VideoEdge Cybersecurity v4.6 - May 2015
CYBERSECURITY
© 2015 Tyco International Ltd. and its respective companies. All rights reserved. May 2015
Product Mission Statement:
Provide unified cybersecurity solutions within our physical security
solutions that contain the latest, time-tested technology
complementary to the capabilities of our clients and supported for the
life of the solution.
Service Mission Statement:
Provide the dedication and accountability necessary for the ever-
changing field of cybersecurity, provide the documentation and
training necessary for our integrators to succeed, and as new threats
arise and new vulnerabilities are found, continue to provide sound
resolutions and timely responses.
“VSR observed a number of strengths in the VideoEdge NVR solution including: strong
protections for security communication protocols such as SSL & TLS; SSL certificate
validation between the Victor Client and VideoEdge NVR, and LDAP services if external
authentication has been configured; a minimal set of external facing network protocols;
configuration options to enable various security settings within the web user interface,
such as limiting communications to HTTPS, enforcing session timeouts, highly
configurable permissions and access controls; and lastly the support for external
authentication against LDAP and Active Directory systems with capability to use secure
SSL/TLS transport security, while applying Active Directory controls for account lockout
and password complexity.”
Virtual Security Research, LLC (VSR)
Penetration Testing Attestation Letter, Annex C
Executive Summary
Cybersecurity cannot be an afterthought. With every new vulnerability announcement, a
device thought secure yesterday can be compromised tomorrow. The only reliable and
sustainable solution is to have a program that designs security into the product and
maintains it throughout the product lifecycle. That is what we strive to achieve at Tyco
Security Products.
VideoEdge Network Video Recorders (NVRs) have received special attention from the
Tyco Security Products Product Security Team. VideoEdge NVRs have been
incorporated into installations ranging from a few cameras at small retail stores to
hundreds of cameras securing our nation’s critical infrastructure sites. With its
customized Linux operating system, American Dynamics is able to secure the entire
appliance and add custom security features to enhance its overall performance.
Some of the features included in VideoEdge NVRs to help prevent a cybersecurity
attack:
− Access control features to comply with most security policies
− Ability to change default ports and disable remote access protocols
− Digital certificate support to authenticate the device
− Customized operating system to ensure only required components are present
− Encrypted communication between the NVR and victor Client
Additionally, to help detect and recover from an attack, the VideoEdge NVR also
supports:
− Failover and backup capabilities for robustness and quick recovery
− Auditing and configurable real time alerts
− Camera tamper detection
To validate these features and ensure the VideoEdge NVR does not contain any
security vulnerabilities, the VideoEdge NVR undergoes internal vulnerability testing as
part of the overall secure development process. Furthermore, the NVR has undergone
penetration testing from an independent lab. With some simple hardening steps
described in this document, the lab attests that they were unable to:
− Exploit the VideoEdge NVR, even with direct access to the network
− Gain access to an intentionally vulnerable camera on the camera LAN
In its many forms, the VideoEdge NVR offers a secure platform that can be customized
to meet the security policies of almost any installation, with a dedicated support team to
address vulnerabilities and other security issues as they arise. This document serves to
answer cybersecurity questions and identify the many security features VideoEdge
NVRs offer. However, if questions or issues do arise, please contact your American
Dynamics representative or myself.
William L Brown Jr.
Sr. Engineering Manager, Regulatory and Product Security
Contents
VideoEdge Network Video Recorders (NVRs)
  Introduction
  Network Architecture
Risk Assessment
  Introduction
  Impact Levels
  Information Types
Robustness
  Backup / Restore
  Failover
  Recovery / Factory Reset
Access Control
  Linux User Accounts
  Separation of Responsibilities
  NVR Administration Roles
  VideoEdge Local Client Roles
  Enhanced Password Validation
  Locking User Accounts
  Automatic Logout
  Advanced Access Control
  Remote Access Control
  System Use Banner
Ports
  Port Map
  Port Selection
Device Authentication and Certificates
  Digital Certificate Support
  Encryption Ciphers
Operating System
  SUSE Enterprise Linux
  Updates
System and Communication Protection
  OpenSSL
  Configurable HTTP and HTTPS support
Cameras
  Network Protection
  Tamper Detection
Auditing and Alerts
  Enhanced Security Logging, Audit Trail, and Email Alerts
  Alerts
Security Approvals and Certifications
  FISMA
Internal Vulnerability Testing
  Overview and Process
  Reporting
  Findings Summary
Third Party Penetration Testing
  Overview
  Key Findings:
ANNEX A – Tyco Security Products Product Security Program
  Product Security Team
  Cybersecurity Mission
  Secure Development Life Cycle
  Cyber-Response Team
  For More Information / Point of Contact
ANNEX B – Internal Vulnerability Test Report
  1. Executive Summary
  2. Discovered Systems
  3. Discovered and Potential Vulnerabilities
  3.1. Critical Vulnerabilities
  3.2. Severe Vulnerabilities
  3.3. Moderate Vulnerabilities
ANNEX C – Third Party Penetration Letter
APPENDIX – Resources and References
  External Resources
  Tyco Documents
  Laws and Regulations
  OMB Circulars
  FIPS Publications
  NIST Publications
VideoEdge Network Video Recorders (NVRs)
Introduction
One of the fastest and most powerful NVRs in the industry, VideoEdge is available with
a full range of intuitive clients to manage surveillance in very active environments,
onsite and remotely. Scalable from a single NVR to a large, multi-site architecture,
users can easily deploy any number of cameras, adding licenses at any time. Built-in
intelligence allows users to receive multiple video streams for live, record, alarm, and
meta-data collection, all tailored to viewing conditions. The end result is superior video
with significantly reduced network bandwidth, CPU resources, and memory usage.
Multicast video streams further reduce the bandwidth required for streaming high-quality
video.
Using the victor Client with VideoEdge NVRs allows the operator to leverage high-
performance video streaming, audio, motion meta-data and an expansive feature set.
Visit the victor web page for more information on the power of the victor solution.
Network Architecture
Risk Assessment
Introduction
The intent of this risk assessment is to help identify the information on the VideoEdge
NVR and help assess the risk to the organization if that information is compromised by
a malicious party. This assessment may assist in identifying the security controls and
features necessary to protect that information.
For a system required to comply with the Federal Information System Modernization Act
(FISMA), an assessment is done as part of a FIPS-199 Categorization necessary for the
System Owner and Authorizing Official to determine the system’s ability to host
components and data at that category.
Impact Levels
Impact levels are determined for each information type based on the security objectives:
confidentiality, integrity, availability.
Confidentiality - “Preserving authorized restrictions on information access and
disclosure, including means for protecting personal privacy and proprietary
information…” [44 U.S.C., Sec. 3542]
Integrity - “Guarding against improper information modification or destruction,
and includes ensuring information non-repudiation and authenticity…” [44 U.S.C.,
Sec. 3542]
Availability - “Ensuring timely and reliable access to and use of information…”
[44 U.S.C., Sec. 3542]
The potential impact is LOW if:
− The loss of confidentiality, integrity, or availability could be expected to have a limited
adverse effect on organizational operations, organizational assets or individuals.
The potential impact is MODERATE if:
− The loss of confidentiality, integrity, or availability could be expected to have a serious
adverse effect on organizational operations, organizational assets or individuals.
The potential impact is HIGH if:
− The loss of confidentiality, integrity, or availability could be expected to have a severe
or catastrophic adverse effect on organizational operations, organizational assets or
individuals.
Information Types
The scope of a FIPS-199 Categorization includes information type categories as defined
in the NIST Special Publication 800-60 Volume 2 Revision 1. The information types
identified on the VideoEdge NVR are as follows:
C.3.5.5 Information Security Information Type
Information included on the device about the system itself including policies and
controls, identification, authentication and network information.
NIST SP 800-60 Recommended Impact Level:
Confidentiality: Low; Integrity: Moderate; Availability: Low
For VideoEdge NVRs, this may include:
− IP addresses and locations of devices
− Port and interface settings
− Certificates
− Device names
− Protocols
− Licenses
− User credentials
− Remote access settings
− Authentication schemes
C.3.5.8 System and Network Monitoring Information Type
Information included on the device that helps determine the performance and
status of the system or network.
NIST SP 800-60 Recommended Impact Level:
Confidentiality: Moderate; Integrity: Moderate; Availability: Low
For VideoEdge NVRs, this may include:
− Camera status
− NVR status
− Alarms
− User status
− System statistics
− System logs
− Audit logs
− Camera logs
− Storage statistics
− System backup file
− Active victor Clients
C.3.1.3 Security Management Information Type
Information available on the device related to the security of an organization’s
personnel, assets, and facilities.
NIST SP 800-60 Recommended Impact Level:
Confidentiality: Moderate; Integrity: Moderate; Availability: Low
For VideoEdge NVRs, this may include:
− NVR location
− Identities of security personnel and corresponding facial image data
− Active victor Clients
− Stored video
− Number and location of cameras
− Alarm configuration
− Camera scheduling
− Camera connection statistics
D.16.2 Criminal Investigation and Surveillance Information Type
This describes information available on the device that may be used as evidence
for determining responsibility of a crime.
NIST SP 800-60 Recommended Impact Level:
Confidentiality: Moderate; Integrity: Moderate; Availability: Moderate
For VideoEdge NVRs, this may include:
− Recorded video
− Analytics metadata
− System logs and audit data
− Camera connection statistics
D.16.5 Property Protection Information Type
Information related to the protection of the physical property.
NIST SP 800-60 Recommended Impact Level:
Confidentiality: Low; Integrity: Low; Availability: Low
For VideoEdge NVRs, this may include:
− Alarm configuration
− Camera scheduling
− Number and location of cameras
− NVR location
Robustness
Backup / Restore
In the event of a system failure, recovery of the NVR server’s configuration data is
possible via a system backup file stored to a USB or local disk. The backup file can be
imported to the NVR to restore the saved configuration.
The following settings can be saved:
1. Device Settings
2. System Settings
3. User Information
4. DHCP Settings
5. NTP Settings
6. Failover Settings
7. VideoEdge Client Settings
8. Discovery Settings
9. System Security Settings
10. Network Interface Settings
11. victor Web Settings
While Operating System (OS) settings cannot be stored in the configuration backup file,
the system will automatically export a text file containing the OS settings. The text file
can be used as reference for manually configuring the OS settings.
Failover
A VideoEdge NVR can act as a failover NVR or secondary NVR. When configured as a
secondary NVR, it will monitor the other VideoEdge NVRs on the network that have
been added to its server monitoring list.
The secondary VideoEdge NVR will continuously monitor all primary NVRs. In the event
that a primary NVR fails, the secondary NVR will detect the failure after approximately
30 seconds and will begin assuming the role of the primary NVR.
Recovery / Factory Reset
VideoEdge provides multiple options for resetting the NVR to its initial factory
conditions, some of which preserve recorded media.
Access Control
Linux User Accounts
Linux is a general-purpose operating system that has several user accounts with well-
known default passwords. The VideoEdge operating system contains only those
accounts necessary for operation. VideoEdge allows the password of the system
administrator account (known as “root” in Linux) to be changed.
Separation of Responsibilities
The VideoEdge server separates roles based on responsibilities such as operator
access, general system configuration, software installation, access to PTZ and clip
export features.
NVR Administration Roles
admin: Allows viewing and editing of the VideoEdge Administration Interface and full functionality of the VideoEdge Client.
operator: Allows viewing of the VideoEdge Administration Interface and full functionality of the VideoEdge Client.
softwareadmin: Allows access to the software update page only. This credential is used solely for carrying out software updates and installing camera handler packs.
support: The support user role is solely for the use of American Dynamics Technical Support. The password for this account is unique to each NVR and is derived by American Dynamics Technical Support from the platform's support ID. The password cannot be changed. However, remote access can be prevented by disabling SSH remote access.
VideoEdge Local Client Roles
viewer1: Allows full functionality of the VideoEdge Client. Unable to view or edit the VideoEdge Administration Interface.
viewer2: Allows full functionality of the VideoEdge Client with the exception of Analog (Real) PTZ. Unable to view or edit the VideoEdge Administration Interface.
viewer3: Allows full functionality of the VideoEdge Client with the exception of Analog (Real) and Digital PTZ, Still Image Capture and Clip Export. Unable to view or edit the VideoEdge Administration Interface.
Enhanced Password Validation
VideoEdge NVRs ship with preset passwords on all accounts. When activated, the
VideoEdge Administrator Interface advises users that these passwords should be
changed. The enhanced password validation feature enforces restrictions when setting
or changing passwords:
− Passwords must be different than the previous three passwords
− Passwords must differ from the previous password by a minimum of three
characters
− Passwords must be a minimum of seven characters long and must contain a mixture
of upper and lower case letters, numbers, and special characters
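One way to enforce the three rules above at password-change time, added here as an example and not VideoEdge's own code. It assumes that all four character classes are required, that "differ by three characters" means a Levenshtein edit distance of at least three from the current password (known in plaintext only because the user types it into the change form), and that the history holds salted PBKDF2 digests with the current password as its newest entry; all function names are hypothetical.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 7            # "minimum of seven characters long"
HISTORY_DEPTH = 3         # "different than the previous three passwords"
MIN_CHANGED_CHARS = 3     # "differ ... by a minimum of three characters"
PBKDF2_ROUNDS = 100_000   # assumption: work factor chosen for this example


def make_entry(password, salt=None):
    """Build a history entry (salt, digest); the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def edit_distance(a, b):
    """Levenshtein distance: fewest insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def has_all_classes(password):
    """Assumption: 'a mixture' means at least one character of every class."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def check_new_password(new, current, history):
    """Return the list of violated rules; an empty list means accepted.

    new      -- candidate password
    current  -- current password as typed by the user in the change form
    history  -- list of (salt, digest) entries, oldest first, newest last
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too_short")
    if not has_all_classes(new):
        problems.append("missing_character_class")
    # The similarity rule can only be checked against a plaintext password,
    # so it is applied to the one the user has just supplied.
    if edit_distance(new, current) < MIN_CHANGED_CHARS:
        problems.append("too_similar")
    # The reuse rule works on digests: re-hash the candidate with each old salt.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(make_entry(new, salt)[1], digest):
            problems.append("reused")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample history, oldest first.
    old = ["Autumn!2013", "Winter#2014", "Spring#2015", "Summer#2015"]
    history = [make_entry(p) for p in old]
    for candidate in ["Summer#2016", "Spring#2015", "abc", "Harbor!Light42"]:
        print(candidate, check_new_password(candidate, "Summer#2015", history))
```

A changed year digit passes the history check but fails the similarity check, which is why the two rules are evaluated separately.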
Locking User Accounts
User accounts for VideoEdge Administrator Interface and VideoEdge Client may be set
to permanently or temporarily lock after a configurable number of invalid login attempts.
Accounts may also be set to automatically lock if not used within a set period of time,
e.g., to ensure ex-employee accounts are disabled. When login is attempted after this
time period, the account is locked and may only be unlocked by an administrator.
Permanent and temporary account lockouts are capable of generating an email alert.
Administrator View of Users
Automatic Logout
VideoEdge Administrator Interface user accounts can be configured to automatically log
out the user after a configurable period of inactivity (between 5 and 60 minutes).
Advanced Access Control
LDAP (Lightweight Directory Access Protocol) is a centralized way of managing user
groups and accounts and security permissions. LDAP allows an organization to enforce
permissions and access policies across all computers on a network, and to provide
centralized backup of account information. Granting or revoking a user or group access
to IT assets can be more easily accomplished if permissions are stored centrally. For
example, if a guard is relocated from one prison to another, a simple LDAP account edit
will immediately revoke his access to the NVRs in the old prison and reassign access to
the new ones.
The Solution is designed to seamlessly integrate with existing Domain security
capabilities, including LDAP-based domain controllers. It supports:
− Use of an X.509 certificate for communication via TLS
− Query, Base, and Administrator distinguished names (DN)
VideoEdge NVRs:
− LDAP authentication and authorization for admin GUI
− OpenLDAP and Microsoft Active Directory
− Secure connections using TLS
victor Client:
− LDAP authentication and authorization
− OpenLDAP and Microsoft Active Directory
− Secure connections using TLS
Remote Access Control
VideoEdge systems support SNMP, SSH, VNC, and XRDP protocols, which can be
enabled or disabled at configuration.
Remote web access to the VideoEdge Administration Interface can be restricted or
deactivated. The configuration allows external web and mobile device access to be
disabled and concurrent web sessions to be restricted.
System Use Banner
The System Use Banner can be configured to display an approved system use
notification message or banner before the user logs on to the system either locally or
remotely. It also can be used to provide privacy and security notices consistent with
applicable federal laws, executive orders, directives, policies, regulations, standards,
and guidance.
Ports
Port Map
The RTSP (port 554) and RTP/RTCP video data is not encrypted. Encryption of video
requires processing power and time that would seriously impact system performance
and video quality. By default, the video stream is only accessible to authenticated
devices. However, if additional security is required, the video transmission may be
secured using SSH tunneling, but this also would impact performance.
Port Selection
The HTTP, HTTPS, RTSP, and SNMP ports may be changed from their default values.
Device Authentication and Certificates
Digital Certificate Support
HTTPS encrypts web traffic but does not verify the identity of the remote host without a
properly configured digital certificate. VideoEdge NVRs allow you to create a certificate
that is tailored to the individual NVR so that its identity can be verified by your web
browser or victor Client. The certificate can be self-signed, or for more security-
conscious customers, it can be signed by a trusted certificate authority such as Thawte
or Verisign. VideoEdge certificates use 2048-bit keys.
victor Client can use the digital certificate feature in VideoEdge to ensure that
communications are secure and to verify the identity of recorders added to victor Client.
Encryption Ciphers
When HTTPS is enabled, web GUI commands are transferred using TLS (Transport
Layer Security) with AES 256-bit encryption. Data is transferred using SSL (Secure
Socket Layer) with AES 256-bit encryption.
The minimum supported encryption key strength in VideoEdge NVRs is 128 bits.
Export ciphers are disabled by default.
RC4 cipher may be disabled.
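A way to check a cipher listing against the limits stated above (no export suites, at least 128-bit keys, RC4 optionally excluded), added here as an example and not taken from the VideoEdge documentation. It assumes the listing is in the column format printed by `openssl ciphers -v`; the listing embedded below is constructed sample input and the function names are hypothetical.

```python
import re

MIN_KEY_BITS = 128  # "minimum supported encryption key strength ... is 128 bits"

# Matches the Enc= column, e.g. Enc=AES(256), Enc=RC4(40) or Enc=None.
ENC_FIELD = re.compile(r"Enc=([A-Za-z0-9]+)(?:\((\d+)\))?")

# Constructed sample in `openssl ciphers -v` layout (not captured from a device).
SAMPLE_LISTING = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""


def parse_cipher_line(line):
    """Parse one listing line into a dict, or return None if it is not one."""
    fields = line.split()
    match = ENC_FIELD.search(line)
    if len(fields) < 6 or match is None:
        return None
    return {
        "name": fields[0],
        "protocol": fields[1],
        "enc": match.group(1),
        # Enc=None (NULL suites) carries no bit count: treat it as 0 bits.
        "bits": int(match.group(2)) if match.group(2) else 0,
        "export": fields[-1] == "export",
    }


def audit_listing(text, forbid_rc4=True):
    """Map each non-compliant suite name to the list of rules it breaks."""
    findings = {}
    for line in text.splitlines():
        cipher = parse_cipher_line(line)
        if cipher is None:
            continue
        reasons = []
        if cipher["export"] or cipher["name"].startswith("EXP"):
            reasons.append("export")
        if cipher["bits"] < MIN_KEY_BITS:
            reasons.append("weak_key")
        if forbid_rc4 and cipher["enc"] == "RC4":
            reasons.append("rc4")
        if reasons:
            findings[cipher["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_listing(SAMPLE_LISTING).items():
        print(f"{name}: {', '.join(reasons)}")
```

Because RC4 is only optionally disabled, `forbid_rc4=False` reports what remains non-compliant on a recorder where that option has been left on.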
Operating System
SUSE Enterprise Linux
VideoEdge is an embedded video server appliance built upon the SUSE Linux
Enterprise Server (SLES). SLES is supported by Novell and the Linux development
community, which respond quickly to vulnerabilities through upgrades and patches.
The distribution used in VideoEdge NVRs is a customized JeOS (Just Enough Operating
System) tailored to contain only the components and services needed for operation.
The number of vulnerabilities is reduced as more unnecessary components are
removed.
Updates
Software updates, patches and updated camera handler packs can be applied to the
NVR manually or by using the Push Update feature of victor Unified Client.
System and Communication Protection
OpenSSL
The VideoEdge operating system uses the industry-standard OpenSSL platform to
provide SSL connections for communications such as SSH, HTTPS, and TLS LDAP
sessions.
Configurable HTTP and HTTPS support
VideoEdge systems may be configured to disable HTTP access to ensure that only
encrypted web sessions can be used. Changing the HTTP and HTTPS ports improves
the system security because unsophisticated attackers are likely to try the default ports.
Cameras
Network Protection
A VideoEdge NVR has multiple network interface controllers (NICs). This allows the
cameras to be installed on a separate network using the NVR as a firewall to protect
potentially vulnerable cameras from external attack. The NICs are both physically and
logically separated by default and can only be bridged by a Linux administrator. This
isolation allows the NVR to protect vulnerable cameras on the camera LAN. This
protection was validated through third party penetration testing (see Annex B).
Tamper Detection
To help determine if and when a camera has been tampered with, the NVR
automatically performs an image detection test on every camera to determine if a
camera has gone dark or is broadcasting black video. It can also send alerts when a
camera reboots or goes offline.
Auditing and Alerts
Enhanced Security Logging, Audit Trail, and Email Alerts
Logs track general system operation and are useful for troubleshooting and incident
investigation. The VideoEdge system generates a number of different log files to track
areas such as general system operation, web server operation, web server errors, and
Network Time Protocol (NTP) operation. These logs are useful in monitoring the general
operation of the Linux system. The VideoEdge system also generates a number of
application-specific log files to aid in diagnosing areas such as camera communication
and video playback events. Log backup to an external server is supported.
Audit trails keep track of system configuration operations including the configuration of
information security controls. This aspect of the VideoEdge system is being continually
improved. An audit log interrogation tool is provided as part of the VideoEdge
Administrator Interface. This allows audit events to be queried by severity and searched
using a text filter.
Alerts
Alerts can be generated via email and victor Client under various configurable
categories. Email alerts can use authenticated SMTP servers (including Microsoft
Exchange) and can encrypt emails using SSL or TLS. These alerts can be configured to
assist or expand the capabilities of existing security policies including video data
retention, camera malfunction, and user access control.
Security Approvals and Certifications
FISMA
A VideoEdge system includes technical controls necessary to support overall FISMA
compliance. These controls include:
Authenticated system access
Account login/logout management
Role-based separation of capabilities, permissions, and privileges
System event and configuration change auditing, alerting, and management
Restriction of ports, protocols, and services to only those required to support
VideoEdge functionality
For more information, see the VideoEdge FISMA-Ready white paper.
Internal Vulnerability Testing
Overview and Process
Vulnerability testing is performed on all versions of VideoEdge NVRs prior to release.
The system is tested in multiple configurations with credentialed and non-credentialed
scans. Additional penetration testing and exploit efforts based on those vulnerabilities
are also performed.
Before a release is approved, all vulnerabilities classified as critical or severe must be
resolved. The resolution may be dependent upon the installation. For example,
vulnerabilities often are found due to the configuration of the operating system. When
this occurs, the resolution is to provide configuration guidance.
Reporting
This document includes some of the results from the internal assessment of the
VideoEdge system. The included report contains the results of a non-credentialed
vulnerability scan, which best indicate how the system may be vulnerable to a
network-level attack with limited device hardening.
Findings Summary
The following vulnerabilities may be seen during a vulnerability scan of a VideoEdge
NVR. Each of these may be mitigated through configuration.
Simple Network Management Protocol (SNMP)
SNMP governs network management and monitors network devices. It is used
on the VideoEdge NVR to monitor the NVR’s status for victor Client health
monitoring and failover functionality. The default credentials used to access the
SNMP information on the NVR are common and may be guessed, but the SNMP
service has been configured to be read only, and the information cannot be
altered. However, if further mitigation is required, SNMP may be disabled through
the Security Configuration menu.
Virtual Network Computing (VNC)
VNC is a desktop sharing system. Its primary purpose on the VideoEdge NVR is
for remote access of the American Dynamics technical support team. To prevent
unauthorized access, VNC may be disabled through the Security Configuration
menu.
Certificate Vulnerabilities
There are many vulnerabilities related to the certificate that may be discovered,
especially if using the self-signed certificate. Most of these vulnerabilities may be
acceptable in most applications. However, if additional security is required, then
a certificate from a trusted certificate authority may be used.
SSLv3 (POODLE)
POODLE is a vulnerability that takes advantage of weak encryption ciphers used
in SSL version 3 (SSLv3). It allows an attacker capable of performing a man-in-
the-middle-style attack to force the use of the weaker ciphers and eventually view
and alter data between the client and server devices. The only solution is to
disallow the use of SSL and force communication through the more secure TLS
protocol. Instructions to resolve this vulnerability are available in the VideoEdge
Security User Guide.
RC4 Cipher Algorithm
The RC4 cipher algorithm has known vulnerabilities and can be compromised.
VideoEdge NVRs do possess the RC4 cipher algorithm. The procedure to
disable the algorithm is available in the VideoEdge Security User Guide.
Secure Cookie Flag
The secure cookie flag tells the browser to send a cookie only over HTTPS.
VideoEdge NVRs do not force the use of this flag by default. The procedure to
enable the secure cookie flag is available in the VideoEdge Security User Guide.
TCP Timestamp
A TCP timestamp response can be used to approximate the device’s uptime,
potentially aiding in further attacks. Additionally, some operating systems can be
fingerprinted based on the behavior of their TCP timestamps. To disable the TCP
timestamp in VideoEdge NVRs, open a terminal, log in as root, and enter the
following command: sysctl -w net.ipv4.tcp_timestamps=0
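To confirm the Secure Cookie Flag finding above is closed after hardening, the web server's response headers can be checked directly. The script below is an added example, not code from the VideoEdge documentation; the function names, the sample response and the host name `nvr.example` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Reads raw HTTP response headers on stdin and
# reports, for each Set-Cookie header, whether the Secure attribute is present.
# Exit status: 0 = every cookie carries Secure, 1 = at least one does not.
audit_cookies() {
    tr -d '\r' | awk '
        /^$/ { exit }                           # blank line ends the header block
        tolower($0) ~ /^set-cookie:/ {
            line = $0
            sub(/^[^:]*:[ \t]*/, "", line)      # drop the header name
            n = split(line, part, ";")
            name = part[1]
            sub(/=.*/, "", name)                # keep the cookie name, drop the value
            secure = 0
            for (i = 2; i <= n; i++) {          # attributes follow the first ";"
                attr = tolower(part[i])
                gsub(/^[ \t]+|[ \t]+$/, "", attr)
                if (attr == "secure") secure = 1
            }
            print name, (secure ? "SECURE" : "MISSING")
            if (!secure) bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample response (not captured from a real unit). The second
# cookie contains the word "secure" in its value and path but lacks the flag.
sample_headers() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Server: Apache' \
        'Set-Cookie: session=abc123; Path=/; HttpOnly; Secure' \
        'set-cookie: theme=secure-dark; Path=/secure' \
        'Set-Cookie: lang=en;secure' \
        ''
}

# Against a live unit (placeholder host name):
#   curl -skI https://nvr.example/ | audit_cookies
if [ "${1:-}" = "--demo" ]; then
    sample_headers | audit_cookies || echo "at least one cookie lacks Secure"
fi
```

Only attributes after the first semicolon are compared, so a cookie whose value or path merely contains the word "secure" is still reported as MISSING.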
Third Party Penetration Testing
Overview
American Dynamics has engaged a third-party security firm to perform penetration
testing on the VideoEdge NVR (version 4.6). The scope and findings of this testing are
included in Annex C.
Key Findings:
1) The NVR was able to protect an intentionally vulnerable camera placed on the
camera LAN from network activity performed on the external LAN. The testers
were unable to access the camera from the external LAN.
2) With all of its security controls enabled, critical and high vulnerabilities are
mitigated.
The test system configuration:
1) Disable SSLv3
2) Disable external web UI
3) Remote access protocols disabled
4) Change CouchDB credentials
5) Change root default password
6) Activate self-signed certificate
7) Enable secure cookie
8) Disable Apache RC4 ciphers
The procedure for each can be found in the VideoEdge Security User Guide.
ANNEX A – Tyco Security Products Product Security Program
Product Security Team
The Tyco Security Products’ Product Security Team is responsible for the physical and
cyber security and government approvals of American Dynamics and Software House
products. Responsibilities include product security assessment, creation and support of
documentation, training, and support of government approvals including FISMA, NERC,
and CPNI.
Cybersecurity Mission
As there is more to cybersecurity than the device alone, the Product Security Team has
adopted multiple mission statements.
Product Mission Statement:
Provide unified cybersecurity solutions within our physical security solutions that
contain the latest, time-tested technology complementary to the capabilities of
our clients and supported for the life of the solution.
Service Mission Statement:
Provide the dedication and accountability necessary for the ever-changing field of
cybersecurity, provide the documentation and training necessary for our
integrators to succeed, and as new threats arise and new vulnerabilities are
found, continue to provide sound resolutions and timely responses.
Secure Development Life Cycle
The security team is involved at every level of the VideoEdge development life cycle:
Requirements
Security requirements and controls are provided by the security team during the
early product definitions phase and are included in the engineering design
specifications.
Design
The security team works with the development team to validate the design of
security features.
Development
Source code is strictly controlled and monitored. Automated tools are used to
evaluate the vulnerability of open source software. Vulnerability testing is also
performed during this time. When found, vulnerabilities are logged into the bug
tracking system. Security bugs are assessed by the security team, and solutions
can only be accepted when validated by the security team.
Testing
Regular vulnerability testing is performed throughout the development process by
the security and development teams. When a representative build is available,
the team also performs in-depth vulnerability and penetration testing.
Deployment
Deployment cannot be approved until after the security assessment. After
deployment, the security team performs regular testing to ensure that no updates
or configurations generate vulnerabilities.
Cyber-Response Team
An installation cannot rely solely on device hardening. Any device that is secure today
may be vulnerable tomorrow pending the announcement of a new vulnerability. Tyco
Security Products’ Cyber Response Team quickly responds to these announcements.
The team comprises security, development, and quality assurance
engineers who are the most knowledgeable about specific product lines. While team
members also have other responsibilities, their highest priority is to address critical
security issues. By having dedicated and knowledgeable engineers, the team is often
able to generate a cybersecurity advisory the same day a new vulnerability is
announced. Patches for critical vulnerabilities such as Heartbleed and Shellshock have
been developed, tested, and released in as little as two weeks.
For More Information / Point of Contact
For more information about the Cybersecurity Program, security features, or assistance
with secure installation, contact:
William L. Brown Jr., Sr. Engineering Manager - Regulatory and Product Security
ANNEX B – Internal Vulnerability Test Report
1. Executive Summary
This report represents a security audit performed by Nexpose from Rapid7 LLC.
Target: VideoEdge NVR version 4.6
Configuration:
Credentials: None
SNMP: disabled
VNC: disabled
Certificate: self-signed
SSLv3: disabled
There were three vulnerabilities found during this scan.
No critical vulnerabilities were found. Critical vulnerabilities require immediate
attention. They are relatively easy for attackers to exploit and may provide them
with full control of the affected systems.
One vulnerability was severe. Severe vulnerabilities are often harder to exploit
and may not provide the same access to affected systems.
There were two moderate vulnerabilities discovered. These often provide
information to attackers that may assist them in mounting subsequent attacks on
your network. These should also be fixed in a timely manner, but are not as
urgent as the other vulnerabilities.
There was one occurrence each of the ssl-self-signed-certificate,
tls-server-cert-sig-alg-sha1 and generic-tcp-timestamp vulnerabilities, making them
the most common vulnerabilities. There were three vulnerabilities in the Network
category, making it the most common vulnerability category.
The ssl-self-signed-certificate vulnerability poses the highest risk to the organization
with a risk score of 246. Risk scores are based on the types and numbers of
vulnerabilities on affected assets.
One operating system was identified during this scan.
There were 3 services found to be running during this scan.
The HTTP, HTTPS and rtsp (Real Time Stream Control Protocol) services were found
on one system, making them the most common services.
2. Discovered Systems
Node Operating System Risk Aliases
<TARGET> Linux 2.6.32 464 VideoEdge NVR
3. Discovered and Potential Vulnerabilities
3.1. Critical Vulnerabilities
No critical vulnerabilities were reported.
3.2. Severe Vulnerabilities
3.2.1. Self-signed TLS/SSL certificate (ssl-self-signed-certificate)
Description:
The server's TLS/SSL certificate is self-signed. Self-signed certificates cannot be
trusted by default, especially because TLS/SSL man-in-the-middle attacks typically use
self-signed certificates to eavesdrop on TLS/SSL connections.
Affected Nodes:
Affected Nodes Additional Information
<TARGET>:443 TLS/SSL certificate is self-signed.
References:
None
Vulnerability Solution:
Obtain a TLS/SSL digital certificate from a Certificate Authority (i.e., not self-signed) and
install it on the server. The exact instructions for obtaining a new certificate depend on
your organization's requirements. Generally, you will need to generate a certificate
request and save the request as a file. This file is then sent to a Certificate Authority
(CA) for processing. Your organization may have its own internal Certificate Authority. If
not, you may have to obtain a certificate from a trusted external Certificate Authority,
such as Thawte or Verisign.
3.3. Moderate Vulnerabilities
3.3.1. SHA-1-based Signature in TLS/SSL Server X.509 Certificate (tls-server-cert-sig-alg-sha1)
Description:
The SHA-1 hashing algorithm has known weaknesses that expose it to collision attacks,
which may allow an attacker to generate additional X.509 digital certificates with the
same signature as an original.
Affected Nodes:
Affected Nodes Additional Information
<TARGET>:443 SSL certificate is signed with SHA1withRSA
References:
Source Reference
URL https://technet.microsoft.com/en-us/library/security/2880823.aspx
URL https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
URL http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html
URL https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
Vulnerability Solution:
When obtaining a new certificate, ensure that it uses a SHA-2 (SHA-224, SHA-256,
SHA-384, SHA-512, SHA-512/224, SHA-512/256) hash function. Additional guidance is
available from public certificate providers.
3.3.2. TCP timestamp response (generic-tcp-timestamp)
Description:
The remote host responded with a TCP timestamp. The TCP timestamp response can
be used to approximate the remote host's uptime, potentially aiding in further attacks.
Additionally, some operating systems can be fingerprinted based on the behavior of
their TCP timestamps.
Affected Nodes:
Affected Nodes: Additional Information:
<TARGET> Apparent system boot time: Sun Nov 30 20:00:12 EST 2014
References:
Source Reference
URL http://uptime.netcraft.com
URL http://www.forensicswiki.org/wiki/TCP_timestamps
URL http://www.ietf.org/rfc/rfc1323.txt
Vulnerability Solution:
Disable TCP timestamp responses on Linux as follows:
Set the value of net.ipv4.tcp_timestamps to 0 by running the following
command:
sysctl -w net.ipv4.tcp_timestamps=0
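`sysctl -w` changes only the running kernel, so the setting is lost at the next reboot unless it is also written to a sysctl configuration file. The audit below is an added example, not part of the scan report or the vendor's procedure; the function names are hypothetical, and the configuration paths (`/etc/sysctl.conf`, `/etc/sysctl.d/*.conf`) are assumed standard Linux locations that may differ on the NVR.

```shell
#!/bin/sh
# Added example, not vendor code. Compares the running value of
# net.ipv4.tcp_timestamps with the value that will be applied at boot.

# Print the running kernel value (0 = timestamps disabled).
tcp_ts_runtime() {
    cat "${1:-/proc/sys/net/ipv4/tcp_timestamps}" 2>/dev/null || echo unknown
}

# Print the last value assigned in the given config files, or "unset".
# Files are read in argument order, so a later file overrides an earlier one
# (an approximation of how the files are applied at boot).
tcp_ts_persistent() {
    val=unset
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*net\.ipv4\.tcp_timestamps[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then val=$v; fi
    done
    echo "$val"
}

# tcp_ts_audit PROC_FILE CONF_FILE...
#   OK             disabled now and at boot
#   RUNTIME_ONLY   disabled now, but will be re-enabled by a reboot
#   PENDING_RELOAD configured as disabled, but still enabled in the kernel
#   ENABLED        enabled now and at boot
tcp_ts_audit() {
    proc=$1
    shift
    run=$(tcp_ts_runtime "$proc")
    per=$(tcp_ts_persistent "$@")
    if [ "$run" = 0 ] && [ "$per" = 0 ]; then
        echo OK
    elif [ "$run" = 0 ]; then
        echo RUNTIME_ONLY
    elif [ "$per" = 0 ]; then
        echo PENDING_RELOAD
    else
        echo ENABLED
    fi
}

# Run against the live system with:  sh this_script.sh --check
if [ "${1:-}" = "--check" ]; then
    tcp_ts_audit /proc/sys/net/ipv4/tcp_timestamps \
        /etc/sysctl.d/*.conf /etc/sysctl.conf
fi
```

A result of RUNTIME_ONLY means the finding will reappear in the next scan after a reboot unless `net.ipv4.tcp_timestamps = 0` is added to the persistent configuration.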
4. Discovered Services
4.1. HTTP
HTTP, the HyperText Transfer Protocol, is used to exchange multimedia content on the
World Wide Web. The multimedia files commonly used with HTTP include text, sound,
images and video.
4.1.1. General Security Issues
Simple authentication scheme
Many HTTP servers use BASIC as their primary mechanism for user authentication.
This is a very simple scheme that uses base 64 to encode the cleartext user id and
password. If a malicious user is in a position to monitor HTTP traffic, user ids and
passwords can be stolen by decoding the base 64 authentication data. To secure the
authentication process, use HTTPS (HTTP over TLS/SSL) connections to transmit the
authentication data.
4.1.2. Discovered Instances of this Service
Device Protocol Port Vulnerabilities Additional Information
<TARGET> tcp 80 0 Apache HTTPD
    http.banner: Apache
    http.banner.server: Apache
<TARGET> tcp 5984 0 CouchDB 1.5.0
    http.banner: CouchDB/1.5.0 (Erlang OTP/R16B03)
    http.banner.server: CouchDB/1.5.0 (Erlang OTP/R16B03)
    verbs-1: GET
    verbs-2: HEAD
    verbs-count: 2
4.2. HTTPS
HTTPS, the HyperText Transfer Protocol over TLS/SSL, is used to exchange
multimedia content on the World Wide Web using encrypted (TLS/SSL) connections.
Once the TLS/SSL connection is established, the standard HTTP protocol is used. The
multimedia files commonly used with HTTP include text, sound, images and video.
4.2.1. Discovered Instances of this Service
Device Protocol Port Vulnerabilities Additional Information
<TARGET> tcp 443 2 Apache HTTPD
    http.banner: Apache
    http.banner.server: Apache
    ssl: true
    ssl.cert.issuer.dn: CN=<TARGET>, C=US
    ssl.cert.key.alg.name: RSA
    ssl.cert.key.rsa.modulusBits: 2048
    ssl.cert.not.valid.after: Thu, 03 Dec 2015 13:05:12 EST
    ssl.cert.not.valid.before: Wed, 03 Dec 2014 13:05:12 EST
    ssl.cert.selfsigned: true
    ssl.cert.serial.number: 14911825832090137520
    ssl.cert.sig.alg.name: SHA1withRSA
    ssl.cert.subject.dn: CN=<TARGET>, C=US
    ssl.cert.validsignature: true
4.3. rtsp (Real Time Stream Control Protocol)
4.3.1. Discovered Instances of this Service
Device Protocol Port Vulnerabilities Additional Information
<TARGET> tcp 554 0
5. Discovered Users and Groups
No user or group information was discovered during the scan.
6. Discovered Databases
No database information was discovered during the scan.
7. Discovered Files and Directories
No file or directory information was discovered during the scan.
8. Policy Evaluations
No policy evaluations were performed.
9. Spidered Web Sites
No web sites were spidered during the scan.
ANNEX C – Third Party Penetration Letter
APPENDIX – Resources and References
External Resources
https://www.suse.com/
http://www.rapid7.com/
https://www.openssl.org/
http://www.nist.gov/
Virtual Security Research, LLC
http://www.vsecurity.com/
Tyco Documents
The following documents are available in the Technical Library at
www.AmericanDynamics.net
VideoEdge NVR Security User Guide
VideoEdge NVR Installation and User Guide
VideoEdge, victor, and C•CURE Port Map
FISMA-Ready: VideoEdge System
FISMA-Ready: victor System
FISMA-Ready: C•CURE 9000 System
The following documents are available upon request [email protected] :
Cybersecurity Program Overview
Laws and Regulations
Federal Information Security Management Act of 2002
Federal Information System Modernization Act of 2014
Consolidated Appropriations Act of 2005, Section 522.
USA PATRIOT Act (P.L. 107-56), October 2001.
OMB Circulars
OMB Circular A-130, Management of Federal Information Resources, November
2000.
OMB Memorandum M-05-24, Implementation of Homeland Security Presidential
Directive (HSPD) 12—Policy for a Common Identification Standard for Federal
Employees and Contractors, August 2005.
OMB Memorandum M-06-16, Protection of Sensitive Agency Information, June,
2006.
FIPS Publications
FIPS PUB 199, Standards for Security Categorization of Federal Information and
Information Systems
FIPS PUB 200, Minimum Security Requirements for Federal Information and
Information Systems
NIST Publications
NIST 800-18, Guide for Developing Security Plans for Information Technology
Systems
NIST 800-26, Security Self-Assessment Guide for Information Technology
Systems
NIST 800-30, Risk Management Guide for Information Technology Systems
NIST 800-34, Contingency Planning Guide for Information Technology Systems
NIST 800-37, Guide for Applying the Risk Management Framework to Federal
Information Systems: A Security Life Cycle Approach
NIST 800-47, Security Guide for Interconnecting Information Technology
Systems
NIST 800-53 Rev3, Recommended Security Controls for Federal Information
Systems and Organizations
NIST 800-53A Rev1, Guide for Assessing the Security Controls in Federal
Information System and Organizations
NIST 800-60 Rev1, Guide for Mapping Types of Information and Information
Systems to Security
NIST 800-63, Electronic Authentication Guideline: Recommendations of the
National Institute of Standards and Technology
NIST 800-64, Security Considerations in the Information System Development
Life Cycle
Framework for Improving Critical Infrastructure Cybersecurity