How secure are your AV-installations?
Less than one month after the WannaCry ransom-ware attack, many companies and institutions were hit by Petya. The Petya attack spread very rapidly affecting many companies in a very short time-frame(1). It nearly paralyzed operations of one of Europe’s largest container terminal and has seriously disrupted the operations of companies like TNT Express(2).
While large corporations have teams dedicated to information security, most AV-installers do not have such teams available. The question is, are we still in control of our installations?
Is 100% secure possible?
In short ‘no’. Dr. Melanie Rieback, owner of Radically Open Security, explained in a recent interview of one of the Dutch newspapers: “A group of hackers with time and money get in everywhere”(3) It primarily boils down to how great the interest is in entering a network, set off against the effort needed to get in. In parallel, one should design the security in view of the value/importance of what it protects.
What does it mean for AV?
With AV-installations we should as a bare baseline make reasonable effort to secure our setups. In corporate environments, the security specifications are mostly dictated by the IT departments and usually the design must be 
assessed and approved by that department prior to installation. In small commercial and residential installations, it mostly comes down to the choices of the installer.In each case, we must avoid being the cause of opening up the network of our customers to those who want to do wrong. We certainly don’t want to be the cause that the private holiday snaps of your VIP customer are suddenly all over internet, because we have insecurely created a port forwarding to show that device on your phone or because we forgot to change the default password of the WiFi.
IoT, Easy Wizards and stuff you can show on your smartphone
Many of us have grown to love the use of ‘easy installation wizards’ and flashy smartphone app’s: The stuff you plug in and works without configuration. There are off course trade-offs for your ease of installation. Firstly, all these wizards are primarily designed for the DIY/retail market and installing these in residential or commercial AV setups require very little added value from the knowledge of the installers. Secondly, since more is done for you, more of the technology is moved to the ‘black box’. We get less and less influence on the security of the installation.
The largest DDOS (Denial of Service) attack of 2016, which crippled large parts of the Internet was caused by a botnet that made use of vulnerable devices like webcams, camcorders, baby monitors, and other insecure internet connected devices. Basically, easy to install stuff you can show on your phone!
The greatest concern of all is the quick rise in Internet of Things (IoT) devices. We already bring in those easy to use IoT devices into both corporate and residential environments, while the chip manufacturers of the IoT chips are still bickering on what level of security needs to be embedded on those chips.(4)
Simple steps to improve security
Again, there is no guarantee to fully securing your installations. Making it more difficult to get in, also makes it less attractive to get in. These steps are merely a guideline to some security basics, but the needed level of security measures needs to be assessed for each individual installation. When in doubt, ask an expert!
- Educate yourself in networking and security: Both Infocomm and Cedia offer training programs to give you understanding on networking and the security aspects of it.
- Don’t blindly rely on wizards for configuration: Only when you understand what these wizards do and how secure they are and have satisfied yourself it meets the requirements, make use of a wizard. Usually, the easier it is to configure, the easier it is for someone else to get in. Great benefits can be had from being able to configure the devices yourself: You are in control of what you are installing and you add more value to the installation.
- Make Security a standard paragraph in your design: Creating best practices will make implementation easier and more effective.
- Make sure here is good firewall protection: Don’t rely on the firewall functions in mass market retail routers or ISP equipment. Get professional equipment in and put that behind the ISP router. Apart from increasing security, you create a clear demarcation between ISP and installer responsibilities.
- Check which devices are allowed to connect to internet: More advanced routers will offer the possibility to check per device if and how often it connects to internet. Some are even capable of automated lock outs or set that manually.
- Isolate IoT device on a separate VLAN: segment your network as to isolate IoT from the rest of the network.
- Turn off unnecessary ‘Smart’ features of equipment: Be cautious of ‘Smart’ features like televisions with camera’s or voice enabled controls. These features are easy targets to get in. Turn it off if it is not needed.
- Change the passwords: It seems like the most obvious no-brainer, but in many cases passwords are kept default in many AV installation. This is used in many exploits and very easily avoidable. Not convinced? Check this link: http://lmgtfy.com/?q=default+password+list
- Use remote access only when you need it and are convinced of the security: Showing off stuff on your smartphone is not a goal by itself. Only use remote access features if you know how they are secured and if that meets the levels required.
- Use VPNs: Securing and encrypting access will help the security of your network.
- For wireless devices:
o Turn off WDS: This one button connect is easy entry for everyone.
o Change the SSIDs: Standard SSIDs give away the vendor/type.
o Activate Wireless encryption.
o Turn off standard guest networks: They are easy entry and not just for your guests.
________________________________________
[1] https://www.nytimes.com/2017/06/27/technology/ransomware-hackers.html?mcubz=2
[2] http://investors.fedex.com/news-and-events/investor-news/news-release-details/2017/FedEx-Files-10-K-with-Additional-Disclosure-on-Cyber-Attack-Affecting-TNT-Express-Systems/default.aspx
[3] https://www.volkskrant.nl/tech/deze-wonder-woman-van-de-computerbeveiligingswereld-hackt-zo-je-bedrijf~a4505208/
[4] https://www.technologyreview.com/s/603015/security-experts-warn-congress-that-the-internet-of-things-could-kill-people/?set=603780
________________________________________
Niveo Professional is a manufacturer of enterprise network equipment for commercial and residential AV industry. Niveo Professional offers firewall routers like the NR10 with many capabilities to increase security of AV installations: https://www.niveoprofessional.com/product/nr10/
To learn more on how Niveo Professional and the equipment can help you build more secure installations, please check www.niveoprofessional.com or contact us at: info(at)niveoprofessional.com