Why security gear gets attacked
IP cameras, access panels, and recorders are full computers on the network, and they often ship with weak defaults. A neglected camera is a foothold. The steps below are ordered roughly by impact and map to CIS Controls v8, the NIST Cybersecurity Framework, and guidance from the Canadian Centre for Cyber Security.
Change default credentials
This is the single most common failure. Replace every default username and password before a device touches a live network. Use unique, long passphrases per device or per device class, stored in a password manager, not a spreadsheet on a tech’s laptop. Disable any built-in accounts you do not use. This is CIS Control 5 (Account Management) and a Cyber Centre baseline control.
Signed firmware and updates
Run current firmware. Vendors patch authentication bypasses and remote code execution in cameras and recorders regularly. Prefer devices that verify signed firmware images so a tampered update will not install. Keep an inventory of model, firmware version, and patch date for every device. Set a recurring schedule to review and apply updates. This covers CIS Control 7 (Continuous Vulnerability Management) and CIS Control 2 (Inventory of Software Assets).
Disable unused services
Cameras and panels enable services you will never use: UPnP, Telnet, FTP, SSH, ONVIF discovery, cloud relay, and unencrypted HTTP. Turn off what you do not need. Each open service is one more thing to patch and one more way in. Keep HTTPS for the web interface and disable plain HTTP. This is part of CIS Control 4 (Secure Configuration).
802.1X port-based access control
IEEE 802.1X authenticates a device before the switch port carries traffic. An unauthenticated device plugged into a hardened port gets nothing, or lands in a restricted VLAN. For field devices that cannot do 802.1X supplicants, use MAC Authentication Bypass against a known device list, and physically secure those ports. This stops someone unplugging a camera to gain network access, a real risk for outdoor and lobby cabling.
Certificates
Use certificates rather than shared secrets where the gear supports it. EAP-TLS for 802.1X uses device certificates instead of passwords. For management interfaces, install proper TLS certificates so technicians are not training themselves to click through browser warnings, which hides real man-in-the-middle attacks.
Network segmentation
Put security systems on dedicated VLANs and enforce least-privilege routing between them. Segmentation limits how far an attacker moves after compromising one device. This is CIS Control 12 (Network Infrastructure Management) and aligns with the Protect function of the NIST CSF. See the companion article on VLAN design for the layout.
Logging and monitoring
Send switch, firewall, and device logs to a central collector. You cannot investigate what you did not record. Capture authentication events, configuration changes, and 802.1X failures. Set time synchronization (NTP) across all gear so timestamps line up during an incident. This is CIS Control 8 (Audit Log Management) and the Detect function of the NIST CSF.
Mapping summary
| Hardening step | CIS Controls v8 | NIST CSF function |
|---|---|---|
| Change defaults | Control 5 | Protect |
| Signed firmware, patching | Controls 2, 7 | Protect, Identify |
| Disable services | Control 4 | Protect |
| 802.1X, certificates | Controls 4, 6 | Protect |
| Segmentation | Control 12 | Protect |
| Logging | Control 8 | Detect |
Where to start
If a site has none of this in place, fix credentials and firmware first, then segment, then add logging and 802.1X. The Canadian Centre for Cyber Security baseline controls are a good plain-language reference for small and medium organizations that need a defensible starting point.
References
Last updated 2026-06-14.