Design Principles for Secure AV Systems

Secure AV systems start with smart design. Here are some standards that’ve been around forever but easily apply to modern audiovisual projects.

This article was originally written by Paul Konikowski, and published on Commercial Integrator on March 1, 2019.

In my last CI article, we reviewed cyber threats and vulnerabilities in AV systems. Many of the known vulnerabilities, or “vulns,” can be fixed with a firmware upgrade, securing your network, and/or enabling passwords; but what else can AV manufacturers, consultants, and integrators do to achieve secure AV systems?

One thing that can be done is to adopt a secure mindset from the get-go when designing secure AV systems, keeping the following design principles in mind.

These principles were outlined by Jerome H. Saltzer and Michael D. Schroeder in an IEEE paper way back in 1975. We will apply those secure design principles to AV systems here.

Economy of mechanism

Keep designs simple, which also means keeping your programming code as small as possible, making it easier to test and analyze. Simpler design means that less can go wrong.

Fail-safe defaults

The default access to a resource should be no access. A good example of something that violates this principle is a wireless router that does not require a password and/or encrypt the traffic by default.

Complete mediation

This means every access to a resource is checked against the access control mechanism, every time, and all attempts to bypass security are prevented.

Open design

“Security by obscurity” does not work. Adopt an open-source attitude so your security does not depend on secrecy. Code and designs should be open for scrutiny by your community. It’s much better to have a friend or colleague find an error than it is to wait for a bad actor to discover it.

Separation of privilege

Access to rooms, systems, or files should depend on more than one condition. If someone gains access to the AV rack, can they simply access the components using a console cable? Or did you go a step further, and enable passwords, as well as encryption of those passwords?

Least privilege

Users (and programs) should only be given the minimum access rights to complete their tasks. The default access should be none, and then access should be granted as needed, on an individual basis, or based on well-defined roles within the organization. Temporary access can also be granted.
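
The following added example, not from the original article, shows fail-safe defaults, complete mediation, and least privilege (including temporary access) working together in an AV control layer. The role names, device names, and the `AccessPolicy` and `ControlProcessor` classes are hypothetical.

```python
import time

# Hypothetical roles mapped to the only (device, action) pairs they may use.
ROLE_GRANTS = {
    "instructor": {("display", "power"), ("switcher", "select_input")},
    "av_tech": {("display", "power"), ("switcher", "select_input"),
                ("dsp", "load_preset"), ("processor", "update_firmware")},
}

class AccessPolicy:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._roles = {}      # user -> role
        self._temporary = {}  # (user, device, action) -> expiry timestamp
        self.audit = []       # (timestamp, user, device, action, allowed)

    def assign_role(self, user, role):
        if role not in ROLE_GRANTS:
            raise ValueError(f"unknown role: {role}")
        self._roles[user] = role

    def grant_temporary(self, user, device, action, seconds):
        # Temporary access: one specific right that expires on its own.
        self._temporary[(user, device, action)] = self._clock() + seconds

    def is_allowed(self, user, device, action):
        now = self._clock()
        # Fail-safe default: an unknown user or role yields an empty grant set.
        role = self._roles.get(user)
        allowed = (device, action) in ROLE_GRANTS.get(role, set())
        expiry = self._temporary.get((user, device, action))
        if not allowed and expiry is not None:
            allowed = now < expiry
        # Auditability: every decision is recorded, allowed or denied.
        self.audit.append((now, user, device, action, allowed))
        return allowed

class ControlProcessor:
    """Single entry point for commands, so every request is checked every time."""
    def __init__(self, policy):
        self._policy = policy
        self.executed = []  # commands that actually reached a device

    def send(self, user, device, action):
        # Complete mediation: no cached decisions, no path around the policy.
        if not self._policy.is_allowed(user, device, action):
            return False
        self.executed.append((device, action))
        return True
```
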

Least common mechanism

This means that one should minimize the number of mechanisms and/or pieces of equipment that are used by more than one user. A good example of this would be a “room PC” in a training room used by multiple instructors. Does each instructor log in with their own credentials?

Psychological acceptability, a.k.a. ease of use

Users will avoid security measures that get in the way of convenience. A physical analogy would be a deadbolt that requires a key on both the outside and the inside. Some people won’t bother locking it from the inside, especially if their key gets stuck in the lock.

Other best practices like layering, isolation, encapsulation, modularity, and auditability should also be kept in mind.


Identifying Cyber Attacks, Risks, Vulnerabilities in AV Installations

Your AV installations ARE incredibly vulnerable to cyber threats. The first step to understanding that is learning these cyber attack terms.

This article was originally written by Paul Konikowski, and published on Commercial Integrator on February 12, 2019.

I accidentally started a “tweet storm” in January. I shared a recent blog post by an AV installation technician named Anthony Tippy. In his post, “@Tibbbbz” showcases “how vulnerable audiovisual equipment and AV installations are, in hopes of improving security awareness for companies and manufacturers”. It was pretty shocking to see how many devices he could gain access to online.

Readers may have also heard about the Crestron TSW-XX60 and MC3 vulnerabilities, or “vulns”, uncovered by Ricky “@HeadlessZeke” Lawshae in 2018.

Other vulnerable AV products can be found by searching brands in the NIST National Vulnerability Database as well as the advisories issued by the Industrial Control System-Cyber Emergency Response Team (ICS-CERT).

Most of these vulns can be patched by updating the firmware, securing the network, and/or enabling the passwords on the devices.

But uncovering and patching these device vulnerabilities is only one aspect of securing AV installations. Securing and segmenting the network is another obvious one, and I will leave that topic to the experts.

But just as importantly, it is also imperative for readers to understand the other possible cyber threats, the different types of cyber risks, and other basic terminology used in cybersecurity policy discussions.

One of the best analogies I have heard is, a vulnerability is like a glass window, and a threat is like a rock that can break it.

Continuing this analogy, a threat actor is the person throwing the rock, and the risk is the cost of replacing the window, as well as anything that was stolen while the window was broken.

There are three areas of risk when it comes to cybersecurity:

1. Business

  • Hackers can steal valuable data and account information. In other cases, the services you provide to your clients may be disrupted, if your communication networks are unavailable.

2. Reputation

  • What comes to your mind when I say Equifax, Target, Sony Pictures, and Yahoo!? Even if companies address their vulns, their reputations, and their stock prices, can suffer.

3. Legal

  • Class action lawsuits and regulatory hearings are not cheap. Some CEOs end up in jail.

Similarly, we can divide cyber threats into four basic categories and provide an example of each:

1. Unintentional External

  • An outside client unknowingly sends an attachment with a virus on it.

2. Unintentional Internal

  • An employee uses an infected USB drive they got at a trade show.

3. Malicious Internal

  • A retiring employee purposely deletes files on their last day of work.

4. Malicious External

  • Hackers, vandals, terrorists, nation-states, or even business competitors.

More Valuable Cyber Attack Terms

An attack surface is basically all of the exploitable vulnerabilities in AV installations, including open ports on servers, applications both outside and inside of the firewall, and any software that processes incoming data, email, and attachments.

It also includes humans who may be prone to errors, or social engineering. Adding new types of AV devices to an organization’s ecosystem is said to increase the cyberattack surface area.

An attack vector, Victor, is the exact means or the path within the surface area that a hacker uses to gain access to a computer or network server. Attack vectors enable hackers to exploit a system’s vulnerabilities, including the human element.

For example, if I call a website, or your corporate IT helpdesk, and I ask them to reset a password, will they bother to verify I am actually who I say that I am?

Attack vectors can be easily confused with an attacker’s capabilities, which are the collection of various methods and skills he or she can use to launch an attack.

The difference here is that capabilities describe the attacker, whereas attack surfaces and vectors are about a particular victim and attack.

Going back to the broken window analogy, capabilities are something the threat actor would carry with them, like a backpack full of rocks, a crossbow, and a BB gun.

They may choose different ones for different houses, or they may use similar attack vectors, depending on the attack surfaces, or vulnerabilities, of each house.

Now that we’ve covered the basic terminology, I invite readers to join in the next AV security tweet storm, forecast for February 17, during the weekly #AVinTheAM chat.

It’s easy to participate: just get on the Twitter anytime after 8am Eastern on any given Sunday, and search the hashtag #AVinTheAM.
