The second most popular post on the Billboard Insider website is Hacking Digital Billboards. There are people out there who would love to hack your digital signs. The Digital Out of Home Primer which was published last week contains an outstanding summary of the issues relating to digital billboard security and best practices for keeping your digital billboards secure. Insider is reprinting the security discussion (pages 36-38 of the Digital Out of Home Primer) below. Must reading for anyone with digital billboards.
Security
Internet access is extremely important to digital signage networks and needs special consideration in terms of integrating the signals across an organization’s existing IT network or building a dedicated one. Redundancy should be addressed, as should backup plans for Internet failure — the more critical the network is to an organization, the more important the backup plan is. For example, a network that goes down in an airport is obviously a much bigger problem than a single display in a doctor’s office waiting room. Digital signage networks are of interest to hackers and other cyber criminals due to the public nature of the displays and the ability to reach a wide audience. Network operators need to take cybersecurity very seriously.
Nature of Threats
An attacker does not need to gain control of your systems to do damage. They only need to disrupt normal operations. If an attacker gains control of a system they can display whatever they want. Physical security of the display and the accessibility of its ports is also important; security on your player and network will mean nothing if the attacker can simply bypass them and plug their own device directly into the display.
Areas of Concern
Run applications with the minimum amount of privileges required. Disable or remove any “Easter Eggs,” or maintenance backdoors. Test for overflow and injection vulnerabilities.
Most systems out of the box are not secure. You will need to perform a full review of services, accounts and software. Remove or disable what is not needed.
All communications should be encrypted by default. Certificates or keys must be used. Each mode of communication has its own unique exposures whether it is wireless, DSL, cable or plain old telephone service.
Lockdown and enclose each component. A lock is only a deterrent. Assume that it will be bypassed. Cases should have no external screws; cables should all be routed internally. Expose only what you must (antennae, touch screens, etc.) Develop automatic fallbacks if any item is compromised. A disabled system is better than a compromised system.
Social engineering is one of the most powerful tools available to a hacker. Put policies in place that ensure that information is only revealed to those who need to know and only through proper channels. Make sure that staff is trained in the policies and that training is a continuous process.
Strategies for Protection
Make security an integral part of your plans from the ground up. Don’t rely on a single piece of software or hardware for security. Assume each device is vulnerable to attack. A Virtual Private Network (VPN) does not guarantee network security.. Disable unused ports on your Ethernet switch. Disallow all network cards, except for the MAC addresses you know should be on your network.
Reduce the avenues of attack by removing all applications and services that are not needed. Remove or disable all guest or system accounts that are not needed.
Use strong passwords, change them periodically and do not have one universal password that gives away the keys to the kingdom if compromised. Remove the easy web configuration software on your router.
Prepare a plan for patch management. Ensure you identify all items that could need security patches or firmware updates. Routers, hubs, touch screens. Every day hackers find new ways to wreak havoc. Bring an outside expert to review your security.
Make sure that staff is trained in basic policies and procedures. Only share information with known people outside the company.
Turn on logging and enable monitoring of each system that you can and prepare for off-hour notifications via email, text or pagers.
Managed DNS Services
A managed DNS service queries DNS (Domain Name Service) queries through a secure network of servers around the globe. These systems use threat intelligence to produce realtime perspectives on which websites are safe and which sites are known to include malware or other threats. If the system detects that the site you want to reach is known to be infected, you’ll automatically be blocked from entry — keeping your data and boards safe. While there are different managed DNS services, one of the top-four services in the world is Quad9. Unlike other services that either charge users a fee or sell users’ data, Quad9 is highly privatized, free and GDPR-compliant.
Two Factor Authentication
Moving beyond the simple username and password sign in, the industry security standard is two-factor authentication. This capability mitigates certain brute force attacks, by having a user authenticate themself first through the standard username and password and then either through a randomly generated number provided by a service (e.g., Okta) and authenticating a user through the app or by having their mobile phone tied to the account and receiving a randomly generated number that they then type into the website.
Email Phishing Mitigation
The number one attack surface for cyber criminals is you and your employees. The vast majority of all successful cyberattacks first begin with a phishing campaign. By pretending to be someone else and sending either an attachment that the user downloads or a link that a user clicks on, a cyber-attacker will gain access to a user’s network. One of most efficient means to mitigate phishing risks is to make sure that you are adequately protecting your emails with the following protocols: DMARC, SPF and DKIM. One of the easiest ways for you to see if your emails are protected is by going to DMARC here. This site will allow you to put in your email address and tell you whether or not you are protected and if so at which level. If you are not protected, the site will then walk you through the appropriate steps so that you (or your IT administrator) will have the appropriate script to copy and paste into your email server.
Physical Access
Digital signage systems are often physically accessible to the public. Direct access to hardware dramatically increases the susceptibility of digital signage networks to potential 38 attack. Network owners must take precautions to limit access or block off physical access to ports and inputs on displays and players.
Where to Go for Additional Information
While it can be overwhelming, the NIST Cyber Security Framework is the all inclusive and ever evolving catalog of knowledge when it comes to cybersecurity. More information on data security can be found on the American Institute of Certified Public Accounts’ website and on its SSA16 standards.
[wpforms id=”9787″]
Paid Advertisement
