Diego Santa Cruz, PhD, is Technology Architect at Spinetix. Diego has been passionate about Spinetix product security for more than 10 years now, making every effort to deliver secure, reliable and well-integrated products. He co-founded Spinetix and is in charge of systems-level development at the company.
Story: Diego Santa Cruz
During the past two years there has been a slew of important cybersecurity attacks, the most (in)famous among them being WannaCry and NotPetya… and the list goes on. Fundamental security vulnerabilities have also been discovered at the hardware level, like Meltdown and Spectre, which affect the processors themselves rather than any single piece of software.
WannaCry and NotPetya caused severe disruption to IT services and costly remediation for those affected [hundreds of millions, according to a report I read in Wired magazine recently — Ed.] In addition, those attacks didn’t spare any industry – from manufacturing, health and government agencies to smaller scale businesses. Services and manufacturing facilities had to be shut down for several days on end to recover operations.
In recent years there have also been countless other lower profile attacks specific to digital signage infrastructure, no less damaging for being less publicised. The effects of these range from the relatively benign “please secure your system” message to ransom demands and even the display of hardcore porn in public places, as happened at Washington’s Union Station in May 2017.
Common sense says that as the prevalence of connected digital signage systems increases, the number of attacks will not diminish, so it’s important to have security as a core requirement when planning, deploying and operating digital signage solutions. Unfortunately, when selecting products for a new project the security aspect is most often ignored and the main decision points are acquisition price, operational costs, features and performance.
Two common misconceptions are ‘it won’t happen to us’ and ‘all solution providers are equally secure’. In fact, the risk of a security attack is real and not without consequences. A breach may cost you downtime, lost advertising revenue, and even your company image.
Another common misconception is that a piece of software can remain secure without any action. Any software will have vulnerabilities that are not yet known, so it is important that, when they do become known, they are fixed in a timely manner and the fixes can be deployed efficiently across the installed base.
It’s important to know the weak points of your digital signage network. If you’re in a public place, then the most visible and easiest to evaluate weak point is the screens’ physical security. Much more difficult to assess are the security of the digital signage player, the security of the display itself if it is network connected, and how well protected the network in which the player is installed is.
Then there is the security of content production, acquisition and distribution, which also needs to be evaluated. And finally, how to ensure that operators follow good security practices.
All these aspects should be considered from the planning stage. Adding security as an afterthought can be impossible or very costly once you are tied to a product.
“A breach may cost you downtime, lost advertising revenue, and even your company image”
QUESTION & ANSWER
Evaluating the security of a system is a hard problem, but there are some basic questions you should consider:
Is the solution provider well established?
Do they have a good track record?
Do they provide regular security updates?
For how long will the selected product be maintained?
Are they transparent about which security issues are addressed on each update?
How are updates distributed and how costly is it to deploy them?
How good is the backwards-compatibility of updates?
Do they have a good support service which you can actually reach?
Security comes at a cost, so it should be no surprise that a secure solution is costlier. The converse is of course not true: a costlier solution is not necessarily a more secure one. Developing secure systems is hard and thus has an extra cost for the provider. Maintaining a vulnerable platform is time consuming and thus has an extra cost attached for the operator, which is the one you end up paying.
Once you have selected a provider that suits your security needs you should also apply sound security principles to the deployment and operation. Diminish the attack surface as much as possible by disabling unnecessary services, and do not expose services on the network beyond what is really required for operations. Do not expose your devices directly to the Internet; use a firewall to protect the player’s network so that players can only reach the content server and only the operator’s workstation can reach the players. Ensure that operators are properly trained not to fall prey to attacks, and that they use strong and unique passwords.
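As an added illustration of the “firewall the player’s network” advice above (this is an example written for this article, not Spinetix code or configuration), the script below generates an nftables ruleset for the router or firewall that sits between a player VLAN and the rest of the network. Every address, interface name and port in it is an assumption chosen for the example: a player VLAN of 10.20.0.0/24 on interface eth1, a content server at 192.0.2.10 reached over HTTPS, an operator workstation at 192.0.2.20, and a player management port of 443. The default policy drops everything, so a player can neither browse the Internet nor talk to its neighbours, and nothing on the Internet can reach a player.

```shell
#!/bin/sh
# Added example: nftables ruleset for the firewall in front of a signage player VLAN.
# All addresses, interfaces and ports are assumptions for illustration only.

PLAYER_NET="${PLAYER_NET:-10.20.0.0/24}"   # assumed player VLAN
PLAYER_IF="${PLAYER_IF:-eth1}"             # assumed interface facing the players
CMS_HOST="${CMS_HOST:-192.0.2.10}"         # assumed content server (RFC 5737 documentation address)
MGMT_HOST="${MGMT_HOST:-192.0.2.20}"       # assumed operator workstation
MGMT_PORT="${MGMT_PORT:-443}"              # assumed player management port (HTTPS)

# Print the ruleset to stdout so it can be reviewed before it is applied.
# Arguments: player-net player-iface cms-host mgmt-host mgmt-port
gen_player_ruleset() {
    net="$1"; iface="$2"; cms="$3"; mgmt="$4"; mport="$5"
    cat <<EOF
flush ruleset
table inet signage {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # players may only reach the content server, and only over HTTPS
        iifname "$iface" ip saddr $net ip daddr $cms tcp dport 443 accept
        # only the operator workstation may reach the players' management port
        oifname "$iface" ip saddr $mgmt ip daddr $net tcp dport $mport accept
        # everything else (player to Internet, Internet to player, player to player) is dropped
    }
}
EOF
}

# Count the accept rules, so a reviewer can confirm no extra allow rule crept in.
count_accept_rules() {
    gen_player_ruleset "$@" | grep -c ' accept$'
}

# By default only print the ruleset; pass --apply to load it with nft (needs root).
if [ "$1" = "--apply" ]; then
    gen_player_ruleset "$PLAYER_NET" "$PLAYER_IF" "$CMS_HOST" "$MGMT_HOST" "$MGMT_PORT" | nft -f -
else
    gen_player_ruleset "$PLAYER_NET" "$PLAYER_IF" "$CMS_HOST" "$MGMT_HOST" "$MGMT_PORT"
fi
```

Note that `flush ruleset` replaces every existing nftables table on the firewall, which is what you want on a dedicated appliance but not on a shared host; there, define the table alongside the existing ones instead. The point of the three-rule structure is that the allow list is short enough to read in full: any service a player does not need for operations simply has no rule, which is the “do not expose beyond what is required” principle made concrete.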
All of this may seem like a lot to consider, but if the right security-related questions are asked from the start of a project and the security aspects are integrated into the selection process, it should not be that hard to choose the proper products and so diminish the risk of falling victim to a successful attack.