Cyber Security and DW Spectrum
-----------------------------------
Affected Roles: Administrator, Owner, Viewer(s)
Related Digital Watchdog VMS Apps: DW Spectrum® IPVMS
Complexity: High
Software Version: DW Spectrum® IPVMS v5.0
Last Edit: October 6, 2022
-----------------------------------
Fundamentals of DW Cyber Protection
Digital Watchdog’s Spectrum® IPVMS platform was designed to provide high levels of protection against both external and internal cybersecurity threats.
To ensure that your video surveillance system is protected against tampering and damage, additional defensive measures can be taken by your administrator to mitigate and prevent such events. For example, placing equipment inside of hardened, locked cabinets and using vandal resistant camera housings can help to prevent physical damage to your system and devices.
In addition to these conventional, physical threats, IP video systems are also at risk of virtual attack through network connections, particularly when connected to the Internet. Digital Watchdog has taken steps to ensure that your surveillance systems are protected against such attacks. However, additional system hardening measures can be taken to reduce the likelihood of system tampering through a cyberattack.
Article Content
This article will outline the most common forms of cybersecurity threats, the technology and processes implemented to secure the DW Blackjack system, and additional proactive approaches that customers may take to mitigate and prevent common cyberattacks.
- Cyberattacks 101
- Cyber Security Protections of DW Spectrum
- Additional System Hardening Recommendations
- Process and Services
Supported/Affected Devices:
- DW Blackjack® Server Series
Cyberattacks 101
What is a Cyberattack?
A cyberattack is a malicious and deliberate attempt to breach the information system of another individual or organization. These attacks can be carried out either by a party outside the system or by an individual within the targeted system itself.
What is the Purpose of a Cyberattack?
Malicious actors have different motivations for launching cyberattacks against vulnerable business systems. According to Cisco, cyberattacks are often used for ransoming systems – 53% of cyberattacks can result in damages of $500,000 and upwards.
Cyberattacks are also sometimes initiated as a form of “hacktivism” with a goal of disrupting normal business operations. In the IP video world, cyberattacks are often executed in an effort to cover up criminal behavior that may have been captured by a security system.
Common Types of Cyberattacks
There are many different types of cyberattacks. Some of the most common types include:
- Malware – malicious software that installs itself on computers by exploiting vulnerabilities within an operating system or software.
  - Malware can be used to intercept user credentials and video streams, cause the DW Spectrum System to function poorly through interruption of service, or consume network resources to slow down IP systems.
- Phishing (aka Social Engineering) – a method of sending fraudulent communication (typically email) that mimics a reputable source to obtain personal information, such as login credentials.
  - Phishing attacks can be used to trick DW Spectrum users into inadvertently providing login credentials to nefarious actors. It is recommended that users refrain from providing login credentials in response to emails whenever possible. The DW Spectrum Secure Password Reset feature allows System Administrators to reset the system password in such a case.
- Man-in-the-Middle Attack – this type of attack occurs when the attackers insert themselves into the middle of communications between two parties in order to intercept sensitive data. Typically, this is accomplished by monitoring network traffic through the use of Malware.
  - DW Spectrum features are equipped with secure communication capabilities including OpenSSL connections, HTTPS communications, and encrypted video traffic – features engineered to address this type of cyberattack.
- Distributed Denial of Service Attack (DDoS) – this type of attack is designed to flood systems, servers, or networks with traffic in an effort to exhaust system resources, effectively rendering the system unable to perform processing services normally.
  - DW Spectrum communications (SSL, HTTPS, Cloud Proxy, Secure Connections, and Encrypted Video) help to mitigate and prevent DDoS attacks. Server Health Monitoring features also provide operators with the ability to diagnose DDoS attacks in real-time.
- SQL Injection – occurs when a malicious actor inserts code into a server that is running an SQL database, forcing the server to reveal information.
  - DW Spectrum utilizes the OWASP standard for prevention of SQL injection attacks and employs additional obfuscation techniques.
- Zero-Day Exploit – this type of attack strikes after a network vulnerability is announced, but before a patch or solution is ready for implementation.
  - Digital Watchdog monitors market news regularly and updates our customers about Zero-Day vulnerabilities as they emerge, are documented, and addressed.
- Password Cracking – in password-based attacks, hackers use software and brute force attacks to access secure systems.
  - DW Spectrum requires users to follow a set of minimum password standards, has an invalid login timeout, and a secure password reset/recovery method for DW Cloud connected systems.
Cyber Security Protections of DW Spectrum
DW Spectrum IPVMS is continuously being improved to address cybersecurity threats by using a combination of secure technology and process countermeasures.
User Access Rights Management
DW Spectrum allows Administrators to control the permissions and access that users have within the IPVMS system, such as which menus they may access, camera viewing permissions, and other privileges.
- Each DW Spectrum system is limited to one (1) System Owner with super-user rights, while also allowing the creation of Administrator accounts.
- User rights and roles are completely customizable by Administrators.
- DW Spectrum Server local user accounts utilize a ‘salted’ MD5 hash to prevent malicious use of dictionaries containing common passwords.
- DW Cloud user accounts utilize “OAuth2 authentication” by default when connecting, with a complex multi-level hash, to prevent hackers from retrieving cleartext credentials or reverse engineering the original user password.
Two Factor Authentication (2FA)
The Two Factor Authentication (2FA) security feature can be implemented as an additional layer of cyber security. When someone tries to gain access to a DW Spectrum System using 2FA, they will be required to enter a password when initially connecting (1st factor) then will be required to enter a pin code (2nd factor) that has been generated from an authentication application.
For instructions on how to set up 2FA, please read the Enabling Two Factor Authentication (2FA) for DW Spectrum IPVMS article.
Audit Trail
DW Spectrum creates logs that can be used to analyze who is accessing the system and monitor past activity within the server. These logs offer information that can be used to diagnose server issues and to secure the system as deemed appropriate.
To view the Audit Trail log, open the Main Menu and select “Audit Trail”.
There are two summary panels, Sessions and Cameras, with a related Details panel to the right. Use these tabs to navigate viewing between the summary of activities during a user’s session (Sessions) and of the devices that were used (Cameras).
Event Log
The Event Log displays system events that have occurred within DW Spectrum. This can be used to search through past system activity to diagnose device or server issues.
To view this log:
- Open the Main Menu and click on “System Administration”.
- From the General tab, click on the “Event Log” tile.
Use the Event Log to view occurrences of default and custom system events (Event Rules).
Limited Client Access Points
Certain administrative actions can only be adjusted at the DW Spectrum Server itself. This limits the access points to your system without sacrificing conventional operation.
The default security settings vary depending on the component that is being accessed (⮀ signifies an end-to-end connection between the two denoted components).
Spectrum Server ⮀ Spectrum Server
- Data Traffic – always encrypted by HTTPS (Hypertext Transfer Protocol Secure)
- Video Streams – not encrypted by default, but optional TLS encryption can be enabled (under System Administration Menu → General → Security)
- Authorization – utilizes HTTP Digest-MD5 cryptographic hashing
Spectrum WebAdmin ⮀ Spectrum Server
- Data Traffic – not encrypted by default, but can be forced to do so (found in the Settings menu under the System tab)
- Video Streams – not encrypted by default, but optional TLS encryption can be enabled (under Settings → System → Traffic encryption)
- Authorization – HTTP Cookie Sessions
Spectrum Desktop/DW Mobile ⮀ Spectrum Server
- Data Traffic – always encrypted by HTTPS (Hypertext Transfer Protocol Secure)
- Video Streams – not encrypted by default, but optional TLS encryption can be enabled (under System Administration Menu → General → Security)
- Authorization – utilizes HTTP Digest-MD5 cryptographic hashing
DW Cloud ⮀ Spectrum Server
- Data Traffic – always encrypted by HTTPS (Hypertext Transfer Protocol Secure)
- Video Streams – always encrypted by HTTPS (Hypertext Transfer Protocol Secure)
- Authorization – utilizes HTTP Digest-MD5 cryptographic hashing
Spectrum Desktop/DW Mobile ⮀ DW Cloud
- Data Traffic – always encrypted by HTTPS (Hypertext Transfer Protocol Secure)
- Authorization – utilizes HTTP Digest-MD5 cryptographic hashing
3rd Party Integrations ⮀ Spectrum Server
- Data Traffic – not encrypted, but optional TLS encryption can be enabled
- Video Streams – not encrypted, but optional TLS encryption can be enabled
- Authorization – HTTP Digest-MD5, HTTP Cookie Sessions, or URL-parameter
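The Digest-MD5 authorization named in the lists above, worked through as an added example (not Digital Watchdog's code): both sides of an RFC 2617 qop=auth exchange, with the server rejecting a replayed request. The username, realm, password, nonce and URI are the RFC 2617 sample values, not DW Spectrum values, and DigestServer, digest_response and rfc2617_exchange are hypothetical names.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """Client side (RFC 2617, qop=auth): the password itself is never sent."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestServer:
    """Hypothetical server side: keeps HA1 only and tracks nonce counts."""
    def __init__(self, realm, users):
        self.realm = realm
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.last_nc = {}  # issued nonce -> highest nonce count accepted

    def challenge(self, nonce):
        # A real server picks a random nonce; fixed here to match the RFC sample.
        self.last_nc[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, method, req):
        ha1 = self.ha1.get(req["username"])
        last = self.last_nc.get(req["nonce"])
        if ha1 is None or last is None:
            return False  # unknown user, or a nonce this server never issued
        try:
            nc = int(req["nc"], 16)
        except ValueError:
            return False
        if nc <= last:
            return False  # replayed or out-of-order request
        ha2 = md5_hex(f"{method}:{req['uri']}")
        expected = md5_hex(
            f"{ha1}:{req['nonce']}:{req['nc']}:{req['cnonce']}:auth:{ha2}")
        if not hmac.compare_digest(expected, req["response"]):
            return False
        self.last_nc[req["nonce"]] = nc
        return True

def rfc2617_exchange():
    """Run the RFC 2617 sample exchange; returns (response, first_try, replay)."""
    server = DigestServer("testrealm@host.com", {"Mufasa": "Circle Of Life"})
    ch = server.challenge("dcd98b7102dd2f0e8b11d0f600bfb0c093")
    req = {"username": "Mufasa", "uri": "/dir/index.html", "nonce": ch["nonce"],
           "nc": "00000001", "cnonce": "0a4f113b"}
    req["response"] = digest_response("Mufasa", ch["realm"], "Circle Of Life",
                                      "GET", req["uri"], req["nonce"],
                                      req["nc"], req["cnonce"])
    return req["response"], server.verify("GET", req), server.verify("GET", req)
```

With qop=auth the response covers only the method and URI, so request bodies and video on a channel listed as not encrypted remain readable on the path unless TLS is enabled.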
Password Security
DW Spectrum requires a minimum level of security when creating passwords to mitigate the risk of brute force attacks.
- Minimum password strength during account creation
  - Must use at least 8 characters
  - Must contain at least two variations of lowercase, uppercase, numbers, or non-roman symbols
  - Must not match any of the 1000 most popular passwords (blocklist is updated with each software release)
- Secure password reset through DW Cloud
- Complex multi-level salted/hash password storage
User Enumeration Detection
The DW Spectrum Server and DW Cloud applications detect and prevent user enumeration (brute force attacks, guess and confirm attacks) by using timeouts.
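One way to implement timeout-based protection of this kind, as an added example that is not Digital Watchdog's code: repeated failures for a username and source pair trigger a growing lockout, and an unknown user gets the same answer as a wrong password. The thresholds, the result strings, the sample account and the names LoginThrottle and demo are assumptions; the page states only that timeouts are used.

```python
import hmac
import time

class LoginThrottle:
    """Hypothetical throttle: lock a (username, source) pair after failures."""

    def __init__(self, users, max_failures=5, base_lockout=30.0,
                 max_lockout=900.0, clock=time.monotonic):
        self.users = users              # plaintext only to keep the example short
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.clock = clock              # injectable so lockouts can be tested
        self.state = {}                 # (username, source) -> (failures, locked_until)

    def _credentials_ok(self, username, password):
        # Unknown users are compared against a dummy value so both paths do
        # the same work and return the same result to the caller.
        stored = self.users.get(username, "\x00no-such-user")
        same = hmac.compare_digest(stored.encode(), password.encode())
        return same and username in self.users

    def login(self, username, password, source):
        key = (username, source)
        now = self.clock()
        failures, locked_until = self.state.get(key, (0, 0.0))
        if now < locked_until:
            return "locked"             # credentials are not even evaluated
        if self._credentials_ok(username, password):
            self.state.pop(key, None)
            return "ok"
        failures += 1
        if failures >= self.max_failures:
            # Double the lockout for every failure past the threshold.
            extra = failures - self.max_failures
            locked_until = now + min(self.base_lockout * 2 ** extra,
                                     self.max_lockout)
        self.state[key] = (failures, locked_until)
        return "denied"

def demo():
    """Replay a constructed attempt sequence: (seconds, user, password, source)."""
    now = [0.0]
    throttle = LoginThrottle({"operator": "Correct-Horse-9"}, clock=lambda: now[0])
    events = [(i, "operator", f"guess{i}", "10.0.0.5") for i in range(5)]
    events += [(6, "operator", "Correct-Horse-9", "10.0.0.5"),   # still locked
               (7, "ghost", "guess", "10.0.0.5"),                # unknown user
               (40, "operator", "Correct-Horse-9", "10.0.0.5")]  # lockout expired
    results = []
    for when, user, password, source in events:
        now[0] = float(when)
        results.append(throttle.login(user, password, source))
    return results
```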
LDAP Integration
System Administrators have the option of integrating the DW Spectrum system with an LDAP server to enable centralized management or reset of IT credentials by their IT Administrator.
Data Integrity Checks
DW Spectrum includes key technologies to ensure the integrity of information within and produced by the system.
This includes:
- Archive Integrity Check – DW Spectrum notifies operators when archived video has been modified indirectly (e.g. deleted/replaced files)
- Watermarking for Chain of Custody – DW Spectrum has built-in watermarking, allowing operators or viewers to check the authenticity of a video exported from a system which prevents the manipulation of video evidence.
- Signed Software – Direct reception of data files from our FTP server limits the ability of malicious agents to intercept and spoof data files when updating the software.
Automatic Software Update Prompts
Bug fixes and detection of possible exploits are regularly assessed by our software developers. The DW Spectrum IPVMS platform includes a default option for informing users when an update has been released and is available for installation, ensuring that the system is protected and kept up to date.
Secure System Communications
DW Spectrum utilizes a variety of system communication protection methods for use on both secure (private, LAN/WAN/VPN) and unsecure networks (Internet).
- Hypertext Transfer Protocol Secure (HTTPS) extensions – HTTPS creates secure communication over a computer network, requiring authentication between devices, preventing data eavesdropping and tampering.
- Secure Socket Layer (SSL) protocols – SSL certificates pair public and private keys to encrypt communication between devices to create a secure connection and a trusted environment for your system.
  - By default, deprecated and insecure protocols are disabled, only using TLS v1+. The TLS protocol aims to provide privacy and data integrity between two communicating computer applications such as Server to Client communication or Email notifications.
- Cloud Connection Proxy – DW Cloud securely proxies remote connections to systems, removing the need to open or to forward ports on secure networks. However, allowlisting may be necessary if a SonicWall is in use.
Encrypted Archives
DW Spectrum System Owners and Administrators have the option to encrypt the recorded video archive so that recorded video can only be viewed when using the DW Spectrum Desktop Client, DW Spectrum Mobile Client, or with the Web Admin.
The Archive Encryption feature uses 128-AES encryption, which uses 10 transformation rounds to encrypt data and is approved by the National Security Agency to protect information. Combining archive encryption with encrypted communications gives organizations end-to-end encryption that protects all video streams, recorded video archives, and video stream data.
Setting Up Data Protection
To enable the optional encryption options through an instance of the DW Spectrum® Client:
- Open the Main Menu and click on “System Administration”, then select the Security tab.
- In the Security menu, adjust the Data Protection settings as needed.
  - Use only HTTPS to connect to cameras – enable this setting to limit the end-to-end connections between cameras and the DW Spectrum Server to only HTTPS connections.
  - Force Servers to accept only encrypted connections – (default) enable this setting to limit the end-to-end connections between the DW Spectrum Server and connecting clients to only HTTPS connections.
  - Encrypt video traffic to desktop and mobile clients – enable this setting to prevent video streams (live and playback) from being intercepted by eavesdropping parties.
  - Display watermark with username over video – enable this setting to add a watermark to video playback. The watermark is an overlay containing the viewing user’s login (username), which will be displayed when viewing any video playback and in exported video.
**NOTE: Encrypting video traffic will increase the CPU usage of the DW Spectrum® Server machine as more processing resources will be needed.
Additional System Hardening Recommendations
As the configurations and layout of your network are unique to meet the needs of your business, Digital Watchdog allows the additional customization of security methods without limiting your hardening options.
In addition to the default defensive measures of the DW Blackjack Series and DW Spectrum IPVMS platform, the following security hardening methods are recommended.
**NOTE: While these additional methods may be used to harden the security options of your surveillance system for increased cyber protection and data integrity, please be aware that alterations to factory settings of the DW Blackjack Server and its operating system may cause communication issues for the DW Spectrum IPVMS platform and its connected devices.
Implement a Firewall or SonicWall Setup to Shield Against External Cyberattacks
When a firewall is combined with good access control, such as port forwarding, allow-listing, and disabling open ports (router default), you can strengthen your network security without sacrificing all of your external access.
Enforce Recommended Password Strength Protocols
Create unique passwords by requiring a minimum character count, use of special characters, and the use of numbers in password configurations.
Additionally, discourage the sharing of user profiles and password information between users.
Remove and Replace Default User Profile Configurations
Change the default login of your DW Blackjack Server’s OS, the default Administrator profile configuration of DW Spectrum IPVMS, and the default login for your Digital Watchdog cameras to mitigate the possibility of a malicious agent guessing the common login. Digital Watchdog tries to make this process simple by providing easy-to-use means, such as the DW IP Finder software, which can be used to change the passwords of your IP cameras in bulk, directly from your IPVMS server.
Limit Access to External Websites from your DW Blackjack Server
If Internet access is needed for your server due to limited means and resources, you may consider the use of an antivirus program for the server’s OS. However, please be aware that antivirus programs may inadvertently block the processes or resources of DW Spectrum IPVMS.
Keep the IP Camera Network Configuration Separate From the Main Network
Limiting external network (Internet) access to only terminals on your main network, separate from your DW Blackjack Server and your IP camera network, reduces the access points that malicious agents can use to attack your system. While this additional security option may seem inconvenient, limiting the DW Blackjack Server and DW Spectrum IPVMS to their intended purposes only increases your cybersecurity and peace of mind.
Process and Services
As Digital Watchdog is a security solution company and not a full-time surveillance company, we institute procedures to ensure that threat assessment and resolution are addressed as part of our culture.
Quality Assurance Testing
DW Spectrum IPVMS undergoes rigorous quality assurance testing prior to each software release to identify and remedy vulnerabilities through external security audits with our partners.
Online Support Portal
Digital Watchdog maintains a global support presence with an active support portal and community forum. Customers and partners are encouraged to report issues and work with our support team members.
Patch Releases
Patches that address emerging security threats and reported bugs can be provided. It is recommended to use patches only as needed.