The Open Web Application Security Project (OWASP), a worldwide not-for-profit charitable organisation dedicated to improving the security of software, has released the latest 2017 OWASP Top 10. The list, revised every few years since its first release in 2003, ranks the ten most critical web application security risks and is compiled to keep pace with the ever higher demands on cyber security in increasingly interconnected systems.

The 2017 OWASP Top 10 list is based on the examination of over 2.3M vulnerabilities affecting 50,000 applications, adds two new risk categories and contains updated attack scenarios. It serves as a standard guide to potential issues for all types of users, including those from the security industry, since most video surveillance applications involve viewing video over LAN/WAN in a web browser, while IP cameras and recorders have a web interface to initialise and configure the devices.

Cyber security risks

Among the Top 10 risks on the list, most of the known cyber security problems in security products can be linked to five entries (A2, A3, A5, A6 and A9): broken authentication and session management, sensitive data exposure, broken access control, security misconfiguration, and using components with known vulnerabilities.

To cope with the aforementioned cyber security risks, Dahua Technology, a solution provider in the global video surveillance industry, has already taken the following measures:

  • Strengthened authentication and access control: Almost every IP video device has authentication in place, but weak or broken authentication can be exploited by attackers to gain control of the device. The same applies to broken access control, where restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorised functions and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users’ data, changing access rights and so on. To strengthen authentication and access control, the Dahua cyber security baseline implements the following measures. Firstly, a strong password of 8-32 characters must be created, and the account is locked automatically after multiple failed login attempts. Secondly, the IP address of the logged-on client is recorded against its session ID and checked on every request, which filters out requests that do not come from the client that established the session. In addition, idle sessions are terminated to reduce the risk of users forgetting to log out. Moreover, there is a built-in mechanism to defend against brute-force guessing of the session ID value.
  • Guarding sensitive data: Sensitive data is stored and transmitted to run the application, and attackers will attempt to steal information such as passwords, payment details and identifiers. Dahua’s cyber security baseline implements the following to protect sensitive data. First of all, Dahua supports HTTPS encryption and prohibits unencrypted transmission of commands involving sensitive data. Secondly, passwords stored on the device are encrypted together with device-specific context to increase the difficulty of cracking them offline. Configuration data is encrypted when stored, uploaded and downloaded, and even authenticated users are not allowed to decode it into clear text. Data integrity is validated in both the upload and download process.
  • Changes made to reduce misconfiguration: According to OWASP, security misconfiguration is the most commonly seen issue. Dahua has analysed past misconfiguration issues and made the following changes to reduce exposure to potential attackers. To start with, all default accounts are removed: the installer must set a customised password during device initialisation. In addition, all unused open ports are closed and an authentication mechanism is applied to every remaining necessary port. Finally, Dahua has deployed a cloud firmware upgrade feature to make it easier and more convenient for users to keep firmware up to date.
  • Human efforts to correct human errors: It is only through the combined forces of humans and machines, of customers and manufacturers and all related parties, that we can most effectively deal with cyber security problems. Dahua has put a great deal of effort into ensuring customers are given proper information, access to software fixes and technical support to deal with vulnerabilities effectively. On the official website, Dahua has posted its Best Practices, a page offering detailed tips and recommendations that help to build a more secure security system. There is also a channel for Vulnerability Reporting, through which users and other related parties can share their findings on cyber security loopholes; these efforts are rewarded after an assessment of the vulnerability.
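The authentication and session controls listed under the first bullet (length-checked passwords, lockout after repeated failures, a session ID bound to the client IP, idle timeout, an unguessable session ID) and the password-storage point under the second bullet can be shown together in a small login module. The code below is an added example written for this page; it is not Dahua's code and does not describe how Dahua's firmware is built. The lockout threshold, lockout duration, idle timeout, KDF iteration count and the device context string are assumptions chosen for the demonstration, and the password verifier is a salted PBKDF2 hash rather than a reversible encryption, which is the practice to prefer for stored credentials.

```python
import hashlib
import hmac
import secrets
import time

PASSWORD_MIN, PASSWORD_MAX = 8, 32   # password length policy quoted in the article
MAX_FAILED = 5                       # assumed: failed logins before the account locks
LOCKOUT_SECONDS = 300                # assumed: how long the lock lasts
IDLE_TIMEOUT = 600                   # assumed: idle seconds before a session is dropped
KDF_ITERATIONS = 100_000             # assumed PBKDF2 work factor
# Assumed stand-in for "device-specific context": a value unique to the unit (e.g. its
# serial) mixed into the salt, so a credential store copied to another device fails there.
DEVICE_CONTEXT = b"device-serial:EXAMPLE0001"


class AuthError(Exception):
    pass


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Slow, salted, one-way password verifier (PBKDF2-HMAC-SHA256).
    Stored instead of the password or a reversible ciphertext of it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt + DEVICE_CONTEXT, KDF_ITERATIONS)


class DeviceAuth:
    def __init__(self, now=time.time):
        self.now = now           # injectable clock so timeouts can be tested
        self.users = {}          # name -> (salt, verifier)
        self.failed = {}         # name -> (failed count, locked_until)
        self.sessions = {}       # session id -> {"user", "ip", "last_seen"}

    def set_password(self, name: str, password: str) -> None:
        if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
            raise AuthError("password must be %d-%d characters" % (PASSWORD_MIN, PASSWORD_MAX))
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, derive_verifier(password, salt))

    def login(self, name: str, password: str, client_ip: str) -> str:
        count, locked_until = self.failed.get(name, (0, 0.0))
        if self.now() < locked_until:
            raise AuthError("account temporarily locked")
        if locked_until:
            count = 0            # lock has expired: start a fresh failure window
        record = self.users.get(name)
        # Run the KDF even for unknown users so response time does not reveal valid names.
        salt, verifier = record if record else (b"\0" * 16, b"\0" * 32)
        computed = derive_verifier(password, salt)
        if record is None or not hmac.compare_digest(computed, verifier):
            count += 1
            locked_until = self.now() + LOCKOUT_SECONDS if count >= MAX_FAILED else 0.0
            self.failed[name] = (count, locked_until)
            raise AuthError("invalid credentials")
        self.failed.pop(name, None)
        # 256-bit random session id: guessing it by brute force is infeasible.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": name, "ip": client_ip, "last_seen": self.now()}
        return sid

    def check_session(self, sid: str, client_ip: str) -> str:
        """Return the user for a valid session, enforcing IP binding and idle timeout."""
        session = self.sessions.get(sid)
        if session is None:
            raise AuthError("unknown session")
        if session["ip"] != client_ip:
            raise AuthError("session presented from a different client address")
        if self.now() - session["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]
            raise AuthError("session expired after inactivity")
        session["last_seen"] = self.now()
        return session["user"]

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)
```

Two practical caveats. Binding a session to the client IP is a useful second check, but it breaks for clients whose address changes mid-session (mobile users, some NAT and proxy configurations), so it is a complement to, not a substitute for, a long random session ID and a short idle timeout. The per-account lockout also gives an attacker a cheap way to lock legitimate users out, which is why the lock is time-limited rather than permanent.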

New ecosystem of network security

Since video surveillance has become a core part of the IoT, it is not surprising that in recent years there has been an increasing number of attacks targeting IP video devices. Dahua has therefore proposed establishing a new ecosystem of network security encompassing end users, installers and manufacturers. In August 2017, Dahua shared a white paper on cyber security with its customers, and an updated version will be issued in early 2018.

In conclusion, Dahua has prepared for the cyber security battle through the identification of application risks, potential attackers and other threats. With well thought-out precautionary plans and carefully designed coping mechanisms, Dahua can respond to risks quickly and effectively and, in most cases, solve problems before they really become problems. With a mission to enable a safer society and smarter living, Dahua will continue to focus on “Innovation, Quality, and Service” to serve its partners and customers around the world.


In case you missed it

2018 FIFA World Cup Russia integrates safety, security and service

The 2018 FIFA World Cup tournament is bringing 32 national teams and more than 400,000 foreign football fans from all over the world to 12 venues in 11 cities in Russia. Fans are crowding into cities including Moscow, St. Petersburg and Kazan. Given continuing global concerns about terrorism, security is top-of-mind. Protection of the World Cup games in Russia is focusing on an “integrated safety, security and service approach,” according to officials. Combining the term “security” with the terms “safety” and “service” is not an accident. An aggressive security stance is necessary, but at the end of the day, fan safety is paramount, and a service-oriented approach ensures a positive fan experience. Medical responders will be working side-by-side with police and antiterrorism personnel.

Risk management best practices

We asked Sean T. Horner and Ben Joelson, directors of the Chertoff Group, a global advisory firm focused on best practices in security and risk management, to comment on security at FIFA World Cup 2018. Although not involved in securing the 2018 World Cup, the Chertoff Group is experienced at securing large events and enterprises using risk management, business practices and security. Integration is another important aspect of protecting the games, says Horner. The use of multiple resources, including Russian military, intelligence and law enforcement, will be closely integrated to provide the best security for the large-scale event in each of the host cities, he says. The approach will be centralised and flexible, with resource deployment guided by effective situational awareness.

“There is a unified command structure at the Russian Federation level, and they will keep resources in reserve and shift them as needed to various events and venues based on any specific intelligence, in effect deploying resources where threats are greatest,” says Joelson. “There will also be some regional commands, and resources will incorporate a spectrum of police and military personnel ranging from the ‘cop on the beat’ to the Spetsnaz, the Russian ‘special forces’.” Primary security and emergency operations centres will be dispersed throughout each host city, and additional forces can be shifted as necessary, he notes.

Role of law enforcement

In Russia, the lines of separation between law enforcement and the military are not as stark as in the United States, for example, where military forces are restricted from deployment for domestic law enforcement by the Posse Comitatus Act. In Russia, there is no such restriction. A broad range of technology will play a role at the World Cup, Horner and Joelson agree. Technology will be used primarily as a force multiplier and a decision-support tool for security personnel. There are robust CCTV systems in many Russian cities, and mobile CCTV systems, such as camera towers or mobile security centres on wheels, will also be deployed. Technologies will include infrared cameras, flood lights, and ferromagnetic screening systems to scan hundreds of individuals as they walk by. In some locations, facial recognition systems will be used, tied into various intelligence, military and law enforcement databases of known bad actors. Behaviour analytics will be used as a decision-support tool. In addition to security in public areas, private CCTV systems in hotels, at transportation hubs, and inside the venues themselves will be leveraged. Video analytics and detection will help personnel review live views of people who may be acting suspiciously or who leave a bag unattended.

Rigorous anti-terrorism measures

A Fan ID card is required to enter the 2018 World Cup Tournament, even for Russian residents. The Russians have an aggressive stance against domestic terrorism, which will also help ensure the safety of the World Cup games, say Horner and Joelson. Terrorist group ISIS has promised “unprecedented violence” at the games, but they make similar threats at every major global event. Russia has been an active force disrupting ISIS in Syria, and experts suggest that losing ground geographically could lead to additional “asymmetric” terrorist attacks. However, Russia is leveraging all its intelligence resources to identify any plots and deploying its security apparatus to disrupt any planned attacks, experts say. Russia’s rigorous anti-terrorism measures include a total ban on planes and other flying devices (such as drones) around the stadiums hosting the World Cup.

Private security

In addition to military, intelligence and law enforcement personnel, private security will have a high profile during the 2018 World Cup in Russia. Private security personnel will be on the front lines in hotels and in “fan zones.” They will operate magnetometers at entrances, perform bag checks, enforce restrictions on hand-carried items, etc. Private security will be especially important to the “guest experience” aspects of protecting the games. Another private security function at the World Cup is executive protection of dignitaries and high-net-worth individuals who will be attending. Executive protection professionals will arrive early, conduct advance security assessments before VIPs arrive, and secure trusted and vetted transportation (including armoured cars in some cases). VIPs will include both Russian citizens and foreign (including U.S.) dignitaries attending the games. Private security details will be out in force.

Aggressive security approach

Overeager and outspoken fans are a part of the football culture, but Russia will deploy a near-zero tolerance policy against hooliganism and riots. An overwhelming force presence will take an aggressive approach to curbing any civil disturbances, and offenders will be removed quickly by Russian security forces. Strict restrictions on the sale and consumption of alcohol will be enforced in the venue cities before and after the matches. Officials will also be cognisant of the possibility of a riot or other event being used as a distraction to draw attention from another area where a terrorist event is planned. It will be a delicate balance between deploying an aggressive security approach and preserving the fan experience. Joelson notes that freedom of speech is not as valued in Russia as in other parts of the world, so the scales will be even more tipped toward security. “The last thing they want is for things to get out of control,” says Horner. “The event is putting Russia on the world stage, and they want visitors to walk away safely after having a great time and wanting to go back in the future.”

Precautions for World Cup attendees

Attendees to the World Cup in Russia should take some basic precautions, Horner and Joelson agree. For example, Russia requires a translated, notarised letter explaining any prescription drugs. The country has a more aggressive foreign intelligence environment, so visitors cannot depend on their data being private. Joelson recommends the usual “social media hygiene” and privacy settings. Visitors should not post information about their travel plans or locations, and it’s best to travel with a disposable mobile phone that does not contain personal information. Location tracking should be deactivated. Travellers should also beware of talking and sharing information with others, or of saying anything derogatory. “They should also have good situational awareness, and keep their heads up, scanning crowds and identifying unsafe situations,” says Joelson. “If you bring a personal electronic device, you should expect that it has been compromised,” says Horner. Text messages and email will not be private, and he suggests creating an email address used only for travel. Don’t leave drinks unattended. Travellers from the U.S. should register at the Smart Traveler Enrollment Program (STEP) operated by the U.S. State Department. “Plan before you travel and before you get to the airport,” says Horner.

The benefits and challenges of in-camera audio analytics for surveillance solutions

Audio is often overlooked in the security and video surveillance industry. There are some intercom installations where audio plays a key role, but it’s not typically thought about when it comes to security and event management. Audio takes a back seat in many security systems because audio captured from a surveillance camera can have a different impact on the privacy of those being monitored. Audio surveillance is therefore subject to strict laws that vary from state to state. Many states require a clearly posted sign indicating audio recording is taking place in an area before a person enters. Analytic information derived from audio can be a useful tool and, when implemented correctly, greatly reduces concerns over privacy and legal compliance.

Focused responses to events

Audio analytics processed in the camera has been a niche and specialised area for many installers and end users. This could be due to state laws governing audio recording; however, audio analytics on the edge sidesteps many of these legal challenges because raw audio never leaves the camera. Processing audio analytics in-camera provides strong privacy protection since audio data is analysed internally with a set of algorithms that only compare and assess the audio content. Processing audio analytics on the edge also reduces latency compared with any system that needs to send the raw audio to an on-premises or cloud server for analysis. Audio analytics can quickly pinpoint zones that security staff should focus on, which can dramatically shorten response times to incidents. Audio-derived data also provides a secondary layer of verification that an event is taking place, which can help prioritise responses from police and emergency personnel.

Microphones and algorithms

Many IP-based cameras have small microphones embedded in the housing, while some have a jack for connecting external microphones to the camera. Microphones on indoor cameras work well since the housing allows for a small hole to permit sound waves to reach the microphone. Outdoor cameras that are IP66 certified against water and dust ingress will typically have less sensitivity since the microphone is not exposed. In cases like these, an outdoor microphone, strategically placed, can significantly improve outdoor analytic accuracy. There are several companies that make excellent directional microphones for outdoor use, some of which can also combat wind noise. Any high-quality external microphone should easily outperform a camera’s internal microphone in terms of analytic accuracy, so it is worth considering in areas where audio information gathering is deemed most important.

In-built audio-video analytics

Surveillance cameras with a dedicated SoC (System on Chip) have become available in recent years with in-built video and audio analytics that can detect and classify audio events and send alerts to staff and emergency services for sounds such as gunshots, screams, glass breaks and explosions. Having a SoC allows a manufacturer to reserve space for specialised features. For audio analytics, a database of reference sounds is needed for comparison. The camera extracts the characteristics of the audio source collected using the camera's internal or externally connected microphone and calculates its likelihood based on the pre-defined database. If a match is found for a known sound, e.g., gunshot, explosion, glass break, or scream, an event is triggered, and the message is passed to the VMS.

Configuring a camera for audio analytics

Audio detection

The first job of a well-configured camera or camera/mic pair is to detect sounds of interest while rejecting ancillary sounds and noise below a preset threshold. Each camera must be custom configured for its particular environment to detect audio levels which exceed a user-defined level. Since audio levels are typically greater in abnormal situations, any audio level exceeding the baseline plus the set margin is detected as a potential security event. Operators can be notified of any abnormal situations via event signals, allowing the operator to take suitable measures. Finding a baseline of background noise and setting an appropriate threshold level is the first step.

Noise reduction

A simple threshold level may not be adequate to reduce false alarms, depending on the environment where a camera or microphone is installed. Noise reduction is a feature on cameras that can reduce background noise greater than 55dB-65dB for increased detection accuracy. Installers should be able to enable or disable the noise reduction function and view the results to validate the optimum configuration during setup. With noise reduction enabled, the system analyses the attenuated audio source. As such, the audio source classification performance may be hindered or generate errors, so it is important to use noise reduction technology sparingly.

Audio source classification

It’s important to supply the analytic algorithm with a good audio level and a high signal-to-noise ratio to reduce the chance of generating false alarms under normal circumstances. Installers should experiment with ideal placement for both video and audio. While a ceiling corner might seem an ideal location for a camera, it might also cause background audio noise to be artificially amplified. Many cameras provide a graph which visualises audio source levels to allow for the intuitive checking of noise cancellation and detection levels.

Messages and events

It’s important to choose a VMS that has correctly integrated the camera’s API (application programming interface) in order to receive comprehensive audio analytic events that include the classification ID (explosion, glass break, gunshot, scream). A standard VMS that only supports generic alarms may not be able to resolve all of the information. More advanced VMS solutions can identify different messages from the camera. Well configured audio analytics can deliver critical information about a security event, accelerating response times and providing timely details beyond video-only surveillance. Edge analytics keep raw audio inside the camera and allow installers and end users to use camera audio responsibly. Hanwha Techwin's audio source classification technology, available in its X Series cameras, features three customisable settings for category, noise cancellation and detection level for optimum performance in a variety of installation environments.
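The detection stage described under "Audio detection" (learn a baseline of background noise, then flag frames that exceed it by a user-defined margin) can be made concrete with a few lines of signal processing. The block below is an added example written for this page; it is not Hanwha Techwin's code and does not reproduce any camera's firmware. The sample rate, frame size, margin, the median-based baseline, the minimum event duration and the constructed tone stream are all assumptions made for the demonstration.

```python
import math
from statistics import median

SAMPLE_RATE = 16_000      # assumed microphone sample rate (Hz)
FRAME = 256               # assumed samples per analysis frame (16 ms)


def frame_dbfs(samples):
    """RMS level of one frame in dBFS; samples are floats in [-1.0, 1.0], 0 dBFS = full scale."""
    rms = math.sqrt(sum(s * s for s in samples) / len(samples))
    return 20.0 * math.log10(max(rms, 1e-9))   # clamp digital silence instead of log10(0)


def learn_baseline(frames, quiet_frames):
    """Background noise floor: median level of the first quiet_frames frames.
    The median ignores the odd transient while the installer is capturing the baseline."""
    return median(frame_dbfs(f) for f in frames[:quiet_frames])


def detect_events(frames, baseline_db, margin_db, min_frames=2):
    """Indices of frames that exceed baseline + margin for at least min_frames consecutive
    frames. The minimum duration rejects one-frame clicks that a bare threshold would report."""
    hits, run = [], []
    for i, f in enumerate(frames):
        if frame_dbfs(f) > baseline_db + margin_db:
            run.append(i)
            continue
        if len(run) >= min_frames:
            hits.extend(run)
        run = []
    if len(run) >= min_frames:
        hits.extend(run)
    return hits


def tone_frame(amplitude, freq_hz=440.0):
    """Constructed test input: one frame of a sine tone at the given peak amplitude."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * k / SAMPLE_RATE) for k in range(FRAME)]


def demo_stream():
    """Constructed stream: quiet background, a 3-frame loud event, quiet, a 1-frame click, quiet."""
    quiet = tone_frame(0.01)          # about -43 dBFS
    loud = tone_frame(0.5)            # about -9 dBFS
    click = tone_frame(0.3)           # about -13.5 dBFS, but only one frame long
    return [quiet] * 10 + [loud] * 3 + [quiet] * 7 + [click] + [quiet] * 4


def run_demo(margin_db=20.0):
    """Learn the floor from the first 8 (quiet) frames, then detect with a 20 dB margin."""
    frames = demo_stream()
    baseline = learn_baseline(frames, quiet_frames=8)
    return baseline, detect_events(frames, baseline, margin_db)


if __name__ == "__main__":
    base, events = run_demo()
    print("baseline %.1f dBFS, event frames %s" % (base, events))
```

Because the margin is relative to a baseline learnt on site, the same setting behaves sensibly in a quiet corridor and beside a busy road, which is the reason the article insists on finding the baseline first; a fixed absolute threshold would either miss events in the loud location or fire constantly in it. The one-frame click in the constructed stream is reported by a bare threshold but dropped once a minimum duration is required, which is the simplest form of the false-alarm filtering the noise reduction section is concerned with. Noise reduction itself attenuates the whole signal before analysis and is not modelled here.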

How important is packaging in the commercial security market?

High-quality products are the building blocks of successful physical security systems. How they are packaged may sometimes be seen as an unimportant detail or an afterthought. But should it be? Effective packaging can serve many functions, from creating a favourable customer impression to ensuring the product isn’t damaged in transit. Packaging can also contribute to ease of installation. On the negative side, excess packaging can be an environmental concern, especially for customers who are sensitive to green factors or to minimising waste. We asked this week’s Expert Panel Roundtable: Is packaging of products important in the commercial security market? Why or why not?