IP Security For Broadcasters: Part 7 - Operating Systems
As well as providing the core functionality of a computer, operating systems have the potential to be a primary issue for security and keeping hackers at bay.
Articles in this series:
In the ideal world, all software would be free from bugs. However, the massive number and combinations of inputs, calculations, and outputs that occur in most programs makes it almost impossible to test the system completely and exhaustively. Recent advances in software testing methods have made code much more dependable, but it’s impossible to make any system 100% reliable and predictable.
Operating systems (OS) are at the heart of every computing system and interact at some point with any application program running on the computer. Consequently, the OS is the single most vulnerable aspect of any computing system and as our reliance on the internet increases, the importance of closing OS vulnerabilities quickly is more important than ever.
Access vs Security
If we were to lock our computers in a vault one-hundred feet below a concrete bunker, not tell anybody their whereabouts, and not connect them to the internet, then the chances are that we would make them 100% secure. However, they would be perfectly useless as virtually nobody would be able to use them. By making computers accessible and useable through networks, we inadvertently make them vulnerable to attack from cyber criminals and hostile actors. So, in this respect, security is about risk assessment and being proactive.
Any part of the computer that allows a user to input data is a potential source of vulnerability. Whether it’s the keyboard and mouse, the USB port, or the ethernet/WiFi connection, anything on the computer that allows user access is a vulnerability. The difference with the OS is that a fundamental aspect of their operation relies on providing the processing of the TCP/IP information on the ethernet or WiFi interfaces. This makes the system particularly vulnerable as a hacker doesn’t need to be in the vicinity of the computer to do their damage—they could be located on the other side of the world.
Building OS Defense
Preventing cybercriminals from accessing any computer on the network is of paramount importance and always the first line of defense, but to be effective with our security, we must assume somebody will be able to breach the network defenses and gain access to the computers on the network. And this is where the OS provides the next level of defense.
Hackers can generally exploit two types of vulnerability on individual computers, whether they’re a user’s desktop, a video processing server, or a web interface: through a user application or the OS. Restricting access to either of these relies on sophisticated login credentials. However, this proves difficult as users are generally hostile to security credential policies that require passwords to be changed regularly or using complex passwords that involve obscure characters. But this really is a line of defense that cannot be compromised. Luckily, systems such as two-factor authentication make user security easier to implement and much more secure, but centralized credential authentication systems must be employed to facilitate their effective use. Examples of these include AD (Active Directory) or RADIUS (Remote Authentication Dial-In User Service).
To help keep the effects of any security breach to a minimum, users must have the minimum amount of read, write, and execute privileges. This involves a great deal of effort and planning from the IT system administrators, but again, is essential.
As already mentioned, no software system is 100% secure and vulnerabilities exist in the code itself. These are not limited to any vendor, and the good news is that each vendor has a small army of developers constantly testing and fixing vulnerabilities should they occur.
Keeping Software Up To Date
Major OS vendors such as Microsoft and Apple have a clear commercial incentive to keep their systems clear of vulnerabilities, but this raises an interesting question for open-source software. Although an OS such as Linux may be “free”, the reality of the situation is that, to make it as secure as the other major vendors, one of the commercial open-source software suppliers such as Suse, Redhat or Ubuntu must be adopted as they are constantly testing the OS for vulnerabilities and providing patches.
Figure 1 – All processes within the user space interact with the operating system kernel at some point. Here, two “write()” library calls are shown writing to the network and disk drive, with “printf()” sending data to the display port.
Any broadcaster should be extremely careful about downloading an instance of Linux and expecting it to be secure enough for enterprise use. There are a plethora of security patches and configurations that broadcasters often lack the resource and knowledge to install effectively and safely. However, the good news is that one of the commercial open-source vendors will have done the security checking, configuration, and validation to make it safe for enterprise use. They will also provide regular updates and patches as needed.
With some operating systems, the line between the OS and the internet browser is becoming increasingly blurred, to the point where the browser must be considered a potential source of OS vulnerability as it is often provided as a patch during OS updates. Browsers can be made secure, but this often requires an in-depth understanding of its configuration to stop problems with Trojan software or spyware. These are small programs that can be installed on a computer by a hostile actor and either track keyboard, mouse and website actions, or attack other computers.
Leaving a user to configure their own browser security is a disaster waiting to happen. Expert IT professionals must configure the browser and then lock it so the user cannot override the settings. The challenge with this is that users are often restricted to the security policies of the broadcaster. For example, it may be that Java applets or ActiveX are disabled, thus restricting the user experience, or even access to some websites. Again, security is all about risk assessment and the IT professionals must work in tandem with the users to provide secure systems – a task much easier said than done.
Closing Vulnerabilities
Although SSH (Secure Shell) is a separate program from the kernel of the OS it is often distributed with it to allow remote access to the computer. Used mainly by developers and system administrators, it allows anybody with the correct credentials and TCP/IP access to login to the computer, access any of the files configured in the user credentials, and even load and run other software. Consequently, SSH is an incredibly dangerous program to have lying around just in case it’s needed one day.
SSH is one example of a remote login, and a far better strategy would be to disable it or not load it in the first place. Anybody with access to the “root” SSH login will have access to not only the machine they’re logged on to, but potentially every machine on the wider network.
Once a malicious user has access to a computer or server then they can use it for a whole host of nefarious actions including DOS (Denial of Service) attacks where one or multiple servers send high-frequency messages to the target computer to tie up its resource as it handles a large volume of TCP/UDP/IP activity, potentially rendering the machine useless.
Operating systems are at the heart of most computer systems used in broadcast enterprise environments and have the potential to be a source of security vulnerabilities. Consequently, IT professionals specializing in security should install, configure, and maintain them, along with associated software such as browsers, so they always have the latest patches to keep vulnerabilities to an absolute minimum.
Part of a series supported by
You might also like...
Designing IP Broadcast Systems - The Book
Designing IP Broadcast Systems is another massive body of research driven work - with over 27,000 words in 18 articles, in a free 84 page eBook. It provides extensive insight into the technology and engineering methodology required to create practical IP based broadcast…
IP Security For Broadcasters: Part 1 - Psychology Of Security
As engineers and technologists, it’s easy to become bogged down in the technical solutions that maintain high levels of computer security, but the first port of call in designing any secure system should be to consider the user and t…
Demands On Production With HDR & WCG
The adoption of HDR requires adjustments in workflow that place different requirements on both people and technology, especially when multiple formats are required simultaneously.
If It Ain’t Broke Still Fix It: Part 2 - Security
The old broadcasting adage: ‘if it ain’t broke don’t fix it’ is no longer relevant and potentially highly dangerous, especially when we consider the security implications of not updating software and operating systems.
Standards: Part 21 - The MPEG, AES & Other Containers
Here we discuss how raw essence data needs to be serialized so it can be stored in media container files. We also describe the various media container file formats and their evolution.