Network administrators are under significant and increasing pressure to make sure their networks are designed and operated securely. So it is important that they have the right knowledge and tools to manage cybersecurity throughout the life cycle of all devices in the system. In this post, we will explore the cybersecurity best practices specific to managing their network devices as well as how device management software can empower administrators to efficiently achieve their cybersecurity goals on their own.
As the sheer numbers of network devices continue to grow so too does the workload of a network administrator. Often, this not only adds to already stretched work and time schedules but can potentially result in compromising security. Recent Axis field tests compared the time required to carry out some basic device management tasks on a network of 200 cameras. These basic tasks – installing add-on applications (ACAPs), upgrading firmware, configuring devices and hardening devices – took 106 hours to complete when manually using a camera web interface. However, the time required was reduced to just 30 minutes when using device management software.
Constantly seek awareness of the vulnerabilities your business faces
Broadly speaking, businesses should approach cybersecurity readiness in two steps. Awareness is step one. If your business is not aware of potential cyber vulnerabilities within your surveillance solution – for instance devices using older version of firmware – along with new and emerging threats, it cannot do anything to prevent them. This requires businesses to adopt a continuous learning and improvement mentality. It is about continually educating yourself and embracing a good cybersecurity culture within your organization. In this context, suppliers need to work according to clear vulnerability management policies, processes and best practices. Equally important is using the tools that give visibility into the status of all devices connected to the solution.
Get help to mitigate the risks
Step two is mitigation: once aware of a potential problem, what can your business do to resolve it? Assuming a business cannot fix something by itself, outside support and assistance are often required. A good starting point when selecting vendors and partners is to look at those that have a track record of cyber maturity. The ones that understand the threats and ways to counter those threats. The ones that have control over their own offerings, have experience and apply best practice routines properly when needed. The ones that are open, transparent and provide long-term support of patching firmware for the products you have selected. As important, the ones that are able to offer tools that enable you to apply the security controls you need to mitigate threats you face. Through device hardening and device management, for example.
Keeping a complete device inventory
A fundamental aspect of ensuring the security of an enterprise network is maintaining a complete inventory of the devices on it. When creating or reviewing an overall security policy, it is important to have knowledge and clear documentation about each device and not just critical assets. That is because any single overlooked device can be a means of entry for attackers. You can’t protect devices which you overlook or are not fully aware of.
Device management software gives network administrators an automated means to gain access to a real-time inventory of network devices. It lets them automatically identify, list and sort the devices on a network. As part of this, the software can highlight devices that are no longer supported or have been discontinued by the manufacturer, along with warranty information, which can create new vulnerabilities over time if left unaddressed.
Account and password policy
Authentication and privilege control are important parts of protecting network resources. Implementing an account and password policy helps reduce the risk of accidental or deliberate misuse over a longer period of time. While one of the fundamentals of this policy should always be to create strong passwords, a key part is to reduce the risk of those passwords being compromised – particularly your administrative password. When they are, you lose control over who may access your services and resources.
Device passwords tend to be shared within an organization. For example, employees occasionally need to adjust, optimize or troubleshoot a camera. The whole organization may eventually know the camera password which could result in deliberate or accidental misuse. One way of addressing this issue is to create a multi-layered system of accounts with varying privilege levels, creating temporary accounts to grant temporary access as required – instead of sharing a single account. This would be a time-consuming process to handle manually, but device management software lets you easily manage these multiple accounts and passwords.
Protecting against new vulnerabilities
New vulnerabilities are continuously being discovered. While most are non-critical, occasionally a critical vulnerability is discovered. A camera, like any other software-based device, needs to be patched to prevent adversaries exploiting known vulnerabilities. It’s important that network administrators stay on top of these threats by staying up-to-date with new developments and following industry best practice. Responsible manufacturers will release firmware to counter known vulnerabilities and engage in an open conversation about cybersecurity to improve knowledge amongst their customers.
It is essential to always update quickly once this firmware becomes available, as attackers may try to exploit any vulnerabilities that have been discovered. Patching firmware in a system that is operational could introduce unexpected behavioral issues. Where this is a concern, it is recommended to use LTS (Long-Term-Support) firmware for security patching - versions that only include bug fixes and security patches, rather than versions with all new features and functionality.
Once again, the larger the network the more effort it will take to update all your devices. Axis field tests revealed that on a network of 200 cameras, upgrading the firmware using a manual web interface would take 1000 minutes compared to just 10 using device management software. In addition to the time saved, automatic notifications of new patch releases help ensure that the software is updated promptly – minimizing your network’s exposure to attack.
Cost-efficient HTTPS management
Video systems may be subject to policy or regulations that require encrypting traffic between the clients and the camera, preventing network eavesdropping. There may also be a threat of spoofing, where a malicious computer on the network tries to impersonate a network device. These threats are countered with HTTPS.
HTTPS uses certificates and the vast number of cameras can make the management costly in both deployment and lifecycle maintenance. Device management software can reduce this cost to a fraction, managing certificates and HTTPS configuration for all cameras. They can act as a local Certificate Authority (CA) for cameras. By installing the root certificate in the Video Management Software (VMS) server it will secure that the VMS server can detect if it is accessing a legitimate camera or not.
The root certificate can also be installed in additional administrative clients. Video clients will not (and should not) access cameras directly. They do not need to have the certificate installed. End-to-end encryption will require that the VMS server has a CA certificate to provide a trusted connection to its video clients.
Effective device management
Effective device management software not only helps to ensure cybersecurity but delivers efficiencies that grow exponentially as you add more devices to your network. By saving your network administrator time managing the network, you can free them up to fulfil other aspects of their job role and use their expertise to deliver additional benefits to your business. They will also have more time to stay on top of industry best practice and emerging threats – an essential part of maintaining a secure network.