authorization in physical security: User and user group management. Restricting an operators scope of activities. Partitions. Determine what users can see. Privileges. Determine what users can do

31 Watching the Watchers Oversight on those that are using and managing video surveillance systems will become more important. Developing of policies and procedures around video surveillance usage and review will become more common.

32 Conclusion Physical security systems and devices are being compromised Understanding the evolution of the security is important to know how we got here Assessing the risks and costs to secure those risk is a critical part of the process There are some basic steps that can be taken to more effectively manage security devices and systems.

33 Thank you! Mark Bonde Parallel Technologies

34 WE VALUE YOUR INPUT Please complete the session evaluation in the conference app: 1. Open your app and open the Schedule tab 2. Find and open this session 3. Click the Session Evaluation link and complete! Thank you!

The Future of Campus Video Surveillance

The Future of Campus Video Surveillance Thursday, Dec. 6, 2018 08:30 a.m. 09:30 a.m. Mark Bonde Parallel Technologies Mark Bonde Publisher IPVS Magazine Publication Focused on the transition from Analog