As more and more AV devices find themselves on IP networks, the surface area for cyberattacks increases. Generally speaking, I advocate for AV devices to be placed on dedicated AV networks, not on the local area network, but this is not always possible. In either case, the security of the audio video network should be preserved.
Here are five ways that any IP network, AV or otherwise, can be made more secure:
1. Restrict Access, Including Physical Access
Start with the Principle of Least Privilege and don’t give users any more access than needed. If a malicious actor obtains a user’s login and password, you don’t want to give them the keys to the kingdom.
Use multi-factor authentication (MFA) and force users to reset their passwords periodically. Use role-based access controls (RBAC) to define what access a given role should have, and update those roles when an employee changes roles.
Review the access privileges on a regular basis to prevent “privilege creep”. You should also limit physical access to server rooms, IDF closets, computer labs, and data storage centers.
2. Update Software and Patch Vulnerabilities
In many of the largest data breaches, the vulnerability was discovered months before the attack, but the companies failed to patch their software. Put someone in charge of updates, and make it their responsibility to install all software patches immediately, and share these patches with your clients.
3. Segment Networks
As I mentioned in my last CI column, the Target attackers used stolen credentials of an HVAC contractor to access Target’s payment network; the Stuxnet worm was able to infect an air-gapped network using USB drives.
Although you may not be able to fully segregate your networks, you should apply the principle of Least Route to limit the physical and logical connections between networks. If an attacker gains access, you should make it more difficult to traverse the networks using firewalls and access control lists (ACLs).
4. Filter Outbound Traffic
Many of the biggest data breaches, including Target, Sony Pictures Entertainment, and the Office of Personnel Management, depended on outbound connections to send the data out of the infected network to the hackers, using common protocols like FTP, DNS, ICMP, HTTP, or HTTPS.
By carefully monitoring outbound traffic flows, and enforcing aggressive outbound filtering, you can make the data breaches more difficult for the attackers and minimize the impact of a breach.
5. Monitor Logs
Most network devices, including many audiovisual devices, have the ability to log everything that they do. The problem is that most companies don’t bother to look at the logs until they realize they have a problem.
Monitoring logs can be a very difficult task, as the number of entries in them can be staggering. Luckily, there are log management tools that are designed for this task, to help filter out normal log entries, and highlight any anomalies.
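The outbound filtering and log monitoring described in items 4 and 5 can be combined in one check, shown here as an added example that is not part of the original article: it reads flow log lines, drops the entries that match an outbound allowlist for the AV network, and highlights what is left. The log format, the addresses, the allowlist and the byte threshold are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example: AV devices live in 10.20.0.0/24 and may only
# reach an internal DNS resolver and one (hypothetical) firmware update host.
AV_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED = {  # (destination, protocol, port) tuples permitted outbound
    ("10.0.0.53", "udp", 53),
    ("203.0.113.10", "tcp", 443),
}
BYTES_LIMIT = 1_000_000  # per source/destination total before we flag volume

# Constructed sample log lines in a made-up key=value format.
SAMPLE_LOG = """\
src=10.20.0.11 dst=10.0.0.53 proto=udp dport=53 bytes=120
src=10.20.0.11 dst=203.0.113.10 proto=tcp dport=443 bytes=48000
src=10.20.0.12 dst=198.51.100.7 proto=tcp dport=21 bytes=5200000
src=10.20.0.13 dst=10.0.0.53 proto=udp dport=53 bytes=2400000
src=10.30.0.5 dst=198.51.100.9 proto=tcp dport=80 bytes=900
src=10.20.0.14 dst=192.0.2.44 proto=icmp dport=0 bytes=64
"""

def parse(line):
    """Turn 'k=v k=v' into a dict with typed port and byte count."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["dport"], rec["bytes"] = int(rec["dport"]), int(rec["bytes"])
    return rec

def review_outbound(log_text):
    """Return (reason, src, dst) findings for flows leaving the AV network."""
    findings, volume = [], defaultdict(int)
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = parse(line)
        if ipaddress.ip_address(rec["src"]) not in AV_NET:
            continue  # not an AV device; out of scope for this check
        key = (rec["dst"], rec["proto"], rec["dport"])
        if key not in ALLOWED:
            findings.append(("not-allowlisted", rec["src"], rec["dst"]))
            continue
        volume[(rec["src"], rec["dst"])] += rec["bytes"]
    for (src, dst), total in sorted(volume.items()):
        if total > BYTES_LIMIT:
            findings.append(("high-volume", src, dst))
    return findings

if __name__ == "__main__":
    for finding in review_outbound(SAMPLE_LOG):
        print(*finding)
```

The third finding is the one a port-only filter would miss: the DNS flow is on the allowlist, and only its byte total stands out.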
These are just five ways to improve audio video network security; there are dozens more. How you implement these security controls depends largely on your network architecture and the personnel involved.
Start by asking if these five steps are being taken. If you don’t have the right skillset on-prem, consider outsourcing to a company like Strategic Communications (who also does AV integrations!).