Dahua Technology Seeing the Relevance of OWASP Top 10 to Security Industry

Information Technology Press Releases Monday December 25, 2017 18:12
Bangkok--25 Dec--Dahua Technology

HANGZHOU, China--December 21, 2017--The Open Web Application Security Project (OWASP), a worldwide not-for-profit charitable organization dedicated to improving the security of software, released the 2017 OWASP Top 10 last month. This list, produced every four years since 2003, consists of the ten most critical web application security risks and is compiled with the aim of keeping pace with the ever higher demands on cybersecurity and interconnected operating systems.

The 2017 OWASP Top 10 list is based on the examination of over 2.3M vulnerabilities which have impacted 50,000 applications, and contains two large-scale vulnerability updates and updated attack scenarios. It serves as a standard guide to potential issues for all types of users, including those from the security industry, since most video surveillance applications involve viewing video over a LAN/WAN in a web browser, while IP cameras and recorders have a web interface to initialize and configure the devices.

Among the Top 10 risks on the list, most of the known cybersecurity problems in security products can be linked to 5 entries (A2, A3, A5, A6 and A9): Broken Authentication and Session Management, Sensitive Data Exposure, Broken Access Control, Security Misconfiguration and Using Components with Known Vulnerabilities.

OWASP's Ten Most Critical Web Application Security Risks

To cope with the aforementioned cybersecurity risks, Dahua Technology, the leading solution provider in the global video surveillance industry, has already taken the following measures:

Strengthened Authentication and Access Control

Almost every IP video device has authentication in place, but weak or broken authentication can be exploited by attackers to gain control of the device. Likewise with Broken Access Control, where restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functions and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users' data, changing access rights and so on.

To strengthen authentication and access control, the Dahua cybersecurity baseline implements the following measures. Firstly, a strong password consisting of 8-32 characters must be created, and the account automatically locks after multiple failed log-in attempts. Secondly, the IP address of the logged-on client is checked against the one bound to the session ID, which effectively filters out requests that do not come from the same client. In addition, idle sessions are terminated to reduce the risk from users forgetting to log out. Moreover, there is a built-in mechanism to defend against brute-force guessing of the session ID value.

Guarding Sensitive Data

Sensitive data has to be stored and transmitted for the application to run, and attackers will attempt to steal it: passwords, payment information and IDs. The Dahua cybersecurity baseline implements the following to protect sensitive data:

First of all, Dahua supports HTTPS encryption and prohibits unencrypted transmission of commands involving sensitive data. Secondly, passwords stored in the device must be encrypted together with device-specific context to increase the difficulty of cracking them. Configuration data is protected with encryption when stored, uploaded and downloaded; even authenticated users are not allowed to decode the data into clear text. Data integrity validation is conducted in both the upload and download process.
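The authentication, session and password-storage controls described in the two sections above, as an added illustrative example in Python (this is not Dahua's code; the lockout threshold, idle limit, PBKDF2 parameters, client addresses and the device serial used as device-specific context are all assumptions):

```python
import hashlib
import secrets
import time

PASSWORD_MIN, PASSWORD_MAX = 8, 32   # length policy stated in the release
MAX_FAILED = 5                       # assumed lockout threshold
IDLE_TIMEOUT_S = 300                 # assumed idle limit in seconds
DEVICE_SERIAL = b"EXAMPLE-SN-0001"   # constructed device-specific context

def hash_password(password, salt, device_ctx=DEVICE_SERIAL):
    """PBKDF2 bound to this unit: a digest dumped from one device does not verify on another."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + device_ctx, 100_000)

class DeviceAuth:
    def __init__(self, clock=time.time):
        self.clock = clock     # injectable so idle expiry can be tested deterministically
        self.users = {}        # user -> (salt, digest)
        self.failed = {}       # user -> consecutive failed log-ins
        self.sessions = {}     # session id -> [user, client_ip, last_seen]

    def set_password(self, user, password):
        if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
            raise ValueError("password must be 8-32 characters")
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, hash_password(password, salt))

    def login(self, user, password, client_ip):
        """Return a session id or None; the account locks after MAX_FAILED failures."""
        if self.failed.get(user, 0) >= MAX_FAILED:
            return None                        # locked: further guesses are not evaluated
        salt, digest = self.users.get(user, (b"", b""))
        if not secrets.compare_digest(hash_password(password, salt), digest):
            self.failed[user] = self.failed.get(user, 0) + 1
            return None
        self.failed[user] = 0
        sid = secrets.token_urlsafe(16)        # 128 random bits: not enumerable by brute force
        self.sessions[sid] = [user, client_ip, self.clock()]
        return sid

    def authorize(self, sid, client_ip):
        """Accept a request only from the client that logged in, within the idle limit."""
        s = self.sessions.get(sid)
        if s is None or s[1] != client_ip:     # unknown id, or presented from another client
            return False
        if self.clock() - s[2] > IDLE_TIMEOUT_S:
            del self.sessions[sid]             # idle session terminated
            return False
        s[2] = self.clock()
        return True
```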

Changes Made to Reduce Misconfiguration
According to OWASP, security misconfiguration is the most commonly seen issue. Dahua has analyzed past misconfiguration issues and made the following changes to reduce exposure to potential attackers:

To start with, all default accounts are removed; the installer must set a customized password during device initialization. In addition, all unused open ports are closed and an authentication mechanism is applied to all remaining necessary ports. Finally, Dahua has deployed a cloud firmware upgrade feature to make it easier and more convenient for users to keep firmware up to date.

Human Efforts to Correct Human Errors

It is only through the combined forces of humans and machines, of customers and manufacturers and all related parties, that we can most effectively deal with cybersecurity problems. Dahua has put a great deal of effort into ensuring customers are given proper information, access to software fixes and technical support to deal with vulnerabilities effectively.

On the official website, Dahua has posted its Best Practices, a page offering detailed tips and recommendations that help to build a more secure security system. There is also a channel for Vulnerability Reporting, through which users and other related parties can report cybersecurity loopholes; these efforts are rewarded after an assessment of the vulnerability.

Since video surveillance has become a core part of IoT, it is not surprising that in recent years there has been an increasing number of attacks targeting IP video devices. Thus Dahua has proposed to establish a new ecosystem of network security encompassing end users, installers and manufacturers. In August 2017, Dahua shared a white paper on cybersecurity with its customers, and an updated version will be issued in early 2018.

In conclusion, Dahua has prepared for the battle of cybersecurity through the identification of application risks, potential attackers and other threats. With well thought-out precautionary plans and carefully designed coping mechanisms, Dahua can respond to risks in a quick and effective manner and, in most cases, solve problems before they really become problems. With a mission to enable a safer society and smarter living, Dahua will continue to focus on "Innovation, Quality, and Service" to serve its partners and customers around the world.
