By Corey Moss
To the executives and concerned citizens of the AV industry, as well as the end users, the time has come. CEOs, CTOs, CIOs, CSOs, CISOs – I have spoken with many, in and outside of the industry. The AV industry is truly in danger – and there’s nothing left to ignore.
Danger? No, couldn’t be.
I guess you may need some evidence.
Where cybersecurity began for me
First, going back several years, I was tasked with writing about a cybersecurity conference I would be attending (in New York City) by my editor at the time. I had become intrigued with this tech realm, and started to reach out to people and connect on LinkedIn. One person that I did connect with invited me to this cybersecurity conference in New York City. I asked my editor, “Are you positive? I’m not sure the industry is ready for this.” She asked that I please do, that there would be definite value in it.
At the conference I met and spoke with cybersecurity experts and executives, and I continued to be invited to cybersecurity conferences in New York and Washington, D.C. metro (where I reside), thus continuing to meet with more experts, and examine cybersecurity solutions. I’ve met with people at Trend Micro, Cisco, Palo Alto Networks, CA Technologies and BlueCat just to name a few. At one such conference, I was asked by numerous people what I did – at the time I was the Owner of DC Smart AV/IT, working with AV industry companies as well as a company that provided a mobile device security solution. I was a Microsoft and Dell partner.
They would try to put two and two together when I said AV – probably thinking anti-virus. I said that’s audio visual. They thought that was very interesting, along with questioning the tie-in.
Yet I continued to be invited to these conferences, as well as to ones on mobile device management and security, as I had become semi-expert in this as well. I even taught a summer session class on this to 9th and 10th graders. I’ve continued to write on cybersecurity, track the industry and its experts, and attend more conferences.
In hindsight, my thought process on this was wrong at the outset: what would the AV industry get out of this? She was right – yet…
The AV industry now, five years later
As an industry, the grasping at straws continues. In many cases so-called industry “experts” instruct on network and cybersecurity, only for those who attend to continue on the usual path to integration without much regard for security. That’s not to say all; I know there are integrators who are forming scopes of work with the security factor well in place. There are consultants who are very security-minded; they may even be trained and hold such certifications to go with their CTSs.
There are those industry manufacturers that consider security as front of mind in the engineering process, yet there are those who are manufacturing products that become a part of the critical network infrastructure who still don’t – and how does that provide any sort of comfort level for the industry’s integrators, consultants, and end-users? Will there ever be any level of uniformity brought to the industry when it comes to network security?
The industry organization did put out Recommended Practices for Security in Networked AV Systems, which you could purchase for the low price of $75. I did look to get background on all who were involved (task group members); I actually knew three of them. I did lookups on LinkedIn and other various sources, and it left me wondering, as I wasn’t sure that all were eminently qualified. There was little or nothing in this overview description to note that they were experts in the field – one an AV technician, one in business development in the audio field, one a design professional. Now that’s not to say that they might not be, but I’d figure that the overview here would give insight into their backgrounds as experts before purchasing the report.
Another question – are there certifications to go with the CTS (which I assumed they all have) for this expertise level? Should we rely on CTSs to evaluate and instruct on network security and cybersecurity, or do we call in the true experts – in the field and/or outside?
Getting down to brass tacks – the security researcher
There have been numerous incidents over the last few years involving security researchers and disclosures on tech companies’ vulnerabilities – many of us are familiar with Ricky Lawshae (Headless Zeke) and what he reported at Def Con last year – my story The Hacking Frontier, Expertise, and IoT (Laws Established?) addressed this in part.
I recently had calls with an industry CISO, and a security researcher, in relation to the reveal of a zero-day security vulnerability:
The CISO, Richard Farley, works for Zoom Video Communications, and the security researcher is Jonathan Leitschuh, a software engineer with Gradle. I will admit that having both sides of this discussion was somewhat eye-opening in certain ways, and predictable in others.
Farley talked about Zoom’s responses to the ongoing situation that continued to unfold – he answered certain questions almost immediately, and others with a little more thought process involved. Leitschuh talked about his approach as well as justification here throughout the 90 days, as well as the events of the last week. I’d have to say overall as a result that it was a pleasure speaking with him, and even related to how the AV industry seeks young talent like him.
Zoom CEO Eric Yuan put out a follow-up blog: Security Update and Our Ongoing Efforts – I know Eric, and I know him to be the type of CEO who will get directly involved in a situation like this. In fact, I know for certain that he did.
A part of Eric’s statement: Earlier this week, a security researcher published a blog highlighting concerns with aspects of the Zoom platform. In engaging this researcher over the past 90 days, we misjudged the situation and did not respond quickly enough — and that’s on us. We take full ownership and we’ve learned a great deal. What I can tell you is that we take user security incredibly seriously and we are wholeheartedly committed to doing right by our users.
What about other industry CEO’s and C-levels? Concern? Accountability?
Will they provide a voice to all of what those of us in the industry raise our own voices about now?
With this, I have to wonder if software engineer/security researchers could be a thing, the missing piece to the puzzle that this industry sorely needs. Maybe AVIXA looks into this, the “secure experience” to go right along with that exceptional experience, because it’s needed – now.
And to be most honest – enough of this “experience” jargon, the industry needs to be very serious at this point when it comes to network and cyber security. I’ve said that now is high time for this – a colleague of mine said no, five years ago was high time.
Companies and organizations held for ransom, and others do suffer as well
When talking about being “held for ransom” in the cybersecurity world, it involves a miscalculated internal act, and many times cryptocurrency. There was a recent report of a ransomware attack in the industry.
For those who are not yet aware of what ransomware is:
Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as Ukash and cryptocurrency are used for the ransoms, making tracing and prosecuting the perpetrators difficult. *
According to cybersecurity firm Trend Micro:
Users may encounter this threat through a variety of means. Ransomware can be downloaded onto systems when unwitting users visit malicious or compromised websites. It can also arrive as a payload either dropped or downloaded by other malware. Some ransomware are known to be delivered as attachments from spammed email, downloaded from malicious pages through malvertisements, or dropped by exploit kits onto vulnerable systems. **
Where ransomware is concerned – anyone is vulnerable. The main message here, as has been said over and over again: if you receive an e-mail and it looks even the least bit suspicious, don’t open any links. There is the possibility that it’s a spoofed e-mail; read this to find out more, and how you can prevent falling victim to it.
Search security: email spoofing.
Contact IT if necessary, and let them handle it. Become more aware now, it’s imperative as such shutdowns are not only costly to the company, but to those they provide for.
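Before handing a suspicious message to IT, the two checks that most often expose a spoofed e-mail are a Reply-To or Return-Path domain that differs from the From domain, and a link whose visible text shows one site while its href points to another. The script below is an added example, not part of this article; it runs those checks with Python’s standard library over a constructed sample message (all addresses and hosts are invented placeholders).

```python
# Added example (not from the article): flag common spoofing indicators in a raw e-mail.
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message for demonstration only; every domain is a placeholder.
SAMPLE = """\
From: "Acme Films Support" <support@acme-films.example>
Reply-To: producer@mailbox-free.example
Return-Path: <bounce@mailbox-free.example>
Subject: Your film contract
Content-Type: text/html

<p>Sign here: <a href="http://login.bad-host.example/x">https://acme-films.example/contract</a></p>
"""


def _domain(addr):
    # Pull the domain out of a header value such as 'Name <user@host>'.
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def spoof_indicators(raw):
    """Return human-readable warnings for the spoofing signs found in a raw e-mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    sender = _domain(msg["From"])
    # Replies or bounces routed to a different domain than the apparent sender.
    for hdr in ("Reply-To", "Return-Path"):
        other = _domain(msg[hdr])
        if other and other != sender:
            warnings.append(f"{hdr} domain {other} differs from From domain {sender}")
    # Links whose displayed URL names a different host than the real destination.
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = urlparse(text.strip()).netloc.lower()
        real = urlparse(href).netloc.lower()
        if shown and shown != real:
            warnings.append(f"link text shows {shown} but points to {real}")
    return warnings


if __name__ == "__main__":
    for w in spoof_indicators(SAMPLE):
        print("WARNING:", w)
```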
There again is a level of education to this – I’d have to wonder if the company is bringing in anyone to instruct its people to prevent this, or any other cyber disaster, from ever happening again. I would also hope that other industry companies would be looking to instruct their employees in the same way after learning of this.
Funny story, I received an e-mail from a person who wanted to produce my movie (?) and I had an exchange with him. Here’s the last e-mail I received:
I have no film, but hmm – to open or not open those links… 🤔
Are you paying attention, AV companies?
I guess it’s OK if the industry keeps ignoring the issue, as soon IT integrators will partner with network and cybersecurity companies (unless they provide these solutions and services themselves) to do these integrations (with some AV consultants involved), and the need for the AV integrator on the whole will lessen (except for maybe those SMB huddle spaces).
The manufacturers will be fine though, right? After these recent incidents of note – that answer is… not quite. Security researchers are watching, and waiting to “correct” your mistakes. Hackers are lying in wait to release attacks of various sorts.
Industry C-Levels and other executives – it’s time to act, come up with solutions… now.
We must enforce the point, as when Indiana Jones in ‘Raiders of the Lost Ark’ asks who is examining the Ark of the Covenant at the end – the answer is “top men.”
Nope, here that’s top men and women. Get on board if you are an industry CEO, CTO, CIO, CSO, CISO or any other person involved in the day-to-day activities of IT, the network, and security.
This can’t be shouted any higher on the mountain.
But there will be more to come.
** Trend Micro: Ransomware.
With over 20 years in audio visual integration and IT/computer sales and consulting, Corey Moss is the owner of Convergent AV Media. Corey writes for the publication and hosts/produces podcasts – The AV Life, Convergent Tech Talk, Convergent Week and The AV Tech Trade. He has written for numerous industry publications about AV, IT, unified communications and collaboration (UCC), cloud and software, IoT, cybersecurity and more. He has also conducted interviews with AV and IT executives and global influencers. Find him talking about a whole lot of things, tech and otherwise, on LinkedIn: https://www.linkedin.com/in/mosscorey/.