Over the last 15 years, we have seen numerous CCTV and Access Control Networks; the common trait that we found? They are the networks that we invest significantly into to protect your physical assets but we don’t invest enough into protecting them. Below we have put together a list of 10 security controls that can be implemented to help protect the assets that protect you.
Harden Servers and Networked Devices
Follow manufacture provided hardening guides for cameras, CCTV systems, network devices, access control panels and more. A lot of quality manufactures publish hardening guides or tools meant to help you secure your assets.
Using Firewalls and VPNs for Remote Connections
Use firewalls and other gateway technologies to isolate and secure the security networks. Use and deploy VPNs to enable secure remote access to the networks that you need to access. Make sure to limit access to the internet, use a whitelist only methodology on rules only allowing internet access to systems that require it. For updates, look into deploying an update server or a central management server to have limited internet access. (This will help with updates) Your devices shouldn’t have a need to call home.
Change Default Passwords (Update them too)
New device or new install? Means a new password. Change all passwords from defaults. Ask your providers to constantly update their passwords and access. Use a password manager like 1Password or similar to keep your passwords safe. Ask that your vendors update their passwords regularly, better yet, only have their account active when needed.
Setup logging for authentication and connections. Have events forwarded to a central logging service. Not only is this an important security control but it can be an excellent troubleshooting tool.
Isolate and Segment Networks
Maintain a clear separation between corporate networks and security networks. Implement network segmentation to isolate devices related to physical security from regular business operations, reducing the potential attack surface and limiting the spread of threats. Use either VLANs or physical switch separation.
Use 2FA / MFA
Use Multi-Factor Authentication wherever it is possible to be used. Not only does this help with securing access but it prevents unauthorized access to systems especially in the event of password compromise. Yes, even with AD.
Use Central AAA (Authentication | Authorization | Accounting)
Deploy, integrate, and use Microsoft Active Directory where possible to allow for centralized management of users and access. This provides a massive increase in security for most networks. In addition, use 802.1x and RADIUS where possible for network access and management.
Harden and Secure AD
They say once Active Directory is compromised, burn it all down. This is true for the most part. Active Directory serves as the central authority for authentication and authorization on most enterprise networks. Yes, you should use AD, but you need to secure and remove the low hanging fruit. You can make sure that if an attack does gain access to the network, they have a hard time compromising AD. This should also be pointed to a central logging service so that in the event compromise does occur, you know the 5 “W’s of the compromise.
Patch and Update EVERYTHING
Whether it is your CCTV system, access control panels or Windows. Make sure you stay current on your updates and security patches. In the event the software is no longer supported, its time to update or look into compensating controls if necessary. For systems that are isolated or more critical, look into using the Windows 10/11 Enterprise LTSC or Long Term Servicing Branch which is designed to be more stable and require less updates.
Backup Important Systems And Configurations
I want you to take a minute and think. What systems you can’t go without or would be a pain to reimplement… can you restore them? Are these critical to your operations.
If you even thought yes, it time to think of a backup. Just think about losing an entire cardholder/credential database for your facility or camera system configurations. Configurations and systems should be backed up routinely and those backups should be tested. Also, consider a offsite backup. Encrypt your backups where possible especially if offsite.
Finally, Endpoint Management and Security
Gain visibility into your endpoints and servers, monitor devices and whatever you can connected to your network. Look for anomalies when it comes to things on your networks. Having a good endpoint management setup allows you to have the visibility needed and the control of what is doing what where. Also, your workstations and servers should have some sort of protection engine installed, whether it is a complete MDR/XDR solution or just a standard central managed anti-malware or HIPS (Host Based Intrusion Protection), make sure it is configured properly and tested. Early detection could be the key to successfully stopping a security event.
Have questions or need a hand? Get in contact with us.