Dahua Technology Ltd

The Open Web Application Security Project (OWASP), a worldwide not-for-profit charitable organisation dedicated to improving the security of software, has released the latest 2017 OWASP Top 10. This list, produced every four years since 2003, consists of the ten most critical web application security risks and is compiled with the aim of keeping pace with the ever higher demands on cyber security and interconnected operating systems.

The 2017 OWASP Top 10 list is based on the examination of over 2.3M vulnerabilities which have impacted 50,000 applications, and contains two large-scale vulnerability updates and updated attack scenarios. It serves as a standard guide to potential issues for all types of users, including those from the security industry, since most video surveillance applications involve viewing video over LAN/WAN using a web browser, while IP cameras and recorders have a web interface to initialise and configure the devices.

Cyber security risks

Among the Top 10 risks on the list, most of the known cyber security problems in security products can be linked to 5 entries (A2, A3, A5, A6, A9), including broken authentication and session management, sensitive data exposure, broken access control, security misconfiguration and using components with known vulnerabilities.

To cope with the aforementioned cyber security risks, Dahua Technology, a solution provider in the global video surveillance industry, has already taken the following measures:

  • Strengthened authentication and access control: Almost every IP video device has authentication in place, but weak or broken authentication can be exploited by attackers to gain control of the device. The same applies to broken access control, where restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorised functions and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users' data, changing access rights and so on. To strengthen authentication and access control, the Dahua cyber security baseline has implemented the following measures. Firstly, a strong password consisting of 8-32 characters must be created. It automatically locks after multiple failed attempts. Secondly, the IP address of each logged-on client is checked against its session ID, which effectively filters out requests not coming from the same client. In addition, idle sessions are terminated to reduce the risk of users forgetting to log out. Moreover, there is a built-in mechanism to defend against brute-force cracking of the session ID value.
  • Guarding sensitive data: Sensitive data is stored and transmitted to run the application, and attackers will attempt to steal sensitive information such as passwords, payment information and IDs. Dahua’s cyber security baseline implements the following to protect sensitive data. First of all, Dahua supports HTTPS encryption and prohibits unencrypted transmission of commands involving sensitive data. Secondly, passwords stored in the device must be encrypted together with the device-specific context to increase the difficulty of cracking the encryption. Configuration data is protected with encryption when stored, uploaded and downloaded. Even authenticated users are not allowed to decode the data into clear text. Data integrity validation is conducted in both the upload and download process.
  • Changes made to reduce misconfiguration: According to OWASP, security misconfiguration is the issue most commonly seen. Dahua has analysed past misconfiguration issues and made the following changes to reduce exposure to potential attackers. To start with, all default accounts are removed. The installer must set up a customised password during device initialisation. In addition, all unused open ports are closed and an authentication mechanism is implemented on all remaining necessary open ports. Finally, Dahua has deployed a cloud firmware upgrade feature to make it easier and more convenient for users to keep firmware up to date.
  • Human efforts to correct human errors: It is only through the combined forces of humans and machines, of customers and manufacturers and all related parties, that we can most effectively deal with cybersecurity problems. Dahua has put a great deal of effort into ensuring customers are given proper information, access to software fixes and technical support to deal with vulnerabilities effectively. On the official website, Dahua has posted its Best Practices, a page offering detailed tips and recommendations that help to build a more secure security system. There is also a channel for Vulnerability Reporting, through which users and other related parties can share their clues on cybersecurity loopholes, and these efforts will be rewarded after an assessment of the vulnerability.
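
The session controls listed in the first bullet (lockout after failed logins, session ID bound to the client IP, idle-session termination, hard-to-guess session IDs) can be sketched as follows. This is an added example, not Dahua's code; the class name, the thresholds and the sample credentials and addresses are assumptions, since the article gives no numbers.

```python
import secrets
import time

# Assumed values: the article says only "multiple failed attempts" and "idle sessions".
MAX_FAILED_LOGINS = 5
LOCKOUT_SECONDS = 300
IDLE_TIMEOUT_SECONDS = 600


class SessionGuard:
    """Hypothetical session store enforcing lockout, IP binding and idle expiry."""
    def __init__(self, check_password, clock=time.monotonic):
        self._check = check_password   # callable(user, password) -> bool
        self._clock = clock
        self._failures = {}            # user -> (failed_count, locked_until)
        self._sessions = {}            # session_id -> [user, client_ip, last_seen]

    def login(self, user, password, client_ip):
        now = self._clock()
        count, locked_until = self._failures.get(user, (0, 0.0))
        if now < locked_until:
            return None                # locked: refuse even a correct password
        if not self._check(user, password):
            count += 1
            locked = count >= MAX_FAILED_LOGINS
            self._failures[user] = (0, now + LOCKOUT_SECONDS) if locked else (count, 0.0)
            return None
        self._failures.pop(user, None)
        sid = secrets.token_urlsafe(32)  # 256 random bits: impractical to brute-force
        self._sessions[sid] = [user, client_ip, now]
        return sid

    def authorize(self, sid, client_ip):
        now = self._clock()
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, bound_ip, last_seen = entry
        if now - last_seen > IDLE_TIMEOUT_SECONDS or client_ip != bound_ip:
            del self._sessions[sid]    # revoke idle sessions and IDs replayed from another IP
            return None
        entry[2] = now                 # activity resets the idle timer
        return user


if __name__ == "__main__":
    guard = SessionGuard(lambda u, p: (u, p) == ("installer", "constructed-Passw0rd"))
    sid = guard.login("installer", "constructed-Passw0rd", "192.0.2.10")
    print(guard.authorize(sid, "192.0.2.10"), guard.authorize(sid, "198.51.100.7"))
```

IP binding is a supplementary check: clients behind the same NAT share an address, and clients whose address changes mid-session will be forced to log in again.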

New ecosystem of network security

Since video surveillance has become a core part of IoT, it’s not surprising that in recent years there has been an increasing number of attacks targeting IP video devices. Thus Dahua has proposed to establish a new ecosystem of network security encompassing end users, installers and manufacturers. In August 2017, Dahua shared a white paper regarding cybersecurity with its customers, and an updated version will be issued in early 2018.

In conclusion, Dahua has been well prepared for the battle of cyber security through the identification of application risks, potential attackers and other threats. With well thought-out precautionary plans and carefully designed coping mechanisms, Dahua can respond to risks in a quick and effective manner and solve the problems before they really become problems in most cases. With a mission to enable a safer society and smarter living, Dahua will continue to focus on “Innovation, Quality, and Service” to serve its partners and customers around the world.
