Cyber security has increasingly become a topic of global concern, especially after a large-scale DDoS attack almost paralysed the global public security network. Dahua insists on creating safety value and is calling for attention to establishing a new global network security ecosystem that protects network security for end users, installers and device manufacturers.

Security policies for IoT protection

It is not an exaggeration to say that the world is in a deep crisis caused by “Network Security Gate”. In 2016 in particular, an American website for online jewellery sales was attacked by hackers. The website was receiving garbage HTTP requests at a rate of 3500 per second. When a security researcher analysed the original data packets, it was found that these HTTP requests all came from IP cameras. The DDoS attack was launched by a botnet of 25000 cameras, the biggest CCTV (closed-circuit television) botnet. Last October, America suffered the largest DDoS attack, leading to website crashes along the entire east coast of the country. Within 24 hours, the pages could not be viewed. Ultimately, it was found to have been caused by a botnet made up of cameras and other intelligent devices.

A couple of network security events that occurred last year have brought challenges to IoT network security. Governments all around the world have issued laws and guidelines to achieve IoT protection. These events show that IoT network security incidents are closely related to video surveillance systems, and that most IoT device problems are caused by cyber security issues in video surveillance. Therefore, in the foreseeable future, foreign hackers will make full use of video surveillance systems to initiate DDoS attacks.

Global security industry development

2010 was a watershed year for the development of the global security industry. When monitoring devices are used independently, there aren’t any security laws. However, video surveillance is now becoming a core part of the IoT system. Video surveillance equipment has not only started to make progress on high definition, but has also undergone the shift from conventional analogue monitoring to network monitoring.

With IP cameras, NVRs and IP storage servers coming to market, video surveillance has seen rapid advances in networking. In the technical architecture of IoT and big data, cyber video surveillance has reached a new stage. However, it faces many problems:

  • Potential vulnerability to hackers
    Firstly, video surveillance products have become increasingly necessary in many fields. Driven by security concerns and cost improvements, standard equipment can be found in most retail stores and offices. Video surveillance equipment is connected over increasingly pervasive broadband and mobile Internet, with the cost of bandwidth and data usage falling. Remote monitoring and alarm systems are now commonly used with a mobile app that comes with the video devices. However, this has resulted in many video devices becoming exposed to potential hackers online.
  • Cyber security regulations
    Secondly, cyber security lacks comprehensive regulations regarding the building of projects. In global security projects, whether in standard controls, design, construction or acceptance, cyber security is ignored for lack of regulation. To this extent, there is a lot of work to do in the field of cyber security to develop the security industry.
  • Security awareness
    Thirdly, users often lack security awareness. Many IP camera users just set simple passwords, such as 1234, admin and so on, while some of them even use a null password or a default password. Thus, hackers easily take control of the system and make further use of it.
  • Security device interoperability
    Finally, many manufacturers of network monitoring devices have exported a large volume of products to other countries. In order to save costs, some manufacturers use generic and open source firmware, or adopt OEM products without any security reinforcement. As a result, devices of different brands are set up with default passwords and share the same flaws. Once the vulnerabilities have been exposed, it is hard to upgrade and fix them. Meanwhile, manufacturers face similar problems in terms of technology.

Network security ecosystem

Since the large-scale DDoS attacks that interrupted public Internet service in 2016, IoT device cyber security has attracted growing attention. Video devices make up a large proportion of the demand. How to prevent data and information from being stolen, protect video surveillance against sabotage, and prevent attacks from botnets are serious problems that need to be solved urgently. It is not difficult to see that every link in network security is weak, so establishing a new ecosystem for network security is crucial in order to resist attacks.

Defence mechanisms against hackers

Globally, whether at home or in commercial applications, all network monitoring devices exposed to the Internet are at risk of hacker attacks. Users therefore have two methods of defence. One strategy is to be invisible to automated attack tools: connect IP cameras to the embedded PoE ports of the NVR (these ports are usually isolated from the outside network) and change the ports in both the NVR and the mobile app. The other strategy is to follow all the simple steps that enhance immunity, which require no network knowledge: change the default password, avoid weak passwords, create a user account (with no admin privilege) for use on the mobile app and for remote viewing, check for and upgrade to the latest firmware, and do not let outsiders see your video equipment's brand and model. Customers can use a combination of letters, special symbols and numbers to raise the security level. When you type passwords, be as careful as when typing your bank account password, so that other people cannot see them. You can also choose a safer account. Regularly check whether devices exhibit possible vulnerabilities, and try your best to avoid deploying network video surveillance equipment on the Internet. Instead, deploy it on a private network or connect through a VPN. When you transfer data to the cloud, use secure network connections, and do not store sensitive data such as account numbers and passwords on the phone or other control equipment, in case the phone is maliciously intruded upon. You should also download the latest patches and firmware promptly. When choosing a brand, it is best to choose well-known brands because they always do well in product tests.

Installers: bridging the gap between end users and manufacturers

In the construction of projects, the installer plays an important role as a bridge and link between end users and the manufacturer. Installers need to master all the defensive measures in cyber security and educate end users about the importance of cyber security. In this way, end users will be aware of the importance of safety. It is suggested that engineers offer regular testing services, such as improving the system, checking system logs, completing firmware updates, checking for cyber security risks, and updating the status of the firewall. They should also check whether users can isolate video equipment from other network equipment, especially WiFi-accessible networks (using a VLAN or a separate network switch on a different network segment), disable UPnP, and cover common end-user mistakes and their mitigation. This is not only responsible behaviour towards end users that improves the quality of service, but will also lead to greater profits. Some monitoring devices allow their settings to be changed through the command access port and data access port, since engineers carry out some cipher modifications. This demands strict verification of installers' identities, to avoid users’ privacy being disclosed. Meanwhile, if engineers have been using passwords such as 66666666 or 888888 during installation, the devices are quite easy to break into. This applies not only to network monitoring but also to other security devices, so it is necessary to complete the secondary encryption.
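The end-user checklist and the installer's regular checks described above, written as a configuration audit over a device inventory. This is an added example, not Dahua's code; the `Device` fields, the inventory, the version strings and the VLAN labels are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Weak passwords named in the article, plus the empty (null) password.
KNOWN_WEAK = {"", "1234", "admin", "66666666", "888888"}

@dataclass
class Device:                    # hypothetical inventory record
    name: str
    password: str
    default_password: str        # password the unit shipped with
    remote_user_is_admin: bool   # account used by the mobile app / remote viewing
    upnp_enabled: bool
    internet_exposed: bool       # reachable from the Internet without a VPN
    vlan: str
    firmware: str
    latest_firmware: str

def version_key(v):
    """Turn '2.400.10' into (2, 400, 10) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def password_findings(pw, default):
    out = []
    if pw == default:
        out.append("default password unchanged")
    if pw.lower() in KNOWN_WEAK or (pw and len(set(pw)) == 1):
        out.append("password is empty, on the weak list, or one repeated character")
    classes = [r"[A-Za-z]", r"\d", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, pw)) for c in classes) < 3:
        out.append("password does not mix letters, numbers and symbols")
    return out

def audit(dev, shared_vlans):
    """Return the list of checklist items this device fails."""
    out = password_findings(dev.password, dev.default_password)
    if dev.remote_user_is_admin:
        out.append("remote viewing uses an admin account")
    if dev.upnp_enabled:
        out.append("UPnP enabled")
    if dev.internet_exposed:
        out.append("exposed to the Internet; use a private network or VPN")
    if dev.vlan in shared_vlans:
        out.append("shares a network segment with WiFi/other equipment")
    if version_key(dev.firmware) < version_key(dev.latest_firmware):
        out.append("firmware out of date")
    return out

# Constructed inventory (names, versions and VLAN labels are made up).
INVENTORY = [
    Device("lobby-cam", "888888", "admin", True, True, True,
           "wifi-guest", "2.400.9", "2.400.10"),
    Device("dock-cam", "admin", "admin", False, False, False,
           "cctv", "2.400.10", "2.400.10"),
    Device("vault-cam", "t7#Kq!92mZ", "admin", False, False, False,
           "cctv", "2.400.10", "2.400.10"),
]

def run_audit(inventory=INVENTORY, shared_vlans=("wifi-guest", "office")):
    return {d.name: audit(d, set(shared_vlans)) for d in inventory}

if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name, "OK" if not findings else findings)
```

Firmware versions are compared numerically on purpose: as plain strings, "2.400.9" would sort after "2.400.10" and the outdated unit would pass.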

Training and management for cyber devices

Because of the special nature of security equipment applications, once equipment is attacked by a hacker, it could damage individual privacy, social information, and even national production safety. In order to promote global network monitoring, Dahua Technology has put a lot of effort into establishing a leading cyber security structure and system. Cyber security receives considerable attention in product development. For end users, Dahua will teach customers to keep good habits when using cyber devices, especially managing passwords well and resetting them regularly, and caring about the safety of the cyber environment. For installers, Dahua not only creates a market for service programmes in which installers provide regular maintenance checks and raises their awareness of the safety of end users’ products, but also trains installers in how to avoid DDoS attacks. Dahua is considering setting up a standard testing scheme for network monitoring devices and adding QA processes. There is no doubt that all of these intentions demand that Dahua invest more in research and development, train professional teams, and implement strict management and control.

Security audits and verifications

Some small-scale enterprises may find the impact significant and fail to continue technology iteration and development. Manufacturers should incorporate various network security elements into the R&D process, apply protection technology to product functionality starting from the initial R&D, guarantee a high standard of development quality, and then eliminate any known security weaknesses. Security audits then ensure the safety of the final released products. For instance, Dahua uses security-testing tools to analyse the network protocol safety, robustness and reliability of all products, and to discover vulnerabilities. At the same time, Dahua uses validators to guarantee that all its products are verified by a professional cyber security team before release. In addition, Dahua frequently communicates and exchanges ideas with users and engineers to get feedback from the market. Facing IoT and big data, Dahua cooperates across boundaries with the IT industry to jointly promote security testing methods, testing tools and safety standards for related security products.

Furthermore, manufacturers also need to communicate extensively with users and engineers to collect market feedback. Faced with the IoT and big data, manufacturers of network monitoring devices are starting cross-border cooperation with the IT industry. With these new opportunities, enterprises will create greater value.

Spreading public awareness

Compared to the IT and telecommunication industries, public awareness of network security seems to be far behind. Regardless of national policies or industry development, network security is on the agenda for the long term. However, Dahua has grasped the opportunity to create much more value.

DDoS attacks and the safety problems that exist in IoT-based video surveillance have drawn attention to cyber security. However, cyber security needs a joint effort at all levels, and establishing a new global network security ecosystem becomes the breakthrough in the ecological chain. Dahua Technology, with its value proposition of “Innovation, Quality and Services”, attaches unprecedented importance to cyber security. Moreover, Dahua Technology is making every effort to provide innovative and reliable security technology to establish a new global network security ecosystem, realising the mission of “Safer Society, Smarter Living”.
