Year of AV Security
James King
They say time flies when you are having fun. With that in mind we would assume that the year of COVID would be the slowest, most dragged out year there is, but for me, that was not the case. There have been some days that it felt like the clock stood still but for the most part, this year has gone by crazy fast. Not only was this year quick for me but I also feel that this year put technology on a fast-pace as well. We have all seen Zoom go from a newcomer in the UC field to being one of the top dogs. We have seen a greater push for cloud services, software-driven AV, and AVoIP deployments. We have even seen more discussion about security for AV equipment. In this month's article, I wanted to look at how I feel security has grown quickly over
this last year. As I mentioned back in my January 2021 article, “Summer Upgrade – Security Audit” AV equipment is becoming the low-hanging fruit. I feel this was the case because security wasn't at the forefront of the discussions, design, and plans. This year I feel security has leapfrogged to the front of the discussion, design, and plans as we become more aware of the importance of securing our AV equipment.
In the past, it seemed that AV didn't worry about security as that was an IT thing and only IT devices are targets. Back in 2015, there were reports of smart TVs listening and recording everything back to cloud servers. One might think why should I, a higher education tech manager, worry about a smart TV recording to the cloud? Smart TVs are being installed across campuses including in offices and meeting rooms where sensitive information might be discussed. If you were unaware of this security concern you might be tempted to contact the network team and get the TV connected to the school's network. Granted, many companies have fixed these issues by encrypting the communication between the cloud server and the TVs. Also, many
network teams are putting AV equipment on different VLANs that have ACLs to prevent them from accessing other areas like POS. With these security changes, it is no longer a problem to install a smart TV, or is it? Even with the communication being encrypted or unable to access other areas of the network, data is still leaving campus and we should be aware of this mainly if these TVs are being installed in board rooms.
TVs are not the only equipment we are working with or should be worrying about. We are running control systems on our campuses and these control systems are basically computers. They have storage, microchips, and processors as well they run code. With these devices being installed and connected to basically all aspects of our campuses they start looking like good targets for folks to do malicious acts. We are aware of Zoom-bombing but if a malicious person gains access to a classroom control system they could send unappropriated content over the speakers and displays as well across campus if the proper security measures are not put in place. Also, malicious code or keylogger could be loaded into the memory of these devices to try and steal user information or carry out an attack.
I don't want to come across as doom and gloom as putting equipment onto the network makes it easier to support, deploy, and upgrade. I just want to point out that we can no longer sit back and say that security is an IT problem. As more advanced equipment is released it must adhere to IT's security standards. Also, AV tech managers need not only to stay on top of new AV trends but also security issues. This year there has been a good number of resources talking about AV security. For example, on February 10th, 2021 HETMA held a security panel, titled 'Equipment Security'. John Cheatham and I moderated the panel of five outstanding SMEs, three from higher education, one from government, and one from integration, as they discussed the
importance of securing AV equipment and working with the InfoSec/Networking teams. The panel covered a range of topics but the common theme I took away from it was that the Info Sec/Networking teams are no longer, or at least should no longer be, the department of no. As Sandy Silk, from Harvard University put we all are working to achieve the same goal. Besides this HETMA session, there are also more and more AV podcasts, blogs, articles, companies, and even Twitter discussions centered around AV security.
“The session today on security was a perfect example of this. I think it's the first security session I've seen at one of our typical events and it was so applicable to decisions we're making as managers and strategies we're developing for our campus” – Atkins from Texas State University
Meet the author: James King
James King graduated from Stockton University in 2008 with a Bachelor's of Science in Information Systems and a Minor in Business Studies. After graduation, he started working full time for Stockton's IT department and in 2012 was assigned to support the classrooms' AV equipment. Since joining the AV team, he has continued his education by getting AV certifications as well as working on getting his MBA. Besides working at Stockton, he is also a member of the AVIXA Technology Managers Council, manager of the HETMA award-winning Higher Ed AV/IT Slack workgroup, the current president for Pinelands Soccer Association soccer league, co-coach of a travel soccer team, and a goalkeeper trainer.