IP Security For Broadcasters: Part 7 - Operating Systems

As well as providing the core functionality of a computer, operating systems have the potential to be a primary issue for security and keeping hackers at bay.

In the ideal world, all software would be free from bugs. However, the massive number and combinations of inputs, calculations, and outputs that occur in most programs makes it almost impossible to test the system completely and exhaustively. Recent advances in software testing methods have made code much more dependable, but it’s impossible to make any system 100% reliable and predictable.

Operating systems (OS) are at the heart of every computing system and interact at some point with any application program running on the computer. Consequently, the OS is the single most vulnerable aspect of any computing system and as our reliance on the internet increases, the importance of closing OS vulnerabilities quickly is more important than ever.

Access vs Security

If we were to lock our computers in a vault one-hundred feet below a concrete bunker, not tell anybody their whereabouts, and not connect them to the internet, then the chances are that we would make them 100% secure. However, they would be perfectly useless as virtually nobody would be able to use them. By making computers accessible and useable through networks, we inadvertently make them vulnerable to attack from cyber criminals and hostile actors. So, in this respect, security is about risk assessment and being proactive.

Any part of the computer that allows a user to input data is a potential source of vulnerability. Whether it’s the keyboard and mouse, the USB port, or the ethernet/WiFi connection, anything on the computer that allows user access is a vulnerability. The difference with the OS is that a fundamental aspect of their operation relies on providing the processing of the TCP/IP information on the ethernet or WiFi interfaces. This makes the system particularly vulnerable as a hacker doesn’t need to be in the vicinity of the computer to do their damage—they could be located on the other side of the world.

Building OS Defense

Preventing cybercriminals from accessing any computer on the network is of paramount importance and always the first line of defense, but to be effective with our security, we must assume somebody will be able to breach the network defenses and gain access to the computers on the network. And this is where the OS provides the next level of defense.

Hackers can generally exploit two types of vulnerability on individual computers, whether they’re a user’s desktop, a video processing server, or a web interface: through a user application or the OS. Restricting access to either of these relies on sophisticated login credentials. However, this proves difficult as users are generally hostile to security credential policies that require passwords to be changed regularly or using complex passwords that involve obscure characters. But this really is a line of defense that cannot be compromised. Luckily, systems such as two-factor authentication make user security easier to implement and much more secure, but centralized credential authentication systems must be employed to facilitate their effective use. Examples of these include AD (Active Directory) or RADIUS (Remote Authentication Dial-In User Service).

To help keep the effects of any security breach to a minimum, users must have the minimum amount of read, write, and execute privileges. This involves a great deal of effort and planning from the IT system administrators, but again, is essential.

As already mentioned, no software system is 100% secure and vulnerabilities exist in the code itself. These are not limited to any vendor, and the good news is that each vendor has a small army of developers constantly testing and fixing vulnerabilities should they occur.

Keeping Software Up To Date

Major OS vendors such as Microsoft and Apple have a clear commercial incentive to keep their systems clear of vulnerabilities, but this raises an interesting question for open-source software. Although an OS such as Linux may be “free”, the reality of the situation is that, to make it as secure as the other major vendors, one of the commercial open-source software suppliers such as Suse, Redhat or Ubuntu must be adopted as they are constantly testing the OS for vulnerabilities and providing patches.

Figure 1 – All processes within the user space interact with the operating system kernel at some point. Here, two “write()” library calls are shown writing to the network and disk drive, with “printf()” sending data to the display port.

Figure 1 – All processes within the user space interact with the operating system kernel at some point. Here, two “write()” library calls are shown writing to the network and disk drive, with “printf()” sending data to the display port.

Any broadcaster should be extremely careful about downloading an instance of Linux and expecting it to be secure enough for enterprise use. There are a plethora of security patches and configurations that broadcasters often lack the resource and knowledge to install effectively and safely. However, the good news is that one of the commercial open-source vendors will have done the security checking, configuration, and validation to make it safe for enterprise use. They will also provide regular updates and patches as needed.

With some operating systems, the line between the OS and the internet browser is becoming increasingly blurred, to the point where the browser must be considered a potential source of OS vulnerability as it is often provided as a patch during OS updates. Browsers can be made secure, but this often requires an in-depth understanding of its configuration to stop problems with Trojan software or spyware. These are small programs that can be installed on a computer by a hostile actor and either track keyboard, mouse and website actions, or attack other computers.

Leaving a user to configure their own browser security is a disaster waiting to happen. Expert IT professionals must configure the browser and then lock it so the user cannot override the settings. The challenge with this is that users are often restricted to the security policies of the broadcaster. For example, it may be that Java applets or ActiveX are disabled, thus restricting the user experience, or even access to some websites. Again, security is all about risk assessment and the IT professionals must work in tandem with the users to provide secure systems – a task much easier said than done.

Closing Vulnerabilities

Although SSH (Secure Shell) is a separate program from the kernel of the OS it is often distributed with it to allow remote access to the computer. Used mainly by developers and system administrators, it allows anybody with the correct credentials and TCP/IP access to login to the computer, access any of the files configured in the user credentials, and even load and run other software. Consequently, SSH is an incredibly dangerous program to have lying around just in case it’s needed one day.

SSH is one example of a remote login, and a far better strategy would be to disable it or not load it in the first place. Anybody with access to the “root” SSH login will have access to not only the machine they’re logged on to, but potentially every machine on the wider network.

Once a malicious user has access to a computer or server then they can use it for a whole host of nefarious actions including DOS (Denial of Service) attacks where one or multiple servers send high-frequency messages to the target computer to tie up its resource as it handles a large volume of TCP/UDP/IP activity, potentially rendering the machine useless.

Operating systems are at the heart of most computer systems used in broadcast enterprise environments and have the potential to be a source of security vulnerabilities. Consequently, IT professionals specializing in security should install, configure, and maintain them, along with associated software such as browsers, so they always have the latest patches to keep vulnerabilities to an absolute minimum.

Part of a series supported by

You might also like...

Broadcast Audio For Coachella With American Mobile Studio

For the past 15 years, Chris Shepard, chief engineer and owner of American Mobile Studio, has been responsible for the music mixes broadcast over a variety of streaming platforms from some of the biggest festivals in the United States, including Coachella,…

IP Security For Broadcasters: Part 9 - NMOS Security

NMOS has succeeded in providing interoperability between media devices on IP infrastructures, and there are provisions within the specifications to help maintain system security.

IP Security For Broadcasters: Part 8 - RADIUS Network Access

Maintaining controlled access is critical for any secure network, especially when working with high-value media in broadcast environments.

Thoughts On NAB 2022

NAB happened! Yes, footfall was inevitably down and there were fewer vendors exhibiting, but the show went on. And what a great success it was too.

Audio Consoles Focus On AoIP Networked Production At NAB

Like most equipment now being marketed to broadcasters these days, audio consoles continue to improve in the area of audio over IP (AoIP) networking and remote production workflows. Indeed, efficiency, flexibility, and remote as well as distributed production are at…