Name: Paul Zielie
Title: Manager, Enterprise Solutions
Company: Harman Professional
As AV systems are increasingly attaching to enterprise data networks, user organizations expect the network-connected AV system to maintain a security posture in alignment with their security goals. There has been a great deal of variation in the marketplace as to who takes responsible for determining, specifying, and communicating the security configuration of the AV network. This has led to many instances where the installed system did not meet the customer’s security needs and required costly remediation.
In practice, security measures and configurations should be determined as part of the design process and agreed upon by all parties by design sign-off in order to avoid impacting project schedules. This may be accomplished as part of the consultant design package, or may be included in the integrators scope. In either case, the requirements must be clearly defined as part of the bid package.
Depending on organizational requirements, the security needs analysis and resulting security design may be highly detailed and customized, but in many cases, a more general set of guidelines may be sufficient. A set of minimal best practices is outlined below and should be part of every specification for a network connected AV system. Requiring these measures will meet the security requirements of most enterprises.
Enable Password-Protected Access
All devices on the network should have password protection enabled. Many AV devices do not require passwords in their default states. Devices that do not allow for password protection should be avoided.
Change the (Default) Password
All passwords should be changed from the factory-default passwords before installation. A good practice is to change all passwords to a common job password. This will allow all the various installers to have access to the systems during installation. At system hand-off, a list of user names and the job password can be given to the customer along with password exchange instructions. The organization may then change the passwords according to its internal policy.
Set Multiple User Roles
If a piece of equipment has different modes of operations, for instance administration and user access, set up user roles so that the equipment is operated in a user mode with only the privileges required for the operation of the system. This will keep general users from being able to make changes they shouldn’t, either accidentally or maliciously. As a best practice, each user should have his or her own account, but often this is not feasible. At the minimum, if it is possible, there should be separate common user and administrator accounts, with the password information being distributed according to need.
Disable Unnecessary Services
A service on a network device is any program that listens for an incoming connection. Any incoming traffic to a service is processed; therefore, services are a favorite target of hackers. AV equipment tends to be “Swiss Army knife” devices, capable of many different functions and connectivity options, some of which may not be used in a given installation. Services that are not being used in the installation should be disabled, lowering the risk that a vulnerability or exploit can be used to access the system. For instance, if a telnet interface is not being used, it should be disabled. Active services and the network ports they are using should be documented.
Use Encryption if Available
Unencrypted communications will allow potentially sensitive communications to be viewed if it is intercepted. Encrypted communication should be used if available. If encrypted services are used, the unencrypted services should be disabled. For example, if using HTTPS, then HTTP should be disabled.
Implement an AV VLAN With Access Control
Whenever possible, segregate the AV installation on its own VLAN(s) (virtual local area network). In cases where an installed AV system does not meet the gaining organization’s security requirements, an additional layer of security can be obtained by implementing a router ACL (access control list) to limit access to and from the enterprise network.
Many AV devices have a capability to enable an audit log, which will record events such as login attempts and system changes. Enabling these audits can assist in determining if there is a threat trying to break into a system, or to determine how a breach occurred in order to prevent one in the future.
Document the Security Configuration
Security configurations should be part of the statement of work and acceptance criteria. Any network configuration dependencies provided by the user organization should be added to the assumptions, with delivery dates, and the delivery dates should be added to the project schedule as a finish to start (FS) predecessor to connecting the AV devices to the user organization network. As-built security documentation should be consolidated into a single document in order to facilitate security audit functions and ongoing security updates.