VideoEdge Cybersecurity v4.6 - May 2015

VideoEdge CYBERSECURITY VERSION 4.6

Upload: william-l-brown-jr

Post on 07-Aug-2015

Page 1: VideoEdge Cybersecurity v4.6 - May 2015

VideoEdge CYBERSECURITY

VERSION 4.6

CYBERSECURITY

© 2015 Tyco International Ltd. and its respective companies. All rights reserved. May 2015

Product Mission Statement:

Provide unified cybersecurity solutions within our physical security solutions that contain the latest, time-tested technology complementary to the capabilities of our clients and supported for the life of the solution.

Service Mission Statement:

Provide the dedication and accountability necessary for the ever-changing field of cybersecurity, provide the documentation and training necessary for our integrators to succeed, and as new threats arise and new vulnerabilities are found, continue to provide sound resolutions and timely responses.

“VSR observed a number of strengths in the VideoEdge NVR solution including: strong protections for security communication protocols such as SSL & TLS; SSL certificate validation between the Victor Client and VideoEdge NVR, and LDAP services if external authentication has been configured; a minimal set of external facing network protocols; configuration options to enable various security settings within the web user interface, such as limiting communications to HTTPS, enforcing session timeouts, highly configurable permissions and access controls; and lastly the support for external authentication against LDAP and Active Directory systems with capability to use secure SSL/TLS transport security, while applying Active Directory controls for account lockout and password complexity.”

Virtual Security Research, LLC (VSR)

Penetration Testing Attestation Letter, Annex C

Executive Summary

Cybersecurity cannot be an afterthought. With every new vulnerability announcement, a device thought secure yesterday can be compromised tomorrow. The only reliable and sustainable solution is to have a program that designs security into the product and maintains it throughout the product lifecycle. That is what we strive to achieve at Tyco Security Products.

VideoEdge Network Video Recorders (NVRs) have received special attention from the Tyco Security Products’ Product Security Team. VideoEdge NVRs have been incorporated into installations ranging from a few cameras at small retail stores to hundreds of cameras securing our nation’s critical infrastructure sites. With its customized Linux operating system, American Dynamics is able to secure the entire appliance and add custom security features to enhance its overall performance.

Some of the features included in VideoEdge NVRs to help prevent a cybersecurity attack:

Access control features to comply with most security policies

Ability to change default ports and disable remote access protocols

Digital certificate support to authenticate the device

Customized operating system to ensure only required components are present

Encrypted communication between the NVR and victor Client

Additionally, to help detect and recover from an attack, the VideoEdge NVR also supports:

Failover and backup capabilities for robustness and quick recovery

Auditing and configurable real time alerts

Camera tamper detection

To validate these features and ensure the VideoEdge NVR does not contain any security vulnerabilities, the VideoEdge NVR undergoes internal vulnerability testing as part of the overall secure development process. Furthermore, the NVR has undergone penetration testing from an independent lab. With some simple hardening steps described in this document, the lab attests that they were unable to:

Exploit the VideoEdge NVR, even with direct access to the network

Gain access to an intentionally vulnerable camera on the camera LAN

In its many forms, the VideoEdge NVR offers a secure platform that can be customized to meet the security policies of almost any installation with a dedicated support team to address vulnerabilities and other security issues as they arise. This document serves to answer cybersecurity questions and identify the many security features VideoEdge NVRs offer. However, if questions or issues do arise, please contact your American Dynamics representative or myself.

William L Brown Jr. / Sr. Engineering Manager / Regulatory and Product Security / [email protected]

Contents

VideoEdge Network Video Recorders (NVRs)
  Introduction
  Network Architecture
Risk Assessment
  Introduction
  Impact Levels
  Information Types
Robustness
  Backup / Restore
  Failover
  Recovery / Factory Reset
Access Control
  Linux User Accounts
  Separation of Responsibilities
  NVR Administration Roles
  VideoEdge Local Client Roles
  Enhanced Password Validation
  Locking User Accounts
  Automatic Logout
  Advanced Access Control
  Remote Access Control
  System Use Banner
Ports
  Port Map
  Port Selection
Device Authentication and Certificates
  Digital Certificate Support
  Encryption Ciphers
Operating System
  SUSE Enterprise Linux
  Updates
System and Communication Protection
  OpenSSL
  Configurable HTTP and HTTPS support
Cameras
  Network Protection
  Tamper Detection
Auditing and Alerts
  Enhanced Security Logging, Audit Trail, and Email Alerts
  Alerts
Security Approvals and Certifications
  FISMA
Internal Vulnerability Testing
  Overview and Process
  Reporting
  Findings Summary
Third Party Penetration Testing
  Overview
  Key Findings:
ANNEX A – Tyco Security Products Product Security Program
  Product Security Team
  Cybersecurity Mission
  Secure Development Life Cycle
  Cyber-Response Team
  For More Information / Point of Contact
ANNEX B – Internal Vulnerability Test Report
  1. Executive Summary
  2. Discovered Systems
  3. Discovered and Potential Vulnerabilities
  3.1. Critical Vulnerabilities
  3.2. Severe Vulnerabilities
  3.3. Moderate Vulnerabilities
ANNEX C – Third Party Penetration Letter
APPENDIX – Resources and References
  External Resources
  Tyco Documents
  Laws and Regulations
  OMB Circulars
  FIPS Publications
  NIST Publications

VideoEdge Network Video Recorders (NVRs)

Introduction

One of the fastest and most powerful NVRs in the industry, VideoEdge is available with a full range of intuitive clients to manage surveillance in very active environments, onsite and remotely. Scalable from a single NVR to a large, multi-site architecture, users can easily deploy any number of cameras, adding licenses at any time. Built-in intelligence allows users to receive multiple video streams for live, record, alarm, and meta-data collection, all tailored to viewing conditions. The end result is superior video with significantly reduced network bandwidth, CPU resources, and memory usage. Multicast video streams further reduce the bandwidth required for streaming high-quality video.

Using the victor Client with VideoEdge NVRs allows the operator to leverage high-performance video streaming, audio, motion meta-data and an expansive feature set. Visit the victor web page for more information on the power of the victor solution.

Network Architecture

Risk Assessment

Introduction

The intent of this risk assessment is to help identify the information on the VideoEdge NVR and help assess the risk to the organization if that information is compromised by a malicious party. This assessment may assist in identifying the security controls and features necessary to protect that information.

For a system required to comply with the Federal Information System Modernization Act (FISMA), an assessment is done as part of a FIPS-199 Categorization necessary for the System Owner and Authorizing Official to determine the system’s ability to host components and data at that category.

Impact Levels

Impact levels are determined for each information type based on the security objectives: confidentiality, integrity, availability.

Confidentiality - “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542]

Integrity - “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542]

Availability - “Ensuring timely and reliable access to and use of information…” [44 U.S.C., Sec. 3542]

The potential impact is LOW if:

− The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets or individuals.

The potential impact is MODERATE if:

− The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets or individuals.

The potential impact is HIGH if:

− The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets or individuals.

Information Types

The scope of a FIPS-199 Categorization includes information type categories as defined in the NIST Special Publication 800-60 Volume 2 Revision 1. The information types identified on the VideoEdge NVR are as follows:

C.3.5.5 Information Security Information Type

Information included on the device about the system itself including policies and controls, identification, authentication and network information.

NIST SP 800-60 Recommended Impact Level

| Confidentiality | Integrity | Availability |
| --- | --- | --- |
| Low | Moderate | Low |

For VideoEdge NVRs, this may include:

IP addresses and locations of devices

Port and interface settings

Certificates

Device names

Protocols

Licenses

User credentials

Remote access settings

Authentication schemes

C.3.5.8 System and Network Monitoring Information Type

Information included on the device that helps determine the performance and status of the system or network.

NIST SP 800-60 Recommended Impact Level

| Confidentiality | Integrity | Availability |
| --- | --- | --- |
| Moderate | Moderate | Low |

For VideoEdge NVRs, this may include:

Camera status

NVR status

Alarms

User status

System statistics

System logs

Audit logs

Camera logs

Storage statistics

System backup file

Active victor Clients

C.3.1.3 Security Management Information Type

Information available on the device related to the security of an organization’s personnel, assets, and facilities.

NIST SP 800-60 Recommended Impact Level

| Confidentiality | Integrity | Availability |
| --- | --- | --- |
| Moderate | Moderate | Low |

For VideoEdge NVRs, this may include:

NVR location

Identities of security personnel and corresponding facial image data

Active victor Clients

Stored video

Number and location of cameras

Alarm configuration

Camera scheduling

Camera connection statistics

D.16.2 Criminal Investigation and Surveillance Information Type

This describes information available on the device that may be used as evidence for determining responsibility of a crime.

NIST SP 800-60 Recommended Impact Level

| Confidentiality | Integrity | Availability |
| --- | --- | --- |
| Moderate | Moderate | Moderate |

For VideoEdge NVRs, this may include:

Recorded video

Analytics metadata

System logs and audit data

Camera connection statistics

D.16.5 Property Protection Information Type

Information related to the protection of the physical property.

NIST SP 800-60 Recommended Impact Level

| Confidentiality | Integrity | Availability |
| --- | --- | --- |
| Low | Low | Low |

For VideoEdge NVRs, this may include:

Alarm configuration

Camera scheduling

Number and location of cameras

NVR location

Robustness

Backup / Restore

In the event of a system failure, recovery of the NVR server’s configuration data is possible via a system backup file stored to a USB or local disk. The backup file can be imported to the NVR to restore the saved configuration.

The following settings can be saved:

1. Device Settings

2. System Settings

3. User Information

4. DHCP Settings

5. NTP Settings

6. Failover Settings

7. VideoEdge Client Settings

8. Discovery Settings

9. System Security Settings

10. Network Interface Settings

11. victor Web Settings

While Operating System (OS) settings cannot be stored in the configuration backup file, the system will automatically export a text file containing the OS settings. The text file can be used as reference for manually configuring the OS settings.

Failover

A VideoEdge NVR can act as a failover NVR or secondary NVR. When configured as a secondary NVR, it will monitor the other VideoEdge NVRs on the network that have been added to its server monitoring list.

The secondary VideoEdge NVR will continuously monitor all primary NVRs. In the event that a primary NVR fails, the secondary NVR will detect the failure after approximately 30 seconds and will begin assuming the role of the primary NVR.

Recovery / Factory Reset

VideoEdge provides multiple options for resetting the NVR to its initial factory conditions, some while maintaining recorded media.

Access Control

Linux User Accounts

Linux is a general-purpose operating system that has several user accounts with well-known default passwords. The VideoEdge operating system contains only those accounts necessary for operation. VideoEdge allows the system administrator account (known as “root” in Linux) password to be changed.

Separation of Responsibilities

The VideoEdge server separates roles based on responsibilities such as operator access, general system configuration, software installation, access to PTZ and clip export features.

NVR Administration Roles

admin - Allows viewing and editing of the VideoEdge Administration Interface and full functionality of the VideoEdge Client.

operator - Allows viewing of the VideoEdge Administration Interface and full functionality of the VideoEdge Client.

softwareadmin - Allows access to the software update page only. This credential is used solely for carrying out software updates and installing camera handler packs.

support - The support user role is solely for the use of American Dynamics Technical Support. The password for this account is unique to each NVR and is derived by American Dynamics Technical Support from the platform's support ID. The password cannot be changed. However, remote access can be prevented by disabling the SSH remote access.

VideoEdge Local Client Roles

viewer1 - Allows full functionality of the VideoEdge Client. Unable to view or edit the VideoEdge Administration Interface.

viewer2 - Allows full functionality of the VideoEdge Client with exception of Analog (Real) PTZ. Unable to view or edit the VideoEdge Administration Interface.

viewer3 - Allows full functionality of the VideoEdge Client with exception of Analog (Real) and Digital PTZ, Still Image Capture and Clip Export. Unable to view or edit the VideoEdge Administration Interface.

Enhanced Password Validation

VideoEdge NVRs ship with preset passwords on all accounts. When activated, the VideoEdge Administrator Interface advises users that these passwords should be changed. The enhanced password validation feature enforces restrictions when setting or changing passwords:

Passwords must be different than the previous three passwords

Passwords must differ from the previous password by a minimum of three characters

Passwords must be a minimum of seven characters long and must contain a mixture of upper and lower case letters, numbers, and special characters
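The three rules above, written out as a checker. This is an added example, not VideoEdge code: it assumes that "differ by a minimum of three characters" means an edit distance of at least three and that the history holds the last three passwords (current one included) as salted PBKDF2 hashes; all function names and sample passwords are hypothetical.

```python
import hashlib
import hmac
import os
import string

# Limits taken from the policy text above.
MIN_LENGTH = 7
HISTORY_DEPTH = 3
MIN_CHANGED_CHARS = 3
# Assumption: PBKDF2-HMAC-SHA256 for the stored history; the page does not
# say how VideoEdge stores previous passwords.
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) so that the history never holds cleartext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def matches(password, record):
    """Constant-time comparison of a candidate against one history record."""
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def edit_distance(a, b):
    """Levenshtein distance (assumed meaning of 'differ by N characters')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_new_password(new, current, history):
    """Return the list of violated rules; an empty list means accepted.

    new      -- candidate password
    current  -- password being replaced, typed by the user at change time
    history  -- (salt, digest) records, oldest first, current one included
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too_short")
    classes = {
        "upper": any(c.isupper() for c in new),
        "lower": any(c.islower() for c in new),
        "digit": any(c.isdigit() for c in new),
        "special": any(c in string.punctuation for c in new),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing_classes:" + ",".join(missing))
    # The similarity rule needs the old cleartext, which is only available
    # while the user is changing the password; it cannot be run on hashes.
    if edit_distance(new, current) < MIN_CHANGED_CHARS:
        problems.append("too_similar")
    if any(matches(new, rec) for rec in history[-HISTORY_DEPTH:]):
        problems.append("reused")
    return problems


# Constructed sample data, not real credentials.
SAMPLE_CURRENT = "Summer#2015"
SAMPLE_HISTORY = [
    hash_password(p) for p in ("Winter#2013", "Spring#2014", SAMPLE_CURRENT)
]

if __name__ == "__main__":
    for candidate in ("Summer#2016", "Winter#2013", "abc", "Autumn!2015x"):
        print(candidate, check_new_password(candidate, SAMPLE_CURRENT, SAMPLE_HISTORY))
```
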

Locking User Accounts

User accounts for VideoEdge Administrator Interface and VideoEdge Client may be set to permanently or temporarily lock after a configurable number of invalid login attempts.

Accounts may also be set to automatically lock if not used within a set period of time, e.g., to ensure ex-employee accounts are disabled. When login is attempted after this time period, the account is locked and may only be unlocked by an administrator.

Permanent and temporary account lockouts are capable of generating an email alert.
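The lockout rules above as a small state machine replayed over constructed login events. This is an added example, not VideoEdge code: the thresholds, the account name, the alert tuples (standing in for email alerts) and restarting the idle clock on administrator unlock are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    # All three values are configurable on the NVR; these defaults are assumed.
    max_failures: int = 3
    temporary_lock: Optional[timedelta] = timedelta(minutes=15)  # None = permanent
    max_idle: Optional[timedelta] = timedelta(days=90)  # None = no idle lock


@dataclass
class Account:
    name: str
    last_success: datetime
    failures: int = 0
    locked_until: Optional[datetime] = None  # set by a temporary lock
    admin_locked: bool = False  # cleared only by admin_unlock()


def attempt_login(acct, password_ok, now, policy, alerts):
    """Apply one login attempt and return 'granted', 'denied' or 'locked'."""
    if acct.admin_locked:
        return "locked"
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        acct.locked_until = None  # temporary lock has expired
        acct.failures = 0
    # The idle rule is evaluated at login time and beats a correct password.
    if policy.max_idle is not None and now - acct.last_success > policy.max_idle:
        acct.admin_locked = True
        return "locked"
    if password_ok:
        acct.failures = 0
        acct.last_success = now
        return "granted"
    acct.failures += 1
    if acct.failures < policy.max_failures:
        return "denied"
    if policy.temporary_lock is None:
        acct.admin_locked = True
        alerts.append((acct.name, "permanent_lock", now))
    else:
        acct.locked_until = now + policy.temporary_lock
        alerts.append((acct.name, "temporary_lock", now))
    return "locked"


def admin_unlock(acct, now):
    """Administrator action; restarting the idle clock is an assumption."""
    acct.admin_locked = False
    acct.locked_until = None
    acct.failures = 0
    acct.last_success = now


def replay(events, policy, start):
    """Run constructed (minutes_from_start, password_ok) events for one account."""
    acct = Account(name="guard1", last_success=start)  # constructed account name
    alerts = []
    outcomes = [
        attempt_login(acct, ok, start + timedelta(minutes=m), policy, alerts)
        for m, ok in events
    ]
    return outcomes, alerts, acct


if __name__ == "__main__":
    start = datetime(2015, 5, 1, 9, 0)
    events = [(1, False), (2, False), (3, False), (5, True), (20, True)]
    print(replay(events, LockoutPolicy(), start)[0])
```
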

Administrator View of Users

Automatic Logout

VideoEdge Administrator Interface user accounts can be configured to automatically log out the user after a configurable period of inactivity (between 5 and 60 minutes).

Advanced Access Control

LDAP (Lightweight Directory Access Protocol) is a centralized way of managing user groups and accounts and security permissions. LDAP allows an organization to enforce permissions and access policies across all computers on a network, and to provide centralized backup of account information. Granting or revoking a user or group access to IT assets can be more easily accomplished if permissions are stored centrally. For example, if a guard is relocated from one prison to another, a simple LDAP account edit will immediately revoke his access to the NVRs in the old prison and reassign access to the new ones.

The Solution is designed to seamlessly integrate with existing Domain security capabilities, including LDAP-based domain controllers. It supports:

Use of an X.509 certificate for communication via TLS

Query, Base, and Administrator distinguished names (DN)

VideoEdge NVRs:

LDAP authentication and authorization for admin GUI

OpenLDAP and Microsoft Active Directory

Secure connections using TLS

victor Client:

LDAP authentication and authorization

OpenLDAP and Microsoft Active Directory

Secure connections using TLS

Remote Access Control

VideoEdge systems support SNMP, SSH, VNC, and XRDP protocols, which can be enabled or disabled at configuration.

Remote web access to the VideoEdge Administration Interface can be restricted or deactivated. The configuration allows external web and mobile device access to be disabled and concurrent web sessions to be restricted.

System Use Banner

The System Use Banner can be configured to display an approved system use notification message or banner before the user logs on to the system either locally or remotely. It also can be used to provide privacy and security notices consistent with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance.

Ports

Port Map

The RTSP (port 554) and RTP/RTCP video data is not encrypted. Encryption of video requires processing power and time that would seriously impact system performance and video quality. By default, the video stream is only accessible to authenticated devices. However, if additional security is required, the video transmission may be secured using SSH tunneling, but this also would impact performance.

Port Selection

The HTTP, HTTPS, RTSP, and SNMP ports may be changed from their default values.

Device Authentication and Certificates

Digital Certificate Support

HTTPS encrypts web traffic but does not verify the identity of the remote host without a properly configured digital certificate. VideoEdge NVRs allow you to create a certificate that is tailored to the individual NVR so that its identity can be verified by your web browser or victor Client. The certificate can be self-signed, or for more security-conscious customers, it can be signed by a trusted certificate authority such as Thawte or Verisign. VideoEdge certificates use 2048-bit keys.

victor Client can use the digital certificate feature in VideoEdge to ensure that communications are secure and to verify the identity of recorders added to victor Client.

Encryption Ciphers

When HTTPS is enabled, web GUI commands are transferred using TLS (Transport Layer Security) with AES 256-bit encryption. Data is transferred using SSL (Secure Socket Layer) with AES 256-bit encryption.

The minimum supported encryption key strength in VideoEdge NVRs is 128 bits.

Export ciphers are disabled by default.

RC4 cipher may be disabled.

Operating System

SUSE Enterprise Linux

VideoEdge is an embedded video server appliance built upon the SUSE Linux Enterprise Server (SLES). SLES is supported by Novell and the Linux development community that quickly respond to vulnerabilities through upgrades and patches.

The distribution used in VideoEdge NVRs is a customized JeOS (Just Enough Operating System) tailored to contain only the components and services needed for operation. The number of vulnerabilities is reduced as more unnecessary components are removed.

Updates

Software updates, patches and updated camera handler packs can be applied to the NVR manually or by using the Push Update feature of victor Unified Client.

System and Communication Protection

OpenSSL

The VideoEdge operating system uses the industry-standard OpenSSL platform to provide SSL connections for communications such as SSH, HTTPS, and TLS LDAP sessions.

Configurable HTTP and HTTPS support

VideoEdge systems may be configured to disable HTTP access to ensure that only encrypted web sessions can be used. Changing the HTTP and HTTPS ports improves the system security because unsophisticated attackers are likely to try the default ports.

Cameras

Network Protection

A VideoEdge NVR has multiple network interface controllers (NICs). This allows the cameras to be installed on a separate network using the NVR as a firewall to protect potentially vulnerable cameras from external attack. The NICs are both physically and logically separated by default and can only be bridged by a Linux administrator. This isolation allows the NVR to protect vulnerable cameras on the camera LAN. This protection was validated through third party penetration testing (see Annex B).

Tamper Detection

To help determine if and when a camera has been tampered with, the NVR automatically performs an image detection test on every camera to determine if a camera has gone dark or is broadcasting black video. It can also send alerts when a camera reboots or goes offline.

Auditing and Alerts

Enhanced Security Logging, Audit Trail, and Email Alerts

Logs track general system operation and are useful for troubleshooting and incident investigation. The VideoEdge system generates a number of different log files to track areas such as general system operation, web server operation, web server errors, and Network Time Protocol (NTP) operation. These logs are useful in monitoring the general operation of the Linux system. The VideoEdge system also generates a number of application-specific log files to aid in diagnosing areas such as camera communication and video playback events. Log backup to an external server is supported.

Audit trails keep track of system configuration operations including the configuration of information security controls. This aspect of the VideoEdge system is being continually improved. An audit log interrogation tool is provided as part of the VideoEdge Administrator Interface. This allows audit events to be queried by severity and searched using a text filter.

Alerts

Alerts can be generated via email and victor Client under various configurable categories. Email alerts can use authenticated SMTP servers (including Microsoft Exchange) and can encrypt emails using SSL or TLS. These alerts can be configured to assist or expand the capabilities of existing security policies including video data retention, camera malfunction, and user access control.

Security Approvals and Certifications

FISMA

A VideoEdge system includes technical controls necessary to support overall FISMA compliance. These controls include:

Authenticated system access

Account login/logout management

Role-based separation of capabilities, permissions, and privileges

System event and configuration change auditing, alerting, and management

Restriction of ports, protocols, and services to only those required to support VideoEdge functionality

For more information, see the VideoEdge FISMA-Ready white paper.

Internal Vulnerability Testing

Overview and Process

Vulnerability testing is performed on all versions of VideoEdge NVRs prior to release. The system is tested in multiple configurations with credentialed and non-credentialed scans. Additional penetration testing and exploit efforts based on those vulnerabilities are also performed.

Before a release is approved, all vulnerabilities classified as critical or severe must be resolved. The resolution may be dependent upon the installation. For example, vulnerabilities often are found due to the configuration of the operating system. When this occurs, the resolution is to provide configuration guidance.

Reporting

This document includes some of the results from the internal assessment for the VideoEdge system. The included report presents the results of a non-credentialed vulnerability scan, which best indicate how the system may be vulnerable to a network-level attack with limited device hardening.

Findings Summary

The following vulnerabilities may be seen during a vulnerability scan of a VideoEdge NVR. Each of these may be mitigated through configuration.

Simple Network Management Protocol (SNMP)

SNMP governs network management and monitors network devices. It is used on the VideoEdge NVR to monitor the NVR’s status for victor Client health monitoring and failover functionality. The default credentials used to access the SNMP information on the NVR are common and may be guessed, but the SNMP service has been configured to be read only, and the information cannot be altered. However, if further mitigation is required, SNMP may be disabled through the Security Configuration menu.

Virtual Network Computing (VNC)

VNC is a desktop sharing system. Its primary purpose on the VideoEdge NVR is remote access by the American Dynamics technical support team. To prevent unauthorized access, VNC may be disabled through the Security Configuration menu.

Certificate Vulnerabilities

There are many vulnerabilities related to the certificate that may be discovered, especially if using the self-signed certificate. Most of these vulnerabilities may be acceptable in most applications. However, if additional security is required, then a certificate from a trusted certificate authority may be used.

SSLv3 (POODLE)

POODLE is a vulnerability that takes advantage of weak encryption ciphers used in SSL version 3 (SSLv3). It allows an attacker capable of performing a man-in-the-middle-style attack to force the use of the weaker ciphers and eventually view and alter data between the client and server devices. The only solution is to disallow the use of SSL and force communication through the more secure TLS protocol. Instructions to resolve this vulnerability are available in the VideoEdge Security User Guide.

RC4 Cipher Algorithm

The RC4 cipher algorithm has known vulnerabilities and can be compromised. VideoEdge NVRs do possess the RC4 cipher algorithm. The procedure to disable the algorithm is available in the VideoEdge Security User Guide.

Secure Cookie Flag

A secure cookie flag forces communication through HTTPS. VideoEdge NVRs do not force the use of this flag by default. The procedure to enable the secure cookie flag is available in the VideoEdge Security User Guide.

TCP Timestamp

A TCP timestamp response can be used to approximate the device’s uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps. To disable the TCP timestamp in VideoEdge NVRs, open a terminal, log in as root, and enter the following command:

sysctl -w net.ipv4.tcp_timestamps=0

Third Party Penetration Testing

Overview

American Dynamics has engaged a third-party security firm to perform penetration testing on the VideoEdge NVR (version 4.6). The scope and findings of this testing are included in Annex C.

Key Findings:

1) The NVR was able to protect an intentionally vulnerable camera placed on the camera LAN from network activity performed on the external LAN. The testers were unable to access the camera from the external LAN.

2) With all of its security controls enabled, critical and high vulnerabilities are mitigated.

The test system configuration:

1) Disable SSLv3

2) Disable external web UI

3) Remote access protocols disabled

4) Change CouchDB credentials

5) Change root default password

6) Activate self-signed certificate

7) Enable secure cookie

8) Disable Apache RC4 ciphers

The procedure for each can be found in the VideoEdge Security User Guide.
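
Item 7 above, like the Secure Cookie Flag finding earlier, can be verified from the web interface's response headers. The following Python check is an added example, not taken from the VideoEdge documentation; the response head and the cookie names in it are constructed.

```python
from email.parser import Parser
from http.cookies import SimpleCookie

# Constructed response head (cookie names and values are illustrative only).
SAMPLE_RESPONSE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: SESSIONID=4f1c2a; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "Set-Cookie: csrftoken=9b7e; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def set_cookie_headers(response_head):
    """Return every Set-Cookie header value from a raw HTTP response head."""
    text = response_head.replace("\r\n", "\n")
    # Drop the status line; the rest parses as RFC 822 style headers.
    _status_line, _, header_block = text.partition("\n")
    message = Parser().parsestr(header_block, headersonly=True)
    return message.get_all("Set-Cookie", [])


def secure_flag_report(response_head):
    """Map each cookie name to True if it carries the Secure attribute."""
    report = {}
    for value in set_cookie_headers(response_head):
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            report[name] = bool(morsel["secure"])
    return report


def cookies_missing_secure(response_head):
    """Names of cookies a browser may also send over unencrypted HTTP."""
    report = secure_flag_report(response_head)
    return sorted(name for name, has_secure in report.items() if not has_secure)


if __name__ == "__main__":
    for name in cookies_missing_secure(SAMPLE_RESPONSE_HEAD):
        print("Secure flag missing on cookie:", name)
```
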

ANNEX A – Tyco Security Products Product Security Program

Product Security Team

The Tyco Security Products’ Product Security Team is responsible for the physical and cyber security and government approvals of American Dynamics and Software House products. Responsibilities include product security assessment, creation and support of documentation, training, and support of government approvals including FISMA, NERC, and CPNI.

Cybersecurity Mission

As there is more to cybersecurity than the device alone, the Product Security Team has adopted multiple mission statements.

Product Mission Statement:

Provide unified cybersecurity solutions within our physical security solutions that contain the latest, time-tested technology complementary to the capabilities of our clients and supported for the life of the solution.

Service Mission Statement:

Provide the dedication and accountability necessary for the ever-changing field of cybersecurity, provide the documentation and training necessary for our integrators to succeed, and as new threats arise and new vulnerabilities are found, continue to provide sound resolutions and timely responses.

Secure Development Life Cycle

The security team is involved at every level of the VideoEdge development life cycle:

Requirements

Security requirements and controls are provided by the security team during the early product definitions phase and are included in the engineering design specifications.

Design

The security team works with the development team to validate the design of security features.

Development

Source code is strictly controlled and monitored. Automated tools are used to evaluate the vulnerability of open source software. Vulnerability testing is also performed during this time. When found, vulnerabilities are logged into the bug tracking system. Security bugs are assessed by the security team, and solutions can only be accepted when validated by the security team.

Testing

Regular vulnerability testing is performed throughout the development process by the security and development teams. When a representative build is available, the team also performs in-depth vulnerability and penetration testing.

Deployment

Deployment cannot be approved until after the security assessment. After deployment, the security team performs regular testing to ensure that no updates or configurations generate vulnerabilities.

Cyber-Response Team

An installation cannot rely solely on device hardening. Any device that is secure today may be vulnerable tomorrow pending the announcement of a new vulnerability. Tyco Security Products’ Cyber Response Team quickly responds to these announcements. The team comprises security, development, and quality assurance engineers who are the most knowledgeable about specific product lines. While team members also have other responsibilities, their highest priority is to address critical security issues. By having dedicated and knowledgeable engineers, the team is often able to generate a cybersecurity advisory the same day a new vulnerability is announced. Patches for critical vulnerabilities such as Heartbleed and Shellshock have been developed, tested, and released in as little as two weeks.

For More Information / Point of Contact

For more information about the Cybersecurity Program, security features, or assistance with secure installation, contact:

William L. Brown Jr., Sr. Engineering Manager - Regulatory and Product Security

[email protected]

ANNEX B – Internal Vulnerability Test Report

1. Executive Summary

This report represents a security audit performed by Nexpose from Rapid7 LLC.

Target: VideoEdge NVR version 4.6

Configuration:

Credentials: None

SNMP: disabled

VNC: disabled

Certificate: self-signed

SSLv3: disabled

There were three vulnerabilities found during this scan.

No critical vulnerabilities were found. Critical vulnerabilities require immediate attention. They are relatively easy for attackers to exploit and may provide them with full control of the affected systems.

One vulnerability was severe. Severe vulnerabilities are often harder to exploit and may not provide the same access to affected systems.

There were two moderate vulnerabilities discovered. These often provide information to attackers that may assist them in mounting subsequent attacks on your network. These should also be fixed in a timely manner, but are not as urgent as the other vulnerabilities.

There was one occurrence each of the ssl-self-signed-certificate, tls-server-cert-sig-alg-sha1 and generic-tcp-timestamp vulnerabilities, making them the most common vulnerabilities. There were three vulnerabilities in the Network category, making it the most common vulnerability category.

The ssl-self-signed-certificate vulnerability poses the highest risk to the organization with a risk score of 246. Risk scores are based on the types and numbers of vulnerabilities on affected assets.

One operating system was identified during this scan.

There were 3 services found to be running during this scan.

The HTTP, HTTPS and rtsp (Real Time Stream Control Protocol) services were found on one system, making them the most common services.

2. Discovered Systems

Node      Operating System  Risk  Aliases
<TARGET>  Linux 2.6.32      464   VideoEdge NVR

3. Discovered and Potential Vulnerabilities

3.1. Critical Vulnerabilities

No critical vulnerabilities were reported.

3.2. Severe Vulnerabilities

3.2.1. Self-signed TLS/SSL certificate (ssl-self-signed-certificate)

Description:

The server's TLS/SSL certificate is self-signed. Self-signed certificates cannot be trusted by default, especially because TLS/SSL man-in-the-middle attacks typically use self-signed certificates to eavesdrop on TLS/SSL connections.

Affected Nodes:

Affected Nodes  Additional Information
<TARGET>:443    TLS/SSL certificate is self-signed.

References:

None

Vulnerability Solution:

Obtain a TLS/SSL digital certificate from a Certificate Authority (i.e., not self-signed) and install it on the server. The exact instructions for obtaining a new certificate depend on your organization's requirements. Generally, you will need to generate a certificate request and save the request as a file. This file is then sent to a Certificate Authority (CA) for processing. Your organization may have its own internal Certificate Authority. If not, you may have to obtain a certificate from a trusted external Certificate Authority, such as Thawte or Verisign.

3.3. Moderate Vulnerabilities

3.3.1. SHA-1-based Signature in TLS/SSL Server X.509 Certificate (tls-server-cert-sig-alg-sha1)

Description:

The SHA-1 hashing algorithm has known weaknesses that expose it to collision attacks, which may allow an attacker to generate additional X.509 digital certificates with the same signature as an original.

Affected Nodes:

Affected Nodes  Additional Information
<TARGET>:443    SSL certificate is signed with SHA1withRSA

References:

Source  Reference
URL     https://technet.microsoft.com/en-us/library/security/2880823.aspx
URL     https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
URL     http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html
URL     https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

Vulnerability Solution:

When obtaining a new certificate, ensure that it uses a SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256) hash function. Additional guidance is available from public certificate providers.

3.3.2. TCP timestamp response (generic-tcp-timestamp)

Description:

The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps.

Affected Nodes:

Affected Nodes  Additional Information
<TARGET>        Apparent system boot time: Sun Nov 30 20:00:12 EST 2014

References:

Source  Reference
URL     http://uptime.netcraft.com
URL     http://www.forensicswiki.org/wiki/TCP_timestamps
URL     http://www.ietf.org/rfc/rfc1323.txt

Vulnerability Solution:

Disable TCP timestamp responses on Linux as follows:

Set the value of net.ipv4.tcp_timestamps to 0 by running the following command:

sysctl -w net.ipv4.tcp_timestamps=0
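
The sysctl -w command changes only the running kernel, so the setting returns to its default after a reboot unless it is also present in a sysctl configuration file. The Python check below is an added example (not part of the scan report or the VideoEdge documentation) that compares the runtime value with the persistent setting; the configuration text is constructed, and reading it from /etc/sysctl.conf is an assumption about where the appliance keeps it.

```python
from pathlib import Path

RUNTIME_PATH = Path("/proc/sys/net/ipv4/tcp_timestamps")
KEY = "net.ipv4.tcp_timestamps"

# Constructed sysctl configuration text (not taken from a VideoEdge NVR);
# on a real system this would be read from e.g. /etc/sysctl.conf (assumed path).
SAMPLE_CONF = """\
# Kernel sysctl configuration
net.ipv4.ip_forward = 0
; older comment style
net.ipv4.tcp_timestamps = 1
net/ipv4/tcp_syncookies=1
net.ipv4.tcp_timestamps=0
"""


def parse_sysctl_conf(text):
    """Parse 'key = value' lines; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # sysctl accepts '/' as well as '.' between key components.
        settings[key.strip().replace("/", ".")] = value.strip()
    return settings


def read_runtime_value(path=RUNTIME_PATH):
    """Return the running kernel's value, or None where /proc is unavailable."""
    try:
        return path.read_text().strip()
    except OSError:
        return None


def timestamp_status(conf_text, runtime_value):
    """Classify the mitigation from the config text and the runtime value."""
    persistent = parse_sysctl_conf(conf_text).get(KEY)
    if runtime_value is None:
        return "unknown"
    if runtime_value == "0":
        # Disabled now; survives a reboot only if the file also says 0.
        return "persistent" if persistent == "0" else "runtime-only"
    if persistent == "0":
        return "pending-reload"  # file is correct, kernel not yet updated
    return "enabled"


if __name__ == "__main__":
    print(timestamp_status(SAMPLE_CONF, read_runtime_value()))
```
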

4. Discovered Services

4.1. HTTP

HTTP, the HyperText Transfer Protocol, is used to exchange multimedia content on the World Wide Web. The multimedia files commonly used with HTTP include text, sound, images and video.

4.1.1. General Security Issues

Simple authentication scheme

Many HTTP servers use BASIC as their primary mechanism for user authentication. This is a very simple scheme that uses base 64 to encode the cleartext user id and password. If a malicious user is in a position to monitor HTTP traffic, user ids and passwords can be stolen by decoding the base 64 authentication data. To secure the authentication process, use HTTPS (HTTP over TLS/SSL) connections to transmit the authentication data.

4.1.2. Discovered Instances of this Service

Device    Protocol  Port  Vulnerabilities  Additional Information
<TARGET>  tcp       80    0                Apache HTTPD
                                           http.banner: Apache
                                           http.banner.server: Apache
<TARGET>  tcp       5984  0                CouchDB 1.5.0
                                           http.banner: CouchDB/1.5.0 (Erlang OTP/R16B03)
                                           http.banner.server: CouchDB/1.5.0 (Erlang OTP/R16B03)
                                           verbs-1: GET
                                           verbs-2: HEAD
                                           verbs-count: 2

4.2. HTTPS

HTTPS, the HyperText Transfer Protocol over TLS/SSL, is used to exchange multimedia content on the World Wide Web using encrypted (TLS/SSL) connections. Once the TLS/SSL connection is established, the standard HTTP protocol is used. The multimedia files commonly used with HTTP include text, sound, images and video.

4.2.1. Discovered Instances of this Service

Device    Protocol  Port  Vulnerabilities  Additional Information
<TARGET>  tcp       443   2                Apache HTTPD
                                           http.banner: Apache
                                           http.banner.server: Apache
                                           ssl: true
                                           ssl.cert.issuer.dn: CN=<TARGET>, C=US
                                           ssl.cert.key.alg.name: RSA
                                           ssl.cert.key.rsa.modulusBits: 2048
                                           ssl.cert.not.valid.after: Thu, 03 Dec 2015 13:05:12 EST
                                           ssl.cert.not.valid.before: Wed, 03 Dec 2014 13:05:12 EST
                                           ssl.cert.selfsigned: true
                                           ssl.cert.serial.number: 14911825832090137520
                                           ssl.cert.sig.alg.name: SHA1withRSA
                                           ssl.cert.subject.dn: CN=<TARGET>, C=US
                                           ssl.cert.validsignature: true
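
The certificate attributes listed for port 443 are enough to reproduce the two certificate findings in section 3. The Python sketch below is an added example, not Nexpose's logic and not part of the report: it parses the wrapped "key: value" lines and applies simple checks. The labels starting with "x-" and the 2048-bit threshold are assumptions of this example.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Attribute lines from section 4.2.1 above, kept with the report's line wrapping.
REPORT_ATTRS = """\
ssl: true
ssl.cert.issuer.dn: CN=<TARGET>,
C=US
ssl.cert.key.alg.name: RSA
ssl.cert.key.rsa.modulusBits: 2048
ssl.cert.not.valid.after: Thu, 03 Dec
2015 13:05:12 EST
ssl.cert.not.valid.before: Wed, 03 Dec
2014 13:05:12 EST
ssl.cert.selfsigned: true
ssl.cert.serial.number:
14911825832090137520
ssl.cert.sig.alg.name: SHA1withRSA
ssl.cert.subject.dn: CN=<TARGET>,
C=US
ssl.cert.validsignature: true
"""

KEY_LINE = re.compile(r"^([A-Za-z][\w.\-]*):\s*(.*)$")


def parse_attrs(text):
    """Parse 'key: value' lines; a line without a key continues the previous value."""
    attrs, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = KEY_LINE.match(line)
        if match:
            last = match.group(1)
            attrs[last] = match.group(2)
        elif last is not None:
            attrs[last] = (attrs[last] + " " + line).strip()
    return attrs


def audit_cert(attrs, as_of):
    """Return finding labels for the parsed attributes, evaluated at time as_of."""
    findings = []
    issuer = attrs.get("ssl.cert.issuer.dn")
    if attrs.get("ssl.cert.selfsigned") == "true" or (
            issuer and issuer == attrs.get("ssl.cert.subject.dn")):
        findings.append("ssl-self-signed-certificate")
    if attrs.get("ssl.cert.sig.alg.name", "").upper().startswith("SHA1"):
        findings.append("tls-server-cert-sig-alg-sha1")
    # Labels below are assumptions of this example, not Nexpose identifiers.
    bits = attrs.get("ssl.cert.key.rsa.modulusBits")
    if bits is not None and int(bits) < 2048:
        findings.append("x-rsa-key-under-2048")
    not_before = attrs.get("ssl.cert.not.valid.before")
    not_after = attrs.get("ssl.cert.not.valid.after")
    if not_before and as_of < parsedate_to_datetime(not_before):
        findings.append("x-cert-not-yet-valid")
    if not_after and as_of > parsedate_to_datetime(not_after):
        findings.append("x-cert-expired")
    return findings


if __name__ == "__main__":
    parsed = parse_attrs(REPORT_ATTRS)
    print(audit_cert(parsed, datetime(2015, 5, 1, tzinfo=timezone.utc)))
```

Because the certificate is valid for exactly one year, the same check run with a later date also reports the expiry, which a point-in-time scan cannot show.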

4.3. rtsp (Real Time Stream Control Protocol)

4.3.1. Discovered Instances of this Service

Device    Protocol  Port  Vulnerabilities  Additional Information
<TARGET>  tcp       554   0

5. Discovered Users and Groups

No user or group information was discovered during the scan.

6. Discovered Databases

No database information was discovered during the scan.

7. Discovered Files and Directories

No file or directory information was discovered during the scan.

8. Policy Evaluations

No policy evaluations were performed.

9. Spidered Web Sites

No web sites were spidered during the scan.

ANNEX C – Third Party Penetration Letter

APPENDIX – Resources and References

External Resources

https://www.suse.com/

http://www.rapid7.com/

https://www.openssl.org/

http://www.nist.gov/

Virtual Security Research, LLC

http://www.vsecurity.com/

Tyco Documents

The following documents are available in the Technical Library at www.AmericanDynamics.net

VideoEdge NVR Security User Guide

VideoEdge NVR Installation and User Guide

VideoEdge, victor, and C•CURE Port Map

FISMA-Ready: VideoEdge System

FISMA-Ready: victor System

FISMA-Ready: C•CURE 9000 System

The following documents are available upon request from [email protected]:

Cybersecurity Program Overview

Laws and Regulations

Federal Information Security Management Act of 2002

Federal Information System Modernization Act of 2014

Consolidated Appropriations Act of 2005, Section 522.

USA PATRIOT Act (P.L. 107-56), October 2001.

OMB Circulars

OMB Circular A-130, Management of Federal Information Resources, November 2000.

OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12—Policy for a Common Identification Standard for Federal Employees and Contractors, August 2005.

OMB Memorandum M-06-16, Protection of Sensitive Agency Information, June, 2006.

FIPS Publications

FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems

FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems

NIST Publications

NIST 800-18, Guide for Developing Security Plans for Information Technology Systems

NIST 800-26, Security Self-Assessment Guide for Information Technology Systems

NIST 800-30, Risk Management Guide for Information Technology Systems

NIST 800-34, Contingency Planning Guide for Information Technology Systems

NIST 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

NIST 800-47, Security Guide for Interconnecting Information Technology Systems

NIST 800-53 Rev3, Recommended Security Controls for Federal Information Systems and Organizations

NIST 800-53A Rev1, Guide for Assessing the Security Controls in Federal Information System and Organizations

NIST 800-60 Rev1, Guide for Mapping Types of Information and Information Systems to Security

NIST 800-63, Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology

NIST 800-64, Security Considerations in the Information System Development Life Cycle

Framework for Improving Critical Infrastructure Cybersecurity