The security of AV endpoints is steadily improving. But dangerous loopholes remain that could potentially spell serious trouble for the corporate network. Paul Bray finds out how to close them, and what steps can be taken to help keep the whole infrastructure safe.
Crestron technology is used at 16 Air Assault Brigade’s 4GD SmartFacility
The Corporate IT Network
Connecting AV devices to a network makes them easier to access, easier to share and easier to manage. Done well it can bring enhanced flexibility, greater scalability and reduced cost. But done badly it can compromise security. Poorly secured AV systems are now seen as a potential back door into the corporate IT network itself.
The first line of defence is often the security features built into the AV endpoint – assuming there are any. “Security features and accommodations vary wildly among AV products,” says Trent Wagner, senior product manager at Q-Sys. “Often the bare minimum may be a means for single level (admin) access control. It’s not uncommon to find devices that still have insecure protocols such as FTP or Telnet enabled by default.”
However, more fully-featured devices may have more standard security functionality in place, such as multi-user role-based access with strong password policies, the ability to install corporate certificates, 802.1X support, and the use of secure protocols such as SSH, SFTP and HTTPS in place of their plaintext equivalents.
“Security is becoming a priority for manufacturers of AV and networking products,” adds Matthew Hale, pre-sales and technical support engineer at Kramer. “It’s not uncommon to see encryption, strong authentication, secure boot, firmware integrity checks, automatic updates, and network access control (NAC).”
“The most prevalent generic security feature is authentication,” says Graham Agambar, director of integrator Tateside. “This can range from the usual name and password to the platform undertaking two-factor authentication, by issuing a token or, more rarely, using biometric checks.”
“Products increasingly have the ability to enforce password complexity requirements and leverage external authentication through solutions such as Microsoft Active Directory,” says Brandon Leiker, principal solutions architect at 11:11 Systems.
Datapath’s Aetria solution has been designed to benefit operators and control room managers
Products are now shipping with default configurations that use secure protocols such as HTTPS and SSH, and manufacturers are providing best-practice and hardening guides with instructions on securing the product. In addition, devices often have privacy covers and indicator lights to let users know when the device is on and active.
It is important to choose reputable manufacturers that prioritise security in their products, according to Chris Vaughan, vice-president of technical account management at Tanium. Look for companies with a strong track record of implementing robust security measures and regularly releasing firmware updates to address any vulnerabilities that may arise.
Reputable manufacturers often undergo third-party security audits and obtain certifications, such as ISO 27001 or SOC 2. Levels of encryption and authentication protocols can also be checked (e.g. strong encryption algorithms such as AES-256, which protect data in transit and at rest). And manufacturers’ support and community forums can provide valuable information from other users about the overall security and reliability of the products you’re considering.
Provenance can be important, too. “Suppose you’re connecting an AV device that’s authorised in all respects, but it contains a bit of dodgy code that the manufacturer didn’t know was there because of where it was made,” says Rob Moodey, strategic partnerships manager at Matrox. “There are very good reasons why some user organisations are fussy about the country of origin.”
“Check the manufacturer’s documentation to ensure product functions and specifications meet expectations for deployment in the intended application or environment,” advises Wagner. “Manufacturers may also be able to provide internal or independent penetration testing results and mitigation steps for any open vulnerabilities. Best practices for deployment supplied by the manufacturer should be taken into consideration in conjunction with established corporate policies.”
Another thing you can do is ask manufacturers what ports their devices use, adds Moodey. “Once you know that, then close all the other ones.”
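The advice above (know which ports a device needs, then close everything else, and in particular legacy cleartext services such as FTP and Telnet that some products still ship enabled) is easy to turn into a repeatable check. The following is an added example, not code from the article or from any vendor named in it: it compares the ports found open by a scan against the ports the manufacturer documents. The scan output is a constructed sample in nmap's grepable (-oG) format, and the documented port list is an assumption standing in for a real hardening guide; the device name and address are invented.

```python
"""Port-exposure audit for a networked AV endpoint (added example).

Compares what a scan actually found open against the ports the vendor
documents, and flags legacy cleartext services regardless of documentation.
Produce a real scan with: nmap -sS -p- -oG scan.txt <device>
Only TCP is checked here; media streams are usually UDP and need a separate
`nmap -sU` pass.
"""
import re
from dataclasses import dataclass

# Services that should not be reachable on a modern AV device at all.
LEGACY_CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp v1/v2c"}

# Constructed sample (assumption): ports a vendor hardening guide documents.
DOCUMENTED_PORTS = {
    22: "ssh management",
    443: "https control interface",
    8443: "vendor api",
}

# Constructed sample scan output in nmap -oG format; not a real device.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -sS -p- -oG scan.txt 10.20.30.40
Host: 10.20.30.40 (av-encoder-01)\tStatus: Up
Host: 10.20.30.40 (av-encoder-01)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 443/open/tcp//https///, 8443/open/tcp//https-alt///, 8080/closed/tcp//http-proxy///, 9999/open/tcp//abyss///\tIgnored State: filtered (65527)
# Nmap done -- 1 IP address (1 host up) scanned
"""


@dataclass(frozen=True)
class Finding:
    port: int
    service: str
    reason: str


# nmap -oG port field: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(open|closed|filtered)/(tcp|udp)//([^/]*)///")


def parse_grepable(text: str) -> dict:
    """Return {port: service} for every TCP port the scan reports as open."""
    open_ports = {}
    for line in text.splitlines():
        if "Ports:" not in line:
            continue
        for port, state, proto, service in PORT_RE.findall(line):
            if state == "open" and proto == "tcp":
                open_ports[int(port)] = service or "unknown"
    return open_ports


def audit(open_ports: dict, documented: dict) -> list:
    """Flag legacy cleartext services first, then anything undocumented."""
    findings = []
    for port, service in sorted(open_ports.items()):
        if port in LEGACY_CLEARTEXT:
            findings.append(Finding(
                port, service,
                f"legacy cleartext service ({LEGACY_CLEARTEXT[port]}): disable on the device"))
        elif port not in documented:
            findings.append(Finding(
                port, service,
                "not in vendor documentation: disable it, or block it at the switch/firewall"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_grepable(SAMPLE_SCAN), DOCUMENTED_PORTS):
        print(f"{f.port}/tcp ({f.service}): {f.reason}")
```

Run it after every firmware update as well as at commissioning: vendors do occasionally re-enable a service in a new release, and the documented list is the baseline to diff against.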
Do your research well and you should have a product estate with up-to-date security, properly applied. But this is by no means the end of the story. “While built-in security features can significantly improve the security of AV products, they’re not a substitute for good security practices within the organisation,” cautions Hale.
The first step is to know what you are up against. “Keeping up-to-date with the evolving threat landscape is often challenging, but it’s critical,” says Hale. “So regularly review industry publications, threat reports and vendor updates, and engage with cybersecurity experts who can provide insights into current and emerging threats.”
Security should be front of mind from the start. “The security of AV networks is often an afterthought, so follow the principle of ‘security by design’ and incorporate security considerations from the start of the design process,” says Hale. “This can include choosing secure hardware and software, designing for secure data transmission, and incorporating features such as encryption and strong authentication.”
Know all your endpoints
If you don’t know what you have, you can’t protect it. “To identify the various components that make up an AV network, organisations must ensure that they’re fully informed on the number of endpoints (laptops, projectors, displays and IoT devices),” says Vaughan.
Standard perimeter defences, such as a firewall, should be a given these days, along with intrusion detection or intrusion prevention (the former identifies and reports potential threats, the latter can also block them automatically). But ring-fencing the network is no longer considered sufficient.
Most organisations have now realised that it is almost impossible just to install a firewall and assume everything inside it is safe, according to Moodey. “So the next step is to adopt a zero trust policy inside the network. Everyone has to identify themselves all the time for everything. All devices must be on a list of things that are allowed to be on the network, and they can only connect to things they’re allowed to connect to. That’s a big change.”
Trust and access
“Dividing the network into different VLANs, segments or zones, with varying levels of trust and access, limits the impact of a potential breach and ensures that AV systems are isolated and protected,” adds Richard Jonker, vice-president of commercial business development at Netgear.
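The three points above (know every endpoint, keep an allow-list of what may be on the network, and confine AV kit to its own segment) come together in a routine inventory reconciliation. The following is an added example, not code from the article or from any vendor named in it: it takes an ARP-table snapshot of the kind a switch or DHCP server can export and checks each entry against a device inventory keyed by MAC address, reporting unknown devices and known devices that have turned up in the wrong VLAN. The VLAN names, subnets, MAC addresses and device names are all constructed assumptions.

```python
"""Inventory and segmentation check for AV endpoints (added example).

Inputs are a constructed allow-list (MAC -> device, permitted VLAN) and a
constructed ARP snapshot. Real deployments export the inventory from the CMDB
and pull the ARP/DHCP table from the network; the check itself is unchanged.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Device:
    mac: str
    name: str
    vlan: str  # the segment this device is permitted to live in


# Assumed VLAN layout.
VLANS = {
    "av-media": ipaddress.ip_network("10.20.30.0/24"),
    "av-control": ipaddress.ip_network("10.20.31.0/24"),
    "corp-users": ipaddress.ip_network("10.10.0.0/16"),
}

# Constructed allow-list: only these MACs may be on the AV segments.
INVENTORY = {
    "00:11:22:33:44:01": Device("00:11:22:33:44:01", "encoder-01", "av-media"),
    "00:11:22:33:44:02": Device("00:11:22:33:44:02", "display-lobby", "av-media"),
    "00:11:22:33:44:03": Device("00:11:22:33:44:03", "ctrl-proc-01", "av-control"),
}

# Constructed ARP snapshot, one "ip mac" pair per line.
SAMPLE_ARP = """\
10.20.30.11 00:11:22:33:44:01
10.20.30.12 00:11:22:33:44:02
10.20.30.13 00:11:22:33:44:03
10.20.30.99 de:ad:be:ef:00:01
"""


def normalise_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-..., or Cisco-style aabb.ccdd.eeff."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vlan_for(ip: str) -> Optional[str]:
    """Name of the VLAN whose subnet contains `ip`, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def check_arp_table(text: str, inventory: dict = INVENTORY) -> list:
    """Return (ip, mac, verdict) for every entry that needs attention."""
    findings = []
    seen = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac = line.split()
        mac = normalise_mac(mac)
        seen.add(mac)
        dev = inventory.get(mac)
        actual = vlan_for(ip)
        if dev is None:
            findings.append((ip, mac, "unknown device: not in inventory; quarantine"))
        elif actual != dev.vlan:
            findings.append((ip, mac, f"{dev.name} expected on {dev.vlan} but seen on {actual}"))
    # Inventory entries that never appeared are worth a look too: decommissioned
    # kit that still holds credentials, or a device someone has unplugged.
    for mac, dev in inventory.items():
        if mac not in seen:
            findings.append(("-", mac, f"{dev.name} in inventory but not observed"))
    return findings


if __name__ == "__main__":
    for ip, mac, verdict in check_arp_table(SAMPLE_ARP):
        print(f"{ip:<14} {mac}  {verdict}")
```

MAC addresses are trivially spoofed, so this is an inventory hygiene check rather than an access control; the enforcement the article describes belongs in 802.1X/NAC on the switch port, with this report as the audit trail behind it.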
‘Air gapping’ is an increasingly popular technique, according to Moodey. This introduces a path into a workflow that’s specifically not a network path. An example is IP KVM. Remote computers are connected to their own data by a network, but users are connected to the computers through their USB and graphics ports and don’t have network access to the computers.
“Similarly, you might connect networks that are being used for media transfer. They move AV from A to B through the network, but by introducing a gateway between networks, anything that goes wrong with the first network can’t spread to the next. We see ultra low-latency codecs such as JPEG XS being used as an air gap.”
“It’s always worth checking that all streams are protected by encryption and have dynamic key management to ensure that they remain secure over time,” says John Storey, CTO at Datapath. “But that’s of no value if the control interfaces (also network connected) don’t support authentication and even higher levels of encryption. A basic Telnet interface doesn’t cut it today. All control interfaces should at least have the sort of HTTPS/TLS security that we expect of any public website.”
Access to the network via AV endpoints (and, for that matter, all other endpoints) should be strictly controlled. “Role based access, based on the principle of least privilege, and multi-factor authentication (MFA) should be implemented where supported, to reduce potential misuse and unauthorised access,” says Leiker.
“Unique usernames, MAC addresses or strong passwords should be enforced for network devices, AV systems and applications,” adds Jonker.
Emory University School of Medicine has standardised on Lightware Taurus UCX for unified connectivity on mobile professional AV carts
Change default passwords
Default passwords in equipment and applications should always be changed, and factory settings should be reviewed. For example, Vaughan reminds us that built-in microphones in AV kit may be listening to and recording audio unrelated to their primary function. Such recording should be disabled wherever it is not required.
Because security threats evolve all the time, it is vital to keep systems up-to-date. “Take all the firmware upgrades that manufacturers offer, and perform prompt upgrades of operating systems and applications,” advises Moodey. “We see too many reports about exploited vulnerabilities that could have been avoided if a fix had been installed.”
Even with robust security measures in place, it is crucial to regularly monitor and audit AV systems for any signs of unusual activity or unauthorised access, advises Hale.
This can involve regularly checking system logs, conducting security audits, and monitoring intrusion detection or prevention systems. Regular audits can also help identify any security weaknesses, including checking device configurations, reviewing access control policies, and inspecting firewall rules. And penetration testing (simulating an attack on your system) can reveal vulnerabilities that might be missed during a security audit and test the effectiveness of your security measures.
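"Regularly checking system logs" for AV devices is concrete enough to automate. The following is an added example, not code from the article or from any vendor named in it: two detections run over authentication log lines of the kind a control processor or encoder forwards to a syslog collector or SIEM. The first flags a burst of failed logins from one source against one device (credential guessing against a control interface, the default-password risk from earlier in the piece) and notes whether a success followed; the second flags any session over Telnet or FTP, which should not be enabled at all. The log lines and their field layout are constructed samples; the regex has to be adapted to each device's real syslog format.

```python
"""Detection logic over AV device authentication logs (added example).

Assumed line format (constructed): "<iso-timestamp> <device> auth: login
<ok|failed> user=<u> src=<ip> service=<https|ssh|telnet|ftp>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5            # failures ...
FAIL_WINDOW = timedelta(minutes=2)  # ... within this window from one source
CLEARTEXT_SERVICES = {"telnet", "ftp"}

# Constructed sample log: one guessing burst that ends in a successful login,
# one isolated typo, and one admin session over Telnet.
SAMPLE_LOG = """\
2024-05-01T09:00:01 ctrl-proc-01 auth: login failed user=admin src=10.10.4.7 service=https
2024-05-01T09:00:03 ctrl-proc-01 auth: login failed user=admin src=10.10.4.7 service=https
2024-05-01T09:00:05 ctrl-proc-01 auth: login failed user=admin src=10.10.4.7 service=https
2024-05-01T09:00:06 ctrl-proc-01 auth: login failed user=root src=10.10.4.7 service=ssh
2024-05-01T09:00:08 ctrl-proc-01 auth: login failed user=admin src=10.10.4.7 service=https
2024-05-01T09:00:09 ctrl-proc-01 auth: login ok user=admin src=10.10.4.7 service=https
2024-05-01T09:15:00 encoder-01 auth: login failed user=admin src=10.20.31.5 service=https
2024-05-01T09:30:00 encoder-01 auth: login ok user=admin src=10.20.31.5 service=https
2024-05-01T10:02:11 display-lobby auth: login ok user=admin src=10.10.9.3 service=telnet
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) auth: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) service=(?P<service>\S+)$"
)


def parse(text: str) -> list:
    """Turn matching lines into dicts; lines in other formats are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def detect_bruteforce(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW) -> list:
    """One alert per (device, source) that accumulates `threshold` failures
    inside `window`, across any usernames and services. A success after the
    burst is the part that turns a nuisance into an incident."""
    alerts = []
    per_key = defaultdict(list)  # (device, src) -> events in log order
    for e in events:
        per_key[(e["device"], e["src"])].append(e)
    for (device, src), evs in per_key.items():
        fails = [e["ts"] for e in evs if e["result"] == "failed"]
        for i in range(len(fails) - threshold + 1):
            burst_end = fails[i + threshold - 1]
            if burst_end - fails[i] <= window:
                success = any(e["result"] == "ok" and e["ts"] >= burst_end for e in evs)
                alerts.append({"device": device, "src": src,
                               "burst_end": burst_end, "success_after": success})
                break  # one alert per pair is enough
    return alerts


def detect_cleartext_logins(events) -> list:
    """Any Telnet/FTP session is a finding: the service should be disabled and
    any credential sent over it treated as exposed."""
    return [e for e in events if e["service"] in CLEARTEXT_SERVICES]


def run(text: str = SAMPLE_LOG) -> dict:
    events = parse(text)
    return {"bruteforce": detect_bruteforce(events),
            "cleartext": detect_cleartext_logins(events)}


if __name__ == "__main__":
    for a in run()["bruteforce"]:
        print(f"credential guessing on {a['device']} from {a['src']}, "
              f"success afterwards: {a['success_after']}")
    for e in run()["cleartext"]:
        print(f"{e['service']} login on {e['device']} by {e['user']} from {e['src']}")
```

The threshold and window are the usual tuning knobs: a control processor that legitimately sees a handful of mistyped passwords a day should not page anyone, whereas five failures in seconds from one address, followed by a success, is the signature of a default or weak credential being found.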
The Weakest Link
Often the weakest link in the security chain is human. “Take time to educate employees about the importance of AV network security and provide training on best practices,” advises Vaughan. “This includes raising awareness about phishing attacks, social engineering and other common tactics used by would-be attackers.”
One further issue remains to be considered: the wholesale shift to remote and hybrid working in recent years. “The expanded attack surface resulting from remote work and personal device usage increases the risk of unauthorised access and compromises in AV systems,” says Gergely Vida, CEO of Lightware Visual Engineering. “Home networks, often less secure than corporate networks, pose vulnerabilities that can be exploited.
“Organisations need to adapt their AV security strategies to address the specific challenges introduced by the shift towards remote working. This includes implementing robust security controls, providing employee training, securing remote access, and ensuring privacy compliance to protect AV systems and sensitive data in the evolving work environment, including secure devices.”
Control room computers at the Smart Campus of Wiener Netze GmbH were moved to a technical room and connected to KVM matrix switches from G&D
Remote external access security
External access to the network by remote users should also be encrypted, and local authentication, firewalls and VPNs should be employed.
“The risk of eavesdropping has driven demand for AV solutions that are as secure as possible to avoid jeopardising data and confidential information, while giving users the freedom to work from any location,” says Nigel Dunn, vice-president and MD for EMEA north at Jabra. Examples include professional headsets with encrypted wireless links, the highest DECT security level, and FIPS-compliant 256-bit encryption.
In this, as in other respects, the drive to remote working seems actually to have benefited AV security.
“We’ve seen increased attention paid to securing remote connectivity and all the devices a remote worker may use to access corporate resources and services,” says Wagner. “It’s everything from enforcing SSO (single sign-on) and MFA to adopting new services, often cloud-based, that are easier to manage and that enforce good practice for remote access. It’s often made mandatory for any device to opt in to a corporate policy when accessing these services, even with personal devices.”
The growing dependence on IP-based meeting and conferencing platforms to interact and conduct business has increased demand for scalable and ubiquitous software-as-a-service solutions able to provide security and ease of use, adds Leiker. “As a result, AV solutions have been the target of increased scrutiny, and the publicising of security concerns and issues has driven the industry to step up its game.”
Thanks AV Magazine for the coverage in the August/September issue!