How Avigilon is Protecting Against Cyber Vulnerabilities
As the number of Internet Protocol (IP)-connected devices in physical security systems increases, conversations about information security are a natural part of the sales process. Organizations such as the National Institute of Standards and Technology (NIST) are actively proposing an Identify-Protect-Detect-Respond-Recover framework for cybersecurity.
The NIST framework advocates the identification of key business risks due to cyber threats; the protection of data, devices, and services from these threats; continuous monitoring to enable detection of cybersecurity events as they happen; and the development of a clear response and recovery process.
The Three Layers of Avigilon Cyber Protection
The protection of data, devices, and services can succeed only if the network-connected software and hardware implement appropriate defensive measures to ensure integrity, confidentiality, and availability.
The integrity of a system is compromised when the software is maliciously modified or taken over by an attacker who has learned an administrator-level password. Software defects that permit buffer overflow, database code injection, and cross-site scripting vulnerabilities can also cause a loss of integrity.
Goal: To ensure data and the function of the system are not maliciously or inadvertently manipulated.
• No backdoor administrative or maintenance access accounts
• Signed and encrypted firmware
• Disabling access to the operating system
• Fully encrypted control communication
• Transport Layer Security Secure Remote Password (TLS-SRP) for client-server connections
• Automatic firmware updates
A system's confidentiality is compromised when users circumvent a system's access controls to gain unauthorized access to the data it contains. Most often, a breach in confidentiality is the result of an attacker guessing or obtaining a legitimate user's password to access the system.
Goal: To keep information private and secure.
• Centralized user control through Active Directory integration and/or parent/child user sharing
• Password strength enforcement
• Ability to bulk-change camera passwords from Avigilon Control Center (ACC)™ video management software
• Lock-out on multiple invalid login attempts
In addition to loss of confidentiality and integrity, the availability of a system and its data can be compromised by external attacks. These usually take the form of a denial of service (DoS) attack where an attacker bombards a system with requests. Although it is difficult to protect against all forms of these attacks, the effect is usually temporary.
Goal: To ensure system uptime and continuity of function.
• Progressive back-off on multiple invalid login attempts
• Separate, limited-access gateway for thin client (web and mobile) access to video
• 802.1X device authentication
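The lock-out and progressive back-off controls listed above, as an added example that is not Avigilon's code: a per-account throttle whose wait doubles after each failed login and becomes a timed lock-out at a threshold, so password guessing is slowed while a user who mistypes once waits only a second. The credential store, account name and tuning values are constructed for the example.

```python
import hashlib
import hmac
# Constructed credential store for this example: one account, a fixed salt.
# A real system stores a random per-user salt alongside each hash.
_SALT = b"constructed-demo-salt"
def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)
_USERS = {"operator": _hash("correct horse battery staple")}

def verify_password(account: str, password: str) -> bool:
    # Hash even for unknown accounts so response time does not reveal valid names.
    stored, candidate = _USERS.get(account), _hash(password)
    return stored is not None and hmac.compare_digest(stored, candidate)

class LoginThrottle:
    """Per-account back-off: the n-th consecutive failure imposes base_delay * 2**(n-1)
    seconds (capped at max_delay); lockout_threshold failures lock it for lockout_seconds."""
    def __init__(self, base_delay=1.0, max_delay=60.0,
                 lockout_threshold=10, lockout_seconds=900.0):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.lockout_threshold, self.lockout_seconds = lockout_threshold, lockout_seconds
        self._state = {}  # account -> [failures, earliest time of next attempt]

    def seconds_to_wait(self, account: str, now: float) -> float:
        st = self._state.get(account)
        return 0.0 if st is None else max(0.0, st[1] - now)

    def record_failure(self, account: str, now: float) -> float:
        st = self._state.setdefault(account, [0, 0.0])
        st[0] += 1
        if st[0] >= self.lockout_threshold:
            delay = self.lockout_seconds
        else:
            delay = min(self.base_delay * 2 ** (st[0] - 1), self.max_delay)
        st[1] = now + delay
        return delay

    def record_success(self, account: str) -> None:
        self._state.pop(account, None)  # a good login clears the counter

def attempt_login(throttle, account, password, now):
    """Returns ('throttled', wait) | ('failed', imposed_delay) | ('ok', 0.0)."""
    wait = throttle.seconds_to_wait(account, now)
    if wait > 0:
        return "throttled", wait
    if verify_password(account, password):
        throttle.record_success(account)
        return "ok", 0.0
    return "failed", throttle.record_failure(account, now)
```

Keying the counter on the account rather than the source address means a guessing campaign spread over many addresses is still slowed, at the cost that an attacker can delay a known user; the capped back-off keeps that delay bounded until the lock-out threshold.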