Hardening system components
To harden system components, you change configurations to reduce the risk of a successful attack. Attackers look for a way in by probing exposed parts of the system for vulnerabilities. Surveillance systems can involve hundreds or even thousands of components. Failure to secure any one component can compromise the system.
The need to maintain configuration information is sometimes overlooked. XProtect VMS provides features for managing configurations, but organizations must have a policy and process in place, and commit to doing the work.
Hardening requires that you keep your knowledge about security up to date:
- Be aware of issues that affect software and hardware, including operating systems, mobile devices, cameras, storage devices, and network devices. Establish a point of contact for all of the components in the system. Ideally, use reporting procedures to track bugs and vulnerabilities for all components.
- Keep current on Common Vulnerabilities and Exposures (CVEs) (https://cve.mitre.org/) for all system components. These can relate to the operating systems, devices that have hard-coded maintenance passwords, and so on. Address vulnerabilities for each component, and alert manufacturers to vulnerabilities.
- Review Milestone Knowledge Base (KB) articles, and regularly review logs for signs of suspicious activity. For more information, see the Milestone Knowledge Base (https://force.milestonesys.com/support/MccKnowledgeBase).
- Maintain up-to-date configuration and system documentation for the system. Use change-control procedures for the work you perform, and follow best practices for configuration management, as described in SP 800-128 (https://csrc.nist.gov/publications/detail/sp/800-128/final).
The following sections provide basic and advanced hardening and security recommendations for each system component. The sections also contain examples of how these relate to specific security controls described in the NIST Special Publication 800-53 Revision 4, titled Security and Privacy Controls for Federal Information Systems and Organizations.
In addition to the NIST document, the following sources are referenced:
- Center for Internet Security
- SP 800-53
- ISO 27001
- ISO/IEC 15408 (also known as Common Criteria, ISO/IEC 15408-1:2022 (https://www.iso.org/standard/72891.html))
Appendix 1 - Resources in this document provides recommendations from camera manufacturers. This is a relatively new effort from manufacturers, so limited resources are available. For the most part, the recommendations can be generalized across camera manufacturers.