As we’ve seen, integrators need to make their systems as secure as is reasonably practicable. For the second part of this special report, we ask: what can manufacturers do – in terms of either design of products or provision of information – to help? Steve Montgomery reports.
In an age of ever-increasing security threats, the number of attempted and successful break-ins to IT networks has never been greater. At the same time more devices are being connected to networks and users expect to be able to use them seamlessly, without having to go through rigorous security procedures and set-ups in order to make them work. This puts IT and AV system integrators and administrators in a quandary: how can they ensure simple and widespread access to controlled and uncontrolled devices, while ensuring total security from external – and in some cases internal – threats?
Part of that strategy is aided by the range of security measures and procedures integral to the AV devices used; and those are the responsibility of the equipment manufacturers. No network-based system can be totally secure, no matter what level of security is included, and this is compounded by the ongoing demand from users to add devices, including uncontrolled personal ones, together with the need to access the outside world through internet browsers and email connections. However, heightened security measures increase cost and complexity and reduce user convenience.
“With any kind of security system, IT or otherwise, the main issue being discussed is a balance between what could happen: the hazard, against risk: the chance that something might happen, weighed against the cost to prevent or mitigate that risk,” says Chris Fitzsimmons, product manager, video products, Biamp Systems. “There is never a black and white answer, just increasing levels of confidence in a system based on the steps taken to mitigate high-value items.”
With the increasing sophistication of AV devices and the associated network connectivity, AV systems must include comprehensive security procedures to reduce the risk of cyber attack from both external and internal sources. Terry Galvin, managing director of Indigo IT, explains the implications: “AV devices are no different from any other device or IP-based equipment on a network, in that the network manager has to control the environment’s security and ensure that compliance to the network’s security policy is met.”
Ensuring system security is not a one-time operation, but a continuous process that starts during planning and continues for the lifetime of the devices or system. Says Fitzsimmons: “Before customers even talk to a manufacturer, they should have a clear understanding of what they are trying to avoid or prevent. There is no such thing as a perfect security solution. In fact, security risks are a moving target, and what is safe today will not be safe tomorrow. Security policies and mitigation strategies should be viewed as an ongoing effort, not a ‘one and done’ approach. Strategies need to be continuously re-assessed in the face of new information. This requires continuous dialogue with the manufacturer and a commitment in response that they will support this ongoing effort.”
There are essentially three main areas of security that should be considered by all AV system integrators planning to install complex, network-based systems. Each of these can be addressed in conjunction with device manufacturers to check their adherence to standard IT security procedures and commitment to ensuring the highest level of robust operation and resilience to cyber attack.
- The inherent network security itself and the manner in which AV devices are allowed onto that network;
- The operation of the device, including the firmware, operational procedures and facilities it offers; and
- The methodology of storing data internally and transmitting it over networks from device to device.
Each of these three is affected by the character of the device, which is a fundamental element of the design implemented and supported by the manufacturer.
“AV devices that are permanently connected to a network need to be treated in the same way as any other device on the network,” points out Galvin. “They should be allocated static IP addresses with the MAC address defined on the network so that it is always assigned the same IP address, which effectively locks it down and only authorised users can connect to it.” That MAC address needs to be given to the IT manager so that a unique IP address can be allocated.
Beyond that, system integrators should ensure that sufficient authentication procedures are in place, combined with multi-level password protection, particularly for shared devices. According to Spiros Andreou, service delivery manager for system integrator CDEC: “Most networked AV devices now will support some form of authentication standard, either LDAP, Active Directory or a ‘create your own user’ option. The most problematic devices from a security standpoint only have an Admin account, which means passwords have to be shared widely and any user with the password can make wide-ranging changes to the configuration of that device. The best AV devices will support LDAP or AD authentication with multiple roles, meaning that granular access controls can be defined for administrators, users and read-only and that access can be audited. Check that the supplier implements the ISO27001 standard which requires these controls to be implemented, specified in Annexe A.12 (operations security) and A.9 (access control).”
Connection certification is also important. Andreou continues: “Most AV devices allow HTTPS connections. However, maintaining and improving that security standard is still important to prevent attackers from stealing credentials, disrupting the network and compromising devices. With a large number of meeting rooms, each with a conference bridge or switcher/scaler, purchasing certificates for each device is not viable; however, most large organisations will have their own PKI (public key infrastructure) with which they can create either individual or wildcard security certificates for AV devices.
“This prevents the practice of users skipping through certificate warning messages on browsers and can also detect man-in-the-middle attacks, in which a nefarious user attempts to obtain the password to devices by listening to the communications between the user and the device. Where a device has a hard-coded certificate or comes with its own self-signed certificate and cannot be changed, the certificates should be installed into the certificate store on users’ computers and devices to make sure they are trusted, and expiry dates of those certificates monitored. Again, this is covered in ISO27001.”
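As an added illustration of the certificate practice Andreou describes (this is not code from the article or from any vendor quoted in it): a Python inventory check that verifies each meeting-room device's HTTPS certificate against the organisation's own PKI bundle, flags devices whose certificate is untrusted, and reports how many days remain before expiry. The 30-day warning threshold, the PKI bundle path and the sample certificate are assumptions.

```python
import datetime
import socket
import ssl
from typing import Optional

# Assumption: a device certificate with fewer than this many days left is flagged.
WARN_DAYS = 30


def days_until_expiry(cert: dict, now: datetime.datetime) -> int:
    """Whole days from `now` (timezone-aware) to the certificate's notAfter.

    `cert` has the dict shape returned by SSLSocket.getpeercert(), whose
    notAfter is a string such as 'Jan  1 00:00:00 2031 GMT'. Negative = expired.
    """
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expiry - now.timestamp()) // 86400)


def is_self_signed(cert: dict) -> bool:
    """Issuer equal to subject: the device signed its own certificate."""
    return cert.get("issuer") == cert.get("subject")


def classify(cert: dict, now: datetime.datetime, warn_days: int = WARN_DAYS) -> str:
    days = days_until_expiry(cert, now)
    if days < 0:
        return "EXPIRED"
    return "EXPIRING" if days < warn_days else "OK"


def check_device(host: str, port: int = 443, ca_file: Optional[str] = None,
                 now: Optional[datetime.datetime] = None, timeout: float = 5.0) -> dict:
    """Connect to one device and report trust status and time to expiry.

    ca_file: PEM bundle holding the organisation's PKI root plus any device
    self-signed certificates that were deliberately trusted (None = system store).
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    ctx = ssl.create_default_context(cafile=ca_file)  # hostname + chain verified
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()  # populated only after a successful verify
    except ssl.SSLCertVerificationError as exc:
        # Not issued by the org PKI and not installed in the trust store.
        return {"host": host, "status": "UNTRUSTED", "detail": exc.verify_message}
    except OSError as exc:  # covers ssl.SSLError, timeouts, refused connections
        return {"host": host, "status": "UNREACHABLE", "detail": str(exc)}
    return {"host": host, "status": classify(cert, now),
            "days_left": days_until_expiry(cert, now), "self_signed": is_self_signed(cert)}


# Constructed sample: a self-signed switcher certificate, for a stand-alone run.
SAMPLE_CERT = {"subject": ((("commonName", "room-101-switcher"),),),
               "issuer": ((("commonName", "room-101-switcher"),),),
               "notAfter": "Jan  1 00:00:00 2031 GMT"}
SAMPLE_NOW = datetime.datetime(2030, 12, 12, tzinfo=datetime.timezone.utc)
```

Run against a list of room device hostnames with `check_device(host, ca_file="org-pki.pem")`; anything reported as UNTRUSTED is a device that will produce the browser warnings users otherwise click through.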