Security

Wavestore operates an ongoing security hardening program for its VMS.

Many of its security features are pre-configured as standard and do not require the user to set them up, offering protection from the moment the system is switched on.

Wavestore’s VMS is embedded into a Linux operating system which offers a host of security benefits over Windows™ based counterparts. For example, Wavestore is not impacted by Windows vulnerabilities and there are no time-consuming Windows updates that require the VMS to be off-line these updates are applied.

Wavestore also has full control over which specific components of the Linux operating system it uses and disables all non-essential areas to greatly reduce the threat of potential vulnerability.

Click here to download our latest brochure on Cybersecurity Features from Wavestore.

No back-door login access

Some vendors have generic back-door access called a ‘root login’ which is always open. This is to provide them with access to the system for trouble shooting and technical support issues, but it is also a potential security threat. At Wavestore we don’t have an unsupervised back-door to the system. Instead, if an authorised administrator decides to grant us access for remote diagnostics, they must be physically with the Wavestore server to provide support staff with a temporary administration account and password that the administrator is firmly in control of. After the diagnostics process is finished, the administrator can close the remote access and delete the temporary administration account.

Video, data and password encryption

Wavestore offers up to 4096bit encryption for video, allowing if required the option for secure public keys to be used when encoding and decoding video. In addition, Wavestore enables passwords to be encrypted. This means that when video evidence is being exported, the secure public key details do not need to be handed over to the recipient of the export.

Built-in firewall

Wavestore’s preconfigured firewall, provided as standard within its VMS, locks down ports and helps prevent unauthorised connection to its servers.

Restricting IP addresses

Wavestore can restrict access to all but authorised IP addresses to eliminate the risk of unauthorised users logging in from other remote computers.

Protection against ‘Man-in-the-middle’ attacks

Login details are always encrypted using very strong password hashes and Wavestore provides ‘man-in-the-middle’ protection as standard. We can ensure that stringent password policies are enforced, e.g. users must change the default password on their first log in and enter a mix of letters, characters and numbers to a required length to make their password more secure.

No applications can be run on Wavestore’s server

No other applications can be run on Wavestore servers/NVRs/HVRs, meaning that no malicious programs can be loaded and executed.

Privilege separation

Wavestore operates ‘privilege separation’ which makes user accounts more secure. Users can be separated into groups and the relevant privileges set. For example, the ‘Install’ group may have set-up rights while the ‘User’ group only has day-to-day operation functions made available to them. This has a high level of granularity; for example normal users can view live but cannot play back footage or export it, whereas an admin user could do both.

Wavestore is compatible with LDAP and Active Directory to assist in the management of systems with many users.

WaveView client software inactivity time out

Wavestore’s WaveView client software can be set to automatically log out after a defined time period if there is no user activity. This is especially useful if the client is being operated in a space that may be easily accessible, such as a reception area, or where policy dictates that user must log out after each use.

On-going protection

Wavestore operates an on-going third-party security program which purposefully tests for vulnerabilities with the system to give us confidence that the solutions we are providing are as secure as possible with today’s threats in mind.

Best security practice for all IP security installations

1. Always change the default passwords when commissioning your system. This is a common oversight that affects thousands of installations. Default passwords for a wide range of equipment from the world’s leading vendors can easily be found on the internet and this can lead to your system being compromised.
2. Prevent unauthorised physical access to your server. Always keep your recording and management equipment in a secure room, locked cupboard or area that is not accessible to unauthorised persons. If somebody has physical access your server then they may be able to damage or remove hard disks from your server.
3. Secure your network appropriately. Good network design and security across your entire network is essential.