Download PDF version Contact company

The Open Web Application Security Project (OWASP), a worldwide not-for-profit charitable organisation dedicated to improving the security of software, has released the latest 2017 OWASP Top 10. This list, produced every four years since 2003 consists of the ten most critical web application security risks and is complied with the aim of keeping pace with the ever higher demands on cyber security and interconnected operating systems.

The 2017 OWASP Top 10 list is based on the examination of over 2.3M vulnerabilities which have impacted 50,000 applications, and contains two large-scale vulnerability updates and updated attack scenarios. It serves as a standard guide of potential issues or all types of users, including those from the security industry since most video surveillance applications involve viewing of video over LAN/WAN using web browser while IP cameras and recorders have a web interface to initialise and configure the devices.

Cyber security risks

Among the Top 10 risks on the list, most of the known cyber security problems in security products can be linked to 5 entries

Among the Top 10 risks on the list, most of the known cyber security problems in security products can be linked to 5 entries (A2, A3, A5, A6, A9), including broken authentication and session management, sensitive data exposure, broken access control, security misconfiguration and using components with known vulnerabilities.

To cope with the aforementioned cyber security risks, Dahua Technology, a solution provider in the global video surveillance industry, has already taken the following measures:

  • Strengthened authentication and access control: Almost every IP video device has authentication in place but weak or broken authentication can be exploited by attackers to gain control of the device. Likewise with Broken Access Control, where restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorised functions and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users’ data, change access rights and so on. To strengthen authentication and access control, Dahua cyber security baseline has implemented the following measures. Firstly, a strong password consisting of 8-32 characters must be created. It automatically locks after multiple failed attempts. Secondly the IP address of log on clients is checked to see if they match with the session ID and can effectively filter requests not coming from the same client. In addition to that, idle sessions will be terminated to reduce risk due to users forgetting to log out. Moreover, there is a built-in mechanism to defend against brute force cracking of the session ID value.
    Dahua supports HTTPS encryption and prohibits unencrypted transmission of commands involving sensitive data
  • Guarding sensitive data : Sensitive Data is being stored and transmitted to run the application, attacker will attempt to steal sensitive information such as passwords, payment information and IDs. Dahua’s cyber security baseline implemented the following to protect sensitive data. First of all, Dahua supports HTTPS encryption and prohibits unencrypted transmission of commands involving sensitive data. Secondly, passwords stored in the device must be encrypted together with the device specific context to increase the difficulty to crack the encryption. Protect configuration data with encryption when stored, upload and download. Even authenticated users are not allowed to decode the data into clear text. Data integrity validation is conducted in both the upload and download process. 
  • Changes made to reduce misconfiguration : According to OWASP, security misconfiguration is the issue most commonly seen. Dahua has analysed past misconfiguration issues and made the following changes to reduce exposure to potential attacker. To start with, all default accounts are removed. Installer must set up a customised password during device initialisation. In addition all unused open ports are closed and an authentication mechanism is implemented to all remaining necessary open ports. Finally, Dahua has deployed cloud firmware upgrade feature to make it easier and more convenient for users to keep firmware up to date.
    Dahua has posted its Best Practices, a page offering useful tips and recommendations in detail that help to build a more secure security system
  • Human efforts to correct human errors : It is only through the combined forces of humans and machines, of customers and manufacturers and all related parties, that we can we most effectively deal with cybersecurity problems. Dahua has put a great deal of effort ensure customers will be given proper information, access to fix software and technical support to deal with vulnerability effectively. On the official website, Dahua has posted its Best Practices, a page offering useful tips and recommendations in detail that help to build a more secure security system. There is also a channel for Vulnerability Reporting, through which users and other related parties can share their clues on cybersecurity loopholes and these efforts will be rewarded after an assessment of the vulnerability.

New ecosystem of network security

Since video surveillance has become a core part of IoT, it’s not surprising that in recent years there have been an increasing amount of attacks targeting IP video devices. Thus Dahua has proposed to establish a new ecosystem of network security encompassing the end user, installers and manufacturers. In August 2017, Dahua shared a white paper regarding cybersecurity with its customers, and an updated version will be issued in early 2018.

In conclusion, Dahua has been well prepared for the battle of cyber security through the identification of application risks, potential attackers and other threats. With well thought-out precautionary plans and carefully designed coping mechanisms, Dahua can respond to risks in a quick and effective manner and solve the problems before they really become problems in most cases. With a mission to enable a safer society and smarter living, Dahua will continue to focus on “Innovation, Quality, and Service” to serve its partners and customers around the world.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version Download PDF version

In case you missed it

How smart technology is simplifying safety and security in retirement villages
How smart technology is simplifying safety and security in retirement villages

James Twigg is the Managing Director of Total Integrated Solutions (TIS), an independent life safety, security and communication systems integrator, specialising in design & consultancy, technology and regulatory compliance. Total Integrated Solutions work primarily with retirement villages, helping to ensure the safety of residents in numerous retirement villages across the country. In this opinion piece, James shares how smart technology is helping security teams and care staff alike in ensuring the safety and security of their spaces, amid the COVID-19 pandemic and beyond. Impact of smart technology Smart technology is having an impact on pretty much every aspect of our lives Smart technology is having an impact on pretty much every aspect of our lives. From how we travel, to how we work, to how we run our homes. It’s not unusual to have Alexa waking us up and ordering our groceries or Nest to be regulating the temperature and energy in our homes. And while there’s a popular misconception that people in their later years are allergic to technology, retirement villages and care homes are experiencing significant innovation too. And the result is not only improved quality of life for residents, but also improved safety and security systems for management teams. Switching to converged IP systems I’ve been working in the life safety and security industry for over fifteen years. When I first joined TIS, much of the sector was still very analogue, in terms of the technology being installed and maintained. Slowly but surely, we’ve been consulting and advising customers on how to design, install and maintain converged IP systems that all talk to each other and work in tandem. I'm excited to say retirement villages are some of the top spaces leading the way, in terms of technological advancement. Improving the quality of life for residents A move into a retirement village can be daunting and one of the key concerns that we hear about is the loss of independence. No one wants to feel like they are being monitored or to have someone constantly hovering over them. One of the ways we’ve used smart technology to maintain residents' independence is through devices, such as health monitors and motion sensors. For example, instead of having a member of staff check-in on residents every morning, to ensure they are well, sensors and analytics can automatically detect changes in routine and alert staff to possible problems. Similarly, wearable tech, such as smart watches give residents a chance to let staff know they are okay, without having to tell them face-to-face. As our retirement village customers have told us, a simple ‘I’m okay’ command can be the difference between someone feeling independent versus someone feeling monitored. Simplifying and improving security systems Smart technology gives care staff and security oversight of the needs of residents For the teams responsible for the safety of the people, places and spaces within retirement villages, smart technology is helping to improve and simplify their jobs. Smart technology gives care staff and security oversight of the needs of residents, and ensures rapid response if notified by an emergency alert, ensuring they know the exact location of the resident in need. And without the need to go and physically check-in on every resident, staff and management can ensure staff time is being used effectively. Resources can be distributed where they are needed to ensure the safety and wellbeing of those residents who need extra consideration. 24/7 surveillance When planning the safety and security for retirement villages, and other residential spaces, it’s no use having traditional systems that only work effectively for 12 hours a day or need to update during the evening. Surveillance needs to be 24/7 and smart technology allows that without the physical intrusion into people’s spaces and daily lives. Smart technology ensures that systems speak to each other and are easily and effectively managed on one integrated system. This includes video surveillance, which has also become much more effective as a result of advanced video analytics, which automatically warn staff of suspicious behaviour. Securing spaces amid COVID-19 This year has, of course, brought new challenges for safety. COVID-19 hit the retirement and residential care sectors hard, first with the initial wave of infections in mid-2020 and then, with the subsequent loneliness caused by the necessary separation of families. As essential workers, we worked closely with our customers to make sure they had everything they needed As essential workers, we worked closely with our customers to make sure they had everything they needed during this time, equipping residents with tablet devices to ensure they could stay connected with their families and friends. It allowed residents to keep in touch without risking transferring the virus. Thermal cameras and mask detection And now that we’re emerging out of COVID-19 restrictions and most residents can see their families again, we’re installing systems like thermal cameras and mask detection, so as to ensure that security will be alerted to anyone in the space experiencing a high temperature or not wearing proper PPE. Such steps give staff and families alike, the peace-of-mind that operational teams will be alerted at the earliest possible moment, should a COVID-19 risk appear. Thinking ahead to the next fifteen years, I’m excited at the prospect of further technological advancements in this space. Because at the end of the day, it’s not about how complex your security system is or how you compete in the industry. It’s about helping teams to protect the people, spaces and places that matter. I see smart technology playing a huge role in that for years to come.

ASSA ABLOY’s Code Handle protects Fylab physiotherapy practice with secure PIN-operated handles
ASSA ABLOY’s Code Handle protects Fylab physiotherapy practice with secure PIN-operated handles

In all medical settings, people are coming and going all day. Therapists leave their personal belongings in changing rooms, patients want privacy in consulting rooms, open or unlocked doors can be an invitation to opportunists. Yet keeping track of mechanical keys can be a tiresome task for a small practice. There is a solution: the Code Handle PIN lock from ASSA ABLOY. In Irun, in Spain’s Basque country, Fylab sought easy electronic door security for their consulting rooms. These rooms house expensive specialist equipment for the various therapeutic disciplines offered by Fylab. Requirements were straightforward: a simple, secure, keyless access solution designed to work in a facility that gets a lot of daily traffic from professionals and the public. They needed a locking device that is easy to retrofit and incorporates a contemporary device design to match with Fylab’s modern medical workplace. Adding electronic security to room doors The Code Handle PIN-locking door handle added electronic security to three consulting-room doors at FylabThe Code Handle PIN-locking door handle added electronic security to three consulting-room doors at Fylab – without wires or cables. Two screws fit a Code Handle to almost any interior door (between 35mm to 80mm thick). One doesn’t even need to change their existing door cylinder. “I am no artist or handyman, but I managed to fit the handles within 10 minutes,” says Fylab founder, Borja Saldias Retegui. Code Handle adds electronic security to almost any interior door without disrupting its aesthetics. If one needs to secure a door facing a public space, Code Handle does it subtly and with zero hassle. At Fylab, Code Handle devices locks both wooden and glass doors, keeping equipment and therapists’ personal belongings safe. Allows up to 9 different PIN numbers “We like the solution a lot because we can do away with keys,” adds Borja. Code Handle removes the need to track cumbersome keys or install expensive access control. Because every Code Handle allows up to 9 different PIN numbers (4 to 6 digits), all authorised staff at Fylab can have their own security code. Two standard batteries (CR2) slot inside the handle, typically lasting 30,000 lock/unlock cycles before replacement The practice manager cancels or amends PINs at any time using the master PIN. Two standard batteries (CR2) slot inside the handle, typically lasting 30,000 lock/unlock cycles before replacement. It’s simple. “Code Handle is unique in comparison to common code door locks: it has the code function and battery incorporated inside its handle, so you don’t need to make extra modifications to your door,” explains Lars Angelin, Business Development Manager for Code Handle at ASSA ABLOY EMEA. Auto-locking feature of Code Handle Auto-locking is another helpful feature. When the door closes, Code Handle locks it automatically. One doesn’t need to put down whatever they are carrying, and no one can open it from the outside while they are not looking. To keep the door open briefly, one can simply hold Code Handle down for 5 seconds and it remains temporarily unlocked. For convenience, Code Handle always opens freely from the inside. “Code Handle provides the simplest solution for access control in a small facility,” says Borja. To learn more about Code Handle please visit: https://campaigns.assaabloyopeningsolutions.eu/codehandle

What are the challenges and benefits of mobile access control?
What are the challenges and benefits of mobile access control?

There is a broad appeal to the idea of using a smartphone or wearable device as a credential for physical access control systems. Smartphones already perform a range of tasks that extend beyond making a phone call. Shouldn’t opening the door at a workplace be among them? It’s a simple idea, but there are obstacles for the industry to get there from here. We asked this week’s Expert Panel Roundtable: What are the challenges and benefits of mobile access control solutions?