Hacking utilities for performing denial of service attacks are readily available on the Internet, so it doesn’t take a high level of knowledge for a hacker to launch one. But such onslaughts are fairly simple to prevent with proper network design and readily available firewall technology.
A vulnerability to a denial of service attack was found in the NVR server software of Taiwan-based ACTi. In that case, researchers reported that the vulnerability would allow attackers to create, delete, or corrupt application files simply by executing a specific URL through a browser. The company says that it has fixed the weakness, and management emphasizes that it releases regular patches and service packs for its products.
The U.S. Computer Emergency Readiness Team, part of the Department of Homeland Security, also lists a denial of service vulnerability identified by researchers testing the DVR 3000 and 4000 models of Ottawa-based March Networks Corp. March Networks, however, disputes the finding, saying that it tested the vulnerabilities internally and with a third party and found no such vulnerability, according to spokesperson Peter Wilenius.
Fortunately, network security protections are available and relatively easy to get right. Network designers help secure networks by properly segmenting the network to protect sensitive data from unauthorized access.
Virtual networks, or VLANs, can be established to isolate the video network from the rest of the back office. Physical segmentation of the network can be accomplished with routers that only allow certain traffic to pass through, again having the effect of isolating network sections. In both cases, this segmentation can prevent a breach from spreading from the video network to other parts of the network or vice versa.
The next step in secure network design is to actively prevent unauthorized access to network resources. Firewalls provide the first line of defense against attack by disallowing traffic that originates from an unauthorized or suspicious client. Firewalls can also effectively combat denial of service attacks because they are able to recognize that a large amount of traffic is coming from a small number of sources, at which point they block access.
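The rate check described above, as an added example that is not from the article: a sliding-window count of requests per source, run over constructed log lines from a hypothetical NVR web interface, with the sources that exceed the threshold rendered as firewall drop rules (the interface name and log format are assumptions).

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the article) from a hypothetical NVR web
# interface, one request per line: "<ISO timestamp> <source IP> <method> <path> <status>".
SAMPLE_LOG = """\
2023-10-10T13:55:00 198.51.100.20 GET /login 200
2023-10-10T13:55:01 203.0.113.7 GET /cgi-bin/live.cgi 200
2023-10-10T13:55:01 203.0.113.7 GET /cgi-bin/live.cgi 200
2023-10-10T13:55:02 203.0.113.7 GET /cgi-bin/live.cgi 200
2023-10-10T13:55:02 203.0.113.7 GET /cgi-bin/live.cgi 200
2023-10-10T13:55:03 203.0.113.7 GET /cgi-bin/live.cgi 200
2023-10-10T13:55:03 203.0.113.7 GET /cgi-bin/live.cgi 503
2023-10-10T13:55:15 198.51.100.20 GET /camera/1/snapshot 200
2023-10-10T13:55:40 198.51.100.20 GET /camera/1/snapshot 200
2023-10-10T13:56:05 198.51.100.20 GET /camera/1/snapshot 200
"""


def flood_sources(log_text, max_requests=5, window_seconds=10):
    """Return {source: timestamp} for each source whose request count exceeds
    max_requests inside any window_seconds sliding window, keyed to the first
    request that crossed the threshold. Lines are processed in log order and
    each source keeps only the timestamps still inside its window."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, src, _method, _path, _status = line.split()
        ts = datetime.fromisoformat(ts_str)
        window = recent[src]
        window.append(ts)
        # Evict timestamps that have aged out of the window (oldest on the left).
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_requests and src not in flagged:
            flagged[src] = ts_str
    return flagged


def block_rules(flagged, interface="eth0"):
    """Render flagged sources as iptables DROP rules; the interface name is an
    assumption and would be the NVR's Internet-facing port in practice."""
    return [f"iptables -A INPUT -i {interface} -s {src} -j DROP"
            for src in sorted(flagged)]


if __name__ == "__main__":
    for rule in block_rules(flood_sources(SAMPLE_LOG)):
        print(rule)
```

The legitimate viewer at 198.51.100.20 never has more than one request inside a 10-second window, so only the flooding source is blocked.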
Access control systems on the network are another way to manage network user and resource access. These systems, known as Authentication, Authorization, and Accounting (AAA) servers, manage credentials of allowed system users and can actively block access by anyone who is not explicitly allowed.
Many companies supplement firewalls with intrusion detection and intrusion prevention systems (IDS/IPS). They are effective at guarding commonly used hardware and software platforms, but do not yet specifically address potential security problems in networked security products such as IP cameras, DVRs, and NVR servers.
No matter how well a company secures its network, the bottom line is that it has to allow Internet traffic in and out for business purposes, including remote viewing of surveillance video. That means that there is the potential that an unauthorized outsider will gain security equipment access remotely via the network. A second layer of protection at the application level can reduce that risk.
Application security issues are code-level problems within the products that are installed as part of the video surveillance system. Cross-site scripting is an example of an application code-level vulnerability that can be exploited with dire consequences.
In cross-site scripting, an attacker injects malicious code into a Web page, and that code is then executed in the victim’s browser. If it were the page a manager used to access a company surveillance camera, the attacker would be able to steal the victim’s login credentials as they were entered on the Web site, thereby gaining the ability to access the camera.