How to Create a More Secure Security System
Networked video surveillance is not immune to cyber risks, but taking basic steps toward protecting and strengthening networks and networked products will make them less susceptible to attacks. Below are some tips and recommendations on how to create a more secure security system.
Mandatory actions to be taken
Change Passwords and Use Strong Passwords
This should go without saying, but the number one reason a system gets “hacked” is a weak or default password. We recommend never using a default password and choosing a strong password whenever possible. A strong password is at least 8 characters and is made up of a combination of special characters, numbers and upper and lower case letters.
As standard procedure, we recommend keeping your NVR, DVR, and IP camera firmware up to date to ensure the system includes the latest security patches and fixes. Check the firmware release of your running devices against the latest firmware release listed on the product page.
Recommendations to improve your network security
Change Passwords Regularly
Regularly change the credentials of your devices to help ensure that only authorised users are able to access the system.
Change Default HTTP and TCP Ports
Change the default HTTP and TCP ports of your system. These are the two ports used to communicate and to view video feeds remotely.
Avoiding the default ports reduces the risk of others being able to guess which ports you are using.
Set up an SSL Certificate to enable HTTPS. This will encrypt all communication between your devices and recorder.
Enable IP Filter
Enabling your IP filter will prevent everyone, except those with specified IP addresses, from accessing the system.
Change ONVIF Password
On older IP Camera firmware, the ONVIF password does not change when you change the system’s credentials. You will need to either update the camera’s firmware to the latest revision or manually change the ONVIF password.
Forward Only Ports You Need
Only forward the HTTP and TCP ports that you need to use. Do not forward a huge range of port numbers to the device. It is not advisable to use features such as DMZ.
You do not need to forward any ports for individual cameras if they are all connected to a recorder on site; only the NVR needs its ports forwarded.
Disable Auto-Login on SmartPSS
If you are using SmartPSS to view your system and you are on a computer that is used by multiple people, make sure auto-login is disabled. This adds a layer of security to prevent users without the appropriate credentials from accessing the system.
Use a Different Username and Password for SmartPSS
In the event that your other usernames and passwords are compromised, someone collecting those passwords could try them on your video surveillance system. Using a different username and password for your security system will make it more difficult for someone to guess their way into your system.
Limit Features of Guest Accounts
If your system is set up for multiple users, ensure that each user only has rights to features and functions they need to use to perform their job.
UPnP will automatically try to forward ports in your router or modem. Normally this would be a good thing. However, if your system automatically forwards the ports and you leave the credentials at their defaults, you may end up with unwanted visitors. If you manually forwarded the HTTP and TCP ports in your router/modem, this feature should be turned off regardless. Disabling UPnP is recommended when the function is not used.
Disable SNMP if you are not using it. If you are using SNMP, you should do so temporarily, for tracing and testing purposes only.
Multicast is used to share video streams between two recorders. Currently there are no known issues involving Multicast, but disabling it is recommended when the function is not used.
Check the Log
If you suspect that someone has gained unauthorised access to your system, you can check the system log. The system log will show you which IP addresses were used to log in to your system and what was accessed.
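One way to carry out this log check against the same address ranges you entered in the IP filter. This is an added example, not vendor code. It assumes the log has been exported as CSV, and the column layout, event names and addresses are constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample export. The column layout (time,user,event,ip) is an
# assumption for this example, not the recorder's actual log format.
SAMPLE_LOG = """\
2024-03-01 08:02:11,admin,Login,192.168.1.20
2024-03-01 08:05:40,operator,Login,192.168.1.35
2024-03-02 02:14:03,admin,LoginFailed,203.0.113.77
2024-03-02 02:14:09,admin,LoginFailed,203.0.113.77
2024-03-02 02:14:15,admin,LoginFailed,203.0.113.77
2024-03-02 02:14:31,admin,Login,203.0.113.77
2024-03-02 09:00:00,operator,Logout,192.168.1.35
"""

# Same address ranges you would enter in the device's IP filter (assumed values).
ALLOWED = ["192.168.1.0/24"]


def review_logins(log_text, allowed_cidrs, fail_threshold=3):
    """Return (successful logins from outside the allowlist,
    addresses with at least fail_threshold failed logins)."""
    networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
    unexpected, failures = [], Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        when, user, event, ip_text = (field.strip() for field in row)
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # not an IP address (e.g. a local console entry)
        if event == "LoginFailed":
            failures[ip_text] += 1
        elif event == "Login" and not any(addr in n for n in networks):
            unexpected.append((when, user, ip_text))
    noisy = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return unexpected, noisy


if __name__ == "__main__":
    unexpected, noisy = review_logins(SAMPLE_LOG, ALLOWED)
    for when, user, ip in unexpected:
        print(f"login outside allowlist: {when} user={user} ip={ip}")
    for ip, count in noisy.items():
        print(f"repeated failed logins: {ip} ({count} attempts)")
```

A successful login that follows a burst of failures from the same address, as in the constructed sample, is the pattern to look at first.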
Physically Lock Down the Device
Ideally, you want to prevent any unauthorised physical access to your system. The best way to achieve this is to install the recorder in a lockbox, locking server rack, or in a room that is locked.
Connect IP Cameras to the PoE Ports on the Back of an NVR
Cameras connected to the PoE ports on the back of an NVR are isolated from the outside world and cannot be accessed directly.
Isolate NVR and IP Camera Network
The network your NVR and IP cameras reside on should not be the same network as your public computer network. This will prevent any visitors or unwanted guests from getting access to the same network the security system needs in order to function properly.
Use 888888 Accounts
These accounts can only be used to log in to the system using a monitor and mouse connected directly to the system. You cannot log in remotely using either of these accounts.