In the first part of this cybersecurity feature we revealed the three main areas of security that integrators need to consider to ensure systems are as secure as possible. In the final part Steve Montgomery looks at port management and how data integrity can be maintained in transit.
“The question of which ports a product uses should be asked, and for what,” says Chris Fitzsimmons, product manager, video products, Biamp Systems. “A good manufacturer will provide a list of ports that the product needs to have open to operate. This allows a customer to track expected and unexpected port traffic using common network security tools. Biamp’s Tesira devices have multiple network ports or NICs, designed so that it is impossible to directly route traffic from one to the other. The network interfaces are physically isolated from one another.”
The internal operation of the device is one area in which device manufacturers have complete control and can aid integrators in their quest for system security. At the base level, most equipment is built around a commercial operating system; commonly Linux, Unix or Windows Embedded. Each of these has known vulnerabilities and offers openings for hackers to penetrate. Manufacturers should provide information on the OS used and their support procedures to update it, along with the device firmware, which can also be compromised. This often goes beyond the commercial availability of an individual product: despite a component becoming obsolete, its actual usage will continue, often for many years. Manufacturers must assure operators that it will be supported with new patches and firmware as and when necessary. The mitigation for device firmware hacking is for the code to be cryptographically signed, and the signing key to be kept secret by the software authors.
Most, if not all, devices include features that are not needed by many users. These can also present opportunities for malicious activity. As Spiros Andreou, service delivery manager for CDEC, explains: “Many networked AV devices will feature a range of administration options depending on their complexity and usage. One of the most common is Telnet, which is completely insecure and utilises no encryption whatsoever. It is probably the most forgotten-about protocol, which many integrators will install without even changing the default password, allowing any attacker with network access to instantly compromise the device and potentially launch further attacks on other targets, monitor data or disrupt the network. It is important to understand what protocols are in use and what level of encryption they support. A remote or on-site attacker should find that any unneeded services like Telnet and VNC are disabled on the device, with strong access required to re-enable them.”
It’s not always obvious to users what information a device might be sharing
Paul Lipman, BullGuard
Maintaining the integrity of data during processing and in transit is essential. Integrators should gain agreement from manufacturers that internally stored data is not accessible to outsiders. Some AV devices, such as signage players, may contain cached content that would be classed as a breach under the General Data Protection Regulation if stolen. If devices are destined to have data stored on them, the internal disks should be encrypted with a FIPS-140-2 (the US government cryptographic minimum standards) encryption scheme. Andreou points out that: “Cryptography is hard to implement while maintaining functionality and usability unless it is designed into the device. This should be considered carefully when selecting a product. Under ISO27001 this control would be covered by A.9 (access control) A.11 (physical security) and A.10 (cryptography).”
Lack of encryption of audio streams passing across a network is a particular concern of Roland Hemming, consultant at RH Consulting: “Audio networks transmit unencrypted streams that could be accessed anywhere in the building, by anyone with a suitable network connection. This is a danger in both commercial systems from sensitive meetings and entertainment systems with risk to intellectual property. The industry chose convenience over security a long time ago and it will take a massive effort to transition to secure systems with such a legacy, but something we should be demanding from manufacturers. Although the encryption process adds unwelcome complexity and delay, I believe that is a price worth paying. There is sufficient headroom in audio systems that currently have a latency of just 1-2ms to include it, even if the delay is more. It is manageable and won’t be noticed. The benefits to the industry are immense.”
If AV data is encrypted before going onto the network, you enjoy one more layer of protection
Justin Kennington, SDVoE Alliance
Justin Kennington, president, SDVoE Alliance, suggests that: “For AV distribution products, the question of what level of encryption is used to protect data should be asked. This is important because data thieves can attack the network and record sensitive video such as camera feeds and confidential PowerPoint presentations. If AV data is encrypted before going onto the network, you enjoy one more layer of protection.”
A further issue is the return of live operational system data to manufacturers. “Many devices are designed to send information back to the manufacturer. This is a form of digital feedback, and according to manufacturers, helps them understand how their products are being used and refine their development,” says Paul Lipman, CEO at consumer cybersecurity company BullGuard. “It’s also a privacy question. It’s not always obvious to users what information a device might be sharing. However, in terms of data travelling over the internet the big question is whether it is secured with encryption so if it’s intercepted it can’t be read. Also, some projects use the cloud to gather, store and analyse data. It’s an efficient, scalable and affordable way to both manage devices and handle all the information that comes from devices. This will be done via a cloud management interface but it needs to be secure.”
Once the three main areas of consideration have been addressed, integrators are advised to test, monitor and review system operation – in conjunction with suppliers where necessary. Fitszimmons offers these words of advice: “Ask the manufacturer to provide a device to run a penetration test on. It’s a win for both parties. The manufacturer gains information about potential vulnerabilities in its product, and the customer IT team gains prima facie evidence of the robustness, or not, of the product.”
An ongoing dialogue between the integrator and manufacturer is essential in ensuring the long-term security of AV network-based systems. As Andreou sums up: “Integrators can help manage the increasingly treacherous world of AV device security, working closely with network administrators and suppliers. From the manufacturer’s perspective, maintaining a proactive security posture as a manufacturer may be the golden ticket to successful supply tenders at security-conscious businesses.”