Like peeling away layers of an onion, securing today’s networks means understanding A/V.
After spending millions to lock down the security of routers, switches, firewalls, and servers, did you think to check the teleconferencing system?
Let’s be realistic, no hacker is going to break into a network just to make the motorized window shades go up and down. Or to find out when a projector lamp or printer toner cartridge is due for replacement. Though the customer database and credit-card data or employee master payroll file constitute more likely targets, wreaking havoc with lighting, HVAC, and facilities management applications is no less tempting a target — at least for the recreational hacker or so-called hacker-in-training.
However the threat matrix appears, playing a strong defense is the best offense. So, who ya gonna call? It won’t be Ghostbusters. We opted for a security expert.
Phillip Mahan is director of Risk Services for the Continuous Security and Compliance practice of Williams & Garcia, an Atlanta-based technology solution provider. He has plenty to say and lots of stories to tell.
“A lot of the security breaches that I see boils down to failures of the simplest kind. I see crucial networking hardware in production with the default user name and password still in place. In corporate conference rooms and even boardrooms, I see user names and passwords for accessing the network or A/V controllers written on yellow Post-it Notes. Whether it’s an A/V room controller or a network server, these are nothing more than IP addresses that need to be protected.” Whenever the ugly Post-it breach is discovered, Mahan discreetly changes the password, removes the offending cheat sheet, then diplomatically explains the judgment lapse to his client.
Security consists of two components, the product itself and the policies put into place by the end-user organization, regardless of vertical industry. A device that incorporates the most robust access protections is wholly unsecured if the user name and password is written on a little yellow sticky note, whether or not the default has been changed.
The products themselves do pass muster, according to Josh Stene, director of Technology Management at A/V solutions manufacturer Crestron. “Products routinely conform to accepted security protocols, and go through network security testing before they are allowed on the network.”
IT departments routinely spend millions of dollars creating perimeter firewalls to ward off attacks from the outside. As the Post-it Note scenario shows, the threat of unauthorized access from within the perimeter — the proverbial inside job — cannot be overlooked. Both perimeter and interior intrusion protection are essential.
“Network security should be built like an onion, with many layers,” says Tim McInerney, director of Product Management at A/V control manufacturer Savant Systems. “It’s not one magic security feature, but a combination of layers that keeps everything secure. Breach one layer and you’ve got another underneath to contain the intrusion.” And on and on.
Walk Right In, Sit Right Down
It’s problematic enough when the bad guys break in through the back door and breach the firewall. But, it’s worse when you’ve rolled out the red carpet, inviting them in as honored guests. But, that’s exactly what happens with teleconferencing and videoconferencing, says Brian Ricca, northern regional director for KBZ Communications, a Cisco exclusive TelePresence distributor based in Doylestown, Pa.
“Multimedia projector and other A/V products have no need to get out past the firewall; they can live on a closed network, VLAN, or subnet. But, you can’t deploy video that way. On a closed network, videoconferencing is useless — you installed it for business-to-business communications. For that reason, it needs to get out to the public Internet,” says Ricca. And that’s where the trouble starts. “We’re finding that KBZ is doing a lot more A/V training within the IT department. It’s clear that IT needs a much better understanding of how A/V products work.”
To deal with the threats that videoconferencing poses, KBZ urges its customers to implement five simple suggestions. They include turning off auto-answer, requiring an administrative password, enabling encryption, keeping microphones on mute and the all-important installation of TelePresence behind the firewall.
Even the lofty New York Times sees the videoconferencing threat as news that’s fit to print. In January, the paper noted that it’s common practice to install videoconferencing solutions outside the firewall, essentially rendering their ability to encrypt video streams moot. Default configurations that accept inbound calls automatically add more woes.
Savant’s McInerney sounds the same theme, admonishing IT departments to keep the A/V devices on a separate subnet logically isolated from the mainstream computer network. “Use firewalls to allow only designated data to pass through specified ports. And always have secure login and passwords on all devices.” In other words, the gear isn’t the problem, it’s the people using it.
That being the case, who’s doing it right? KBZ’s Ricca gives high marks to the health care industry. “Health care is tops when it comes to security, due largely to the expansion in electronic patient records and regulations like HIPAA. By far, health care is most hyperaware of the need for security.”
More on Security:
Unfortunately, for every top security performer, there is an also-ran. Says Ricca, “Without a doubt, hospitality is worst from an IT and security perspective. In almost all conference rooms and business centers, the A/V and IT experience is poor.” He attributes this, in large part, to hotels’ standard practice of outsourcing IT services. “When you work through a third party, something is bound to fall through the cracks.” A hotel’s business center, designed to make it easy for guests to network, is especially vulnerable.
Mahan’s take is not all that different. Though houses of worship have physical security to protect parishioners and assets, they have virtually nothing in the way of network security. Hospitality is his middle ground, with security people sometimes on staff, but with a focus on making networking seamless for the guest that creates exposure. That leaves corporations as the wider target for mischief. “After all, that’s where the mother lode is.”
The bottom line is that A/V security is no different than anything else on the network. Devices should be isolated on a VLAN or subnet when possible. Best practices and policies for password protection must be enforced. Videoconferencing, which blasts a hole through the firewall, allowing outside customers to come right in, deserves heightened awareness.
So, what is Mahan’s security philosophy? “It’s simply a matter of making it harder to access you than your neighbor, no different than the camper who need not outrun an attacking bear, but just outpace one other camper.”
To learn more contact MCC today!