Thoughts on security in ProAV and in general

Security in anything network-connected has always been important. It doesn’t matter if it’s a big corporation or a simple baby monitor at home.
This is a text about common sense but also my personal opinions. It’s not a comprehensive guide or an answer to everything you ever wanted to know on any topic whatsoever. But it is, according to me, some things you should consider when designing a solution or choosing products for your customers.

Unfortunately, a lot of us still don’t see it and I am afraid they won’t see it until it is too late. Perhaps by being subject to an attack because the home NAS wasn’t firmware updated or because there was a deliberate but ill-considered opening of the company firewall. No matter what, the human factor was probably in play. Either because of lack of interest (the “that won’t happen to me” attitude) or because of lack of resources to do more in the local network. Because let’s face it, it’s a lot to keep track of nowadays!

It is more than 20 years since the first products in ProAV got network connected, and it was a time when the climate was less harsh and connecting a device wasn’t considered a risk nor, for that matter, a necessity. After all, most products back then could be controlled using point-to-point methods like RS-232 or IR.

But things evolve and we are probably more security conscious than ever today in some areas, but in other areas we put our heads in the sand and hope for the best. The best being that no one notices how bad we are at security in today’s IoT world. We put methods in place to secure our personal online presence, like MFA (Multi Factor Authentication) for e-mail and social media accounts, but the password to log in to a ProAV device like a scheduling panel or an MTR (Microsoft Teams Room) system can remain the default.

Some manufacturers force us to set a password by removing the default one or even let us choose the default administrator username (in the hope that we don’t choose admin). It may be another thing we have to document and keep safe for the next time we need to access the system but it should not be seen as a problem to do so!

Tip number one:
Make sure you choose products that require passwords to access.
Also make sure to use unique passwords for each installation or maybe even each product in an installation!

In a modern IT network and IT environment there are plenty of mechanisms and features to make sure a product is as safe as it can be and we in the ProAV business must simply face it; we are today a part of those networks and we need to step up our game when it comes to these features! Saying “that’s the network guys’ problem” isn’t going to cut it in the future.

What we will look for here is first and foremost products that at the very least implement encryption. Make sure the products can be accessed using HTTPS and that HTTP is turned off or forwards the user to the HTTPS page on the product. Also make sure the product uses SSH instead of Telnet, and SFTP or FTPS instead of FTP if it can receive files.
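To check exactly these points on a device you are installing, here is an added example of my own (not from the original post or any manufacturer): a small Python script that reports cleartext management services and whether HTTP merely forwards to HTTPS. It assumes the device answers on the standard ports (21, 22, 23, 80, 443) and that you are testing equipment in your own installation.

```python
"""Report cleartext management services on a networked AV device (added example)."""
import socket
from http.client import HTTPConnection
from urllib.parse import urlsplit

CLEARTEXT_PORTS = {23: "telnet", 21: "ftp", 80: "http"}  # HTTP is tolerated only as a forwarder

def is_open(host, port, timeout=2.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def http_response(host, timeout=3.0):
    """GET http://host/ and return (status, Location header or None)."""
    conn = HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def redirects_to_https(status, location, host):
    """True only for a 3xx whose Location is an https:// URL on the same host."""
    if not (300 <= status < 400) or not location:
        return False
    parts = urlsplit(location)
    return parts.scheme == "https" and parts.hostname in (None, host)

def assess(open_ports, http_forwards_to_https):
    """Turn observations into findings; pure, so it can be tested offline."""
    findings = []
    for port, name in CLEARTEXT_PORTS.items():
        if port in open_ports and not (port == 80 and http_forwards_to_https):
            findings.append(f"{name} (tcp/{port}) accepts cleartext connections")
    if 443 not in open_ports:
        findings.append("no HTTPS management interface on tcp/443")
    return findings

def audit(host):
    open_ports = {p for p in (21, 22, 23, 80, 443) if is_open(host, p)}
    forwards = False
    if 80 in open_ports:
        try:
            forwards = redirects_to_https(*http_response(host), host)
        except OSError:
            pass
    return assess(open_ports, forwards)
```

A device that passes returns an empty list from `audit()`; anything else is a question for the manufacturer before the product goes into the project.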

Also, make it a habit to choose products that support 802.1X (sometimes referred to by other names like dot1x or similar) using certificates. 802.1X is a protocol used to make sure only authorised devices gain access to the VLANs in the network we want to protect. It is likely that many networks where we install products today don’t themselves support 802.1X for network authentication, but I would still recommend choosing them. The reason is simple: if the manufacturer chose to implement certificate-based 802.1X in the product, they are probably more serious than those that did not when it comes to other aspects of security in their products.

Tip number two:
Make sure your products support encryption and authentication! Don't leave it to the network department to sort out security but make it a priority to use products where the manufacturer chose to care about security!

Next, let’s make sure we help the end customer keep the systems secure by keeping them well informed of new firmware releases containing essential new features. And since security in itself should be seen as a high-priority feature, the customer should always be informed when a firmware release addressing a security issue is published!

Some, but not all, manufacturers have really excellent web pages or microsites addressing security questions, such as whether they are affected by a specific vulnerability that is currently being actively exploited by malicious actors. Check with the manufacturer how you can stay informed about these issues, along with when new firmware is released that is important to your customers.

If a product is stated as End of Support by the manufacturer, or no firmware release has been published in a long time, and you use HTTPS or SSH to access it, you can probably assume it is not secure anymore, since there have been several vulnerabilities in protocols like SSH over the past years.

Tip number three:
Familiarise yourself with how a manufacturer publishes information about security before specifying their products in a project. It's probably a lot easier to get these questions answered before a purchase than as a support case afterwards.
Also, make sure to update products in your installations when a new firmware is released.

A lot of products today use cloud services for different purposes. Sometimes there are clear explanations for how these work, where data is sent, where it is stored and for how long. Here in Europe (where we love our regulations, for good and for bad) we have GDPR regulating this, meaning it’s up to us to always be able to answer these questions. Some think an American or other cloud storage isn’t allowed to be used because of GDPR, but that isn’t the case. The regulation is there mainly because we have to be able to answer the questions why, what, where and for how long we will store data. Yes, some data is more sensitive than other data, but there really shouldn’t be a reason for us to store that kind of data outside of the EU.

Also, is there always a reason for storing data somewhere outside of the customer site? In some cases, yes, of course, like when you use a cloud service for scheduling panels. But is there really a reason in other cases? Remember that data is the new gold and companies will go far to get hold of your data for their own internal use (remember the saying “if the service is free, you are the product”). If you are the least bit paranoid, check that any kind of cloud service can be turned off in the product and then run Wireshark to see if the product still tries to send data somewhere. Some products do… and it’s hard to find out if the data is encrypted. But at the very least, make sure the transfer of data from your products can be turned off if you don’t need the service.
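As an added example (my own, not part of the original post), the following Python script summarises which off-site addresses a device still contacts after its cloud features are switched off, reading the kind of field export tshark can produce from a Wireshark capture. The device address, the sample lines and the port list are constructed assumptions.

```python
"""Summarise where an AV device still talks after its cloud features are off (added example)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed input: tshark -r capture.pcap -T fields -E separator=, \
#   -e ip.src -e ip.dst -e tcp.dstport -e udp.dstport
DEVICE_IP = "192.168.10.50"  # constructed: address of the device under test
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TLS_PORTS = {443, 8443, 853}  # ports conventionally carrying TLS (heuristic only)
# Constructed sample of tshark field output, not a real capture.
SAMPLE = """\
192.168.10.50,192.168.10.1,,53
192.168.10.50,203.0.113.10,443,
192.168.10.50,203.0.113.10,443,
192.168.10.50,198.51.100.7,8080,
192.168.10.50,192.168.10.20,80,
192.168.10.1,192.168.10.50,,40000
192.168.10.50,198.51.100.9,,123
"""

def parse_flows(text):
    """Yield (src, dst, port) per packet; port is the TCP or UDP destination port."""
    for line in text.splitlines():
        if line.strip():
            src, dst, tcp, udp = line.split(",")
            port = int(tcp or udp) if (tcp or udp) else None
            yield src, dst, port

def is_private(addr):
    """True for RFC 1918 addresses, i.e. traffic staying on the customer site."""
    return any(ip_address(addr) in net for net in PRIVATE)

def external_egress(text, device_ip=DEVICE_IP):
    """Count packets the device sends off-site, keyed by (destination, port)."""
    counts = Counter()
    for src, dst, port in parse_flows(text):
        if src == device_ip and not is_private(dst):
            counts[(dst, port)] += 1
    return dict(counts)

def likely_cleartext(egress):
    """Off-site destinations reached on ports that do not usually carry TLS."""
    return sorted(k for k in egress if k[1] not in TLS_PORTS)

if __name__ == "__main__":
    import sys
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    egress = external_egress(text)
    print("off-site destinations:", egress)
    print("not obviously encrypted:", likely_cleartext(egress))
```

Port-based classification is only a heuristic: NTP on udp/123 is expected to be plaintext, and confirming that the tcp/443 traffic really is TLS needs the packet contents, not just the ports.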

Tip number four:
Make sure you are up to date with local regulations.
Also make sure products don't send data to the manufacturer or someone else when there is no reason for it!

Now and then when I am in a call with a customer or visit them to discuss their solutions from a network perspective, we end up in very interesting discussions. Often, we all know we can do more but it is always a fine balancing act to do enough for the particular installation while at the same time making sure things are secure enough.

A customer can for example talk at length about how much they have done to make sure their laptops, servers and printers are secure, so that no one can unplug the devices and gain access to the network by hooking up a simple dumb switch and then start scanning the network. But when asked how they secured the signage display in the lobby or in some other common area, the room tends to go silent. No one wants to open that can of worms with monitors or TVs that were bought 4-6 years ago and that no one even thought about that much… But with the ever increasing number of products we add to our installations, our IoT networks, bringing our private devices to the office for convenience, the more complex the environment gets. The more attack vectors are introduced. And before long it’s getting out of hand and we feel like we lose control.

Because after all, we don’t even know if there has been a firmware release for that old monitor in the lounge, or if the employees secure their laptops with firewalls and antivirus or have even updated them properly for the past years. Or even worse, did they just connect their own laptop to our corporate network, leave it there overnight turned on and possibly with something malicious on it?
