Another day, another crippling global cybersecurity breach. Just as these words are being written, the world is reeling from the current cyberattack of the moment, the so-called WannaCry malware. An estimated 200,000 victims were cited across 150 countries by the European police agency Europol. The auto manufacturer Renault shut down, and hospital computers across the United Kingdom were frozen. As per usual, the pundits are calling it a teachable moment, but how many such learning experiences are really needed before the world at large takes serious action in defense of data and information security?
With AV’s continued migration to IP infrastructure (AV over IP), suffice it to say that the risk is clear and present, and the need to secure AV systems from malicious software is critical. Cybersecurity for audiovisual systems is new territory for the AV integration community, but you don’t need to be a security expert to implement key safeguards from the outset of your system designs.
“AV security issues are mainly focused around network segmentation and management—if they are focused on security at all,” said Theresa Payton, CEO of Fortalice Solutions and former White House chief information officer. “The main priority is the network traffic for audiovisual data and ensuring delivery and quality. However, as my team has seen through experience, that lack of security makes them extremely easy to disrupt.”
Many of the basic steps to help protect AV systems data are simply a matter of taking the time and adding an extra step. Changing default passwords is a top recommendation—so basic, it’s often overlooked. “If you need remote access, make sure it is secure. Even small changes to the firewall could expose your customer to gaping security holes with a huge impact, so you need to understand them intricately,” advised Kirk Nesbit, vice president, design and support services, SYNNEX Corporation. “A best practice would be to have the firewall administrator give you SSL VPN access to the network, and then you administer your device instead of poking holes in the firewall for direct access.”
While IoT has dramatically changed the game for information security, it presents a host of challenges. “It is best to install only devices for which the manufacturers have provided a way for resellers to perform updates to underlying OS for security in addition to feature enhancements,” Nesbit added. “Then, have a plan to apply security patches on a regular basis. Many IoT devices released to the public can’t be updated, and could be running some three-year-old unpatched version of Linux—the lowest hanging fruit for hackers.”
A close examination of the customer’s network should be made in order to make recommendations that apply to their specific needs, noted Scott Allard, managing partner, AVNOC, a remote monitoring and service management software solution provider. Ingress and egress—or inbound and outbound network access either by an automated device or manually by a person—or accessing the customer’s network by using tunneling products should be avoided if not approved by the customer. “Those products allow access to a network basically undetected and information can travel without encryption,” he said. “Although it’s usually just to an AV system, it still can leave opportunity for undesirables. There are more secure solutions for remote access that give the end customer full control without providing VPN or allowing a remote desktop to exist in their network.”
Specifics of the use case are a key consideration for Josh Srago, audiovisual design consultant, TEECOM. “Understanding the needs of the client and the devices when it comes to which require access to a network that touches the outside world versus those that can remain self-contained is vital,” he said. “Is the device using Microsoft Exchange for access? And don’t forget, there’s still the physical element—how does the client handle physical loss of a device with access to networked systems?”
Beyond usernames, passwords, and controlling access, paying attention to the methods of remote access used for control, service, and support is a top priority, according to Mike Maniscalco, vice president of product, Ihiji, a remote monitoring SaaS provider for AV integrators. “Additionally, integrators should be sure to disable insecure communication protocols like telnet, HTTP, and unencrypted VPN, and opt for more secure protocols such as SSH, HTTPS, and SSL.”
Oftentimes end users can be their own worst enemies in the world of information security. Everyone wants the AV at work to function like the gadgets they know and love at home. The harsh reality is that this presents difficulties when a company’s intellectual property and means for conducting business could be held for ransom. Talking to clients about the risks their devices of choice present and the necessary precautions they need to take can be a delicate dance.
“Client education is key because ‘wetware,’ or the human-factor, is often the biggest risk to security,” Maniscalco said. “Limiting physical and remote access to devices is a best practice for securing any system. Be sure to educate clients on proper passwords and password management. Lastly, talk to your clients about the phishing schemes and the risk they pose to account security. These types of schemes can result in costly breaches and ransomware attacks.”
Srago starts by talking to clients about how they want to use IoT in their workspace. “Once it’s established what systems they want to interact, it becomes an exercise in working with the IT department to determine how to mitigate as much risk as possible.”
He explicitly calls out the fact that a 100 percent secure network does not exist. “If a device is connected, it is a potential vulnerability. This doesn’t mean that if you connect a smart device to the network, they will get your private data, but it doesn’t mean they won’t, either.”
Working with IT rather than attempting to work around them is a crucial strategy for Srago when it comes to isolating systems through VPNs or VLANs, or using the existing firewalls to your advantage instead of seeking ways through them. “Knowing things like what ports are being used by the manufacturers and whether that’s going to be in conflict with other systems on the company network if the port number can be reassigned, is something simple that we can do to help make deployments easier and show that we are their partners with their best interests in mind.”
One simple add-on service integrators can provide or help facilitate is a vulnerability assessment or penetration test. “At SYNNEX, we have been running free vulnerability assessments for our resellers and their customers for up to five public IPs,” Nesbit said. “The results have been bittersweet: after running several hundred scans, we’ve found only two percent of the networks were secure and had no vulnerabilities. This has opened the eyes of many resellers, and they are now actively incorporating vulnerability assessments into their projects.”
The harsh reality is that no system can be considered beyond breach. This admission can be the first line of defense, followed by detailed action plans held ready for when, not if, a breach occurs. Making false promises to clients about their systems’ security is the first step down an inevitably precarious path. A good dose of common sense, practical precautions, and informed processes will go a long way in the battle for cybersecurity.
What Questions Do You Need to Ask Your Vendors?
AV manufacturers have an important role in promoting network security. For many of them, it’s just as new and different a skill to employ as it is for integrators. Communication among all parties is necessary to ensure AV systems are capable of supporting clients’ information security needs. The process requires due diligence, and integrators and consultants need to hold their vendors accountable.
The experts interviewed for this article provided a wide range of questions that integrators and consultants can put to their vendors.
- Does your product support secure communications?
- Are logins encrypted?
- Can the devices be updated?
- Can the underlying OS and applications be updated?
- Do firmware updates break any pre-existing security setups?
- What data is being tracked, polled, or accessed by your products? Is that information being stored somewhere? If so, is it on premises, or are you storing it on your own servers or cloud service? Who has access to that information at your company? How are you using that data?
- Are you encrypting any data being transported?
- Can credential names and passwords be changed on the devices?
- If accessing via a web browser, are you masking the device’s IP address?
- Are you using two-factor authentication for access to admin accounts?
- How do you build security into your devices?
- How long after a vulnerability is discovered in the underlying OS or applications will the vendor have a patch available?
- If a security researcher discovers a vulnerability on your product, is there a way for them to report it to you? Is that process documented?
- How do you disclose and communicate known security exploits with your devices?
In many cases, there are a lot of manufacturers to choose products from, and that selection now involves new requirements driven by network security considerations. “AV professionals should evaluate vendors for patching frequency, and understand the lead times and testing required before critical security patches can be deployed on AV networks. They’ll want to be sure that they are carefully managing applications that can be deployed on those networks that could cause network traffic and interference with time-sensitive AV data.”
With technology evolving at breakneck speed, integrators should always consider what’s next when selecting products. “Looking toward the future, which really is here now, the integration of home automation and voice-activated systems with AV systems means that there are increasingly major privacy issues with these systems, as they may capture personal information or conversations that need to be protected,” said Max Everett, managing director of Fortalice Solutions and former White House chief information officer. “So AV professionals need to be sure to ask vendors about the privacy implications of these systems. Who is protecting customer data? This is especially important as data is now more likely to be passed to cloud services.”