Cybersecurity Recommendations
Change ONVIF Password
Older IP camera firmware does not automatically change the ONVIF password when
the system credentials are changed. Update the camera’s firmware to the latest
revision or manually change the ONVIF password.
Forward Only Ports You Need
Forward only the HTTP and TCP ports that are required. Do not forward a wide range
of port numbers to the device. Do not DMZ the device's IP address.
Do not forward any ports for individual cameras if they are all connected to a recorder
on site. Simply forward the NVR port.
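The following added example (not part of the original manual) audits a list of router port-forward rules against the three points above: no wide ranges, no DMZ host, and no direct forwards to cameras that sit behind a recorder. The rule format, IP addresses, and port numbers are constructed for illustration, and treating any multi-port range as "wide" is an assumption.

```python
# Added example: audit port-forward rules against the forwarding guidance.
# The rule format and all addresses/ports below are constructed, not vendor values.
from dataclasses import dataclass

MAX_RANGE = 1  # assumption: any multi-port range counts as "wide"; adjust to policy


@dataclass
class Forward:
    ext_start: int      # first external port
    ext_end: int        # last external port (equal to ext_start for one port)
    target_ip: str      # internal host that receives the traffic
    dmz: bool = False   # True if the router exposes the whole host (DMZ)


def audit(rules, nvr_ip, camera_ips):
    """Return (rule, finding) pairs for rules that break the guidance."""
    findings = []
    for r in rules:
        if r.dmz:
            # A DMZ host exposes every port, so no further checks are needed.
            findings.append((r, "DMZ host: every port on the device is exposed"))
            continue
        width = r.ext_end - r.ext_start + 1
        if width > MAX_RANGE:
            findings.append((r, f"wide range: {width} ports forwarded"))
        if nvr_ip is not None and r.target_ip in camera_ips:
            findings.append((r, "camera forwarded directly; forward the NVR port instead"))
    return findings


# Constructed sample configuration
NVR = "192.168.1.10"
CAMERAS = {"192.168.1.21", "192.168.1.22"}
SAMPLE = [
    Forward(8443, 8443, NVR),                 # single port to the recorder: fine
    Forward(8000, 9000, NVR),                 # wide range
    Forward(8081, 8081, "192.168.1.21"),      # individual camera behind the NVR
    Forward(0, 0, "192.168.1.22", dmz=True),  # whole host placed in the DMZ
]

if __name__ == "__main__":
    for rule, why in audit(SAMPLE, NVR, CAMERAS):
        print(f"{rule.target_ip}:{rule.ext_start}-{rule.ext_end}  {why}")
```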
Disable Auto-Login on SmartPSS
Disable the Auto-Login feature on SmartPSS installed on a computer that is used by
multiple people. Disabling auto-login prevents users without the appropriate
credentials from accessing the system.
Use a Different Username and Password for SmartPSS
Do not use a username/password combination that you have in use for other accounts,
including social media, bank account, or email, in case the account is compromised.
Use a different username and password for your security system to make it difficult for
an unauthorized user to gain access to the IP system.
Limit Features of Guest Accounts
Ensure that each user has rights only to the features and functions they need to
perform their job.
Disable Unnecessary Services and Choose Secure Modes
Turn off services that are not in use, such as SNMP, SMTP, and UPnP, to reduce the
risk of network compromise through unused services.
For services that remain enabled, it is recommended to use their secure modes,
including but not limited to the following services:
SNMP: Choose SNMP v3 and set up strong encryption passwords and authentication
passwords.
SMTP: Choose TLS to access a mailbox server.
FTP: Choose SFTP and use strong passwords.
AP hotspot: Choose WPA2-PSK encryption mode and use strong passwords.
Multicast
Multicast is used to share video streams between two recorders. Currently there are
no known issues involving Multicast. Deactivate this feature if not in use to enhance
network security.
Check the Log
The information stored in the network log file is limited due to the equipment’s limited
storage capacity. If saving log files is required, enable the network log function to
ensure that the critical logs are synchronized to the network log server.
Check the system log if you suspect that someone has gained unauthorized access to
the system. The system log shows the IP addresses used to log in to the system and
the devices accessed.
Physically Lock Down the Device
Physically protect the equipment, especially storage devices. For example,
place the equipment in a special computer room and cabinet, and implement access
control permission and key management to prevent unauthorized personnel from
accessing the equipment.