ManualsPro AXIS AXIS Cybersecurity Questions and Answers User Manual

AXIS Cybersecurity Questions and Answers User Manual

June 9, 2024
AXIS

AXIS Cybersecurity Questions and Answers

General questions

What is cybersecurity?
Cybersecurity is the protection of computer systems and services from cyberthreats. Cybersecurity practices include processes for preventing damage and restoring computers, electronic communications systems and services, wire and electronic communications, and stored information to ensure their availability, integrity, safety, authenticity, confidentiality, and nonrepudiation. Cybersecurity is about managing risks over a longer period of time. Risks can never be eliminated, only mitigated.

What is generally involved in managing cybersecurity?
Cybersecurity is about products, people, technology and ongoing processes. It will, therefore, involve identifying and evaluating various aspects of your organization, including doing an inventory of devices, systems, software, and firmware; establishing mission-critical objectives; documenting procedures and security policies; applying a risk-management strategy and continuously performing risk assessments related to your assets. It will involve implementing security controls and measures to protect the data, devices, systems, and facilities that you’ve identified as priorities against cyber attacks. It will also involve developing and implementing activities that help you detect cyber attacks so you can take timely actions. This could, for instance, involve a Security Information and Event Management (SIEM) system or a Security Orchestration, Automation and Response (SOAR) system that manages data from network devices and management software, aggregates data about abnormal behavior or potential cyber attacks, and analyzes that data to provide real-time alerts. Axis devices support the SYS Logs and Remote SYS Logs that are the primary source of data for your SIEM or SOAR system.
Cybersecurity management also involves developing and implementing procedures to respond to a cybersecurity incident once it is detected. You should take into account local regulations and internal policies, as well as requirements for disclosure of cybersecurity incidents. Axis offers an AXIS OS Forensic Guide that will help you understand if an Axis device has been compromised during a cybersecurity attack. Developing and implementing activities to maintain plans for resilience and to recover or restore any capabilities or services impaired due to a cybersecurity incident will also be important. AXIS Device Manager, for instance, makes it easy to restore Axis devices by supporting restore points, which are saved “snapshots” of system configuration at a point in time. In the absence of a relevant restore point, the tool can help return all devices to their default states and push out saved configuration templates via the network.

What are the cybersecurity risks?
Cybersecurity risks (as defined by RFC 4949 Internet Security Glossary) is an expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result. It is important to define clear system policies and processes in order to achieve adequate risk reduction over the long term. A recommended approach is to work according to a well-defined IT protection framework, such as ISO 27001, NIST or similar. While this task may be overwhelming for smaller organizations, having even minimal policy and process documentation is far better than having nothing at all. For information on how to assess risks and prioritize them, see Cybersecurity reference guide.

What are the threats?
A threat can be defined as anything that can compromise or cause harm to your assets or resources. In general, people tend to associate cyber threats with malicious hackers and malware. In reality, negative impact often occurs due to accidents, unintentional misuse or hardware failure. Attacks can be categorized as opportunistic or targeted. The majority of attacks today are opportunistic: attacks that occur just because there is a window of opportunity. Such attacks will use low-cost attack vectors such as phishing and probing. Applying a standard level of protection will mitigate most risks related to opportunistic attacks. It is harder to protect against attackers who target a specific system with a specific goal. Targeted attacks use the same low-cost attack vectors as opportunistic attackers. However, if the initial attacks fail, they are more determined and are willing to spend time and resources to use more sophisticated methods to achieve their goals. For them, it is largely about how much value is at stake.

What are the most common threats and how can they be addressed?
Deliberate or accidental misuse of a system People who have legitimate access to a system is one of the most common threats to any system. They can be accessing services that they are not authorized to. They may steal or cause deliberate harm to the system. People can also make mistakes. In trying to fix things, they may inadvertently reduce system performance. Individuals are also susceptible to social engineering; that is, tricks that make legitimate users give away sensitive information. Individuals may lose or displace critical components (access cards, phones, laptops, documentation, etc). People’s computers may be compromised and unintentionally infect a system with malware.
Recommended protections include having a defined user account policy and process, having a sufficient access authentication scheme, having tools to manage user accounts and privileges over time, reducing exposure, and cyber awareness training. Axis helps counter this threat with hardening guides, and tools like AXIS Device Manager and AXIS Device Manager Extend.

Physical tampering and sabotage
Physically exposed equipment may be tampered with, stolen, disconnected, redirected or cut. Recommended protections include placing network gear (for example, servers and switches) in locked areas, mounting cameras so they are hard to reach, using protected casing when physically exposed, and protecting cables in in walls or conduits.
Axis helps counter this threat with protective housing for devices, tamper- resistant screws, cameras with the ability to encrypt SD cards, detection for camera view tampering, and detection for an open casing.

Exploitation of software vulnerabilities
All software-based products have vulnerabilities (known or unknown) that could be exploited. Most vulnerabilities have a low risk, meaning it’s very hard to exploit, or the negative impact is limited. Occasionally, there may be discovered and exploitable vulnerabilities that have a significant negative impact. MITRE hosts a large database of CVE (Common Vulnerabilities & Exposures) to help others mitigate risks. Recommended protections include having a continuous patching process that helps minimize the number of known vulnerabilities in a system, minimizing network exposure in order to make it harder to probe and exploit known vulnerabilities, and working with trusted sub-suppliers who work according to policies and processes that minimize flaws, and who provide patches and are transparent about discovered critical vulnerabilities. Axis addresses the threat with the Axis Security Development Model, which aims to minimize exploitable vulnerabilities in Axis software; and with the Axis Vulnerability Management Policy, which identifies, remediates and announces vulnerabilities that customers need to be aware of in order to take appropriate actions. (As of April 2021, Axis is a Common Vulnerability and Exposures Numbering Authority for Axis products, allowing us to adapt our processes to MITRE Corporation’s industry standard process.) Axis also provides hardening guides with recommendations on how to reduce exposure and add controls to reduce the risk of exploitation. Axis offers users two different tracks of firmware to keep the firmware of an Axis device up to date:

  1. The active track provides firmware updates that support new features and functionalities, as well as bug fixes and security patches.
  2. The long-term support (LTS) track provides firmware updates that support bug fixes and security patches while minimizing risks of incompatibility issues with third-party systems.

Supply chain attack

A supply chain attack is a cyberattack that seeks to damage an organization by targeting less secure elements in the supply chain. The attack is achieved by compromising software/firmware/products and luring an administrator to install it in the system. A product may be compromised during shipment to the system owner. Recommended protections include having a policy to only install software from trusted and verified sources, verifying software integrity by comparing the software checksum (digest) with the vendor’s checksum before installation, checking product deliveries for signs of tampering. Axis counters this threat in a number of ways. Axis publishes software with a checksum in order for administrators to validate the integrity before installing it. When new firmware is to be loaded, Axis networked devices accept only firmware that is signed by Axis. Secure boot on Axis networked devices also ensure only Axis signed firmware runs the devices. And each device has a unique Axis device ID, which provides a way for the system to verify that the device is a genuine Axis product. Details about such cybersecurity features are found in the whitepaper Cybersecurity features in Axis products (pdf). For more details about threats, see the Cybersecurity Reference Guide of Terminology and Concepts.

What are vulnerabilities?
Vulnerabilities provide opportunities for adversaries to attack or gain access to a system. They can result from flaws, features or human errors. Malicious attackers may look to exploit any known vulnerabilities, often combining one or more. The majority of successful breeches are due to human errors, poorly configured systems, and poorly maintained systems – often due to lack of adequate policies, undefined responsibilities, and low organizational awareness.

What are the software vulnerabilities?
A device API (Application Programming Interface) and software services may have flaws or features that can be exploited in an attack. No vendor can ever guarantee that products have no flaws. If the flaws are known, the risks may be mitigated through security control measures. On the other hand, if an attacker discovers a new unknown flaw, the risk is increased as the victim has not had any time to protect the system.

What is the Common Vulnerability Scoring System (CVSS)?
The Common Vulnerability Scoring System (CVSS) is one way to classify the severity of a software vulnerability. It’s a formula that looks at how easy it is to exploit and what the negative impact may be. The score is a value between 0-10, with 10 representing the greatest severity. You will often find CVSS number in published Common Vulnerability and Exposure (CVE) reports. Axis uses CVSS as one of the measures to determine how critical an identified vulnerability in the software/product may be.

Questions specific to Axis

What training and guides are available to help me understand more about cybersecurity and what I can do to better protect the products and services from cyber incidents?
The Resources web page gives you access to hardening guides (e.g- AXIS OS Hardening Guide, AXIS Camera Station System Hardening Guide and Axis Network Switches Hardening Guide), policy documents and more. Axis also offers an e-learning course on cybersecurity.

Where can I go to find the latest firmware for my device?
Go to Firmware and search for your product.

How can I easily upgrade the firmware on my device?
To upgrade your device firmware, you can use Axis video management software like AXIS Companion or AXIS Camera Station, or tools like AXIS Device Manager and AXIS Device Manager Extend.

If there are disruptions to Axis services, how can I be informed?
Visit status.axis.com.

How can I be notified of a discovered vulnerability?
You can subscribe to the Axis Security Notification Service.

How does Axis manage vulnerabilities?
See the Axis Vulnerability Management Policy.

How does Axis minimize software vulnerabilities?
Read the article Making cybersecurity integral to Axis software development.

How does Axis support cybersecurity throughout a device lifecycle?
Read the article Supporting cybersecurity throughout the device lifecycle.
What are the cybersecurity features that are built into Axis products?
Read more:

  • Built-in cybersecurity features
  • Cybersecurity features in Axis products (pdf)
  • Supporting cybersecurity throughout the device lifecycle

Is Axis ISO certified and what other regulations is Axis compliant with?
Visit the Compliance web page.

Cybersecurity Q &As
© Axis Communications AB, 2023

References

Read User Manual Online (PDF format)

Read User Manual Online (PDF format)  >>

Download This Manual (PDF format)

Download this manual  >>

AXIS User Manuals

AXIS TU1001-VE Microphone Instructions
AXIS
AXIS Q6054-E Mk 3 PTZ Camera User Manual
AXIS
AXIS Radar Autotracking for PTZ User Manual
AXIS
AXIS P3727-PLE Network Camera Instruction Manual
AXIS
AXIS Q1656-DLE Radar Video Fusion Box Camera Installation Guide
AXIS
AXIS COMMUNICATIONS M1075-L Box Camera User Manual
AXIS COMMUNICATIONS
AXIS COMMUNICATIONS W102 Body Worn Camera Installation Guide
AXIS COMMUNICATIONS
AXIS M2025-LE Network Camera User Manual
AXIS
AXIS P1455-LE Network Camera User Manual
AXIS
AXIS COMMUNICATIONS TU1002-VE Microphone Kit Installation Guide
AXIS COMMUNICATIONS
AXIS Optimizer Body Worn Extension User Manual
AXIS
AXIS COMMUNICATIONS M7116 Video Encoder User Manual
AXIS COMMUNICATIONS
AXIS Network Switches Hardening User Manual
AXIS
AXIS P13 Network Series Explosion Protected Camera User Manual
AXIS
AXIS T8705 Video Decoder User Manual
AXIS
AXIS Security Development Model Software User Manual
AXIS
4-Axis Aerocraft Aerial Photography Drone Instruction Manual
AXIS
AXIS P3245-LVE-3 License Plate Verifier Kit User Manual
AXIS
AXIS 5503-741 3.5mm Cabinet Gasket A, 10-Pack Instructions
AXIS
AXIS M5000-G PTZ Camera Installation Guide
AXIS

Related Manuals

V I V O DESK-VE42B Electric Desk Riser Instruction Manual
V I V O
Fores 305250 Bath Wall Cupboard Instruction Manual
Fores
SSV WORKS X3-R1 2017 Plus Can Am Maverick X3 JVC MR1 Upgrade Kit Installation Guide
SSV WORKS
AIGOSTAR 12m 2700K Solar Staring Light User Manual
aigostar
SK Pang electronics RSP-PICANFDLIN PICAN FD and LIN-Bus Board for Raspberry Pi User Guide
SK Pang electronics
CARSON Clip n’ Clean MF-50AS All In One Lens and Screen Cleaning Kit Instructions
Carson
nedis BTSW30BK Smart Life Smartwatch Instruction Manual
nedis
ALLVIEW 50ePlay6100-U 4K Ultra HD Smart TV Android User Guide
ALLVIEW
WIGAM AZ200-50 Nitrogen Regulator Instruction Manual
WIGAM
First Co CW-HW(X) Fan Coil Units Installation Guide
First Co
SIEMENS HM736G1.1S Oven User Manual
SIEMENS
jura Payment Connect Coffee Machine Easier Instructions
Jura
BENETECH GM86 Micro Power Monitor Instruction Manual
BENETECH
serenelife SLTET30 Party Tent Commercial Instant Shelter with 8 Walls User Manual
serenelife
Waveshare 7.9inch DSI LCD User Manual
WAVESHARE
PHILIPS BP02013 Adtraxion Player Owner’s Manual
Philips
AJAX 8219 FireProtect Wireless Fire Detector User Manual
ajax
IKEA SKUFFEN Shoe Box Instruction Manual
Ikea
NETGEAR GS305 FE and GE Unmanaged Switches User Guide
NETGEAR
Klipsch PM21BT Wired Computer Speaker Owner’s Manual
Klipsch
velleman HPG1MK2 Battery-powered 1 Hz Channel Sinus User Manual
Velleman
Philips Hue 802033 Lucca White Outdoor Wall Light User Manual
Philips Hue
AUO C27C4 27 Inch All In One WorkStation User Manual
AUO
NITEforce Outlaw 30MP 4G 4K Video Wireless Camera User Manual
NITEforce
ACURITE 00590A1 Wireless Thermometer and Self-Setting Clock Instruction Manual
Acurite
MAXIM E30184-01BK Tower Outdoor Wall Sconce User Manual
MAXIM
AVA CT1820 Wireless Streaming Station User Guide
AVA
Aero-Fan V-12 12 Inch Aero Fan Inline Duct Ventilation Fan Instruction Manual
Aero-Fan
STARLINK Wedge Flat High Performance Kit with Mount User Manual
Starlink
MCO Home Micro Dimmer MH-P220 Manual
MCO HOME
Contact Us   Privacy Policy   3.803ms