How to protect your video security setup from a cyber attack: the fundamentals 

February 26, 2024

This article explains nine fundamental steps to help mitigate the risk of an attack on your video security setup.

Many European organizations are currently auditing their security setups in response to the European Union’s NIS2 mandate. This mandate provides legal measures to boost the overall level of cybersecurity in the EU, and it comes into effect in October 2024. But double and triple-checking that the fundamentals are in place isn’t specific to Europe. It’s relevant to all organizations that utilize video security (or CCTV, if you prefer). Additionally, most of the work that goes into securing the setup happens outside of the actual video management software (VMS). In other words, this article is for all security and IT professionals, even if you’re not a Milestone customer.

Each item on this list relates to either asset management or access management. These are two distinct but closely related concepts. Asset management involves identifying, categorizing, and managing hardware (e.g., security cameras and recording servers), software (e.g., VMS and Active Directory), and even employees. Meanwhile, access management is about controlling who can interact with the aforementioned physical and virtual assets.


Asset management  

  1. Update the firmware of each and every camera to the latest version. Quite a bit of time can pass between a camera coming out of the factory and its installation. Older firmware might have security vulnerabilities, hence the need to stay updated.
  2. Update camera drivers to the latest version in your VMS. Video device drivers are used to control and communicate with the cameras connected to a recording server. In addition to fixing compatibility issues, frequent updates include enhanced protection against various cyber threats. 
  3. Disable any built-in admin accounts for your cameras (or change the passwords). The more modern and more expensive the camera, the less likely that it ships with a factory admin account and password. But it’s worth being certain, as any unchanged passwords make it easy for unauthorized individuals to tamper with settings and/or disable critical features. Most default passwords are easily found in online documentation. 
  4. Ensure that all cameras only allow HTTPS. HTTPS encrypts communication between the security camera and the server or client. This means that any video feeds and configuration settings cannot be easily intercepted by bad actors.
  5. Keep your Windows Operating System updated. In the case of Milestone’s XProtect VMS, the software runs exclusively on desktop computers or Windows Server environments. As with keeping camera firmware and drivers up-to-date, updating your Windows OS means getting security patches that protect against malware and cyber attacks. 
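One way to verify item 4 across a camera fleet is to send a single plain-HTTP request to each device and classify what comes back. The script below is an added example, not Milestone or XProtect code; the addresses and probe results in SAMPLE are constructed, and the verdict names are this example's own.

```python
"""Audit cameras for a plain-HTTP listener (added example; hosts are constructed)."""
import http.client
from urllib.parse import urlsplit

HTTPS_ONLY = "https-only"            # no HTTP service answers on the port
REDIRECTS = "redirects-to-https"     # HTTP listener still open, only redirects
SERVES_HTTP = "serves-http"          # content or a login prompt over plain HTTP


def probe_http(host, port=80, timeout=3.0):
    """Send one plain-HTTP GET; return (status, Location) or None if no answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException):
        return None  # refused, timed out, or not speaking HTTP
    finally:
        conn.close()


def classify(observation):
    """Map a probe result to a verdict for the HTTPS-only requirement."""
    if observation is None:
        return HTTPS_ONLY
    status, location = observation
    if 300 <= status < 400 and location and urlsplit(location).scheme == "https":
        return REDIRECTS
    return SERVES_HTTP  # includes 200, 401 and redirects that stay on HTTP


def audit(hosts, probe=probe_http):
    """Return {host: verdict} for every camera address in hosts."""
    return {host: classify(probe(host)) for host in hosts}


# Constructed probe results (TEST-NET-1 addresses), so the demo runs offline.
SAMPLE = {
    "192.0.2.10": None,
    "192.0.2.11": (301, "https://192.0.2.11/"),
    "192.0.2.12": (401, None),
    "192.0.2.13": (302, "/login.html"),
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE, probe=SAMPLE.get).items():
        print(f"{host}: {verdict}")
```

A camera that only redirects to HTTPS still accepts the first request unencrypted, so it is reported separately from a camera with no HTTP listener at all. To run it against real devices, call audit() with your own address list and the default probe.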


Access management  

  1. Create user credentials for each person accessing your VMS. Just because it’s simple doesn’t mean it’s easy. Password sharing is more common than most of us would like to admit. But without unique login credentials, you can’t track who’s doing what, which means a slim chance of recourse. In the case of XProtect, the Management Server syncs with Active Directory for user authentication and authorization.
  2. Safeguard the room where your VMS servers are installed. The media often portrays cyber attacks as a remote exercise. But in the real world, cybersecurity has to begin with a lock and key.
  3. Limit the number of people with access to the server room. We can’t provide a magic number. But if someone’s role isn’t directly related to the maintenance, administration or security of the VMS, their access should potentially be revoked. 
  4. Limit the number of people with admin rights for the servers. Admin accounts have elevated privileges, and each additional account increases the risk of exploitation if credentials are compromised.


Join our free cybersecurity training  

Milestone has been in the VMS business for more than 25 years. We’re also a CVE Numbering Authority (CNA); the CVE system provides a common identifier for publicly known cybersecurity vulnerabilities, making it easier for organizations and individuals to share information about security issues. We have a lot to share on the topic and we’re eager to do so.  

Which is why on March 12th, we’ll be hosting a live training session at 10 am Central European Time. We’ll go beyond the “why” of cybersecurity to cover the “how” of: 

  • Using VLANs to separate your VMS network from your corporate network
  • Encrypting your recording server’s media database
  • Best practices for device management and user access management in Milestone XProtect

For those who can’t join live due to time zone differences or other scheduling reasons, please sign up anyway to get the recording.
