
Every year there's a hacking conference called DEFCON. This year, two presentations demonstrated potential attacks against security systems.
Hijack Cisco IP Video stream
http://www.wired.com/threatlevel/2009/07/video-hijack/
Man-in-the-middle attack against HID and CBORD’s Squadron access control system
http://www.wired.com/threatlevel/2009/08/open-sesame/
Both attacks, and other threats not yet discovered, rely on the attacker having access to the IP network.
Some of you might not be fully aware of how hackers can break into your facility, so I compiled a list of recommendations that minimize the risk by making a hacker's life harder.
Never run network cables outside your facility walls
If you have to install cameras in the parking lot or outside your building, avoid wired technologies: someone could unplug your device and get instant access to your corporate LAN, or even tap the cable without being noticed.
Secure your Wireless Network
If you need to install outside cameras, wireless is a better solution than wires, provided you secure your network properly.
- Use WPA2 Encryption or better and do not divulge your passkey.
- DO NOT use WEP encryption; it has been broken and the break is widely documented.
- Disable SSID broadcast in the access point; it will hide the network's presence from simple discovery.
- Run your security devices on a different access point, with a different passkey than your corporate wireless users, to avoid losing the video stream because of wireless congestion.
- When using a different access point, you can filter by MAC address, since the devices' addresses are fixed.
Use a different VLAN for security devices, servers and security workstations
If a hacker finds a way into your corporate network, you can still protect your physical security by installing critical security components on a separate VLAN. This does not limit operations, because you can enable routing between your security VLAN and the corporate network.
- IP cameras
- Guard's workstation
- Security Servers
- IP Access Control Device
A VLAN will protect your system against typical ARP poisoning and man-in-the-middle attacks.
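Because the devices on the security VLAN have fixed MAC addresses, their IP-to-MAC bindings can be checked against an inventory to spot ARP poisoning on that segment. The Python check below is an added example, not part of the original post; the inventory, the addresses, the interface name and the `ip neigh show` sample are all constructed.

```python
import re

# Constructed inventory of fixed devices on the security VLAN (IP -> MAC).
INVENTORY = {
    "10.20.0.1": "00:1a:2b:00:00:01",   # VLAN gateway
    "10.20.0.11": "00:40:8c:aa:bb:01",  # IP camera
    "10.20.0.12": "00:40:8c:aa:bb:02",  # IP camera
    "10.20.0.50": "00:1a:2b:00:00:50",  # security server
}

# Constructed neighbour table in the format printed by `ip neigh show`.
SAMPLE_NEIGH = """\
10.20.0.1 dev eth0.20 lladdr 02:de:ad:be:ef:99 REACHABLE
10.20.0.11 dev eth0.20 lladdr 00:40:8c:aa:bb:01 STALE
10.20.0.12 dev eth0.20 lladdr 00:40:8c:aa:bb:02 REACHABLE
10.20.0.50 dev eth0.20 lladdr 02:de:ad:be:ef:99 REACHABLE
10.20.0.77 dev eth0.20 lladdr 02:de:ad:be:ef:99 DELAY
10.20.0.13 dev eth0.20  FAILED
"""

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9A-Fa-f:]{17})\b")

def parse_neigh(text):
    """Return [(ip, mac)] for entries that carry a link-layer address."""
    pairs = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs

def audit(pairs, inventory):
    """Compare observed IP/MAC bindings with the inventory."""
    findings = []
    ips_by_mac = {}
    for ip, mac in pairs:
        ips_by_mac.setdefault(mac, []).append(ip)
        expected = inventory.get(ip)
        if expected is None:
            findings.append(("unknown-device", ip, mac))
        elif expected.lower() != mac:
            findings.append(("mac-changed", ip, mac))
    # One MAC answering for several IPs is the classic ARP poisoning symptom.
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("mac-claims-many-ips", ",".join(sorted(ips)), mac))
    return findings

if __name__ == "__main__":
    for kind, ip, mac in audit(parse_neigh(SAMPLE_NEIGH), INVENTORY):
        print(f"{kind:20} {ip:35} {mac}")
```

Run it from a host on the security VLAN, feeding it that host's real neighbour table and your own device inventory in place of the constructed samples.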
Never put IP cameras in a DMZ without firewalls; use a VPN
There's a simple rule in IT Security: never install a computer directly on the Internet without a firewall.
IP cameras are computers that sit on your security network and could be used to run malicious code. On top of that, they are very easy to find with Google.
For example, try this search in Google: inurl:view/index:shtml
You will see an impressive list of Axis cameras installed on the Internet; some might have a firewall, some might not. Port scanning utilities allow hackers to figure this out quickly.
If you need to connect IP cameras across the Internet, use a VPN instead to create an encrypted WAN between your different network segments.
Jo
