Reminder To Apply Known-Vulnerability Patch
Early in March 2017, reports made us aware of a privilege-escalation vulnerability in certain IP cameras. A firmware update that resolves the issue has been available on our website since mid-March. We will continue to remind customers to update all equipment to the latest available firmware. This is an effective way to safeguard your equipment from cyber attacks, and we strongly urge the owners of all vulnerable devices to apply the latest firmware update immediately. See below for some best practices and configuration tips to secure your surveillance equipment.
Best Practices
Making smart choices about cybersecurity will help you more effectively protect the valuable assets you are already guarding with physical security. Here are ten tips to help guard against a potential cyber attack.
1. Keep appliances current: update software and firmware regularly. As vulnerabilities are found, manufacturers create fixes, but a fix only protects you once it is installed. Your due diligence is required.
2. Passwords should be at least 8 characters long and combine letters, numbers, and special characters. Everyone should be assigned their own username and password; a shared account makes it impossible to tell who did what. This ensures accountability.
3. Each user account should only be given the authority to access the resources required to fulfill their specific responsibilities.
4. Every transaction that occurs on the appliance should be logged so that a record is kept for forensics later. Where the appliance supports it, send the logs to a separate system as well, so that someone who compromises the appliance cannot simply erase them. This accounting is a must.
5. Whenever possible, use a firewall appliance between your IT assets and the Internet. At the very least use NAT at your Internet gateway.
6. Use uncommon ports: “security through obscurity.” This adds a step for someone trying to reach your appliances, but it does not hide them from port scanners, so treat it as a supplement to the firewall, authentication and lock-out controls below, not a substitute for them.
7. When possible, put your network and IT assets behind locked doors to limit unnecessary access.
8. Make sure you are using password lock-out features for invalid login attempts and if possible, receive notifications of these attempts.
9. Design a plan of who to notify if your appliances are compromised (or if you merely suspect that they have been).
10. If you suspect a vulnerability is due to a flaw with the manufacturer, notify the manufacturer so that they can test. If an issue is found they can also work to fix it.
Configuration Tips
Passwords:
How to create a strong password?
We all know the common guidelines for choosing a strong password:
•Include numbers, symbols, uppercase and lowercase letters
•Password should be more than eight characters long.
•Avoid any password based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, or biographical information (birthday).
The Password Phrase Method:
The phrase method is an easy way to remember complicated passwords that are hard to crack.
Use the Password Phrase Method:
•Choose a phrase that has numbers.
•Use only the first letter in each word.
•Use the proper case for each letter, just as it appears in the phrase.
•Use actual numbers whenever possible. Use “2” for “two” or “to” and “4” for “four” or “for.”
•Include punctuation.
Let’s take the following phrase as an example:
“My flight to New York will leave at three in the afternoon!”
Using the Password Phrase method explained above, the password becomes:
“MftNYwla3ita!”
(Here “to” was kept as “t”; applying the digit rule to it as well gives “Mf2NYwla3ita!”. Either way the result is 13 characters of mixed case with a digit and punctuation and no dictionary word in it.)
Some general password/security tips
•Avoid using dictionary words in any language
•Avoid sequences or repeated characters
•Change your password on a schedule.
•Do not allow Internet Explorer to store passwords.
•Do not type passwords on computers that you do not control.
•Never provide your password via email.
•Never respond to an email asking for personal information (Banks will never ask you for your personal information in an email.)
•Patch and update the software you use on a regular basis.
•Use caution when opening email attachments.
•Limit the amount of personal information you post about yourself
What is a firewall?
The short answer is this: A firewall intercepts all communications between you and the Internet,and decides if the information is allowed to pass through to you.
A firewall should start from a policy of blocking all traffic, both in and out. This is what we call “Deny all by Default.” In that state it is as if your computer were not connected to the Internet at all. That is a very safe state to be in, but it is not very useful, so you create a set of rules telling the firewall what you consider safe; everything not covered by a rule stays blocked. Check how your own product applies this: many consumer routers deny unsolicited inbound traffic by default but allow all outbound traffic.
Each rule that allows traffic in or out opens a small hole in the firewall for that traffic to flow through, which is why creating rules is often called “pinholing” the firewall. The more pinholes you create, the less secure your network becomes, so create only as many rules as you actually need, and make each one as narrow as possible (a specific source, destination and port rather than “any”).
Standard Configuration
This is the standard configuration for a home, office or small business. The details will differ with the size of the network and of the system you are installing.
This is the minimum recommended for a small monitoring system.
1. Activate the device by setting a strong password
You must activate the device by setting a strong password for it before you can use the device.
Activation via web browser, Activation via SADP, and Activation via client software are all supported.
2. System restoring and upgrading
Firmware is the software that enables and controls the functionality of network devices. Always use the latest firmware so that you get all possible security updates and bug fixes.
Check the current firmware version on the page:
Configuration > Maintenance> Upgrade & Maintenance
Upgrade the device to a certain version:
1. Select Firmware or Firmware Directory to locate the upgrade file.
Firmware: Locate the exact path of the upgrade file.
Firmware Directory: Only the directory the upgrade file belongs to is required.
2. Click Browse to select the local upgrade file and then click Upgrade to start the remote upgrade. Use only firmware downloaded from the manufacturer's website, and if a checksum is published for the file, verify it before upgrading.
3. Restore default settings
If you are not sure what has been changed on the device, you can always reset it to the default settings to return it to a known state.
Enter the Maintenance interface: Configuration> System> Maintenance> Upgrade & Maintenance.
Restore: Reset all the parameters, except the IP parameters and user information, to the default settings.
Default: Restore all the parameters to the factory default.
Note: After restoring the default settings, the IP address is also restored to the default IP address, please be careful with this action.
4. Configure basic network settings
1. Go to Configuration> Network> Basic Settings> TCP/IP.
2. Specify the IP address, subnet mask and Default Gateway.
3. Save parameters.
5. Enable encryption
HTTPS authenticates the web server and encrypts the session, which protects credentials and video against eavesdropping and man-in-the-middle attacks, provided the client verifies the certificate. Perform the following steps to enable HTTPS and set its port number. E.g., if you set the port number to 443 and the IP address is 192.168.1.64, you can access the device by entering https://192.168.1.64:443 in the web browser.
1. Enter the HTTPS settings interface.Configuration > Network > Advanced Settings > HTTPS
2. Check the checkbox of Enable to enable the function.
3. Create a self-signed certificate or install a certificate signed by a certificate authority.
•Create the self-signed certificate
(1) Select Create Self-signed Certificate as the Installation Method.
(2) Click Create button to enter the creation interface.
(3) Enter the country, hostname/IP, validity and other information.
(4) Click OK to save the settings.
Note: If a certificate is already installed, Create Self-signed Certificate is grayed out.
•Create the authorized certificate
(1) Select Create the certificate request first and continue the installation as the Installation Method.
(2) Click Create button to create the certificate request. Fill in the required information in the popup window.
(3) Download the certificate request and submit it to the trusted certificate authority for signature.
(4) After receiving the signed valid certificate, import the certificate to the device.
4. After the certificate has been created and installed, its details are shown on the page.
5. Click the Save button to save the settings
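Enabling HTTPS only defeats a man-in-the-middle if the client actually checks the certificate. With a self-signed certificate the browser has nothing to check it against and shows a warning that users learn to click through, so record the certificate's SHA-256 fingerprint (or export the certificate) when you create it and verify against that. The following Python, added here as an example and not part of the original guide, does this with only the standard library: it fetches the camera's certificate, compares its fingerprint to the recorded value, and builds a TLS context that trusts only the exported certificate file. The address 192.168.1.64 and port 443 come from the page; the fingerprint string and the certificate file name are placeholders you would replace with your own.

```python
import hashlib
import socket
import ssl
import sys


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' and return lowercase hex with no separators."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def fingerprint_of_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_matches(der: bytes, expected: str) -> bool:
    return fingerprint_of_der(der) == normalize_fingerprint(expected)


def fetch_certificate(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Retrieve the server's leaf certificate (DER) without validating it.
    Validation is deliberately off here because the point is to learn the
    live fingerprint and compare it to the one recorded at creation time."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def pinned_context(camera_cert_pem: str) -> ssl.SSLContext:
    """TLS context that trusts only the camera's own (self-signed) certificate.
    Passing cafile= makes create_default_context skip the system trust store,
    so a certificate from any public CA would be rejected for this host."""
    ctx = ssl.create_default_context(cafile=camera_cert_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verify_camera(host: str, port: int, expected_fp: str) -> bool:
    """True when the live certificate matches the recorded fingerprint."""
    der = fetch_certificate(host, port)
    return fingerprint_matches(der, expected_fp)


if __name__ == "__main__":
    # Placeholders: the address is the page's example; replace the fingerprint
    # with the one shown when you created the certificate on the device.
    HOST, PORT = "192.168.1.64", 443
    EXPECTED = "replace-with-recorded-sha256-fingerprint"
    ok = verify_camera(HOST, PORT, EXPECTED)
    print("certificate matches" if ok else "MISMATCH: possible MITM or certificate change")
    sys.exit(0 if ok else 1)
```

A mismatch after a firmware restore or a deliberate certificate renewal is expected; a mismatch at any other time should be treated as an incident under the notification plan from the best practices list. For the CA-signed path, `pinned_context` is unnecessary: the normal system trust store verifies the certificate, as long as the hostname you connect to matches the name in the certificate.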
6. User access control
Always set a permission level for each user.
When you add or modify a user, set the permission level for that user to limit what they can do on the device.
Steps:
1. Go to Configuration > System>User Management.
2. Click Add or Modify to add a user or modify a user.
3. Set User Name, Level and Password.
4. Check or uncheck the permissions.
5. Click OK to finish the user addition.
7. Disable UPnP
Universal Plug and Play (UPnP™) is a networking architecture that provides compatibility among networking equipment, software and other hardware devices. The UPnP protocol allows devices to connect seamlessly and simplifies the implementation of networks in home and corporate environments. If the device is not connected to a hosted video service, disable UPnP: with it enabled, the device (or any other host on the LAN) can ask the router to open a port forward automatically, exposing the device to the Internet without anyone having configured it.
1. Go to Configuration > Network > Basic Settings> NAT.
2. Uncheck the checkbox to disable the UPnP™ function
8. Disable QoS
Disable QoS if Quality of Service is not being used.
1. Go to Configuration > Network>Advanced Settings>QoS
2.To disable QoS, enter the value zero in the QoS DSCP Settings fields.
9. Disable multicast video
If multicast is not being used, it should be disabled.
1. Go to Configuration > Network > Basic Settings>TCP/IP
2. Clear Enable Multicast Discovery
3. Click Save
10. Set IP address filter
Enabling the IP address filter restricts access to the listed clients (Allowed mode) or blocks the listed clients (Forbidden mode), preventing the device from being accessed by anyone else. For a camera that should only talk to its NVR and a few workstations, use Allowed mode; a Forbidden list only stops addresses you already know about.
1. Go to Configuration> System> Security> IP Address Filter
2. Check the checkbox of Enable IP Address Filter.
3. Select the type of IP Address Filter from the drop-down list: Forbidden (listed addresses are blocked, all others admitted) or Allowed (only listed addresses are admitted).
4. Set the IP Address Filter list
(1) Click the Add to add an IP.
(2) Input the IP Address.
(3) Click the OK to finish adding.
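The IP Address Filter is the device-side counterpart of the firewall section's “deny all by default” model: in Allowed mode every entry is a pinhole and everything else is refused, while Forbidden mode is allow-by-default with a blocklist. The following Python, added as an example and not the device's own logic, models both modes so the difference can be checked against a list of client addresses (for instance, the sources seen in the device's log). The device UI takes single addresses; accepting CIDR ranges such as an NVR subnet is an assumption of this example, as are the sample addresses.

```python
import ipaddress
from typing import Dict, Iterable, List


class IPAddressFilter:
    """Model of the device's IP Address Filter.

    "Allowed": only listed addresses may connect; everything else is refused
    (deny by default, each entry a pinhole).
    "Forbidden": listed addresses are refused and everything else is accepted
    (allow by default, which only helps against sources you already know).
    """

    MODES = ("Allowed", "Forbidden")

    def __init__(self, mode: str, entries: Iterable[str], enabled: bool = True):
        if mode not in self.MODES:
            raise ValueError(f"mode must be one of {self.MODES}")
        self.mode = mode
        self.enabled = enabled
        # Single addresses become /32 (or /128) networks; CIDR ranges are an
        # assumption of this example, the device UI takes single addresses.
        self.networks = [ipaddress.ip_network(e, strict=False) for e in entries]

    def _listed(self, addr) -> bool:
        return any(addr in net for net in self.networks)

    def allows(self, client_ip: str) -> bool:
        """Decide for one client. Unparsable input fails closed (refused)."""
        if not self.enabled:
            return True
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            return False
        listed = self._listed(addr)
        return listed if self.mode == "Allowed" else not listed


def review(filter_: IPAddressFilter, observed_clients: Iterable[str]) -> Dict[str, List[str]]:
    """Group observed client addresses by the decision the filter would make."""
    result: Dict[str, List[str]] = {"accepted": [], "refused": []}
    for ip in observed_clients:
        result["accepted" if filter_.allows(ip) else "refused"].append(ip)
    return result


if __name__ == "__main__":
    # Constructed sample: an NVR subnet, one workstation, a stray LAN host,
    # an Internet address and a malformed entry, as might appear in a log.
    seen = ["192.168.1.10", "192.168.1.3", "192.168.1.200", "203.0.113.7", "not-an-ip"]
    allow_list = IPAddressFilter("Allowed", ["192.168.1.10", "192.168.1.0/28"])
    block_list = IPAddressFilter("Forbidden", ["203.0.113.7"])
    print("Allowed mode  :", review(allow_list, seen))
    print("Forbidden mode:", review(block_list, seen))
```

Running it shows the practical difference: the Forbidden list admits the unknown LAN host and anything else not explicitly named, whereas the Allowed list admits only the NVR range and the workstation. Remember that the filter acts on the source address the device sees; clients behind a NAT gateway all share one address, so list the gateway, not the individual machines.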
11. Lock illegal login IP address
The source IP address is locked after repeated failed username/password attempts: seven for the admin user, five for an operator/user.
1. Go to Configuration> System> Security> Security Service.
2. Check the checkbox of Enable Illegal Login Lock.
Note: A locked IP address can log in to the device again only after 30 minutes. The lock is per source IP, so several users behind one NAT address share a lock, and an attacker spreading guesses across many addresses is not stopped by this control alone; a strong password remains essential.
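To make the lock-out behaviour concrete, here is a Python model of the illegal login lock as the page describes it, added as an example and not the device's firmware logic: a per-source-IP failure counter with the stated thresholds (seven for admin, five for operator/user) and a 30-minute lock, plus a notification hook for the alert recommended in the best practices list. The clock is injectable so the expiry can be exercised without waiting; the guess list in the demo is constructed.

```python
import time
from collections import defaultdict
from typing import Callable, Dict, List, Optional

# Thresholds and lock duration as described on the page.
MAX_FAILURES = {"admin": 7, "operator": 5, "user": 5}
LOCK_SECONDS = 30 * 60


class IllegalLoginLock:
    """Per-source-IP lockout with an optional notification hook.

    `clock` returns the current time and is injectable for testing; `notify`
    is called with (ip, role, lock_expiry) whenever a lock is applied."""

    def __init__(self, clock: Callable[[], float] = time.time,
                 notify: Optional[Callable[[str, str, float], None]] = None):
        self.clock = clock
        self.notify = notify
        self.failures: Dict[str, int] = defaultdict(int)   # ip -> consecutive failures
        self.locked_until: Dict[str, float] = {}            # ip -> time the lock expires

    def is_locked(self, ip: str) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:            # lock expired: forget the history
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip: str, role: str, credentials_ok: bool) -> str:
        """Process one login attempt; returns LOCKED, OK, DENIED or LOCKED_NOW.

        A locked IP is refused before the credentials are examined, so a guess
        that happens to be right during the lock window still fails."""
        if self.is_locked(ip):
            return "LOCKED"
        if credentials_ok:
            self.failures.pop(ip, None)      # a success resets the counter
            return "OK"
        self.failures[ip] += 1
        if self.failures[ip] >= MAX_FAILURES.get(role, MAX_FAILURES["user"]):
            until = self.clock() + LOCK_SECONDS
            self.locked_until[ip] = until
            if self.notify:
                self.notify(ip, role, until)
            return "LOCKED_NOW"
        return "DENIED"


def simulate(guesses: List[str], real_password: str, ip: str, role: str,
             lock: IllegalLoginLock) -> List[str]:
    """Replay a list of password guesses from one IP and return the outcomes."""
    return [lock.attempt(ip, role, g == real_password) for g in guesses]


if __name__ == "__main__":
    alerts = []
    lock = IllegalLoginLock(notify=lambda ip, role, until: alerts.append((ip, role)))
    # Constructed guess list: the correct password is only the sixth guess,
    # by which time the source has already been locked.
    guesses = ["admin", "12345", "password", "camera", "hik", "Mf2NYwla3ita!"]
    print(simulate(guesses, "Mf2NYwla3ita!", "203.0.113.7", "operator", lock))
    print("alerts:", alerts)
```

The outcome list for the demo is four DENIED, then LOCKED_NOW on the fifth failure, then LOCKED for the correct password: exactly the property that makes the feature useful against online guessing. The same model shows its limit: an attacker with five addresses gets five times as many guesses, so the lock buys time but does not replace a strong, unique password.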
12. Disable SSH
All devices support Secure Shell (SSH), which is disabled by default. Make sure it stays disabled by checking the security service configuration interface:
Configuration> System> Security> Security Service.
Note: For devices without this configuration interface, SSH is disabled by default.
13. Choose SNMP V3
1. Go to Configuration > Network > Advanced Settings > SNMP.
2. Check the checkbox of Enable SNMPv3; leave Enable SNMPv1 and Enable SNMP v2c unchecked unless a legacy monitoring system requires them.
3. Configure the SNMP settings.
Note: The settings of the SNMP software should be the same as the settings you configure here.
4. Click Save to save and finish the settings.
Notes:
• A reboot is required for the settings to take effect.
• To lower the risk of information leakage, enable SNMPv3 instead of SNMPv1 or v2c: those versions send the community string (effectively the password) and all data in cleartext, whereas SNMPv3 can authenticate and encrypt each message, so choose both an authentication and a privacy protocol for the SNMPv3 user.
14. Firewall setup on router
Please keep in mind that every firewall setup is different. The examples below give a general overview of which ports should be opened in a firewall.
(1). Go to the port forwarding section in your router configuration
Port forwarding should only be used when devices must be reachable from the Internet. To keep the configuration secure, follow these instructions carefully:
1. Minimize the ports exposed to the Internet. Configure port forwarding only when absolutely necessary, and forward only what the service needs: for web access, forward port 443 (HTTPS) only, not port 80.
2. Avoid common ports and reconfigure them to customized ports. For example, port 80 is commonly used for HTTP; it is recommended to change the device to a custom port other than 80 for the designated service, within the TCP/IP port range (1–65535). Note that a custom port only deters casual probing; Internet-wide scanners will still find the service, so combine it with the IP address filter and the illegal login lock described above.