
Meet the installer

CYBER

How to secure security systems


Cybersecurity is never far from the headlines and the results of bad practice can be severely damaging. Here, Dahua explains how to secure your networked security system.

Modern video security systems are more secure than ever. Gone are the days when network video recorders and cameras were allowed to keep default credentials (like a 12345 password), which attackers used to mobilise tens of thousands (or more!) of devices in a botnet. It’s important to remember that security at times can be simple. Just requiring login credentials to be changed upon first use resulted in a drastic reduction of compromised security systems. But simple doesn’t always mean ‘easy’. Attackers adapt, and defenders need to do their best to stay ahead. The best systems are designed to make it easier for defenders than for attackers, and there’s a lot that can be done with some additional (and simple) configuration decisions.

In a typical small security system, you may have a dozen or more IP cameras connected to Network Video Recorders (NVR). Best practice configurations usually place the IP cameras on a network subnet; that allows you to disable access from the internet and keep bandwidth-intensive IP camera streams from interfering with other traffic. However, to access the NVR from outside your network, you’d have to expose it to the internet. Doing so potentially puts your assets at risk, as hackers can more easily use the open internet to break into your system.

Anatomy of a hack

Any IP device that’s remotely accessible from the Internet is potentially at risk. Many times the device is available from a network that has a fixed IP address and port. If so, that’s easily detectable from anywhere in the world by using port scanning, a standard technique used to determine what ports a target system may be listening on. This can also help attackers determine what services may be running on the system, because certain ports are usually associated with particular services. If the device is an NVR, for example, it’s likely to have port 80 open so the legitimate user can access the NVR’s web interface. But to the hacker, an open port 80 is a big clue that the device has a web server running on it. Port scanning is essentially a way of ‘fingerprinting’ the remote operating system to understand what services and software versions are running on the target. This is a problem because if there are known exploits for that version of an OS or for particular services, then it’s good news for the attacker if your device is not up-to-date on patches or is otherwise unprotected.

However, there are a number of practical ways to minimise that risk. Most NVRs have a mobile app that can connect via Peer-to-Peer (P2P). This setup uses an intermediary server to query the NVR and request a port to be opened. Once that occurs, the mobile app connects to the NVR. When the connection is closed, the port is closed. The big advantage of this approach is that the port is open only for the duration of the session. At any other time, a port scan won’t reveal much of anything to a potential attacker. It’s the equivalent of opening your garage door when you pull up to your house, then shutting it right after you pull your car in, and leaving it shut until you need to take your car out again.

Another way to minimise exposure is to use IP address blocking. Also known as a Geolocation feature in many firewalls, this allows you to block access to your system from a range of IP addresses. Some allow you to block access from IP addresses in specific countries.


Some security experts believe this is a very blunt instrument to deploy, so it’s fair to ask if IP address blocking is worthwhile to do. Let’s cite a scenario to better understand this matter:

A manager periodically checks the logs, which give great insight, especially when things aren’t working correctly. In doing so, they noticed an abnormal number of admin login attempts from a specific IP address in less than one day. It turns out that the recorded IP address is from a city that famously hosts a troll farm which the security community strongly suspects is engaged in online influence operations on behalf of business and political interests from a particular country. Since the manager’s website serves only users in North America, they chose to block the entire range of IP addresses in that geographical area. That won’t prevent whoever it was from initiating a brute force password attempt again, but it makes it considerably less convenient. And that’s a win on their part.

For many businesses, it’s far easier to secure access to your NVR because it’s likely there are only a few people who are authorised to access it. In that case, you can change the default and set up an IP allow list, which will block all access attempts unless they come from the IP addresses specified. That makes it even harder on attackers.
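The log review and allow list from the scenario above can be sketched as follows. This is an added example, not Dahua's code or any NVR's real log format: the four-field log layout, the sample addresses (documentation ranges), the threshold of 5 and all function names are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "time user src result" layout;
# a real NVR's log export will differ and needs its own parser.
SAMPLE_LOG = """\
2024-03-01T08:02:11 admin 198.51.100.7 FAIL
2024-03-01T08:02:15 admin 198.51.100.7 FAIL
2024-03-01T09:40:00 admin 192.0.2.10 OK
2024-03-01T11:15:42 admin 198.51.100.7 FAIL
2024-03-01T13:27:03 operator 192.0.2.44 FAIL
2024-03-01T19:55:30 admin 198.51.100.7 FAIL
2024-03-02T07:10:09 admin 198.51.100.7 FAIL
"""

# Assumed allow list: the few networks authorised staff connect from.
ALLOW_LIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.25/32")]

def is_allowed(src, allow_list=ALLOW_LIST):
    """Default deny: True only if src falls inside an allow-listed network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allow_list)

def noisy_sources(log_text, user="admin", threshold=5, window=timedelta(hours=24)):
    """Map src -> peak failed logins for `user` inside any sliding `window`."""
    fails = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash
        ts, who, src, result = parts
        if who == user and result == "FAIL":
            fails[src].append(datetime.fromisoformat(ts))
    flagged = {}
    for src, times in fails.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:  # only sources at or above the threshold
            flagged[src] = peak
    return flagged

def review(log_text):
    """Pair each noisy source with whether the allow list would admit it."""
    return {src: (n, is_allowed(src)) for src, n in noisy_sources(log_text).items()}
```

Running `review(SAMPLE_LOG)` flags the one source with five failed admin logins inside 24 hours and shows that the allow list would have refused it before it reached the login page.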

Meet the installer

Security life with Paul Gillings of Monatrix, based in Gloucester

What would be a typical project for you? Of course, no two projects or clients are the same, whether it’s a small family-run business or a Fortune 500 company, all our clients can benefit from decades of security experience we hold. We typically get involved right from the design stage and follow the project through from installation right up to after-sales and maintenance. Whether it’s integrating with an existing system or creating something new and bespoke, each project goes through a rigorous compliance procedure, to ensure that the final product is truly suitable for the client and exceeds expectation.

Do you have any ‘go to’ technology and manufacturers? We have quite a few depending on the requirements! For truly bespoke solutions we partner with Tyco – Software House, we’re a C*Cure Advanced Integrator and have been for over 8 years. For traditional security products we work closely with Gallagher, Pelco and Avigilon. For cloud-based products we have some exciting partnerships with Rhombus, Cisco Meraki and Openpath. We have seen that the traditional security manufacturers are now developing cloud-based solutions so it will be great to see what they come up with and how we can strengthen our relationships with them.

What is the best thing about working in this industry? I know it sounds cliché, but I’d say the best thing about the industry is the people and the variety of the sites that we service. Every site and person we interact with has a story, getting to be a part of that is inspiring!

Is third party accreditation beneficial to you? Absolutely! It shows our clients and partners that we take security seriously. The NSI Gold accreditation is confirmation of our high standards and gives our clients confidence that they will receive a well-designed and installed system. It also means that our systems, processes and procedures are properly audited by a third party, again ensuring our systems and services remain at the highest standards.

Do you think there is an engineer skills shortage? Any trouble recruiting? We have found it difficult to find experienced engineers; we are seeing experienced engineers in huge demand which has caused us issues in the past. We are now working strategically with select agencies to ensure that we find and retain the very best, and because of this we have just hired three experienced engineers. We have also seen engineers turning to other industries, so there are many years of fire and security knowledge that have disappeared almost overnight.

The other issue we have come across is a shortage of young people turning to the fire and security industry; we feel this is because we don’t shout enough about the possibilities within our industry! Our corporate partners, Security Institute, are working hard to showcase the possibilities of the industry and we will, of course, do our bit for the sector and have recently employed our first apprentice to help tackle this issue. Our apprentice is very much the Monatrix “Guinea Pig” at the moment, and we will be monitoring and supporting his progress over the next few years with a view to bringing on more apprentices and supporting our existing engineers on an apprenticeship journey.

Name: Paul Gillings
Job title: CEO
Time in security/fire: 27 years
Company: Monatrix
Location: Gloucester
Areas of expertise: Access control, CCTV, intercom, intruder detection, C*Cure, cloud-based
Accreditation: NSI Gold, Security Institute Corporate Partner

Are there any common requests from customers that give you problems? I think the main issue we see time and time again is the speed at which they expect systems to be designed, priced and installed. It can take months to actually receive the order from the customer, who then expects you to drop everything and get their long-awaited system installed. We have to remind them that we install quality systems that are installed following best practices and to the highest standards, and this can take time. I think this might just be the way we are programmed nowadays as human beings; when I started in the industry the customer had to wait for the proposal and quotation to be typed, printed and posted, but now after a survey you can be chased for an email that must go out today.

What is the industry’s biggest myth? Security systems stop crime. Security systems do not stop crime; they act as a deterrent and can capture and record crime. Installing a system and acting as a deterrent probably means we are just moving the crime to somewhere else. I remember many years ago there was a real issue with car crime at hotel car parks and we moved the crime issue from one hotel to the next along the road as we installed CCTV in each car park in turn.

What impact has smart/home automation had on your business? Commercially speaking smart technology was and has been slow to take off, but we are seeing a rise in enquiries and projects with AI and cloud-based technologies being specified and installed and we think these products will only become more in demand over the next few years. As a society we are moving into the era of the smart city, home and office, in which Monatrix are lucky to be partnered with some world class developers in next level smart security products, so having their support, workshops and training has been a welcome addition for our office staff and our engineers. More importantly, clients that have implemented this technology are saving time and money without compromising on security, and honestly what’s better than finding a solution that does all three?

What would make your job easier? About ten extra hands and five extra hours in the day, and a robotic coffee machine that follows me around during the day checking in on me, is that so much to ask for?! If not, additional office staff and engineers are always welcomed!

What is your ultimate/fantasy electronic security/fire product? If you had asked me ten years ago, I would have said a dash cam! Today I would say, CCTV cameras that can see through clothing which would eliminate the possibility of hiding identity behind hoodies, balaclavas, masks, and cap peaks. It would also allow you to see hidden weapons, but this technology would probably be abused for the wrong reasons and could be considered a GDPR breach, so won't be allowed.

What advice would you give to a younger version of yourself? Work less, spend more time with your family and live each day. Life is too short and I think the last few years have shown that to all of us.

Will England ever win the World Cup again? I have every hope they will, it might take a few more years, but if they don’t I’m sure the women’s team will!

If you won £25,000 what would you do with the money? With it being our 20th Anniversary next year, I’d take the team on a weekend away to celebrate Monatrix and the past 20 years!
