2021-01 IT in AV
Summer Upgrade – Security Audit
By the time you read this, our winter projects are wrapping up and the start of the Spring term is right around the corner. One might think this would be a great time to take a break, but we work in higher education. Us higher education tech managers know that we need to start planning our summer upgrades now! We are still dealing with the uncertainty of the pandemic so our summer upgrades might look different than they did in the past. The pandemic has not affected one of my normal summer projects. Each summer I like to perform an audit of the AV equipment. The main focus of this audit is to verify that the AV equipment is secure because as technology changes so do security risks. Making sure our equipment is secure is important to prevent disruption to the education of the students as well as any critical information being accessed by an unauthorized person. Here are a couple of the security elements I will be looking at during this audit. Please note that I am not a security expert and before rolling out any type of security you should make sure you talk with your security administrator. 
802.1x:
If you have not listened to episode 108 of the Higher Ed AV Podcast then you need to listen to it. Bill O'Donnell, Joe Way, and I discuss 802.1x and why it’s important in higher education. We discussed different aspects of 802.1x but here are some notes for those who have yet to listen. 802.1x is a security protocol that can allow/denied devices from accessing the network. This protocol can be applied using an authentication method or a certification method. Setting up 802.1x needs to be done correctly as the settings need to match across all devices. To roll out this security protocol there needs to be a discussion between the networking, security, and AV teams. For my audit, I am going to compile a list of our devices that support and do not support 802.1x. Having this list will aid in helping to make sure our AV network is secure. For those looking for more information on 802.1x please visit this link - What is 802.1X? How Does it Work?
Adobe Flash Player:
July 2017 Adobe announced that December 31st, 2020 will be the End-of-Life (EOL) of Adobe Flash Player. When a product is EOL it means that the company will no longer support it and more importantly means that they will no longer provide security updates. What does this mean for AV in higher education? Flash was a very popular product used in developing website's elements and many AV manufacturers took advantage of Flash Player in their equipment. Running systems that utilize EOL products/software make that system a low-hanging fruit for malicious attackers. With AV equipment using Flash they now become that low-hanging fruit for hackers. With this announcement being over 3 years ago AV manufactures should have already removed Flash Player from their products and came up with a game plan to address legacy equipment that might still be out there. During the audit, I will be seeing how many of our devices are still using the Flash plug-in and find ways to address this security issue.
Configuration Document:
There are many steps that should be taken when setting up our AV equipment. We have to make sure the device can communicate with the other devices in the system, we need to make sure the code can control the devices, we need to make sure that settings like video and audio are set correctly, and most important is we need to make sure our devices are secure. Making sure to address all of these configurations can be a daunting task for one person let alone a team. Having a configuration document will allow the AV team to make sure no steps were missed when setting up equipment. Technology is always changing and security risks are always coming out, so this document should be a living breathing document that is reviewed during any security audit. The security elements that I believe should be looked at are all the default settings. These default settings are easily accessible on the Internet which means anyone can get this information. We should be changing the default settings, like user names, passwords, and network ports when possible. Also, the configuration document should list out settings that should be disabled; for example, many devices support Telnet and SSH. SSH is a secure shell and enabling this protocol will allow you to disable the unsecured Telnet. During the audit, I will be reviewing our configuration document and making sure that it addresses any of the new security concerns, such as Flash, and that default settings are getting changed.
As I mentioned above, I am not a security expert and the settings I roll out may not work in your environment. When you are looking to secure equipment, it should always be a discussion with all members of the AV/IT teams. The settings need to work in your environment by making sure that it does not impact the function of the system but also should not become the low hanging fruit. If you take anything away from this article it should be that a security audit of your AV system should be performed on a regular basis. Performing audits of your system will also aid in discussions with other members of the IT team. Most system administrators perform an audit of their equipment and if you can provide your IT team an audit of the AV equipment it shows them that you take security seriously.
Meet the author: James King
James King graduated from Stockton University in 2008 with a Bachelor's of Science in Information Systems and a Minor in Business Studies. After graduation, he started working full time for Stockton's IT department and in 2012 was assigned to support the classrooms' AV equipment. Since joining the AV team, he has continued his education by getting AV certifications as well as working on getting his MBA. Besides working at Stockton, he is also a member of the AVIXA Technology Managers Council, manager of the HETMA award-winning Higher Ed AV/IT Slack workgroup, the current president for Pinelands Soccer Association soccer league, co-coach of a travel soccer team, and a goalkeeper trainer.
