Configuración de Cookies

Utilizamos cookies propias y de terceros para analizar nuestros servicios y mostrarte publicidad relacionada con tus preferencias en base a un perfil elaborado a partir de tus hábitos de navegación (por ejemplo, páginas visitadas). Puedes aceptar todas estas cookies pulsando el botón ACEPTAR o configurarlas o rechazar su uso clicando en el apartado CONFIGURACIÓN DE COOKIES.

Si quieres más información, consulta la Política de Cookies y Lista de Cookies de nuestra página web.

Sus preferencias





Selecting a video recorder with built-in cybersecurity features

Antonio Marco
IT & Cybersecurity Manager
March 13, 2023

Share

Any device enabling remote access is vulnerable to cyberattacks, and surveillance systems are no exception.

To mitigate the risk and impact of such attacks, surveillance devices must be capable of preventing and responding to threats swiftly and effectively. This article explores the functional aspects of a cybersecurity-focused video recorder.

Table of Contents

1. Video recorders with operating systems other than Windows

Microsoft Windows is the world’s most widely used operating system, serving as the foundational architecture for many NVR devices. However, being the flagship product of a tech giant, it also attracts the attention of malware developers due to its extensive user base.
Video recorders not reliant on this popular OS enjoy several advantages:

– They are protected against the most common and harmful attacks.

– They require fewer security updates.

– Moreover, the malware landscape for proprietary operating systems remains comparatively limited.

The corporate network and the VLAN of the Lanaccess video recorder operate independently, ensuring that any attacks on the corporate network do not result in damage transfer. Moreover, the video recorders implement protocols such as 802.1X, enabling authentication for access to the corporate network.

2. Encrypted firmware

Encrypted firmware ensures confidentiality and integrity for every system image on the device. This method allows only authorised firmware to run on the hardware platform, thereby ensuring the authenticity of the executed programme.

Consequently, it’s a critical security measure to prevent attackers from reverse engineering our machines.

The Lanaccess VMS allows for the configuration of granular privileges to profiles, which can then be assigned to different users. These granular privileges encompass a range of permissions, from various actions to controlling access to specific devices.

3. Secure protocols

Opt for video recorders, such as those offered by Lanaccess, which exclusively employ two types of protocols:
 
Standard protocols boasting high-level security. Typically, these include HTTPS, FTPS and SSH.
  • HTTPS (Hypertext Transfer Protocol Secure): This protocol is employed for data transfer on the web. In video surveillance, it encrypts communication between the camera and the video recorder.

  • FTPS (File Transfer Protocol Secure): Used for file transfer, FTPS encrypts both commands and data exchanged between the camera and the video recorder.

  • SSH (Secure Shell): SSH facilitates secure and encrypted communication between a client and a remote server. In video surveillance, SSH is utilised for remote management of video recorders, enabling secure access through encrypted connections. It offers key authentication and end-to-end encryption, ensuring connection security and preventing unauthorised Access.

Proprietary encrypted protocols, which require high levels of authentication for accessing sensitive information such as video extraction or forensic searches.

The Lanaccess VMS is designed with security in mind, incorporating the MFA system. In addition, the login password is linked to the active directory, thereby adhering to and respecting the security criteria of each company.

4. Devices designed to prevent DDoS attacks

A Distributed Denial of Service (DDoS) attack is a common type of cyber threat that aims to temporarily incapacitate the video recorder by inundating it with a large number of illegitimate requests. This overload renders it inaccessible to legitimate users.

If you’re seeking a video recorder equipped with all the cybersecurity measures outlined in this article, opt for Lanaccess equipment, a European manufacturer of secure video recorders for over 25 years.

5. Threat awareness equipment

Outfitting devices with threat awareness involves equipping them with a keen sense of vigilance against potential threats. A properly secured device will also trigger an alarm to the Central Receiving Alarm (CRA) when the system’s security is compromised.
 
Operators will therefore be alerted to ongoing attacks, which may include:

  • Unopened UDP/TCP ports.

  • The proliferation of infinite sockets targeting the system.

  • DDoS attacks.

  • Loggings of failed attempts during firmware updates.

In response, operators can:

  • Notify of the attack.

  • Block the attacker’s MAC address.

  • Impose limits on the number of allowed authentication errors.

  • Enhance password security measures.

6. Firewall functions

For a video recorder to be inherently cyber-secure, its firewall should be integrated within the device itself. Typically, a firewall serves as a barrier between trusted and untrusted networks.
This functionality allows for the selective maintenance of essential communication ports, enabling the system to accept or block access with varying levels of precision, ranging from individual machines to specific IP ranges or all IPs.

7. Integrated PoE switch in the device

For enhanced security, it’s recommended to directly connect cameras and other IP devices, like intercoms, to the video recorder’s integrated PoE switch. This adds an extra layer of security to the system, as devices with this connection will operate within a private network, isolating them from the corporate IP network.
 
Choose a manufacturer, such as Lanaccess, which integrates switches with advanced management and control features into the device’s architecture. These features include remote rebooting of connected devices, power consumption monitoring, camera scheduling and automatic device detection. The latter is critical for detecting sabotage attempts, such as camera substitution (grade 4).

8. Devices enabling a restrictive user management policy

We recommend that the video recorder enables a set of users with different permissions. For example:

  • Superusers with full system access. This type is restricted to administrators as it allows configuration changes.

  • Users with exclusive video access.

  • Users with exclusive recording access.

  • Temporary users, for occasional technicians with more restricted access.

As a general rule, adhering to the principle of least privilege is recommended, aimed at minimising the risk of internal breaches. This principle dictates that the system should default to a restrictive access role for all users, with the administrator enabling only the necessary permissions when justified.