1. Operating Systems and Software

Install and use current operating systems, ensure that they are patched and up-to-date. Make sure that there are procedures in place to keep operating systems updated and/or patched.

Any operational software should be treated in the same manner, use the latest version available from your vendor and make a plan to keep the software updated, if there are associated costs with updates, then factor that into the systems overall cost of ownership.

If there are outside connections being made to the system, make sure that you understand what those connections are for, how many of them there are and if they are necessary. Do not turn off firewalls, instead leave firewalls up and set exceptions for applications within the firewalls. Interconnectivity between devices within a closed network offer a lower security risk than interconnectivity between devices on a LAN and a source that is external to the LAN, never defeat firewalls at this level, consult a network security expert if you need help connecting an external(internet) system to a LAN and always consult with site IT before making changes.

Install anti-virus software on PC’s and servers, choose a reputable product that can detect spyware, ransomware and malware and has the ability to send alerts.

Dedicate PC hardware, if the PC is to be used as a video recorder, then use it only as a recorder, do not add superfluous software or tools, do not allow an employee to use the Server/PC as a mail reading tool or internet surfing tool, disable RDP connections or support software that allow remote access, isolate your equipment from the outside world as much as possible. Some IT departments completely disable internet connectivity to dedicated access control/Video servers, giving them the peace of mind that a security breach is unlikely to originate there. If you absolutely need an outside connection to the system such as in the case for remote viewing of video, use a VPN and ensure that strong security protocols are implemented on the remote connection, there is absolutely no point having great security when your remote user has a login credentials of ‘1234’.

If using a web-based client, wherever possible, use a TLS certificate to insure enable HTTPS browser connections, this encrypts the traffic between your client browsers and server/website.

Set up IP whitelisting for systems that require external connections, this will help to narrow the field of exposure to your internal LAN.

2. Separation of Infrastructure

Create dedicate networks for equipment, place cameras, access control panels and other necessary devices on their own internal network that communicates only with the server/PC that

controls/monitors that equipment, this will further decrease the possibility that a breach at a hardware level will result in an overall network breach.

Not only does this make sense from a security standpoint, but also from a bandwidth point of view; 500 5MP cameras connected to the client network are going to have a substantial impact on the the efficiency of that network.

3. Credential Management

Use strong passwords for operating system logins and for application/device logins, do not repeat passwords across sites, change vendor generated default logins immediately.

If possible, set up a password policy, forcing users to regularly change login passwords, always using strong, complex strings. It is recommended that a password contain a combination upper and lower case letters, numbers and special characters, passwords should have no fewer than 8 characters.

Minimize the number of credentials assigned to operating systems, use only one or two administrator profiles and protect those accounts with strong passwords. Use deprecated accounts for system users and limit users’ abilities to make OS or security changes.

Use separate user accounts for all users to ensure separation of risk in case a single user account is compromised.

4. Recovery Plan

Set up a back-up policy that includes secure, daily off-site backup and regularly test that the policy is being implemented correctly. Off site back-ups can be encrypted for an extra level of security.

Create a comprehensive plan for disaster recovery, consider how the site is going to return to full functionality after a catastrophic event. Having a well-defined plan will minimize downtime and give clear direction during a typically chaotic time.

5. User Training and Awareness

Ensure that users understand the system they are working with, train them to minimize internet interaction on mission-critical devices. Make users aware of threats such as phishing and other social engineering attacks and help them to understand these threats and how to avoid them. Always think twice before inserting a memory stick into a mission-critical device.

Further reading available: https://www.cisa.gov/cyber-essentials