How Secure is DW Spectrum IPVMS?

-----------------------------------

Affected Roles:  All Users

Related Digital Watchdog VMS Apps:  DW Spectrum® IPVMS

Software Version:  DW Spectrum® IPVMS v5.0

Last Edit:  October 6, 2022

-----------------------------------

 

Peace of Mind

Occasionally, Digital Watchdog (DW) Sales and Support team members will be asked how DW Spectrum® IPVMS platform is kept secure.  With the assumption that an attacker is intimately familiar with how DW Spectrum operates, Digital Watchdog takes steps to include code reviews and automated testing to ensure that there are no known encryption keys, backdoors, or hidden hacks in our code.  This ensures that the security of a system is as secure as the user makes it.

This article will describe Digital Watchdog’s security philosophy and how Digital Watchdog ensures that your DW Spectrum System is secure.

• Related Article:  Cyber Security and DW Spectrum

 

**NOTE:  It is recommended to consult with a Network Security professional if additional network and data protection beyond the services provided by DW Spectrum IPVMS is needed.

 

DW Spectrum’s Cyber Security Features

The DW Spectrum IPVMS software platform includes several safeguards and security features that can be enabled to assist customers with meeting the need for reliable cybersecurity methods and protection.

Some of these features include:

• Data Encryption – (see Enabling Archive Encryption) – ensure that your video surveillance is protected from being accessed, such as by an eavesdropping hacker, by encrypting your DW Spectrum System’s camera streams. By encrypting video streams, data is secured by preventing access to individuals who do not possess an authorized decryption key.
• Server SSL/TLS Certificate Validation – (see Obtaining and Installing Authorized Certificates) – DW Spectrum Servers will automatically generate a self-signed certificate for authorizing secure connections to the DW Spectrum System.
• Access Control – (see Users and User Roles) – prevent unauthorized users from viewing video surveillance and limit unwanted user access to your DW Spectrum System by assigning role-based user profiles and creating unique login credentials for each user.
• Two Factor Authentication (2FA) – (see Setting Up 2 Factor Authentication) – requires that devices attempting to connect to your DW Spectrum System enter a user login and that the user to provide a pin code that has been generated by an external authentication application (e.g. Google Authenticator, Microsoft Authenticator) for an added layer of security.
• Audit Control – (see Audit Trail of user Actions) – ensure that unauthorized users are not accessing your video surveillance and that authorized users are not abusing their user privileges. Administrators can track user access to data with an audit log that can be used to establish the regular data access patterns of employees. If it is found that an employee is accessing the System outside of the norm, it may mean that an employee is abusing their user privileges or that an intruder may have obtained an employee’s login credentials (username/password).
• Automatic Logoff – (see Limit Session Length) – prevent unauthorized users from using unattended devices to access the DW Spectrum System. Set a time limit for how long a user may stay logged in before they are automatically logged out for inactivity.

 

Data Encryption

What Data Is Encrypted in DW Spectrum?

System Administrators may define custom encryption keys and enable encryptions for all recorded video archives, rendering them safe even in situations where a perpetrator may have direct physical access to the Server machine.

The following components are either encrypted by default or can be encrypted by enabling settings within the Security tab of the System Administration menu:

• Management of network traffic/data
• IP camera video streams
• Recorded video archives
• User login authorization tokens

 

DW Spectrum Encryption Technologies

The following encryption technologies are used:

• SSL/TLS AES-256
• HTTP Digest-MD5
• HTTP Cookie Sessions
• HTTPS

 

SSL/TLS Certificate Pinning

DW Spectrum Servers will automatically generate a self-signed certificate to be used when validating encrypted connections between Clients and the System.

Servers exchange certificates when merged into a multi-server environment, which are validated whenever a client attempts to connect to the System.

Desktop and Mobile Clients pin certificates upon first connecting with the System, which are then validated against the Server’s certificate for every subsequent connection.

Clients that are connecting through the DW Cloud connection service are validated through DW Cloud.

• Related Article:  DW Spectrum IPVMS SSL Certificate Management

 

**NOTE: A self-signed 2048-bit SSL certificate with 256-bit encryption is automatically generated when the DW Spectrum Server is initially created.  You can replace the SSL certificate with one provided by a Certification Authority (recommended for any public servers that you may have within the system).

 

Encrypted Archives

DW Spectrum System Owners and Administrators have the option to encrypt the recorded video archive so that recorded video can only be viewed when using the DW Spectrum Desktop Client, DW Spectrum Mobile Client, or with the Web Admin.

The Archive Encryption feature uses 128-AES encryption, which uses ten (10) transformation rounds to encrypt data and is approved by the National Security Agency to protect information. When encrypting the archives is combined with encrypted communications, organizations create end-to-end encryption to protect all video streams, recorded video archives, and video stream data.

 

Setting Up Data Protection

To enable the optional encryption options through an instance of the DW Spectrum® Client:

1. Open the Main Menu and click on “System Administration”, then select the Security tab.
2. In the Security menu, adjust the Data Protection settings as needed.

• Use only HTTPS to connect to cameras – enable this setting to limit the end-to-end connections between cameras and the DW Spectrum Server to only HTTPS connections.
• Force Servers to accept only encrypted connections – (default) enable this setting to limit the end-to-end connections between the DW Spectrum Server and connecting clients to only HTTPS connections.
• Encrypt video traffic to desktop and mobile clients – enable this setting to prevent video streams (live and playback) from being intercepted by eavesdropping parties.
• Display watermark with username over video – enable this setting to add a watermark to video playback. The watermark is an overlay containing the viewing user’s login (username), which will displayed when viewing any video playback and in exported video.

 

**NOTE:  Encrypting video traffic will increase the CPU usage of the DW Spectrum® Server machine as more processing resources will be needed.

 

 

User Access Control

Login Credentials

User connections are validated through session-based (bearer token) authentication by default. This prevents man-in-the-middle attacks and

• DW Spectrum Server local user accounts – utilizes a ‘salted’ MD5 hash to prevent malicious use of dictionaries containing common passwords.
• DW Cloud user accounts – utilizes “OAuth2 authentication” by default when connecting, a complex multi-level hash, to prevent hackers from retrieving cleartext credentials and its conversion back to reverse engineer the original user password.

 

Two Factor Authentication (2FA)

The Two Factor Authentication (2FA) security feature can be implemented as an additional layer of cyber security. When someone tries to gain access to a DW Spectrum System using 2FA, they will be required to enter a password when initially connecting (1st factor) then will be required to enter a pin code (2nd factor) that has been generated from an authentication application.

• Related Article:  Enabling Two Factor Authentication (2FA) for DW Spectrum IPVMS

 

Session-Based Authentication (Bearer Token)

DW Spectrum uses session-based (bearer token) authentication by default for improved end-to-end encryption between user client connections and the DW Spectrum System.

The previous authentication method for local users is now disabled by default to prevent MD5 password storage in the local DB.

DW Cloud users use “OAuth2 authentication” by default to prevent compromising a user’s DW Cloud password and to render Offline DW Cloud Login attacks impossible.

It is recommended to enable Two Factor Authentication to add an additional layer of protection for the OAuth2 authentication.

 

Email Notifications

Email Server options include TLS (Transport Layer Security) as the default option to protect Internet communication by creating a secure connection by encrypting the communication that is transmitted between a DW Spectrum Server and its clients, preventing potential eavesdropping.

 

OS Level Security and Advanced Settings

Service Permissions

The DW Spectrum® Server software runs on the server computer as a service and has administrator permissions.  To protect DW Spectrum® Server data from being overwritten by other applications on the same server, we highly recommend that these other applications are not provided with administrator privileges and do not have access to the DW Spectrum® Server archive storage.

 

OpenSSL Configuration for Network Connections

Digital Watchdog uses the OpenSSL library whenever something needs to be encrypted.  Although the DW Spectrum® Server can utilize all the hash algorithms that OpenSSL is capable of, we disable deprecated and insecure protocols that have known security vulnerabilities (such RC4 and 3DES ciphers).  The Transport Layer Security (TLS) protocol aims to provide privacy and data integrity between two communicating computer applications.

The default OpenSSL cipher setting “High:!RC4:!3DES” is used, but the cipher can be changed manually to be even more secure.  We support TSL1.2 by default, but other options can be enabled by modifying the parameter “allowedSslVersions”.