Last issue I made a prediction that the subject of securing AV systems would take on a much higher profile this year. Admittedly that was a fairly easy prediction to make – a bit like predicting the sun will rise most mornings! I didn’t need a FHD or UHD crystal ball for that one.
With the Internet-of-Things or IoT, and the fact that almost every device in our AV systems has a network connection these days and is therefore connected to everything else on the network, the opportunity for those evil hackers to enter a secure environment via one of ‘our’ devices is quite real.
Coincidentally, when I was reading the above blog on Design Standards, there was another blog about IoT security vulnerabilities on the Infocomm site.
And another less AV-specific article here to highlight what is at stake if a hacker uses an AV device as an unlocked door. But for now I’ll focus on the first one.
The author highlights a particular vulnerability I doubt many AV people would have considered – an ‘outsider’ (contractor or vendor) inadvertently introducing malware by connecting a ‘personal’ (read ‘company’) laptop onto a secure network. His suggested workaround of the contractor signing out a university laptop doesn’t sound very workable to me – and I’d be very surprised if the potential to infect a network via someone else’s laptop wasn’t already well understood by network security people. But not to be totally overlooked either.
One danger I see in raising the whole argument of security is over-reacting. The most secure environment is one that no-one but the Security Manager can access – everyone else is denied access. Better still, lock the Security Manager out too. Secure? Yes. Practical? No.
The balance between the right level of security and not blocking legitimate access is a tricky one – e.g. preventing that external contractor from connecting to a system he/she is trying to troubleshoot or program is not clever, even if it is secure.
What is really important these days is for the AV/IT team to build a good relationship with the IT security people in universities in order to develop a sensible and sustainable strategy that provides the right level of security without impeding the various stakeholders from doing the work they are paid for.