Difference between revisions of "Cyber Security/Best Practices"

Line 8: Line 8:
 
*Instructions: https://dahuawiki.com/Firmware/Update_Firmware_via_USB
 
*Instructions: https://dahuawiki.com/Firmware/Update_Firmware_via_USB
  
2. Change Passwords and Use Strong Passwords:
+
2. Change Passwords and Use Strong Passwords
  
 
This should go without saying, but the number one reason a system gets “hacked” is due to weak or default passwords. Dahua recommend never using a default password and choosing a strong password whenever possible. A strong password is at least 8 characters and is made up of a combination of special characters, numbers, and upper and lower case letters.
 
This should go without saying, but the number one reason a system gets “hacked” is due to weak or default passwords. Dahua recommend never using a default password and choosing a strong password whenever possible. A strong password is at least 8 characters and is made up of a combination of special characters, numbers, and upper and lower case letters.
Line 19: Line 19:
 
*Instructions: http://dahuawiki.com/NVR/Basic_Setup/Change_User_Name_or_Password
 
*Instructions: http://dahuawiki.com/NVR/Basic_Setup/Change_User_Name_or_Password
 
   
 
   
4. Disable UPNP:
+
4. Disable UPNP
  
 
UPNP will automatically try to forward ports in your router or modem. Normally this would be a good thing. However, if your system automatically forwards the ports, and you leave the credentials defaulted, you may end up with unwanted visitors.
 
UPNP will automatically try to forward ports in your router or modem. Normally this would be a good thing. However, if your system automatically forwards the ports, and you leave the credentials defaulted, you may end up with unwanted visitors.
Line 25: Line 25:
 
*Instructions: http://dahuawiki.com/Remote_Access/UPNP_Function
 
*Instructions: http://dahuawiki.com/Remote_Access/UPNP_Function
 
   
 
   
5. Disable P2P:
+
5. Disable P2P
*P2P is used to remotely access a system via a serial number. The possibility of someone hacking into your system using P2P is highly unlikely because the system’s user name, password, and serial number are also required.
+
 
 +
P2P is used to remotely access a system via a serial number. The possibility of someone hacking into your system using P2P is highly unlikely because the system’s user name, password, and serial number are also required.
 
*Instructions: http://dahuawiki.com/NVRiSettingNetwork#P2P_Setting
 
*Instructions: http://dahuawiki.com/NVRiSettingNetwork#P2P_Setting
 
   
 
   
6. Disable SNMP:
+
6. Disable SNMP
*Disable SNMP if you are not using it. If you are using SNMP, you should do so temporarily, for tracing and testing purposes only.
+
 
 +
Disable SNMP if you are not using it. If you are using SNMP, you should do so temporarily, for tracing and testing purposes only.
 
*Instructions: http://dahuawiki.com/SNMP
 
*Instructions: http://dahuawiki.com/SNMP
 
   
 
   
7. Enable HTTPS/SSL:
+
7. Enable HTTPS/SSL
*Set up an SSL Certificate to enable HTTPS. This will encrypt all communication between your devices and recorder.
+
 
 +
Set up an SSL Certificate to enable HTTPS. This will encrypt all communication between your devices and recorder.
 
8Instructions: http://dahuawiki.com/Troubleshoot/NVR/Expired_Cert
 
8Instructions: http://dahuawiki.com/Troubleshoot/NVR/Expired_Cert
 
   
 
   
8. Change ONVIF Password:
+
8. Change ONVIF Password
*On older IP Camera firmware, the ONVIF password does not change when you change the system’s credentials. You will need to either update the camera’s firmware to the latest revision or manually change the ONVIF password.
+
 
 +
On older IP Camera firmware, the ONVIF password does not change when you change the system’s credentials. You will need to either update the camera’s firmware to the latest revision or manually change the ONVIF password.
 
*Instructions: http://dahuawiki.com/Software/Change_ONVIF_Password_via_ONVIF_Device_Manager
 
*Instructions: http://dahuawiki.com/Software/Change_ONVIF_Password_via_ONVIF_Device_Manager
 
   
 
   
9. Enable IP Filter:
+
9. Enable IP Filter
*Enabling your IP filter will prevent everyone, except those with specified IP addresses, from accessing the system.
+
 
 +
Enabling your IP filter will prevent everyone, except those with specified IP addresses, from accessing the system.
 
*Instructions: http://dahuawiki.com/NVRiSettingNetwork#IP_Filter
 
*Instructions: http://dahuawiki.com/NVRiSettingNetwork#IP_Filter
 
   
 
   
10. Disable Multicast:
+
10. Disable Multicast
*Multicast is used to share video streams between two recorders. Currently there are no known issues involving Multicast, but if you are not using this feature, you should disable it.
+
 
 +
Multicast is used to share video streams between two recorders. Currently there are no known issues involving Multicast, but if you are not using this feature, you should disable it.
 
*Instructions: http://dahuawiki.com/NVRiSettingNetwork#Multicast
 
*Instructions: http://dahuawiki.com/NVRiSettingNetwork#Multicast
 
   
 
   
11. Change Default HTTP and TCP Ports:
+
11. Change Default HTTP and TCP Ports
*Change default HTTP and TCP ports for Dahua systems. These are the two ports used to communicate and to view video feeds remotely.
+
 
 +
Change default HTTP and TCP ports for Dahua systems. These are the two ports used to communicate and to view video feeds remotely.
 
*These ports can be changed to any set of numbers between 1025-65535. Avoiding the default ports reduces the risk of outsiders being able to guess which ports you are using.
 
*These ports can be changed to any set of numbers between 1025-65535. Avoiding the default ports reduces the risk of outsiders being able to guess which ports you are using.
 
*Instructions: http://dahuawiki.com/NVRiSettingNetwork#Connection
 
*Instructions: http://dahuawiki.com/NVRiSettingNetwork#Connection
 
   
 
   
12. Check the Log:
+
12. Check the Log
*If you suspect that someone has gained unauthorized access to your system, you can check the system log. The system log will show you which IP addresses were used to login to your system and what was accessed.
+
 
 +
If you suspect that someone has gained unauthorized access to your system, you can check the system log. The system log will show you which IP addresses were used to login to your system and what was accessed.
 
*Instructions: http://dahuawiki.com/NVRiInfoLog
 
*Instructions: http://dahuawiki.com/NVRiInfoLog
 
   
 
   
13. Connect IP Cameras to the POE Ports on the Back of an NVR:
+
13. Connect IP Cameras to the POE Ports on the Back of an NVR
*Cameras connected to the POE ports on the back of an NVR are isolated from the outside world and cannot be accessed directly.
+
 
 +
Cameras connected to the POE ports on the back of an NVR are isolated from the outside world and cannot be accessed directly.
 
*Instructions: http://dahuawiki.com/NVR/Basic_Setup/Connect_IPC_to_NVR
 
*Instructions: http://dahuawiki.com/NVR/Basic_Setup/Connect_IPC_to_NVR
 
   
 
   
14. Physically Lock Down the Device:
+
14. Physically Lock Down the Device
*Ideally, you want to prevent any unauthorized physical access to your system. The best way to achieve this is to install the recorder in a lockbox, locking server rack, or in a room that is behind a lock and key.
+
 
 +
Ideally, you want to prevent any unauthorized physical access to your system. The best way to achieve this is to install the recorder in a lockbox, locking server rack, or in a room that is behind a lock and key.
 
   
 
   
 
15. Forward Only Ports You Need:
 
15. Forward Only Ports You Need:
*Only forward the HTTP and TCP ports that you need to use. Do not forward a huge range of numbers to the device. Do not DMZ the device's IP address.
+
 
 +
Only forward the HTTP and TCP ports that you need to use. Do not forward a huge range of numbers to the device. Do not DMZ the device's IP address.
 
*You do not need to forward any ports for individual cameras if they are all connected to a recorder on site; just the NVR is needed.
 
*You do not need to forward any ports for individual cameras if they are all connected to a recorder on site; just the NVR is needed.
 
*Instructions: http://dahuawiki.com/Remote_Access/Remote_Access_Setup_Port_Forwarding
 
*Instructions: http://dahuawiki.com/Remote_Access/Remote_Access_Setup_Port_Forwarding
 
   
 
   
 
16. Disable Auto-Login on SmartPSS:
 
16. Disable Auto-Login on SmartPSS:
*If you are using SmartPSS to view your system and you are on a computer that is used by multiple people, make sure auto-login is disabled. This adds a layer of security to prevent users without the appropriate credentials from accessing the system.
+
 
 +
If you are using SmartPSS to view your system and you are on a computer that is used by multiple people, make sure auto-login is disabled. This adds a layer of security to prevent users without the appropriate credentials from accessing the system.
 
   
 
   
 
17. Use a Different Username and Password for SmartPSS:
 
17. Use a Different Username and Password for SmartPSS:
*In the event that your social media, bank, email, etc. account is compromised, you would not want someone collecting those passwords and trying them out on your video surveillance system. Using a different username and password for your security system will make it more difficult for someone to guess their way into your system.
+
 
 +
In the event that your social media, bank, email, etc. account is compromised, you would not want someone collecting those passwords and trying them out on your video surveillance system. Using a different username and password for your security system will make it more difficult for someone to guess their way into your system.
 
   
 
   
 
18. Limit Features of Guest Accounts:
 
18. Limit Features of Guest Accounts:
*If your system is set up for multiple users, ensure that each user only has rights to features and functions they need to use to perform their job.
+
 
 +
If your system is set up for multiple users, ensure that each user only has rights to features and functions they need to use to perform their job.
 
*Instructions: https://dahuawiki.com/NVRiSettingSystem#Account
 
*Instructions: https://dahuawiki.com/NVRiSettingSystem#Account
 
   
 
   
 
19. Use 888888 and 666666 Accounts:
 
19. Use 888888 and 666666 Accounts:
*These accounts can only be used to log in to the system using a monitor and mouse connected directly to the system. You cannot log in remotely using either of these accounts. That is why it is important to lock down the physical location of the device.
+
 
 +
These accounts can only be used to log in to the system using a monitor and mouse connected directly to the system. You cannot log in remotely using either of these accounts. That is why it is important to lock down the physical location of the device.
 
   
 
   
 
20. Isolate NVR and IP Camera Network
 
20. Isolate NVR and IP Camera Network
*The network your NVR and IP camera resides on should not be the same network as your public computer network. This will prevent any visitors or unwanted guests from getting access to the same network the security system needs in order to function properly.
+
 
 +
The network your NVR and IP camera resides on should not be the same network as your public computer network. This will prevent any visitors or unwanted guests from getting access to the same network the security system needs in order to function properly.
  
  

Revision as of 20:24, 4 October 2016

How to Create a More Secure Security System

Cybersecurity is more than just a buzzword: it’s something that pertains to every device that is connected to the internet. IP video surveillance is not immune to cyber risks, but taking basic steps toward protecting and strengthening networks and networked appliances will make them less susceptible to attacks. Below are some tips and recommendations from Dahua on how to create a more secure security system.

1. Update Firmware

Keep your NVR, DVR, and IP camera firmware up-to-date to ensure the system is current with the latest security patches and fixes.

2. Change Passwords and Use Strong Passwords

This should go without saying, but the number one reason a system gets “hacked” is due to weak or default passwords. Dahua recommend never using a default password and choosing a strong password whenever possible. A strong password is at least 8 characters and is made up of a combination of special characters, numbers, and upper and lower case letters.

3. Change Passwords Regularly

Regularly change the credentials to your devices to help ensure that only authorized users are able to access the system.

4. Disable UPNP

UPNP will automatically try to forward ports in your router or modem. Normally this would be a good thing. However, if your system automatically forwards the ports, and you leave the credentials defaulted, you may end up with unwanted visitors.

5. Disable P2P

P2P is used to remotely access a system via a serial number. The possibility of someone hacking into your system using P2P is highly unlikely because the system’s user name, password, and serial number are also required.

6. Disable SNMP

Disable SNMP if you are not using it. If you are using SNMP, you should do so temporarily, for tracing and testing purposes only.

7. Enable HTTPS/SSL

Set up an SSL Certificate to enable HTTPS. This will encrypt all communication between your devices and recorder. 8Instructions: http://dahuawiki.com/Troubleshoot/NVR/Expired_Cert

8. Change ONVIF Password

On older IP Camera firmware, the ONVIF password does not change when you change the system’s credentials. You will need to either update the camera’s firmware to the latest revision or manually change the ONVIF password.

9. Enable IP Filter

Enabling your IP filter will prevent everyone, except those with specified IP addresses, from accessing the system.

10. Disable Multicast

Multicast is used to share video streams between two recorders. Currently there are no known issues involving Multicast, but if you are not using this feature, you should disable it.

11. Change Default HTTP and TCP Ports

Change default HTTP and TCP ports for Dahua systems. These are the two ports used to communicate and to view video feeds remotely.

12. Check the Log

If you suspect that someone has gained unauthorized access to your system, you can check the system log. The system log will show you which IP addresses were used to login to your system and what was accessed.

13. Connect IP Cameras to the POE Ports on the Back of an NVR

Cameras connected to the POE ports on the back of an NVR are isolated from the outside world and cannot be accessed directly.

14. Physically Lock Down the Device

Ideally, you want to prevent any unauthorized physical access to your system. The best way to achieve this is to install the recorder in a lockbox, locking server rack, or in a room that is behind a lock and key.

15. Forward Only Ports You Need:

Only forward the HTTP and TCP ports that you need to use. Do not forward a huge range of numbers to the device. Do not DMZ the device's IP address.

16. Disable Auto-Login on SmartPSS:

If you are using SmartPSS to view your system and you are on a computer that is used by multiple people, make sure auto-login is disabled. This adds a layer of security to prevent users without the appropriate credentials from accessing the system.

17. Use a Different Username and Password for SmartPSS:

In the event that your social media, bank, email, etc. account is compromised, you would not want someone collecting those passwords and trying them out on your video surveillance system. Using a different username and password for your security system will make it more difficult for someone to guess their way into your system.

18. Limit Features of Guest Accounts:

If your system is set up for multiple users, ensure that each user only has rights to features and functions they need to use to perform their job.

19. Use 888888 and 666666 Accounts:

These accounts can only be used to log in to the system using a monitor and mouse connected directly to the system. You cannot log in remotely using either of these accounts. That is why it is important to lock down the physical location of the device.

20. Isolate NVR and IP Camera Network

The network your NVR and IP camera resides on should not be the same network as your public computer network. This will prevent any visitors or unwanted guests from getting access to the same network the security system needs in order to function properly.