More devices connected to the network, increased wireless access, and a steep increase in the volume of content and data can create tempting opportunities for outside attackers. Security, however, is not just about hacks and stolen data; it's also important to fix internal flaws and embed best security practice to avoid accidental errors and protect yourself from both insider and outsider threats.
With so much going on, knowing where to start and what you should secure can be confusing.
AVIXA® spoke to a panel of experts about the need for secure systems when planning and executing a live event and how to mitigate the risk.
Meet the Participants
John Pescatore
Director, Emerging Security Trends, SANS Institute, USA
Matt Harvey
VP of Specialty Services, PSAV, USA
Paul Zielie, CTS-D, CTS-I
IT and AV Systems Engineer, AVCoIP, USA
Bart van Moorsel
European Solutions Design Specialist, Tech Data, Amsterdam
John Pescatore joined SANS as director of emerging security trends in January 2013 after more than 13 years as lead security analyst for Gartner, running consulting groups at Trusted Information Systems and Entrust, 11 years with GTE, and service with both the National Security Agency, where he designed secure voice systems, and the U.S. Secret Service, where he developed secure communications and surveillance systems and "the occasional ballistic armor installation." Pescatore has testified before Congress about cybersecurity, was named one of the 15 most-influential people in security in 2008, and is an NSA-certified cryptologic engineer.
Matt Harvey’s 17 years at PSAV have been in a variety of roles, but the one constant is the desire to make technology simpler for people to understand and leverage. As the Vice President, Specialty Services, that challenge continues as the industry creates ever more complex event experiences. Specialty Services includes PSAV’s Rigging, Power Distribution, Internet Services, and AV Design & Integration groups. These four unique teams design, build, and operate the infrastructure solutions that are foundational to event success. Harvey is also a regular contributor to Events Industry Council’s Accepted Practices Exchange and Hospitality Next Generation.
Paul Zielie, CTS®-D, CTS-I, is a multi-disciplined generalist with 30 years of experience designing and integrating IT, telecommunications, and audiovisual (AV) solutions. He is a prolific writer and speaker, was the recipient of the 2015 InfoComm International Educator of the Year award, and was inducted into the SCN Hall of Fame in 2020. He is currently a consultant specializing in helping AV manufacturers create products that meet the IT requirements of enterprise customers.
Bart van Moorsel helps channel partners deliver solutions for combating ransomware and guides them on how to deliver effective cybersecurity around cloud and IoT in the context of GDPR. In addition, he works with Tech Data’s specialist business unit, Maverick AV Solutions, to help customers build secure AV solutions. Bart has worked in the IT security business for over 20 years, building up extensive expertise and knowledge of cybersecurity vendors and their technologies.
Kicking off the conversation, Pescatore discussed some of the biggest security challenges facing businesses today.
“The human urge to be part of something, to know that your internal thoughts and feelings are shared among hundreds, thousands, tens of thousands is something that will never go away.”
Bart van Moorsel
“Usually with new technology or business processes, we firstly think about getting things going and then we think about the security, so this is low hanging fruit for attackers. With new technology, there is a repeatable pattern where bad guys always come after new technology or processes to disrupt things and cause things to crash. So, with live events, you may see the whole network go down and all the screens and booths disconnected.”
Pescatore shared insight into the thought process of a cybercriminal, “Through vulnerabilities, attackers can get on a network and see credit card transactions or personal information, which they use for identity theft or new account fraud. The more clever and determined attackers think about where else they can get to. For instance, from a hotel network for an event, they then get into the systems of a vendor who is connected back to their home office, and then they think ‘what can I do from there?’”
What does security mean for live events and why is it important?
“Security doesn't just protect against the malicious, it also protects against the stupid.”
Zielie commented that security in itself isn't a value proposition; what it does is allow your devices to access networks. “Security becomes really important in that first step to be able to bring products onto the network and have control and management. That then brings all that other value of flexibility that events need. The live events industry is highly dynamic and requires lots of flexibility.”
“There are a number of external vulnerability points, as John mentioned, but security doesn't just protect against the malicious, it also protects against the stupid. For instance, sometimes things are left wide open and people are ‘helpful’ without asking and that’s where you may want to put in password protection.”
Van Moorsel gave his view on why security for AV, particularly live events, is getting more attention: “What I've seen from the AV market is that there has been fantastic innovation over the past three years and where you would have used a projector in the past, now you have a tremendous system where you can collaborate and share your presentations and work remotely from everywhere you want. These AV devices now have an operating system, they have an IP address, so they become fully equivalent IT systems. The downside of that is that of course they have fully equivalent security risks.”
What are we really protecting?
“The three things you're protecting are confidentiality, integrity, and availability.”
According to Zielie, the three things you're really looking at protecting are “confidentiality, integrity, and availability.”
“Confidentiality is protecting secrets and could be important to live events, depending on whether you have customer files. Integrity and availability are really what drives a live event. Integrity means we know that what we have hasn't been changed, for instance, your show files. Availability can be a denial of service attack when your service goes offline.”
Zielie’s advice when it comes to applying security is: “Apply security wherever it's easy, defense in depth. You don't count on a single defense.”
“Security is not a one-time thing, it is a constant thought process.”
Zielie made another key point, “This is not a one-time thing, security is a constant thought process. The fact is that security is a mindset and it goes from top to bottom. It needs to become some level of habit.”
Van Moorsel agreed, “The first and last most important thing in security is people. People are very important to close the gaps and make your chain as strong as possible. People working within your organization need to understand the typical risks of using equipment, they need to understand how to behave, and then what kind of responsible behavior do we expect from them.”
Watch the full roundtable discussion on Best Practice Security Measures for AV in Live Events.