
Assess Your Cyber Risks and Vulnerabilities

Your organization may be vulnerable to cyber risks as a result of systems being installed on or adjacent to the network. Here are some considerations for assessing cyber risks.

February 27, 2019 Paul Konikowski


Author Paul Konikowski, CTS-D, is in the business of installing AV systems and, since his customers are technology purchasing decision makers, this topic of assessing cyber risks and vulnerabilities is near and dear to him. This column originally appeared on MyTechDecisions sister site Commercial Integrator. 

I accidentally started a “tweet storm” in January. I shared a recent blog post by an AV installation technician named Anthony Tippy. In his post, “@Tibbbbz” showcases “how vulnerable audiovisual equipment and AV installations are, in hopes of improving security awareness for companies and manufacturers.” It was pretty shocking to see how many devices he could gain access to online.

Readers may have also heard about the Crestron TSW-XX60 and MC3 vulnerabilities, or “vulns”, uncovered by Ricky “@HeadlessZeke” Lawshae in 2018.

Other vulnerable AV products can be found by searching brands in the NIST National Vulnerability Database as well as the advisories issued by the Industrial Control System-Cyber Emergency Response Team (ICS-CERT).

Most of these vulns can be patched by updating the firmware, securing the network, and/or enabling the passwords on the devices.

But uncovering and patching these device vulnerabilities is only one aspect of securing AV installations.


Securing and segmenting the network is another obvious one, and I will leave that topic to the experts.

But just as importantly, it is also imperative for readers to understand the other possible cyber threats, the different types of cyber risks, and other basic terminology used in cybersecurity policy discussions.

One of the best analogies I have heard is that a vulnerability is like a glass window, and a threat is like a rock that can break it.

Continuing this analogy, a threat actor is the person throwing the rock, and the risk is the cost of replacing the window, as well as anything that was stolen while the window was broken.

There are three areas of risks when it comes to cybersecurity:

1. Business

  • Hackers can steal valuable data and account information. In other cases, the services you provide to your clients may be disrupted if your communication networks are unavailable.

2. Reputation

  • What comes to your mind when I say Equifax, Target, Sony Pictures, and Yahoo!? Even if companies address their vulns, their reputations, and their stock prices, can suffer.

3. Legal

  • Class action lawsuits and regulatory hearings are not cheap. Some CEOs end up in jail.

Similarly, we can divide cyber threats into four basic categories and provide an example of each:

1. Unintentional External

  • An outside client unknowingly sends an attachment with a virus on it.

2. Unintentional Internal

  • An employee uses an infected USB drive they got at a trade show.

3. Malicious Internal

  • A retiring employee purposely deletes files on their last day of work.

4. Malicious External

  • Hackers, vandals, terrorists, nation-states, or even business competitors.

More Valuable Cyber Attack Terms

An attack surface is basically all of the exploitable vulnerabilities in AV installations, including open ports on servers, applications both outside and inside of the firewall, and any software that processes incoming data, email, and attachments.

It also includes humans who may be prone to errors, or social engineering. Adding new types of AV devices to an organization’s ecosystem is said to increase the cyberattack surface area.

An attack vector, Victor, is the exact means or the path within the surface area that a hacker uses to gain access to a computer or network server. Attack vectors enable hackers to exploit a system’s vulnerabilities, including the human element.

For example, if I call a website, or your corporate IT helpdesk, and I ask them to reset a password, will they bother to verify I am actually who I say that I am?

Attack vectors can be easily confused with an attacker’s capabilities, which are the collection of various methods and skills he or she can use to launch an attack.

The difference here is that capabilities describe the attacker, whereas attack surfaces and vectors are about a particular victim and attack.

Going back to the broken window analogy, capabilities are something the threat actor would carry with them, like a backpack full of rocks, a crossbow, and a BB gun.

They may choose different ones for different houses, or they may use similar attack vectors, depending on the attack surfaces, or vulnerabilities, of each house.


Paul Konikowski

Paul Konikowski, CTS-D, is an independent freelance consultant who currently designs and coordinates audiovisual installations for military bases. Paul earned his Bachelor of Science in Computer Engineering from the Georgia Institute of Technology (Georgia Tech). He has recently completed Harvard University’s online short course entitled “Cybersecurity: Managing Risk in The Information Age”, and is now pursuing a Master of Science degree in Cybersecurity at Georgia Tech. He can be reached via Twitter at @PKaudiovisual or via email [email protected].
