Applies to Models: WAVE 4.2 and Above
Summary:
Hanwha designs our software products to provide high levels of protection against external and internal cybersecurity threats. This document outlines the most common types of cybersecurity threats, the technologies and process methods we use to secure WAVE systems, and some proactive environmental approaches our customers can take to prevent the most common types of cyber threats.
What is a Cyber Attack?
A cyberattack is a malicious and deliberate attempt by an individual or organization to breach the information system of another individual or organization.
Why do people/organizations launch Cyber Attacks?
Individuals and organizations have different motivations for launching cyberattacks against vulnerable business systems. According to Cisco, often, cyberattacks are used for ransom, with 53% of cyberattacks resulting in damages of $500,000 or more. Cyberattacks are sometimes initiated as a form of “hacktivism” to disrupt normal business operations. In the IP Video world, cyberattacks are often executed to cover up criminal behavior that has been captured.
What are the common types of Cyber Attacks?
There are many different types of cyberattacks. Some of the most common types include:
Malware:
Malicious software that installs on computers through a vulnerability in an operating system or a piece of software.
- Malware could intercept user credentials and video streams, or cause the user’s WAVE System to function poorly by consuming or disrupting system and network resources.
Phishing (aka Social Engineering):
Phishing is a method of sending fraudulent communications, usually email, that mimic a reputable source in order to obtain login credentials.
- Phishing attacks could inadvertently cause WAVE System users to give their login credentials to nefarious actors. The WAVE Sync Secure Password Reset functionality ensures passwords can be reset and recovered quickly in such an instance.
Man-in-the-Middle Attack:
This attack occurs when the attackers insert themselves into the middle of communications between two parties to intercept sensitive data. Typically, this is accomplished by monitoring network traffic or using Malware.
- WAVE's secure communications capabilities - including OpenSSL connections, HTTPS communications, and encrypted video traffic - were engineered to address these attacks.
Distributed Denial of Service Attack (DDoS):
These attacks are designed to flood systems, servers, or networks with traffic to exhaust resources, effectively killing the system’s ability to perform normally.
- WAVE secure communications (SSL, HTTPS, Cloud Proxy, Secure Connections, and Encrypted Video) help to prevent DDoS attacks, and server health monitoring provides the ability for operators to diagnose DDoS attacks in real time.
SQL Injection:
SQL injection occurs when a malicious actor submits crafted input containing SQL code to a server backed by an SQL database, forcing the server to reveal information.
- WAVE utilizes the OWASP standard to prevent SQL injection attacks and employs additional obfuscation techniques.
Password Cracking:
In password-based attacks, hackers use software and brute force attacks to access secure accounts.
- WAVE has minimum password size and complexity standards, an invalid login timeout, and a secure password reset/recovery method for WAVE Sync Systems.
What are the Cyber Security Protections in WAVE?
The Wisenet WAVE VMS is continually improved to address the cybersecurity threats listed above by using a combination of secure technology and process measures outlined below.
User Rights Management
WAVE has advanced User Rights capabilities that allow Administrators to implement strict controls over what operators can accomplish in the system and which resources they can configure and interact with.
User Rights
- Single System Owner with Super User rights
- Customizable User Rights & Roles allow customizable access restrictions
Audit Trail
- All user actions are logged for review by system administrators
Video Overlay Watermark
- To deter the unauthorized or unwanted distribution of video recordings, it is possible to add a watermark to video playback. The watermark consists of the user login as a semi-transparent overlay repeated across the entire image. When enabled, viewing and exporting video without the watermark for any user except an Administrator or Owner is impossible.
Limit session duration
- Client connections can be limited to a specified duration to ensure remote connections are not left open for long periods. In addition, session durations ensure that workstations are not left logged in when they should not be showing critical data, such as after shifts, etc.
Password Protections
WAVE requires a minimum level of security when creating passwords.
Password Security
- Minimum password length and complexity during account creation
- Secure password reset via WAVE Sync
- Complex Multi-Level Salted/Hash password storage
- Must not match any of the 1000 most popular passwords (updated with each release)
User Enumeration Detection
- WAVE Server and Sync applications detect and prevent user enumeration (brute force attacks, guess and confirm attacks) through timeouts.
Integration with LDAP
- Integration with LDAP enables centralized management and reset of credentials by IT administrators.
Two Factor Authentication (2FA)
- WAVE Sync Cloud-connected systems can utilize 2-factor authentication for more secure access. 2FA provides an extra layer of identity protection in case of a leaked password, validating access to an authenticator app on a previously configured device.
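The password protections listed above (minimum length and complexity, a deny-list of popular passwords, salted iterated hashing, and an invalid-login timeout that also blunts user enumeration) combined in one small policy module. This is an added illustration, not WAVE's own code: the numeric thresholds, the PBKDF2-HMAC-SHA256 choice, and the five-entry deny-list are assumptions standing in for values the page does not state.

```python
import hashlib
import hmac
import os
import time

# Constructed five-entry stand-in for the "1000 most popular passwords" list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin123"}
MIN_LENGTH = 8          # assumed minimum length (page gives no number)
LOCKOUT_ATTEMPTS = 5    # assumed failed-attempt threshold
LOCKOUT_SECONDS = 300   # assumed invalid-login timeout window

def password_policy_errors(pw):
    """Return the list of policy violations for a candidate password ([] = OK)."""
    errors = []
    if len(pw) < MIN_LENGTH:
        errors.append("too short")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    if sum(classes) < 3:
        errors.append("needs 3 of 4 character classes")
    if pw.lower() in COMMON_PASSWORDS:
        errors.append("matches a commonly used password")
    return errors

def hash_password(pw, salt=None):
    """Salted, iterated hash; PBKDF2-HMAC-SHA256 is this example's assumption."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class LoginGuard:
    """Verifies logins, counts failures per account and enforces a lockout."""
    def __init__(self, users, now=time.time):
        self.users = users        # username -> (salt, digest)
        self.failures = {}        # username -> (count, first_failure_time)
        self.now = now            # injectable clock for testing

    def attempt(self, username, pw):
        count, since = self.failures.get(username, (0, 0.0))
        if count >= LOCKOUT_ATTEMPTS:
            if self.now() - since < LOCKOUT_SECONDS:
                return "locked"
            count, since = 0, 0.0  # timeout expired; start counting afresh
        # Hash even for unknown accounts so response time and message do not
        # reveal whether the username exists (guess-and-confirm resistance).
        salt, digest = self.users.get(username, (b"\0" * 16, b"\0" * 32))
        _, candidate = hash_password(pw, salt)
        if username in self.users and hmac.compare_digest(candidate, digest):
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = (count + 1, since or self.now())
        return "invalid"
```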
Data Integrity Checks
WAVE also includes key technologies to ensure the integrity of information within and produced by a system. These include:
Archive Integrity Check
- WAVE notifies operators when the archived video has been modified or tampered with indirectly (e.g., deleted/replaced files).
Watermarking Chain of Custody
- WAVE has built-in watermarking that allows operators or viewers to verify the authenticity of video exported from a system and prevents the manipulation of evidential video. Watermarks can be validated in the proprietary NOV files using the client or the standalone EXE player, and in open file formats such as MP4, MKV, and AVI.
Archive Encryption
- Archive encryption secures the recorded video files from a local server or remote network access. The video files are encrypted on disk at rest with a system password key. The video is only viewable from the WAVE clients, ensuring file security. Archives are encrypted using AES 128 in counter mode, using OpenSSL EVP.
Secure System Communications
WAVE includes many protections for system communications over secured (e.g., LAN/WAN/VPN) and unsecured (e.g., Internet) networks.
Single Port for all communications
Wisenet WAVE requires only a single port, 7001, for access through a firewall, router, or VLAN. This port can be changed from the default as desired. While it is recommended that WAVE Sync be used for secure cloud access to the system without the need for port forwarding, DDNS, or a static WAN IP address, remote access or access through a Layer 3 network and VLANs can be obtained by providing access to the server port.
OpenSSL for Network Connections
- By default, we disable deprecated and insecure protocols and use only TLS v1+. The Transport Layer Security protocol aims primarily to provide privacy and data integrity between two communicating computer applications.
Server -> Client (Mobile, Desktop, Web) Communications
- HTTPS is used by default for all connections.
Email - TLS / SSL
- TLS is the default option for the Email Server.
Hardened secure connections
- All WAVE Server connections use SSL/TLS Certificate pinning to render man-in-the-middle attacks impossible. VMS Servers and Clients also use new session-based (bearer token) authentication by default.
Encrypted Client-Server Communications
- System administrators can choose to encrypt VMS communications with the “Force servers to accept only encrypted connections” option in System Administration > Security settings.
Encrypted Video Traffic
- System administrators can choose to encrypt all video traffic between Clients and Servers with the “encrypt video traffic” option.
Force HTTPS for camera communications
- Cameras are typically connected to a VMS on a secure network segment; however, in some cases, an administrator may wish to require the use of HTTPS connections to the camera, restricting access from unsecured connections. Some older cameras may negotiate to unsecured connections, possibly disclosing usernames and passwords to attackers. Many attackers look to exploit systems that permit unsecured HTTP connections to gain valuable data or introduce man-in-the-middle attacks.
Custom SSL Certificates
- WAVE supports the use of Custom SSL certificates.
WAVE Sync Cloud Connection Proxy
- WAVE Sync securely proxies remote connections to systems, removing the need to open or forward ports on secure networks.
Risk Prevention Methods
Hanwha also institutes processes to ensure threat assessment and resolution are part of our core culture. These steps include:
Extensive Quality Assurance Testing
The Wisenet WAVE VMS undergoes rigorous Quality Assurance testing before release to identify and remedy vulnerabilities.
External Security Auditing
Regular external security testing and auditing are performed on the Wisenet WAVE VMS.
Online Support Portal
Hanwha maintains a global presence with an active support portal and Knowledge Base at https://support.hanwhavisionamerica.com. Customers and partners are encouraged to report issues and work with proactive support team members who can assist customers with any issue remotely.
Regular Patches
Hanwha provides regular patches at https://wavevms.com/release-notes/, which address emerging security threats and reported bugs.
Cybersecurity Landing Page
Hanwha Vision provides a dedicated website landing page at https://www.hanwhasecurity.com/cybersecurity for cybersecurity activities. Resources such as hardening guides, cybersecurity whitepapers, and more are posted there. When a vulnerability is reported, the associated risks and mitigation procedure are posted there promptly.
Questions
If you have any questions about this topic, don't hesitate to contact our team at https://support.hanwhavisionamerica.com or reach out to your local reseller.