Cybersecurity FAQs for video management software

July 08, 2024

This article answers some of the many cyber-related questions that IT and security professionals are asking. These are questions that we’ve seen come up in Google searches, Reddit communities and our own cybersecurity webinars.  

Why take cybersecurity advice from Milestone Systems?

Before we dive in, let’s answer a pre-requisite question: Why should you trust the information in this article? The answer is that we’ve been in the video security business for more than 25 years, and we’ve adapted our product and services as cybersecurity standards have evolved.  

But don’t just take our word for it. Instead, feel free to check out the Vulnerability and Exposures (CVE®) Program that has authorized Milestone as a CVE Numbering Authority (CNA). Their stamp of approval is hopefully enough to assure you that 1) we know what we’re talking about and 2) we’re transparent when it comes to reporting vulnerabilities and shipping patches for our own products.  

Okay, let’s dive in. We’ll refer to Milestone’s XProtect® VMS in some of the answers. Generally speaking though, the answers are applicable to all video security setups. Also, our customers sometimes use different terms: CCTV, video surveillance, video management systems, video management software, etc. For the sake of this article, all refer to the same thing.

What are the cyber threats to video management software?

When we talk about “VMS cybersecurity”, we’re really referring to every part of a video security system. The software itself is one part of the system. 

Key threats include: 

  • Unauthorized access: Attackers may gain access to the VMS and its associated cameras, allowing them to view, manipulate and/or delete video feeds. Weak passwords and unpatched vulnerabilities are common entry points.
  • Data breaches: Sensitive video data can be intercepted or stolen during transmission or from storage. This can lead to privacy violations and the exposure of confidential information. 
  • Malware and ransomware: Malicious software can infect VMS systems, disrupting operations or encrypting data until a ransom is paid. Malware can spread through phishing attacks or compromised devices.
  • Denial of service (DoS) attacks: Attackers may overload the VMS with excessive traffic, rendering it unusable and disrupting surveillance operations. 
  • Man-in-the-middle (MitM) attacks: Cybercriminals can intercept and alter communications between cameras and the VMS, potentially tampering with video feeds or injecting false data. 
  • Exploits of software vulnerabilities: Unpatched software vulnerabilities in the VMS can be exploited by attackers to gain control over the system or access sensitive data. 
  • Insider threats: Employees or contractors with access to the VMS may intentionally misuse their privileges to manipulate or steal video data. 
  • Physical security compromises: Physical access to network infrastructure or devices can allow attackers to bypass cyber defenses and directly compromise the VMS. 
  • Credential theft: Through techniques like phishing, keylogging or brute force attacks, cybercriminals can steal login credentials, granting them unauthorized access to the VMS. 
  • Network intrusions: If the network supporting the VMS is not adequately secured, intruders can penetrate it and disrupt VMS operations or access its data. 

There are cyber-resilient steps you can take to minimize the chances of these threats compromising your setup. Some of the steps can be taken within the VMS software itself, but many steps lie outside of the software. 

What are the challenges to being cyber-resilient?

The main challenge is two-pronged. One part of the challenge is that it’s easy to be complacent because it’s human nature to prioritize the problems on our table right now instead of being proactive about a threat that hasn’t happened yet. The other part of the challenge is that many IT and security professionals don’t feel confident enough to know whether they’ve got their bases covered or whether there are major flaws in their setup. This is why we do our best to provide clear-cut advice to our customers, partners and anyone else in the VMS market. Speaking of, please check out the “Learn more” section at the end of the article.

Is it necessary to regularly update all devices, including cameras, servers, applications, switches, etc.? It seems that most end users lack awareness regarding these security requirements.

Yes. IT systems get sand in the gears. New, unknown threats will appear all the time and if you’re not keeping systems updated, you won’t be protected against them. You’re probably used to Windows having an update every month and your smartphones and apps are being regularly updated. Would you service your car if it’s running well? Yes, because you want it to continue to run well.  

In terms of frequency, twice per year is a good general rule, but you should really be updating whenever a release is out. Milestone’s own frequency for our VMS is 2-3 updates per year, with each update tackling issues and vulnerabilities. Companies like Milestone openly report vulnerabilities on the CVE. Hackers can also read vulnerability reports and target VMS customers in hopes that they haven’t updated yet. There are also laws and regulations (e.g., GDPR, NIS2) that you must follow when it comes to updating. There could be hefty fines if data is lost due to not updating on time. 

Do I really need separate VLANs for my cameras and my video management clients?

Yes. Even if your cameras are already blocking internet access, you should still put them on their own VLAN.

Here’s why: 

  • It’s safer. Separating cameras from VMS clients reduces the risk of unauthorized access to the camera feeds. If one VLAN is compromised, the others remain protected.
  • It helps ensure decent network performance. Cameras typically generate high amounts of data traffic. Isolating this traffic on a separate VLAN ensures that it won’t interfere with the performance of the VMS clients and other critical applications on the network. 
  • It makes troubleshooting easier. It’s easier to identify and isolate network issues when different types of devices are segregated into specific VLANs.  

You can create the camera and client VLANs with a managed switch and configure both to “talk” to your VMS server. Security operators can view camera streams via this secure communication. Here’s an example of what this setup looks like:  

Should I separate my VMS from the office network?

Yes. All the same reasons in the previous answer apply here. Network separation can happen physically or virtually. If done the right way, virtual separation can be a whole lot cheaper, as you can utilize the devices and infrastructure that you already have. Assuming you’re going the virtual route, you want to have the same camera and VMS client VLANs that we talked about, plus a third VLAN for all office laptops, printers, etc. Here’s what that looks like:

Why use a VPN for remote operators using the Management Client and Smart Client when a HTTPS connect is possible for both? It only exposes port 443 to the internet.

No, that wouldn’t work. The reason is that you have more than one endpoint to connect to. In a larger installation, you might have 10 or 20 different servers. Those servers need to be resolved within server names and that’s not accessible on the internet. Furthermore, each of the servers will have several ports open for streaming, sending communication, etc. In other words, exposure won’t be limited to port 443, which is only used for the initial authentication and token exchange. Once you send media, alarms and so forth, you’ll run into all kinds of ports AND on multiple servers.  

It wouldn’t be practical to port forward 50 ports or more, plus resolve the names so that the client knows which addresses to connect to. It comes down to scalability. When using VMS clients, operators are looking at video from multiple cameras and recording servers, and that’s not going through a single gateway point. You talk directly to the servers. And that’s why you don’t do this over the internet. Granted, HTTPS works for the XProtect Mobile Server (used for our Mobile Client and Web Client) because it works as a gateway—a single endpoint—for transmission. However, the Management Client and Smart Client do not go through the Mobile Server and that’s not going to change. So, a VPN is the way to go. 

Is it possible to integrate a two-factor authentication (2FA) solution with Milestone’s VMS?

Yes, but 2FA solutions (e.g., Okta) usually rely on internet access. Many XProtect installations either don’t have internet access or they’re blocking connections to all kinds of services. It’s up to you to decide whether integrating with a managed identity provider is feasible. Working with a provider can be a great way to get all the bells and whistles of authentication from a company that is solely focused on this area of security. When integrated with XProtect (see our guide here), two-factor authentication works with the Smart Client, Web Client, Management Client, SDK, etc. 

Can you recommend any third-party monitoring software for a system with 25 servers and 500 devices?

We can’t recommend anything specific, but we encourage you to look to the IT world for an answer. Talk to colleagues across IT departments about what they use to monitor their servers, storage and network. Examples include Microsoft’s SCOM and Splunk, which can monitor many different components, but you need to find the one that you prefer. Once you choose a system, it can help trigger events from the camera side as well as monitor the CPU load on your cameras and servers.  

Can you recommend a CM (Configuration Management) solution to provide an audit trail with periodic security alerts?

An example is Palo Alto, but there are many viable options, and we can’t vouch for any specific CM solution. Your IT department needs to decide. 

What devices do you recommend for indicating a brute force attack?

We support thousands of such devices, and we can’t promote any specific one. Look at the professional, larger companies and see what they use. 

What’s your advice for using virus scanners?

We talk about virus scanners in our hardening guide. The short answer is that yes, you should have a virus scanner for your servers. However, you should disable scanning of some specific file types in the folders where you store the media database. Otherwise, it might impact the performance of your VMS. The VMS writes so much data and the files are accessed so often that if you have a virus scanner in between, it can ruin the system's performance.  

Moreover, the risk of not scanning those folders is low, because it’s only a specific few file types that you need to disable scanning for in a single specific location. The risk of a virus coming in and writing a file in that storage location with a file name that our database uses is next to nonexistent. We don’t recommend any specific virus scanners. There are so many options, and we don’t have any favorites, so it’s up to our customers to choose for themselves.  

IEEE 802.1X is great, but how many customers are using it in the real world?

It depends on the nature of your business; security requirements differ across sectors and organization sizes. For lower-risk installations, ticking the boxes of 1) high complexity passwords for cameras and 2) using HTTPS/secure streaming protocols might be enough. But if you work in a larger and/or more regulated field, please consider 802.1X. If you end up implementing it, then a redundant domain controller and a Network Policy Server (NPS) can significantly help your 802.1x authentication run smoothly. 

How does SSL encryption work with Milestone XProtect? Should SSL certificates be signed by third-party certificate authorities?

Self-signed certificates are often the right choice for XProtect customers. They take work to set up, but our certificate guide gives sample scripts that you can modify with your network and server names. 

  • Self-signed certificates are free and can save a lot of money for large projects. CA (third-party certificate authorities) are paid.  
  • Self-signed certificates work when there’s no internet access, which is the case for many of our customers. Meanwhile, many CAs can’t validate without an internet connection.  
  • Self-signed certificates can be a real pain for smartphones, so it might make sense to go for a combination of self-signed and CA certificates.  
Which software do you use to create self-signed certificates?

PowerShell is generally available on most modern Windows operating systems, so you shouldn’t need any external software. You can run the scripts we have in our guide in PowerShell.  

What procedure do you suggest for changing certificates for 20 servers and services? Doing it one-by-one is not fun.

You have two alternatives: 

  • Add the servers to an Active Directory (AD). By adding servers to an AD domain, you can leverage Group Policy to deploy and manage certificates automatically. 
  • Use a Public Key Infrastructure (PKI) in your network somewhere that you trust. A PKI provides a framework for managing digital certificates and public-key encryption. Using a PKI in your network can automate and centralize certificate management. 
What’s your opinion on tunneling video from cameras via HTTPS? Any downside?

No, do it. There’s no downside.  

Can you put any numbers on CPU load when it comes to encryption?

No, because it’s variable. It depends on the computer, processor and bitrate. It’s an annoying answer, but that’s the way it is. 

If we use strong media database encryption, can we balance out the CPU load by activating the compression format on the video stream coming from the camera?

No, because encryption takes place independently of the video compression codec format. Whatever data we get in any format, we will encrypt it when it goes into the media database. 

With encryption, how much time does the Web Client or the Smart Client need to decode and display the view in live mode (especially for PTZ cameras)?

So, there are two layers of encryption: 

  • On the media database: Decrypting from the media database before sending it to the client doesn’t take any more time than reading the data. Encryption takes a bit more time, but decryption doesn’t really take any extra time. It’s negligible; microseconds, if even that much. 
  • On HTTPS: Decrypting that is handled on the network layer, and that’s not noticeable either. You won’t see a delay in displaying and controlling PTZ cameras; decryption doesn’t have any impact whatsoever. Any delays will come from encoding the video in the camera and decoding the video in the client. But that’s not encryption. 
Is there a “best practice” design for how to separate database servers for the management of cameras?

No, there’s no one best design. A couple of general guidelines are that you shouldn’t have the clients running on the recording servers because they can interfere with recording, and they might stop the service or shut down the computers. You should install the servers in a secure location and make sure there’s limited access. 

When it comes to whether you should have separate servers for recording servers, management servers, event servers etc., it depends on your needs. How critical it is for your system to be running all the time? How many cameras do you have and how big are your servers?  

  • For 1,000 cameras, we’d suggest separating the management server and event server and having a dedicated SQL server. You should have a few recording servers running 250-300 cameras each, plus a bunch of failover servers. 
  • For 10 cameras, you can run everything (except the clients) on one server. 
Is cybersecurity applicable to all variants and versions of XProtect?

Yes. Cybersecurity is applicable to anything that communicates on a network. All variants of XProtect are secure by design. Among other things, they all support: 

  • HTTPS encryption between the cameras and the recording server, preventing unauthorized access to the streamed video. 
  • Network separation, making it possible to separate the camera network from the client network and the core server network. 
  • Media database encryption and digital signing, preventing unauthorized access directly to video recordingNote that advanced recording features are exclusive to XProtect Expert and XProtect Corporate.
Learn more

We’ve written three articles that describe respective steps for different levels of cyber-resilience for your video security: 

Get in touch

If you have any questions or if you’d like to see Milestone’s XProtect VMS in action, please send us a message or book a demo.  

Ready to see what we have to offer with smart video technology? 
Book a demo
Related content
The most advanced steps to protect your security system from a cyber attack
VMS cybersecurity: all about cameras
Beyond the basics: cybersecurity for video management software
You will be logged out in
5 minutes and 0 seconds
For your security, sessions automatically end after 15 minutes of inactivity unless you choose to stay logged in.