Paul Konikowski

Cyber Security Architect, Level 3 Audiovisual

About Paul Konikowski

25 years of Audio/AV/IT experience and a Masters in Cybersecurity

Department

IT

Language

English

Company Type

AV/IT Integration

Influencer Of

Recent Comments

Nov 11, 2022
Replying to Aaron Weiler

This brought up a super interesting point that I had never thought of before which is this: 

  • Join conferencing sessions, including video conferencing, discreetly and anonymously

Now, the concept here is pretty easy to grasp but I think it can be overlooked. What I mean is: most of the time IT security focused individuals are focused on preventing bad actors from entering the network and gathering traditional data. From my experience there has been a focus on what you could call a "live listen" or "live view", almost like looking through a peephole to gather real-time data. What I find even MORE interesting is what you could gain from doing this. As in, oftentimes folks are what I would call "disarmed" in those situations. For instance, you are more likely to share and say things that you wouldn't normally do if you knew those communications were being recorded and stored (which I would assume they are normally not always). So, the information you could gather and record on your own as a bad actor would pay off BIG TIME. I'm curious if anyone has ever had a breach of this nature because that would be a super interesting case study.

Great discussion, @Jamie Horner and @Aaron Weiler. I am little late to the party, but I brought refreshments.

We all know that network security is only one part of cybersecurity. The other parts include the hardware that lives on the network, the firmware/software that runs on the hardware, the dependent packages that make up the software, not to mention mobile devices like cell phones, and your vehicle or headset if you are tethering your phone via Bluetooth. Plus all the humans involved! AV always starts and ends with humans. If you forget to mute your microphone before you say something confidential, is that the network admin's fault? No, but it may be a breach of security, privacy and/or compliance.

Security, privacy, and compliance need to be part of everyone's job. The biggest problem in AV Land is everyone is focused on getting things working so they can sell and install them faster. A product or protocol that gives little headache is considered favorable. Ever heard the terms "plug and play" or "plug and pray"? News flash: God is not going to configure your device to be secure on the network!

I will never forget the first time an AV sales rep showed me how easy it was to pull up the unprotected webpage of the DSP device he was pitching, and how I could listen to any stream locally on my computer, with no password needed. That was a "feature" he was touting, but in my eyes, it was a clear vulnerability. Add in the fact that there was no record or log of who was using the product's website or when they were listening...

So, in this case, is it the rep's fault for showcasing this feature/vuln? Is it the product manufacturer's responsibility to NOT include those features? Is it the AV consultant or integrator's job to only choose safe and secure products? Is it up to the client to verify? Or do we keep doing what most AV integrators keep doing and put it all on the network security folks?

The answer is all of the above. Cybersecurity is everyone's responsibility, end to end.

Nov 03, 2022

I really appreciate this article, especially the reminder about SQL injection attacks in web forms. If readers are creating custom webpages that require logins for intranet or dealer access, often known as "dealer portals" in the AV industry, be sure to check your inputs! Don't assume your user is going to type only their username and password; they may be typing a malicious SQL command along with it!
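To make the "check your inputs" point concrete, here is an added example (not code from the original comment or from any real dealer portal) of a login lookup written two ways against a constructed SQLite table: once by splicing the form fields into the SQL text, and once with a parameterized query plus an allow-list check on the username. The table name, the sample dealer account and the textbook bypass string are all constructed for the demo.

```python
import hashlib
import re
import sqlite3


def pw_hash(password: str) -> str:
    # Illustrative only: a real portal should use a slow, salted password hash
    # (bcrypt, scrypt or Argon2), not a bare SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed sample "dealers" table for a hypothetical dealer portal.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dealers (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute(
        "INSERT INTO dealers VALUES (?, ?)", ("acme_av", pw_hash("correct horse"))
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # BAD: the username typed into the form becomes part of the SQL statement,
    # so a quote and a comment marker can rewrite the WHERE clause.
    query = "SELECT 1 FROM dealers WHERE username = '%s' AND pw_hash = '%s'" % (
        username,
        pw_hash(password),
    )
    return conn.execute(query).fetchone() is not None


def validate_username(username: str) -> bool:
    # Allow-list check: dealer usernames are short and alphanumeric, so anything
    # containing quotes, spaces or SQL punctuation is rejected before the query.
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", username) is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # GOOD: reject malformed input, then bind the values as parameters so the
    # database driver never interprets them as SQL.
    if not validate_username(username):
        return False
    row = conn.execute(
        "SELECT 1 FROM dealers WHERE username = ? AND pw_hash = ?",
        (username, pw_hash(password)),
    ).fetchone()
    return row is not None


def demo() -> dict:
    # Runs both versions against the classic textbook bypass string (constructed).
    conn = make_db()
    payload = "' OR 1=1 --"
    return {
        "vulnerable_bypassed": login_vulnerable(conn, payload, "wrong"),
        "safe_bypassed": login_safe(conn, payload, "wrong"),
        "safe_valid_login": login_safe(conn, "acme_av", "correct horse"),
        "safe_wrong_password": login_safe(conn, "acme_av", "nope"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable function returns True for the bypass string because the comment marker strips the password check off the end of the statement; the parameterized version treats the same string as a literal username and finds no such row. The allow-list is defense in depth, not a replacement for parameter binding: the binding is what actually removes the injection, the regex just rejects junk early and keeps the logs readable.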

Oct 27, 2022

Really glad to see security in schools being discussed, let's keep it going!

Oct 25, 2022

I have been recently posing this question to industry contacts: how can we take all the AV knowledge we have acquired in the real world, and then sell those same professional services in the metaverse? For instance, if you are a home theater expert, you could apply that knowledge to virtual home theaters. If you are a stage manager, you can manage live events online. Some of this is already happening, with folks like Joey at DNA hiring virtual engineers, or live folks mixing zoom rooms just like they used to mix camera feeds. So how do we approach higher level topics like sound masking, acoustics, and event lighting in the virtual world like we have been doing for years in the real world? 

Oct 11, 2022

One of the most recent attack techniques involves MFA fatigue, which is when a bad actor gains access to your email and login and then pushes MFA to your phone until you click "Approve".
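The defender-side counterpart to that description is spotting the burst of push prompts before the tired user taps Approve. The following is an added example (not from the original comment or any real identity product) that scans a constructed MFA push log, flags any account that receives more than a threshold of pushes inside a sliding window, and notes whether an approval followed the burst. The log format, user names and timestamps are all constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (format invented for this example).
SAMPLE_LOG = [
    "2022-10-11T08:00:05Z user=alice event=push_sent",
    "2022-10-11T08:00:40Z user=alice event=push_sent",
    "2022-10-11T08:01:10Z user=alice event=push_sent",
    "2022-10-11T08:01:50Z user=alice event=push_sent",
    "2022-10-11T08:02:30Z user=alice event=push_sent",
    "2022-10-11T08:03:05Z user=alice event=push_sent",
    "2022-10-11T08:03:20Z user=alice event=approved",
    "2022-10-11T09:15:00Z user=bob event=push_sent",
    "2022-10-11T09:15:12Z user=bob event=approved",
]


def parse_line(line: str):
    # "<ISO timestamp> user=<name> event=<push_sent|approved|denied>"
    ts_text, *fields = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    kv = dict(f.split("=", 1) for f in fields)
    return ts, kv["user"], kv["event"]


def detect_mfa_fatigue(lines, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {user: alert} for users who received >= threshold pushes within `window`.

    Each alert records how many pushes were in the window when the threshold
    tripped, when the burst started, and whether an approval came afterwards,
    which is the outcome the attacker is hoping for.
    """
    events = sorted((parse_line(line) for line in lines), key=lambda e: e[0])
    recent_pushes = defaultdict(list)  # user -> timestamps inside the window
    alerts = {}
    for ts, user, event in events:
        if event == "push_sent":
            q = recent_pushes[user]
            q.append(ts)
            # Slide the window: forget pushes older than `window`.
            while q and ts - q[0] > window:
                q.pop(0)
            if len(q) >= threshold and user not in alerts:
                alerts[user] = {
                    "pushes_in_window": len(q),
                    "burst_start": q[0],
                    "approved_after_burst": False,
                }
        elif event == "approved" and user in alerts:
            alerts[user]["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(user, alert)
```

In the sample, alice trips the threshold on her fifth push and then approves, which is exactly the sequence worth paging someone about; bob's single push and approval is normal sign-in traffic and produces no alert. The threshold and window are tuning knobs: a tighter window catches faster bombardment, while a lower threshold trades more false positives for earlier warning.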

Oct 04, 2022

I have heard closer to 80% of attacks are due to human error, but numbers aside, human risk continues to be the biggest vulnerability. This SANS report is very insightful and helpful:

SANS 2022 Security Awareness Report: Human Risk Remains the Biggest Threat to Your Organization’s Cybersecurity | SANS Institute

Sep 29, 2022

"The extender’s advanced features include HDCP 2.2, Dolby and DTS HD audio support, as well as serial and IR control of display devices."

I wonder if the students are learning how serial control is vulnerable to attacks, part of a larger problem with legacy operational technology (OT) and industrial control systems (ICS) security. 

Sep 06, 2022

I agree with the need for scalability, but unfortunately, AV is often customized. Even ten identical classrooms won't be the same because the designers work to value engineer the solutions. It's these exceptions to the rule that rule our industry, and often, inadvertently cause vulnerabilities in security. We focus too much on getting devices together, and forget to lock the door, so to speak.