Is your AV equipment putting your company's cyber security at risk?

"The change and transformation that AV brings is fantastic, but it’s all a potential proxy for the bad guys to get into an organisation"
Earlier this year, I had an interesting chat with a man whose job was to re-stock vending machines around the country.

He explained to me that his job is now made much easier because he is able to decide strategically which machines he needs to visit first (if at all) and how much stock he needs to carry in his van.

This is because the machines he checks are now connected to a network, with each machine providing real-time data on sales and stock levels. This information helps to enhance revenue opportunities (no empty shelves) and remove wasted journeys.

However, he explained that connecting the machines is not without risk, recounting how one company (he asked that we didn't name them) experienced a major cyber attack, with criminals gaining access to its confidential files (data) through weaknesses in the vending machine’s security.

If a vending machine can provide a doorway for criminals, how about connected AV equipment?

“Any "smart" device (i.e. vending machine) is a computer with an OS that controls and operates a technological process," leading security software firm Kaspersky Lab told AVTE. "Usually, smart devices are based on the Linux OS and have external network connections via HTTP/HTTPS (standard Web interface), FTP, Telnet or SSH. For some reason, in some companies, such devices are part of an internal network with other classical computers.

“Also, in some cases, such smart devices have Internet connections to a cloud service, and this results in the following: there is a Linux-based computer with possibly out-dated or vulnerable software installed (and usually these types of devices are not being sufficiently updated) and that is connected both to the Internet and internal network. This can serve as a perfect entry point for criminals.”

Jason Hart, CTO, data protection at Gemalto – a world leader in digital security – agreed, stating that any piece of connected AV equipment creates added opportunities for cyber criminals to gain access to your precious data.

“Anyone with digital signage, uses digital displays, does video conferencing, uses a microphone and has speakers are all potentially at risk," he explained. “Every piece of equipment that’s connected to a network is a potential doorway for a hacker. Anyone with a digital display, or does video conferencing, uses microphones and has speakers are potentially at risk. Think about all the information displayed on an interactive whiteboard? Your entire business strategy might have been outlined, containing highly confidential information. That whiteboard is recording everything electronically and storing it on a computer and that computer is backing it up to the cloud. If I was a bad guy and could access that information, the ramifications could be enormous.

"Statistically, the threat levels are growing. Figures from the Online Trust Alliance (OTA) place the number of reported cyber attacks on businesses in 2017 as just shy of 160,000 – that’s double the figure in 2015. Combined with unreported cases, the OTA puts the figure closer to 350,000 – the population of Bristol."

He continued: "What about a lawyer or a legal counsel using forms of AV technology, such as conference calling? What if I could find that conference calling system online and listen in to the calls without them even knowing?

"The change and transformation that AV brings is fantastic, but it’s all a potential proxy for the bad guys to get into an organisation."

Every company a target

Statistically, the threat levels are growing. Figures from the Online Trust Alliance (OTA) place the number of reported cyber attacks on businesses in 2017 as just shy of 160,000 – that’s double the figure in 2015. Combined with unreported cases (quick fixes, embarrassment, ransom paid), the OTA puts the figure closer to 350,000 – the population of Bristol.

It’s not just small companies either. Many highly successful and highly resourced companies have made the headlines in recent years due to vulnerabilities in their security. Equifax, Uber, Verizon, Yahoo, Vodafone, Carphone Warehouse, AA, Deloitte, NHS, and PlayStation – the list goes on. Hacks come in many different forms. For some hackers, it’s the thrill and the self-satisfaction of being able to gain access to something they shouldn’t. Some just want to be a nuisance.

Take last year’s attack on Union Station in Washington DC for example, when a large advertising display was hacked during rush hour to display pornographic content. Embarrassment aside (and a few difficult questions from children) the hack was harmless – a warning to up their security at worst.

On the flipside, some hackers – “the bad guys” – do it for personal gain. A career in targeting your data to use, sell, manipulate or hold to ransom. Such incidents can cause irreparable damage to a company or an individual (remember all the angry wives after the Ashley Madison hack?).

Perhaps the most startling figure is that 93 per cent of all breaches in 2017 could have been avoided by using common and simple security practices.

Username and password 

Hart, a self-labelled ‘ethical hacker’ who uses his skills to help businesses stay protected, went on to explain that the main way for hackers to gain access to a company’s data begins with a standard username and password login.

He said many products, with digital signage a prime example, often ship with a manufacturer’s default password, which can be found with a simple online search. Examples of this have made the headlines in recent years, most notably at Union Station, where a hacker was able to access a display to stream pornographic content during rush hour.

When targeting individuals, usernames, he suggests, are very simple to obtain, often being the employee’s email address. Passwords, however, take more work and skill, with hackers using various techniques to gain access. These include profiling an individual on sites such as Facebook to learn more about their life (football team, child’s name, a pet etc.), as well as on blogs and personal websites.

“I’d start with doing a bit of digging on you. It would be very simple,” Hart explained. “I have your email address already, I know who you work for, so I’d be able to find some form of digital footprint online. Very quickly I’d be able to automate that and find out your hobbies and interests plus potentially some family linkage as well.

“Everyone’s password is unique and almost always has a meaning to them. So the probability is your password is linked to a family name, an interest or a hobby. That would be my starting point.

“Once in, the second step I’d take is to quickly map your email address to any other associations online you use it for. Accounts such as Twitter, Facebook, LinkedIn, Google and all the usual suspects. I can quickly establish the relationship between your email addresses and your online accounts. Passwords are often the same across every account, or adjusted by a capital or number added at the end. From there, I can create a profile of you as an individual and look at your business associations and your business life. I have enough information to start conducting direct attacks against you without you even knowing.

“I could send you an email from a fake account, which you would believe has come from a family member or someone you work with and trust. It could ask you to check something via a familiar link, which you have no reason to doubt is genuine. That link would take you to a site you use, where you will willingly enter your email. Unbeknown to you, I’ve been the man in the middle and I’ve captured your information.”

Hart said a company or individual is far less likely to become a victim of an online attack if they change their security to temporary, one-time passwords.

“The world is reliant on passwords. If we remove the need for a password, we remove 80-90 per cent of every breach that occurs. Every major breach that occurs starts with the compromise of a username and password. So, why not eradicate passwords and replace them with one-time passwords? In the event of a bad guy capturing a password that he or she believes you’re using, it immediately becomes invalid. This technology exists today. People sometimes portray security as a black art. It’s really not. It should be at the forefront of every individual. It doesn’t need to be complicated.”

Art Weeks, IP product manager at ZeeVee added: “Users that don’t take the time to modify the default passwords associated with the system put the system at risk. Changing passwords doesn’t guarantee that someone can’t access the control system for the AV over IP deployment, but it’s certainly better than leaving the easily guessed defaults.”

Kaspersky added that every business, big or small, should conduct a thorough security assessment. It also recommends deploying a separate network for specific needs and for areas where security risks may be higher, ensuring that, should an attack take place, the most sensitive data is not exposed.

“In order to keep your network safe, separation is key,” the firm said. “Any devices that are using network connections should be separated from the main corporate network. Secondly, the company needs to update all software installed on all devices on a regular basis, even the smart coffee machine, and always change the default password. As for industrial control systems (ICS), it is highly recommended to use special security network monitoring solutions to prevent a potentially catastrophic event."
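As an added illustration (not Kaspersky's tooling), the sketch below turns that advice and the firm's earlier description of smart devices into an inventory check: it flags AV devices that sit on the corporate network, expose cleartext management services such as FTP, Telnet or plain HTTP, still use a default password, or run old firmware. The subnets, device names, inventory fields and 180-day firmware policy are all constructed assumptions.

```python
import ipaddress

CORPORATE_NET = ipaddress.ip_network("10.10.0.0/16")   # assumed main office LAN
AV_NET = ipaddress.ip_network("10.50.20.0/24")         # assumed dedicated AV segment
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}
MAX_FIRMWARE_AGE_DAYS = 180                            # assumed patch policy

# Constructed inventory, e.g. merged from an asset register and scan results.
INVENTORY = [
    {"name": "lobby-signage", "ip": "10.10.4.21", "ports": [23, 80],
     "default_password": True, "firmware_age_days": 900},
    {"name": "boardroom-vc", "ip": "10.50.20.5", "ports": [22, 443],
     "default_password": False, "firmware_age_days": 30},
    {"name": "whiteboard-3f", "ip": "10.50.20.9", "ports": [21, 443],
     "default_password": False, "firmware_age_days": 400},
]

def audit(device: dict) -> list[str]:
    """Return the list of policy findings for one device (empty if clean)."""
    findings = []
    addr = ipaddress.ip_address(device["ip"])
    if addr in CORPORATE_NET:
        findings.append("on corporate network, not segregated")
    elif addr not in AV_NET:
        findings.append("outside any known segment")
    exposed = sorted(CLEARTEXT_PORTS[p] for p in device["ports"]
                     if p in CLEARTEXT_PORTS)
    if exposed:
        findings.append("cleartext management services: " + ", ".join(exposed))
    if device["default_password"]:
        findings.append("default password still set")
    if device["firmware_age_days"] > MAX_FIRMWARE_AGE_DAYS:
        findings.append("firmware older than policy allows")
    return findings

def audit_all(inventory=INVENTORY) -> dict:
    return {d["name"]: audit(d) for d in inventory}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or "OK")
```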
