Design Principles for Secure AV Systems

Secure AV systems start with smart design. Here are some standards that’ve been around forever but easily apply to modern audiovisual projects.

This article was originally written by Paul Konikowski, and published on Commercial Integrator on March 1, 2019

In my last CI article, we reviewed cyber threats and vulnerabilities in AV systems. Many of the known vulnerabilities, or “vulns” can be fixed with a firmware upgrade, securing your network, and/or enabling passwords; but what else can AV manufacturers, consultants, and integrators do to achieve secure AV systems?

One thing that can be done is to adopt a secure mindset from the get-go when designing secure AV systems, keeping the following design principles in mind.

These principles were outlined by Jerome H. Saltzer and Michael D. Schroeder in an IEEE paper way back in 1975. We will apply those secure design principals to AV systems here.

Economy of mechanism

Keep designs simple, which also means keeping your programming code as small as possible, making it easier to test and analyze. Simpler design means that less can go wrong.

Fail-safe defaults

The default access to a resource should be no access. A good example of something that violates this principle is a wireless router that does not require a password and/or encrypt the traffic by default.

Complete mediation

This means every access to a resource is checked against the access control mechanism, every time, and all attempts to bypass security are prevented.

Open design

“Security by obscurity” does not work. Adapt an open-source attitude so your security does not depend on secrecy. Code and designs should be open for scrutiny by your community. It’s much better to have a friend or colleague find an error, then it is to wait for a bad actor to discover it.

Separation of privilege

Access to rooms, systems, or files should depend on more than one condition. If someone gains access to the AV rack, can they simply access the components using a console cable? Or did you go a step further, and enable passwords, as well as encryption of those passwords?

Least privilege

Users (and programs) should only be given the minimum access rights to complete their tasks. The default access should be none, and then access should be granted as needed, on an individual basis, or based on well-defined roles within the organization. Temporary access can also be granted.

Least common mechanism

This means that one should minimize the amount of mechanisms and/or equipment that is used by more than one user. A good example of this would be a “room PC” in a training room used by multiple instructors. Does each instructor log in with their own credentials?

Psychological acceptability, a.k.a. ease of use

Users will avoid security measures that get in the way of convenience. A physical analogy would be a dead bolt that requires a key on both the outside and the inside. Some people won’t bother locking it from the inside, especially if their key gets stuck in the lock.

Other best practices like layering, isolation, encapsulation, modularity, and auditability should also be kept in mind.

If you enjoyed this article, you might like these related posts on PKaudiovisual:

Identifying Cyber Attacks, Risks, Vulnerabilities in AV Installations

5 Steps to Better Cyber Risk Management

The Best Data Breach Incident Response Plans Require These Steps

 

Advertisements

Know Your Audience, #AVtweeps

Photo of the Brooklyn Bridge by Paul Konikowski

I shared this joke earlier today on Twitter, during an #AVinTheAM online chat:

“An Architect, an IT Director, and an AV Professional walk into a bar…

[The AV Professional could be a consultant, integrator, or manufacturer]

The Architect orders a Vodka Sour, the IT Director orders a Rum and Coke,

The AV Professional says they need to standardize their user experiences,

orders three Long Island Ice Teas, and then asks, ‘who’s paying for these?'”

I hope I don’t offend any architects or IT people with my humor, the joke is really on the AV professional. He or she may think they are making both the Architect and the IT Director happy, by incorporating both their drink ideas into the triple order of Long Islands. There are many roads this joke could lead us, but today, we will talk about knowing your audience when meeting about an AV project.

In practice, meetings with architecture firms, IT departments, music ministry leaders, fitness instructors, technical directors, general contractors, or higher education universities, have some similarities, but each group has their own priorities and lingo.

Dropping lofty buzzwords like “user experience” and “agile workspaces” may not be as effective as using the words that they use; ask about their typical meetings, or classes, rehearsals, services. You are basically asking them about the current user experience, but in their words.  Ask them what meeting spaces are the most popular, and why.

Discuss any trends you are seeing in flexible work or education environments. Ask them if they have any divide/combine spaces, but instead, use the term “airwalls”. How often do these rooms get combined or separated? How do the systems work when combined or separated? And how well do they work for the typical room usage?

If you discussing a church, house of worship, or auditorium, say “sound board” when asking them about the FOH (Front of House) mixing position. See what I did there?

If a client or work contact uses an acronym you don’t recognize, don’t be afraid to ask them what it means, to them. Don’t assume they know your acronyms either.  You might say OMP meaning Operations & Maintenance Plan, and they may instead hear:

Office Managing Partner

Occupational Maternity Pay

Open Market Purchase

or a dozen other meanings for the acronym OMP.

And if you audience includes Millennials, they may think, for a second, that you meant

One Moment Please

because that is how OMP is used in SMS messaging and other text chat platforms! So don’t be afraid to spell out your acronyms and ask them about theirs. Some companies have so many acronyms that they develop a glossary page for them. Ask for a copy!

The other thing to ask about early on is timeline.  Architects and consultants will use acronyms like SD, DD, and CD to describe the Schematic Design, Design Development, and Construction Document phases of their drawing sets. Owners and end-users are more concerned with the commissioning and occupancy. Each has its own deadline.

What if you are going to a meeting with an architect, owner’s rep, IT department head, furniture vendor, plus various engineers from other trades?  Who are the others in the room? How do you know your audience if you have never met any of them?

Do your homework. Start with the meeting planner, and then the other people invited, looking up each one on LinkedIn or Google.  Look at their current job descriptions, but also at their work history, where they went to school; what did they study?  Read their most recent posts, and ask yourself, what drives them? Whenever possible, ask your coworkers if they have ever worked with the other people invited to the meeting.

When the meeting starts, try to quietly jot down the names of any “special guests” you may not have anticipated, and then look them up on LinkedIn or Google afterwards. Ask for business cards for anyone who has one, especially any electrical engineers.  You need to keep your coordination within proper channels, by communicating through the client, the architect or project manager, but you can address them by name in your correspondence, “Following up on the question raised by XYZ…”

Circling back to the joke I made about the architect, IT director, and the AV professional: all are highly technical people, but with different strengths. The IT Director may be able to talk at length about bandwidth, IP addresses, firewalls, and cyber-security, while the architect may be more concerned with determining the electrical and backing needs, and the BTU load of the AV racks, so they can coordinate with their HVAC and MEP engineers.  Furniture vendors need to know what holes to provide in the tables for microphones and table boxes.  They all love dimensions!  Coordinate using AutoCAD or Revit, or markup PDFs using Bluebeam or similar.

By determining your audience in advance (or during a meeting, or sometimes after) you can tailor your communique and deliverable to each, making each one happy. You might also find yourself being a bridge between different people involved in a project. By speaking their own dialects, you can connect them like the boroughs of Manhattan.

And maybe Long Island :)

Photo of the Brooklyn Bridge by Paul Konikowski
Photo of the Brooklyn Bridge by Paul Konikowski

If you enjoyed this post, you may also enjoy these other articles on PKaudiovisual.com:

Technology and Green Buildings

Your Conference Rooms Are So Trendy!

The Anatomy of an AV Integration Project

Resume of Paul Konikowski, CTS-D

Proofpoint ($PFPT) Releases Solution To Detect and Respond To Compromised Microsoft Office 365 Accounts

Registered Trademark of Proofpoint Inc.

In a press release issued earlier today, Proofpoint (NASDAQ:PFPT) “announced the availability of Proofpoint Cloud Account Defense (PCAD) to detect and proactively protect Microsoft Office 365 accounts, preventing attackers from causing financial and data loss.”

So What Does This Have To Do With The Folks In AV Land?

Back when I was an audio/video installer (cue the instrumental music), a well-known manufacturer of AV racks would use a handful of key codes for the locking doors on the front and rear of the AV racks. Once an installer had the basic set of keys, he or she could basically unlock any AV rack made by that manufacturer. This was very helpful when troubleshooting AV racks, because the keys were often lost by clients.

Since the AV Rack enclosure keys were so common, they were more of a theft deterrent, and provided no way of truly stopping the theivery, nor was there any trace left behind indicating that someone had unlocked the front or back door.

Many AV integrators will add “security screws” which only prevent someone who was not smart enough, or just plain too lazy, to buy the associated security bit/driver. I remember some of my former coworkers taking it a step further, and hammering the mounting screw posts down until they were bent, just to stop another contractor who kept removing the integrator’s 1RU vanity plate.

About 15-20 years ago, some higher-education IT departments were the first groups that I saw to utilize the LAN ports on the data projectors for security purposes. They would ping the projectors once every minute or so, and if for some reason the projector did not respond, an email was automatically sent to the campus police department, telling them a projector thief may be in such and such room. If the police department was quick enough to respond, they might catch them in the act.

*Cough-cough* It’s All About Convergence *Cough-Cough*

Nowadays, AV rack keys and walking projectors are the least of our worries. As stated in today’s Proofpoint press release, “Cybercriminals have pioneered a new way to compromise corporate email systems, this time by using brute force attacks to steal Microsoft Office 365 login credentials of corporate users and then logging in as an imposter on the system. These new hacking techniques work even if the company has deployed single sign on or multi-factor authentication (MFA) as part of their security system. Once the hacker has logged in masquerading as a real employee, they have a wide spectrum of choices while operating within a corporation’s email instance to cause financial harm and data loss.”

Just as AV has fully converged with IT, so have our security concerns for both hardware and software. We don’t just sell projectors, flat panels, speakers, and AV racks, we sell cloud-based software solutions like Skype For Business, which will soon be a part of Microsoft Teams. Users use single-sign on or multi-factor authentication to access our conferencing and presentation systems, and collaborate with others in the cloud. We install tablet-style room reservation systems that work with Active Directory and company-wide scheduling systems like Microsoft Outlook and Exchange Server.

Having a compromised O365 account is like having a key to every AV system on the network, as well as valuable data stored in the company cloud. If our AV systems rely on a secure network, single sign-on, and active directory, then AV manufacturers, consultants, and integrators all need to be made aware of the inherent security risks.  Integrated system components need to be fully vetted on test networks that use O365 and Proofpoint’s Cloud Account Defense (PCAD) or similar cloud-security solutions, so that there are no surprises when the systems are brought online. We need to go the extra mile, and “hammer down the screw posts” of AV/IT cyber-security, so-to-speak. Constant vigilance!

For more information on Proofpoint’s Cloud Account Defense solution, click here.

If you enjoyed this article, you might also be interested in these similar posts:

Cybersecurity In Audiovisual Systems

We Used To Be Heroes

 

Registered Trademark of Proofpoint Inc.
The Proofpoint Logo Is A Registered Trademark Of Proofpoint, Inc.