Building a Holistic Cyber Defence Strategy for AV Systems
Back in 2017, a North American casino was subject to a successful cyberattack. The thieves got what they were after, but instead of George Clooney, Brad Pitt and Julia Roberts working in a stylish, classy and well-orchestrated manner, there was a different kind of crew at work here…
Casinos. Fish tanks. Cycling… Wait, what!?
Whilst I have no doubt the people who perpetrated the heist were just as glamorous as these Hollywood A-listers, this crew operated in a way that ensured they never set foot in their mark. Just like the best stories, there was even a patsy – someone who didn’t know what was happening and was being used covertly for nefarious means. Only it wasn’t a someone. It was a something. Specifically, a fish tank.
You see, someone had plugged this essential piece of equipment into the casino’s network, and it was calling home, doing its job. This was noticed by attackers, and the rest is history. The casino lost a large amount of personal data, sent out via its machines to a server in Finland.
Why am I talking about fish tanks when I work for an audio-visual firm? Well, it’s to do with how we need to look at everything in the world of security. In British cycling, Sir David Brailsford placed huge value on the aggregation of marginal gains. Little things that make a huge difference. This included providing each cyclist with their own personal mattress and bedding at each hotel, ensuring everyone would be well rested and able to perform at the elite level required. All those little things added together make a big difference.
From birth to death: The cybersecurity lifecycle
It’s the mirror image of that in the cybersecurity world. Attackers now can’t just walk in through the casino’s front door; they really have to look for ways to get in. So, if they see an unprotected device – in this instance an IoT device – then they will investigate its feasibility. In the case of the casino attack, we can assume there wasn’t even a default password on this system, yet it was still talking on the casino’s network… We know the rest of the story.
But there must be an aggregation of marginal gains in cybersecurity, as well. It’s for this reason that we need to look at everything when it comes to safeguarding systems, a concept referred to as holistic security. Simplified, the security of systems must be considered from birth to death. That includes everything from strategy, design and implementation, through to management and what happens at end of life.
Security begins at home
We need to look at where a system lives as well as how it is hardened. That’s the digital equivalent of making sure your doors and windows are shut when you’re out. We also need to ensure it is fed and watered through regular updates. It’s also important to clarify who owns it, who has what responsibility, and so on. All these steps bolster the security posture, lessening the chance of attackers being successful and protecting the proverbial fish tank.
When a target becomes too hard to crack and too much effort to get into, attackers are deterred and try their luck elsewhere.
Are you asking the right questions?
Why are we talking about all this? Kinly believes the entire AV industry needs to improve its security in order to improve its clients’ security posture and reduce their attack surface. The fundamental questions you need to ask yourself are: Do I know what is on my network and where it is talking? What is our cyber strategy? How can we make our products and services more secure for our customers, and what processes can we put in place to achieve this?
I’ll leave you with a closing thought that makes this advice particularly important to heed. The casino attack used protocols commonly used in audio-visual devices to covertly send the data out to hackers. Makes you wonder, doesn’t it?
*Don is Kinly’s CISO and has always wanted to use the word nefarious in a blog.