Milestone offers checklist on mitigating VMS cyber risks

0
169

Many European organisations are currently auditing their security setups as a response to the European Union’s NIS2 mandate. This mandate comes into effect October 2024 and provides legal measures to boost the overall level of cyber security in the EU. Here, experts from Milestone offer advice on the subject and explain the basics of mitigating the risk of your video management system (VMS) being compromised.

The process of double and triple-checking that the fundamentals are in place isn’t specific just to Europe. It’s relevant to all organisations that utilise video security worldwide. Additionally, according to Milestone, most of the work that goes into securing the setup happens outside of the actual video management software. In other words, this article is for all security and IT professionals, and not just for Milestone technology users.

Each item on the following list relates to either asset management or access management. These are two distinct but closely related concepts. Asset management involves identifying, categorising, and managing hardware (e.g., security cameras and recording servers) software (e.g., VMS and Active Directory) and even employees. Meanwhile, access management is about controlling who can interact with the aforementioned physical and virtual assets.

Asset management
● Update the firmware of each and every camera to the latest version. Quite a bit of time can sometimes pass between a camera coming out of the factory and its installation. Older firmware might have security vulnerabilities, hence the need to stay updated.
● Update camera drivers to the latest version in your VMS. Video device drivers are used to control and communicate with the cameras connected to a recording server. In addition to fixing compatibility issues, frequent updates include enhanced protection against various cyber threats.
● Disable any built-in admin accounts for your cameras (or change the passwords). The more modern and more expensive the camera, the less likely that it ships with a factory admin account and password. But it’s worth being certain, as any unchanged passwords make it easy for unauthorised individuals to tamper with settings and/or disable critical features. Most default passwords are easily found in online documentation.
● Ensure that all cameras only allow HTTPS. HTTPS encrypts communication between the security camera and the server or client. This means that any video feeds and configuration settings cannot be easily intercepted by bad actors.
● Keep your Windows Operating System updated. In the case of Milestone’s Xprotect VMS, for example, the software runs exclusively on desktop computers or Windows Server environments. As with keeping camera firmware and drivers up-to-date, updating your Windows OS means getting security patches that protect against malware and cyber attacks.

Access management
● Create user credentials for each person accessing your VMS. Just because it’s simple, doesn’t mean it’s easy. Password sharing is more common than most of us would like to admit. But without unique login credentials, you can’t track who’s doing what. Meaning a slim chance of recourse. In the case of Xprotect, the Management Server syncs with Active Directory for user authentication and authorisation.
● Safeguard the room where your VMS servers are installed. The media often portrays cyber attacks as a remote exercise. But in the real world, Milestone suggests that cyber security has to begin with a lock and key.
● Limit the number of people with access to the server room. There is no minimum or maximum magic number. But if someone’s role isn’t directly related to the maintenance, administration or security of the VMS, their access should potentially be revoked.
● Limit the number of people with admin rights for the servers. Admin accounts have elevated privileges, and each additional account increases the risk of exploitation if credentials are compromised.

Cyber security training
Milestone has been in the VMS business for more than 25 years. The company is also a CVE Numbering Authority (CNA); the CVE system provides a common identifier for publicly known cyber security vulnerabilities, making it easier for organisations and individuals to share information about security issues. As such the company has a lot to share on the topic and is eager to demonstrate this. Hence, later this month the company will be hosting a live training session on the subject of cyber security covering topics such as, using VLANs to separate your VMS network from your corporate network; encrypting your recording server’s media database; and best practices for device management and user access management in Milestone Xprotect.