IP Security For Broadcasters: Part 7 - Operating Systems

As well as providing the core functionality of a computer, operating systems are potentially a primary security concern and play a central part in keeping hackers at bay.

All 12 articles in this series are available in our free 82 page eBook ‘IP Security For Broadcasters’.

In an ideal world, all software would be free from bugs. However, the massive number and combinations of inputs, calculations, and outputs that occur in most programs make it almost impossible to test a system completely and exhaustively. Recent advances in software testing methods have made code much more dependable, but it’s impossible to make any system 100% reliable and predictable.

Operating systems (OS) are at the heart of every computing system and interact at some point with any application program running on the computer. Consequently, the OS is the single most vulnerable aspect of any computing system and, as our reliance on the internet increases, closing OS vulnerabilities quickly is more important than ever.

Access vs Security

If we were to lock our computers in a vault one-hundred feet below a concrete bunker, not tell anybody their whereabouts, and not connect them to the internet, then the chances are that we would make them 100% secure. However, they would be perfectly useless as virtually nobody would be able to use them. By making computers accessible and useable through networks, we inadvertently make them vulnerable to attack from cyber criminals and hostile actors. So, in this respect, security is about risk assessment and being proactive.

Any part of the computer that allows a user to input data is a potential source of vulnerability. Whether it’s the keyboard and mouse, the USB port, or the ethernet/WiFi connection, anything on the computer that allows user access is a vulnerability. The difference with the OS is that a fundamental aspect of its operation is processing the TCP/IP information arriving on the ethernet or WiFi interfaces. This makes the system particularly vulnerable, as a hacker doesn’t need to be in the vicinity of the computer to do their damage; they could be located on the other side of the world.

Building OS Defense

Preventing cybercriminals from accessing any computer on the network is of paramount importance and always the first line of defense, but to be effective with our security, we must assume somebody will be able to breach the network defenses and gain access to the computers on the network. And this is where the OS provides the next level of defense.

Hackers can generally exploit two types of vulnerability on individual computers, whether they’re a user’s desktop, a video processing server, or a web interface: through a user application or through the OS. Restricting access to either of these relies on sophisticated login credentials. However, this proves difficult as users are generally hostile to security credential policies that require passwords to be changed regularly or require complex passwords involving obscure characters. But this really is a line of defense that cannot be compromised. Luckily, systems such as two-factor authentication make user security easier to implement and much more secure, but centralized credential authentication systems must be employed to facilitate their effective use. Examples of these include AD (Active Directory) or RADIUS (Remote Authentication Dial-In User Service).

To help keep the effects of any security breach to a minimum, users must have the minimum amount of read, write, and execute privileges. This involves a great deal of effort and planning from the IT system administrators, but again, is essential.
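One way to check the read, write, and execute point above on a Linux or Unix host, as an added example that is not part of the original article: it walks a directory tree and reports files or directories that any user can write to, and files carrying the setuid or setgid bit. The function name and the choice of checks are assumptions made for illustration.

```python
import os
import stat


def audit_permissions(root):
    """Return sorted (path, issue) pairs for risky mode bits under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # entry vanished or cannot be read
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not enforced
            # A sticky world-writable directory (like /tmp) only lets users
            # delete their own files, so it is not reported.
            sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
            if mode & stat.S_IWOTH and not sticky_dir:
                findings.append((path, "world-writable"))
            # setuid/setgid files run with the owner's or group's privileges.
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((path, "setuid/setgid"))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, issue in audit_permissions(target):
        print(f"{issue}: {path}")
```

Each reported path is a candidate for tightening with the administrator's normal tools, not automatically a fault; some setuid programs are required by the OS.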

As already mentioned, no software system is 100% secure and vulnerabilities exist in the code itself. These are not limited to any vendor, and the good news is that each vendor has a small army of developers constantly testing and fixing vulnerabilities should they occur.

Keeping Software Up To Date

Major OS vendors such as Microsoft and Apple have a clear commercial incentive to keep their systems clear of vulnerabilities, but this raises an interesting question for open-source software. Although an OS such as Linux may be “free”, the reality of the situation is that, to make it as secure as the systems from the other major vendors, one of the commercial open-source software suppliers such as SUSE, Red Hat or Ubuntu must be adopted, as they are constantly testing the OS for vulnerabilities and providing patches.

Figure 1 – All processes within the user space interact with the operating system kernel at some point. Here, two “write()” library calls are shown writing to the network and disk drive, with “printf()” sending data to the display port.

Any broadcaster should be extremely careful about downloading an instance of Linux and expecting it to be secure enough for enterprise use. There is a plethora of security patches and configurations that broadcasters often lack the resources and knowledge to install effectively and safely. However, the good news is that one of the commercial open-source vendors will have done the security checking, configuration, and validation to make it safe for enterprise use. They will also provide regular updates and patches as needed.

With some operating systems, the line between the OS and the internet browser is becoming increasingly blurred, to the point where the browser must be considered a potential source of OS vulnerability, as it is often provided as a patch during OS updates. Browsers can be made secure, but this often requires an in-depth understanding of their configuration to stop problems with Trojan software or spyware. These are small programs that can be installed on a computer by a hostile actor and either track keyboard, mouse and website actions, or attack other computers.

Leaving a user to configure their own browser security is a disaster waiting to happen. Expert IT professionals must configure the browser and then lock it so the user cannot override the settings. The challenge with this is that users are often restricted by the security policies of the broadcaster. For example, it may be that Java applets or ActiveX are disabled, thus restricting the user experience, or even access to some websites. Again, security is all about risk assessment and the IT professionals must work in tandem with the users to provide secure systems – a task much easier said than done.

Closing Vulnerabilities

Although SSH (Secure Shell) is a separate program from the kernel of the OS, it is often distributed with it to allow remote access to the computer. Used mainly by developers and system administrators, it allows anybody with the correct credentials and TCP/IP access to log in to the computer, access any of the files configured in the user credentials, and even load and run other software. Consequently, SSH is an incredibly dangerous program to have lying around just in case it’s needed one day.

SSH is one example of a remote login, and a far better strategy would be to disable it or not load it in the first place. Anybody with access to the “root” SSH login will have access to not only the machine they’re logged on to, but potentially every machine on the wider network.
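Where SSH has to stay installed, the root-login risk described above can be checked in the server configuration. The following is an added example, not part of the original article: it reads OpenSSH `sshd_config` text and reports whether root login or password login is still allowed. The sample configuration is constructed, the defaults are those of upstream OpenSSH 7.0 and later (a distribution may ship different ones), and `Include` files and `Match` blocks are not evaluated.

```python
import re

# Upstream OpenSSH defaults, used when a keyword is absent (assumption: 7.0+).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
}

# Keywords that should be "no" on a hardened host, with the reason to report.
RULES = {
    "permitrootlogin": "root can log in over SSH",
    "passwordauthentication": "passwords are accepted, so guessing is possible",
    "permitemptypasswords": "accounts with empty passwords can log in",
}

# Constructed sample, not taken from a real host.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# The next line has no effect: sshd keeps the first value it reads.
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""


def global_settings(text):
    """Return {keyword: value} for the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # what follows is conditional, not global
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)  # first occurrence wins
    return settings


def audit(text):
    """Return (keyword, effective value, reason) for each risky setting."""
    cfg = {**DEFAULTS, **global_settings(text)}
    return [(k, cfg[k], why) for k, why in RULES.items() if cfg[k] != "no"]


if __name__ == "__main__":
    for keyword, value, reason in audit(SAMPLE_CONFIG):
        print(f"{keyword}={value}: {reason}")
```

On a live host, `sshd -T` prints the configuration the server will actually use, including defaults and included files, and is the authoritative source.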

Once a malicious user has access to a computer or server, they can use it for a whole host of nefarious actions. These include DoS (Denial of Service) attacks, where one or multiple servers send high-frequency messages to the target computer to tie up its resources as it handles a large volume of TCP/UDP/IP activity, potentially rendering the machine useless.

Operating systems are at the heart of most computer systems used in broadcast enterprise environments and have the potential to be a source of security vulnerabilities. Consequently, IT professionals specializing in security should install, configure, and maintain them, along with associated software such as browsers, so they always have the latest patches to keep vulnerabilities to an absolute minimum.
