Pebble – Cybersecurity collaboration for protecting high-value media

IABM Journal

Tue 29, 10 2024

Neil Maycock, CCO, Pebble

As broadcasters continue their IP transition and take advantage of the commanding and compelling opportunities that cloud systems offer, protecting high-value media must now be a fundamental component of the design, not a hastily appended feature.

Taking a stand-alone application running on a traditional broadcast infrastructure and shifting it into the cloud is just asking for trouble. The chances are that the application, no matter how effective it is at processing video and audio, was probably never built with advanced security in mind. Usernames and passwords are often kept to their default values and even the simplest of penetration tests exposes vulnerabilities that would make the average hacker salivate.

Placing a firewall at the point of the internet connection certainly provides a level of protection, but the way we now use IP-based systems has changed beyond all recognition, meaning the approach of relying on walled gardens is both out of date and exceptionally dangerous. Bring your own devices, international cyber-terrorists, and human error all conspire against protecting high-value media, and new approaches are needed to counteract these challenges.

We often think of cybersecurity as the responsibility of the broadcaster, but as hackers continue to hone their skills, security must fundamentally start with the software vendor. There is no point in having the most secure network on the planet if the code running on a broadcaster’s servers has more holes and vulnerabilities than the proverbial sieve. Modern software must be built from the ground up, with security being as important as the processes and services the application is providing.

Security policies need to be defined before a single line of code is committed and then robustly enforced throughout the whole software design process. Vendors that diligently enforce secure coding principles as part of the design process, including verification using advanced third-party tools, can guarantee their code is highly secure even before it has left their own development lab. Continuous analysis and review should be at the heart of development methodologies so that when a new feature is shipped, security is guaranteed to be at the core of the design.

Modern software designs generally rely on third-party libraries to perform generic tasks, such as HTTP message processing and secure access. Although these libraries are often highly secure and well proven, their prolific use in the wider IT community means they often provide a focal point for hackers looking to exploit vulnerabilities. As an example, the security issue found in OpenSSL’s implementation of the Heartbeat extension for the TLS protocol, which was first discovered by Google back in 2014, gave rise to the Heartbleed vulnerability. This left SSL/TLS servers open to potentially giving away sensitive information to the hacker, including usernames and passwords. Although this was quickly addressed and the necessary security patches issued, it is still a potential source for hackers’ attention today, and if the SSL/TLS access point hasn’t been updated, then a hacker can gain undetected access to the network.

We may think that the Heartbleed exploit is the responsibility of the IT department who installed the SSL server, and this may well be correct. But what if the software service vendor providing the video and audio processing application had used the OpenSSL library in their solution? Even if the vendor’s library was the most secure version available at release, a new exploit could leave the broadcaster vulnerable to attack even if they had patched all their own instances. This is where vulnerability management comes into play, and it forms part of the EBU’s R143 Cybersecurity Recommendations. With this, the responsibility for monitoring and identifying security exploits becomes a collaboration between the broadcaster and their partner vendors who are supplying software applications. Vendors who understand and comply with EBU R143 are more likely to quickly and proactively notify broadcasters of a pending issue.

The Common Vulnerabilities and Exposures (CVE.org) website is an excellent source of information for quickly discovering library vulnerabilities and exploits. Broadcasters and vendors that sign up to their news emails will be made aware of vulnerabilities, allowing them to significantly reduce their exposure.

When users access the application through the convenience of a web browser, we can no longer rely on simple password access. Although IT departments have tried to implement security policies by forcing password changes, these have proved to be counterproductive as the users have been shown to just increment a number at the end of their password, thus establishing a pattern and making it more vulnerable to hostile hackers.

Using centralized credential management combined with OAuth 2.0 provides the best of both worlds for user security. A unified login approach means users do not have to keep changing their passwords and can log in through the web browser quickly, easily and securely. Also, the centralized management allows system administrators to provide variable logout timing. For example, in an MCR where monitoring is key to its operation, engineers do not want the web browser to be logged out at critical moments. Centralized credential management facilitates smart, time-limited sessions that meet the operational needs while maintaining secure media.

Granular permissions for servers, storage, and network access also promote secure systems and encourage the concept of Zero Trust security. This assumes anybody or any process accessing the system is potentially hostile and must be validated against the centralized credential management database.
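The variable logout timing and the per-request validation described in the two paragraphs above can be combined in a single deny-by-default check. The sketch below is an added example, not Pebble's code: the role names, timeouts and resource names are assumptions, and it models only the decision made after the identity provider has already authenticated the user.

```python
from dataclasses import dataclass

# Hypothetical central policy: role -> session limits (seconds) and allowed (resource, action) pairs.
# The long idle timeout is only granted to a role that is read-only.
POLICY = {
    "mcr-monitor": {"idle": 12 * 3600, "lifetime": 24 * 3600,
                    "allow": {("multiviewer", "read"), ("alarms", "read")}},
    "playout-admin": {"idle": 15 * 60, "lifetime": 8 * 3600,
                      "allow": {("playlist", "read"), ("playlist", "write")}},
}

@dataclass
class Session:
    user: str
    role: str
    issued_at: int   # epoch seconds, set at login
    last_seen: int   # updated on every authorized request
    revoked: bool = False

def authorize(sessions, session_id, resource, action, now):
    """Return (allowed, reason). Every request is re-checked against the central store."""
    s = sessions.get(session_id)
    if s is None or s.revoked:
        return False, "unknown-or-revoked-session"
    rule = POLICY.get(s.role)
    if rule is None:
        return False, "unknown-role"
    if now - s.issued_at > rule["lifetime"]:
        return False, "session-lifetime-exceeded"
    if now - s.last_seen > rule["idle"]:
        return False, "idle-timeout"
    if (resource, action) not in rule["allow"]:
        return False, "permission-denied"
    s.last_seen = now  # only permitted activity keeps the session alive
    return True, "ok"

def demo():
    t0, hour = 1_700_000_000, 3600  # constructed timestamp
    sessions = {"s1": Session("alice", "mcr-monitor", t0, t0),
                "s2": Session("bob", "playout-admin", t0, t0)}
    return [
        authorize(sessions, "s1", "multiviewer", "read", t0 + 6 * hour),
        authorize(sessions, "s1", "playlist", "write", t0 + 6 * hour + 1),
        authorize(sessions, "s2", "playlist", "write", t0 + hour),
        authorize(sessions, "s1", "alarms", "read", t0 + 25 * hour),
    ]
```

The monitoring session survives six idle hours but still cannot write to the playlist, while the write-capable session is logged out after its short idle limit.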

These new methods of delivering highly secure cloud software are just a few examples of how software design engineers and security experts coordinate their skills to keep high-value media secure in today’s cloud infrastructures. Cybersecurity resilience increases when vendors and broadcasters collaborate and work in partnership.
