About Paul Konikowski
25 years of Audio/AV/IT experience and a Masters in Cybersecurity
Thank you for cross-posting this, @Iulia Popescu. Look for a follow-up article soon.
Whenever possible, use two-factor or multi-factor authentication. If this is not possible in the video conference software, it can be implemented on the devices or network logins.
This brought up a super interesting point that I had never thought of before which is this:
- Join conferencing sessions, including video conferencing, discreetly and anonymously
Now, the concept here is pretty easy to grasp, but I think it can be overlooked. What I mean is: most of the time, IT security focused individuals are focused on preventing bad actors from entering the network and gathering traditional data. From my experience there has been a focus on what you could call a "live listen" or "live view", almost like looking through a peephole to gather real-time data. What I find even MORE interesting is what you could gain from doing this. As in, oftentimes folks are what I would call "disarmed" in those situations. For instance, you are more likely to share and say things that you wouldn't normally do if you knew those communications were being recorded and stored (which I would assume they are normally not always). So, the information you could gather and record on your own as a bad actor would pay off BIG TIME. I'm curious if anyone has ever had a breach of this nature, because that would be a super interesting case study.
Great discussion, @Jamie Horner and @Aaron Weiler. I am a little late to the party, but I brought refreshments.
We all know that network security is only one part of cybersecurity. The other parts include the hardware that lives on the network, the firmware/software that runs on the hardware, the dependent packages that make up the software, not to mention mobile devices like cell phones, and your vehicle or headset if you are tethering your phone via Bluetooth. Plus all the humans involved! AV always starts and ends with humans. If you forget to mute your microphone before you say something confidential, is that the network admin's fault? No, but it may be a breach of security, privacy and/or compliance.
Security, privacy, and compliance need to be part of everyone's job. The biggest problem in AV Land is everyone is focused on getting things working so they can sell and install them faster. A product or protocol that gives little headache is considered favorable. Ever heard the terms, "plug and play" or "plug and pray"? News flash: God is not going to configure your device to be secure on the network!
I never forget the first time an AV sales rep showed me how easy it was to pull up the unprotected webpage of the DSP device he was pitching; how I could listen to any stream locally on my computer, with no password needed. That was a "feature" he was touting, but in my eyes, it was a clear vulnerability. Add in the fact that there was no record or log of who was using the product's website or when they were listening...
So, in this case, is it the rep's fault for showcasing this feature/vuln? Is it the product manufacturer's responsibility to NOT include those features? Is it the AV consultant or integrator's job to only choose safe and secure products? Is it up to the client to verify? Or do we keep doing what most AV integrators keep doing and put it all on the network security folks?
The answer is all of the above. Cybersecurity is everyone's responsibility, end to end.
I really appreciate this article, especially the reminder about SQL injection attacks in web forms. If readers are creating custom webpages that require logins for intranet or dealer access, often known as "dealer portals" in the AV industry, be sure to check your inputs! Don't assume your user is going to type only their username and password; they may be typing a malicious SQL command along with it!
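An added example (not from the comment above or any real dealer portal) showing the two ways a portal login query can be built: string concatenation, which lets whatever is typed into the username field become part of the SQL, beside a version that validates the input shape and binds the values as parameters. The table, the account `dealer1` and the crafted username are constructed for the demo.

```python
import re
import sqlite3

# Allowlist for what a dealer username is allowed to look like (assumed policy).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def make_db():
    """Constructed in-memory 'dealer portal' user table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # A real portal stores a salted hash; a plain string keeps the demo short.
    conn.execute("INSERT INTO users VALUES ('dealer1', 'correct-horse')")
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by concatenation: the user's input becomes SQL text."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0

def login_safe(conn, username, password):
    """Checks the input shape, then binds values so they are never parsed as SQL."""
    if not USERNAME_RE.match(username):
        return False
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    # Even without the regex, a bound parameter is compared literally, quotes and all.
    return conn.execute(query, (username, password)).fetchone()[0] > 0

def run_demo():
    """Returns how each login path treats a normal login and a crafted username."""
    conn = make_db()
    # Constructed example input: the SQL line comment cuts off the password check
    # when the text is pasted straight into the query.
    crafted = "dealer1' --"
    return {
        "vulnerable_normal": login_vulnerable(conn, "dealer1", "correct-horse"),
        "vulnerable_crafted": login_vulnerable(conn, crafted, "not-the-password"),
        "safe_normal": login_safe(conn, "dealer1", "correct-horse"),
        "safe_crafted": login_safe(conn, crafted, "not-the-password"),
    }
```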
Really glad to see security in schools being discussed; let's keep it going!
I have been recently posing this question to industry contacts: how can we take all the AV knowledge we have acquired in the real world, and then sell those same professional services in the metaverse? For instance, if you are a home theater expert, you could apply that knowledge to virtual home theaters. If you are a stage manager, you can manage live events online. Some of this is already happening, with folks like Joey at DNA hiring virtual engineers, or live folks mixing Zoom rooms just like they used to mix camera feeds. So how do we approach higher level topics like sound masking, acoustics, and event lighting in the virtual world like we have been doing for years in the real world?
One of the most recent attack techniques involves MFA fatigue, which is when a bad actor gains access to your email and login and then pushes MFA to your phone until you click "Approve".
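An added example (not from the comment above) of the defender's side of MFA fatigue: a small detection that reads authentication log lines and flags any user who received a burst of push prompts inside a short window, noting whether an approval followed the burst. The log format, the users, the 10-minute window and the threshold of 4 prompts are all assumptions; the lines are constructed, not output of any real identity provider.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines ("timestamp user event"); not from any real identity provider.
SAMPLE_LOG = """\
2024-01-10T09:00:01 alice mfa_push_sent
2024-01-10T09:00:35 alice mfa_push_denied
2024-01-10T09:01:10 alice mfa_push_sent
2024-01-10T09:01:50 alice mfa_push_denied
2024-01-10T09:02:30 alice mfa_push_sent
2024-01-10T09:03:05 alice mfa_push_denied
2024-01-10T09:04:00 alice mfa_push_sent
2024-01-10T09:04:45 alice mfa_push_approved
2024-01-10T09:00:10 bob mfa_push_sent
2024-01-10T09:00:20 bob mfa_push_approved
2024-01-10T11:30:00 bob mfa_push_sent
2024-01-10T11:30:15 bob mfa_push_approved
"""

def parse_log(text):
    """Parse lines into (timestamp, user, event) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, event = line.split()
            events.append((datetime.fromisoformat(ts), user, event))
    return sorted(events)

def find_mfa_fatigue(text, window=timedelta(minutes=10), threshold=4):
    """Flag users who got >= threshold push prompts inside any `window`.
    Returns {user: (max_prompts_in_window, approved_after_burst)}."""
    pushes, approvals = defaultdict(list), defaultdict(list)
    for ts, user, event in parse_log(text):
        if event == "mfa_push_sent":
            pushes[user].append(ts)
        elif event == "mfa_push_approved":
            approvals[user].append(ts)
    flagged = {}
    for user, times in pushes.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                # An approval after the burst is the "user gave in" signal worth paging on.
                approved = any(a >= t for a in approvals[user])
                prev = flagged.get(user, (0, False))
                flagged[user] = (max(prev[0], count), prev[1] or approved)
    return flagged
```

Normal logins like bob's (one prompt, one approval, hours apart) stay below the threshold, so the alert fires only on the repeated-prompt pattern the comment describes.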
I have heard closer to 80% of attacks are due to human error, but numbers aside, human risk continues to be the biggest vulnerability. This SANS report is very insightful and helpful.