EPISODE 173 | Mark Malaney, systems engineer for Visix
Digital signage is a powerful communication tool, but its connectivity to your network also makes it a potential target for security threats. A breach can lead to downtime, reputational damage or even a compromise of sensitive company data.
This episode demystifies the world of digital signage security, breaking down the most common vulnerabilities and risks that every organization should be aware of. We explore actionable, real-world strategies to harden your digital signage deployment against attack. From the fundamentals of network segmentation and data encryption to the importance of physical security and choosing the right technology partners, you’ll get a clear roadmap for creating a secure and reliable digital signage ecosystem.
- Learn about the unique security vulnerabilities of different digital signage media players.
- Understand common threats like social engineering, malware and man-in-the-middle attacks.
- Discover best practices for securing your network, including segmentation and encryption.
- Get expert advice on the importance of physical security and keeping your software updated.
- Explore key security considerations when choosing hardware and software providers.
Transcript
Derek DeWitt: Today we’re talking about something that is absolutely critical for the smooth and successful operation of any digital signage deployment. We’re talking about security, and from that obviously comes reliability. So you have to think about it, right?
Digital signage is very often a key touchpoint for your audience. It’s giving them important information. It might be driving sales or sending important KPIs or other information that teams need to know. And it’s basically just generally improving your audience experience, whether it’s an internal or external audience.
But what happens when suddenly it all goes dark, and everything is not working? Uh oh! Or what if, even worse, you have a security breach, and your system has been compromised? What do you do? Well, I don’t know. This is certainly nothing remotely like my field of expertise, but I’m lucky today to have someone who does know all about it.
He is Mark Malaney, a systems engineer for Visix, and we’re going to talk about some strategies and best practices to keep your digital signage systems secure and reliably working day in and day out, and make sure that nothing goes horribly amiss. Thanks for talking to me today, Mark. I’m very interested in this subject because I literally know nothing about it.
Mark Malaney: Hey, Derek. It’s nice to be here. I’m definitely looking forward to chatting about this. It’s a very large topic, as you mentioned, and people always ask me questions about what to do and what not to do. So, let’s get into it.
Derek DeWitt: Excellent. I’d like to thank Mark, of course, for talking to me and everybody out there for listening. I remind you that you can like and subscribe and share, and you can also follow along with a transcript of the conversation we’re about to have on the Visix website, where you will also find several helpful links.
So first, let’s talk about the threats and the risks and potential security vulnerabilities that digital signage systems have. Like, I don’t think anybody out there is unaware that anything that is networked or that is connected to the internet is potentially in some kind of danger, and so we have firewalls and all these other things. But I think most of us don’t really know how they work or why we need them. And I’m also wondering if digital signage systems themselves, specifically, if they have unique vulnerabilities that, like, say, just my laptop doesn’t have.
Mark Malaney: So, there are some vulnerabilities, particularly with digital signage media players in general, since each media player is essentially its own computer, just like your laptop, but it uses different protocols and different systems to communicate with servers both on the internet and locally on your network, or sometimes even across a VPN at one of your other branch offices.
So, because they’re computers, they have computer-like vulnerabilities. If you’re running a media player that uses a run-of-the-mill operating system like Windows, you’re presented with Windows vulnerabilities. That could include things like pieces of malware, unattended access by threat actors, and any Windows-type vulnerability that is discovered would, of course, affect your digital signage players as well.
Now, Windows players are not the only things that have vulnerabilities like this. You’re familiar with BrightSign. BrightSign uses a version of an Android operating system, and Android operating systems are also not immune to these types of vulnerabilities. Because Android is a very well-known operating system for cell phones and even some computers like Chromebooks, there are a lot of vulnerabilities that occur with systems that use those operating systems as well. Android operating systems are mainly vulnerable to bad applications, for lack of a better term. They’re very open. So, you can install pretty much any .apk file. And if someone is troubleshooting a device for not working correctly and is talking to the wrong person, that wrong person or threat actor on the phone or via email, they could send them a .apk file that isn’t what the end user’s anticipating.
It may not be the signage software. It could be a remote access tool, which will give them a way into the system and let them use it to monitor traffic and see what’s being sent, and from where. That .apk they install can appear to be digital signage software, but it could be a tool that a threat actor uses to steal information that’s being transmitted and stored on that digital sign running Android.
Derek DeWitt: Right. So, like we’re doing KPIs, for example, with, say, our sales numbers. It’s an internal-only thing; this is not for the general public. You know, oh, well, if you have this thing installed on the system, sort of trojaned in there, you could access that information.
Mark Malaney: In a way, yes. I’ll mention more about this later, encrypting your information in transit, but if that information is not being encrypted correctly or not encrypted at all in some cases, then that information could be captured, saved and then retransmitted. That’s called a man-in-the-middle attack.
Derek DeWitt: Ah. I always love the different kinds of attacks and the names for them. They’re always quite exciting.
Mark Malaney: Yeah, they sometimes can sound like something out of a Mission Impossible movie, but it’s all real.
Derek DeWitt: Yeah, yeah, yeah, yeah, yeah. Now, like viruses and malware, are these also, I assume, for anything that’s connected to the internet, that’s always a constant possibility.
Mark Malaney: Yes. It is always a constant possibility. However, things are getting a lot more secure out of the box, which is good. So, the main threat, or the easiest way I should say to get into a system now, is through a process called social engineering, where you essentially would trick or manipulate a person that has access into granting you access to the system.
Derek DeWitt: Ah, that’s interesting, yeah. It’s kind of been, I think, in the hacker world that’s been a common idea for a very long time. You know, movies and TV always have people just, oh, I’m just gonna type away for a long time, and then I’ll figure out a way into the system. And you’re like, so what are you using brute force? ‘Cause that, you know, that could take thousands of years, conceivably. But I think for most hackers, and we saw this, for example, with the TV show, Mr. Robot, you’re not hacking the computer, you’re hacking the person.
Mark Malaney: Correct. Yes. Hacking the system itself is quickly going away. Things are getting more secure. And it still does exist out there, hacking the system by punching on your keyboard and knowing what to type and how to attack a node on a network, that still is a thing. But most “hackers” out there have no idea how that works. They’re simply emailing you from an email address that was compromised, that looks trusty. Like, hey, I got access to this CEO’s email address. Let me go ahead and email All Company and tell them that they need to click this link and sign in with their Microsoft account to sign an HR document. That’s the number one way. Or you may have gotten these emails yourself where it would say, hey, this random person has a Docusign. You need to click this link, log in and sign this document for you to get your paycheck, for example.
Derek DeWitt: Right. And the easiest way to thwart these is don’t click on that link. Just don’t click it.
Mark Malaney: Correct. Don’t click on any links in any emails that you did not explicitly ask for. And if you did receive one and it happens to be real, you still are not obligated to click that link.
Derek DeWitt: Right. You could type it into your browser.
Mark Malaney: Right. You could always log in to Docusign yourself instead of clicking the link. You could actually go and navigate to that URL in your browser, docusign.com or whatever the case might be, log in with your credentials and try to find it there first. If you can’t find it there and you still feel it is real, you could always ask the person that sent it via another means. Give them a call, shoot them a Teams message, shoot them an email separate from the email chain. Contact them some way and double check with them, hey, did you actually send this? Is this real?
Derek DeWitt: And they say, “I don’t know what you’re talking about.” And you go, Aha!
Mark Malaney: Right. Because even though some emails appear to be coming from your actual email address at company.com, for, like, ceo@microsoft.com, it could appear to be coming from that email address, but it in some cases is not. It’s an attack style called email spoofing. So, they could pretend to be someone else by manipulating what are called email headers, and long story short, they could make their email address look like whatever they want. And when you reply to it, it will actually send that reply to a different email address. So, someone else would be getting that message.
Derek DeWitt: Right. Sneaky! Sneaky, sneaky, sneaky. Now, is it possible… So, obviously unauthorized access, clearly a potential problem. Is it possible for someone to hack into a digital signage system, especially one that’s networked, and actually inject their own content? Is that a possibility or is that just something that you would put in a screenplay?
Mark Malaney: If somebody has remote access to a system hosting data or hosting media content as a whole really, then yes, they can go into the file system of that player and find out where those source files are and change them to something else.
Derek DeWitt: Wow. So, I could go into a competitor, for example, and just alter their KPIs, or, you know. Or if I’m quitting, you know, put up, you know, “The CEO is a jerk” or whatever the heck I want, conceivably.
Mark Malaney: Yeah, conceivably. You could essentially go in and change whatever you’d like. Now, the reason that’s a thing is because most digital signage players, they have to have a local copy of whatever content they’re playing. It’s very difficult for these devices to stream them over the network. And if you have a hundred signs streaming the same video, for example, all on the same network, you’re bogging down your entire system. So, most digital signage players would actually contact the content management server, request a copy of the content it needs for playback, download a local copy of that content and then play it back on its own screen.
So, because there’s a separate copy here, then yes, that could be changed. What’s concerning is that, depending on what type of content you’re displaying, that local copy of the content could contain some very sensitive information, particularly access keys for APIs such as Microsoft Graph, I’ll use that one as an example.
If you have a digital sign that’s displaying calendar information, or it has two-way booking enabled, that digital sign has to have internet access, and that’s accessing an API on the internet through a secured channel. So, none of this information is available to just grab through the network traffic. I’m talking strictly about the sign itself: if you were to gain access, those access tokens are technically saved on that sign.
It is encrypted, but if you get a copy of that file that contains the information through a remote access tool or other means, and you make a copy of it yourself on your computer as a hacker, even if your access to that system is cut, if those secrets or tenant IDs don’t change, and the hacker decrypts the file, they can then get access to your Microsoft Graph API themselves. And depending on the level of access you grant that app registration, they can book things in your system without anyone even being notified about it.
Derek DeWitt: Wow. Now here’s the thing, I could imagine some people thinking like, okay, so what? So, somebody, whatever, they delete a meeting from the calendar, or they put a spurious meeting on the calendar and nobody shows up or, you know, whatever. Like who really, is it really that big a problem? What are the actual drawbacks to having all this?
I mean, obviously one that I can think of is if you have public-facing signage, obviously you can very badly damage the brand reputation. But other things as well, right? I would imagine if people start thinking, oh, this isn’t reliable, they won’t be engaged. If you’re using it for advertising revenue, maybe again, people don’t want to use your digital signage because it’s weird and unreliable and you have holes in your security systems. Like what are some of the actual drawbacks?
Mark Malaney: The drawbacks of your information being compromised?
Derek DeWitt: Yeah.
Mark Malaney: One of the largest drawbacks of any information, specifically like API keys, for example, getting leaked or given away to threat actors is that in a lot of cases, these API keys are generated without the principle of least privilege in mind. Now, I’ll get into that in a second, but these keys sometimes are created by either an IT department or somebody with access who just wants their signs to work. They’re not thinking too much at the time. They just want, hey, I have a hundred signs, I want them all to work, they need to be installed and working by the end of the week because we have a convention or something else coming in.
So, sometimes these API or app registrations are created and granted full access to their tenant in Microsoft 365 or CollegeNET or a different system. So, because these app registrations essentially have full access to the entire domain, you could do more than just book calendars and delete events. You could actually create users and grant them permissions. You can delete files from OneDrive and SharePoint. You could create SharePoint websites and adjust those permissions.
I mentioned the principle of least privilege earlier. That’s a pretty hot concept for information security. It essentially boils down to granting only the minimum permissions needed for something to work. An example of that would be a typical end user or, say, a salesperson for a company; they don’t need access to user creation at the company they’re working for, ’cause that’s not needed for their job to be successful. So, using the principle of least privilege, you would give that salesperson access to only what they need, nothing more.
Derek DeWitt: So, there is a lot more danger than just someone can basically get in there and cause mischief. Like they could actually go in and alter all kinds of things, especially if you’re a fairly large company. Like they could change your sales figures, everything; anything and everything is potentially open once somebody gets into the network.
So, yeah, have a secure network. Well, how do we do this? I mean, the way I imagine it, how it works usually for things that I personally am involved with is firewalls, antivirus software, VPNs sometimes. How do you secure these things?
Mark Malaney: Securing digital signage players boils down to some key points. The first one being keeping these media players separate from all your other devices on your network. That is the largest and most important one in my opinion.
Topic two would be to ensure that any information leaving or going to these media players is encrypted, typically with a TLS or SSL certificate encrypting that traffic.
And number three is making sure that your digital signage players are playing content that should be seen by people. That sounds funny, but I’ve had people request some very sensitive information to be displayed on signs, and I highly advise against doing that.
Derek DeWitt: Why would they wanna do that? Is it just like, hey, this is, whatever, the C-suite has a couple of digital signs, and they can all see this stuff, but we wouldn’t want that to get out onto, you know, the factory floor or the prairie dog farm, the cubicle farm, or something like that. Is that what they’re thinking?
Mark Malaney: They want to use a digital sign as an accoutrement to a meeting room. And depending on what meeting they’re having, like if they’re discussing yearly financials, they want financial information for their company displayed on these signs in the meeting room, so while they’re talking about it, they can glance around and be reminded of what the figures are specifically.
That sounds cool, but that information has to be retrieved from somewhere, right? So that information is being accessed by these digital signage players and being displayed. Now, I don’t advise displaying sensitive information like that on a sign because these are signs; they’re meant to be seen by people. So, just keeping that information off a sign in the first place is a good first practice as well.
Derek DeWitt: Create a PowerPoint, have it on there, or, you know, write it down on a piece of paper.
Mark Malaney: Yes. There are much more secure ways of sharing information like that to a large group of people, but don’t put it on your digital signs.
Derek DeWitt: Now what about, like, having network passwords and, you know, multifactor authentication and all this? Does this apply to digital signage? Is it a good idea? Does it matter?
Mark Malaney: For digital signage, it’s not typically used because of how the digital signs access information. They use API calls, typically, to retrieve information from web sources. So, multifactor authentication wouldn’t apply to those because they’re using different forms of authentication.
Derek DeWitt: Gotcha, gotcha. I understand that. So, you said keep the devices kind of secure and separate, you know, sort of segmenting the network. What do you mean by that? You mean like physically? Do you mean partitioning them from certain parts of the network?
Mark Malaney: Both, physically and logically. I’ll touch on physical first. Physical access to a device is also a way that a device can be compromised by threat actors or mischievous people, like students, for example, who have too much time on their hands. So, it is important to keep these in an area that’s out of reach or locked in a box or so well hidden that it’s not obvious where they are. That’s because if someone has physical access to the system, they could steal the system along with any information saved on the hard drive inside of the computer or media player. Or they could plug in a USB drive that is using something like Ducky Script to go and execute .bat files or scripts, or even input keyboard commands to the system without the need for them to plug in a keyboard and mouse, to create their own vulnerabilities or install software on it that will grant them access to that system later.
So, logical separation would mean keeping these devices digitally separate from your other devices. You could use something like a VLAN, virtual local area network, that keeps these devices from basically talking to or communicating with other devices on your network as a whole. What that does is basically it gives your media players access to the internet and potentially communicate with each other, but it does not give your media players access to communicate with workstations or servers that are on your corporate network.
Derek DeWitt: Now, I assume, as you’ve said, they’re computers. One of the things we’ve mentioned many, many times on here is you gotta keep this stuff updated. You know, software gets updated, and patches are written, because nothing is perfect and everything’s always, people are trying to find new vulnerabilities or new vulnerabilities show up or what have you. There’s a constant system in place where software is being updated all the time. And if you’re not updating your devices, you’re really just, you’re kind of asking for it.
Mark Malaney: You’re right, Derek. Because these are computers, yes, just like your workstation, they need updates. And they could come at inopportune times, like 6:00 PM on a Friday. Your computer says, hey, I gotta install updates before I shut down, it’ll take 10 minutes. I know that sucks. But it’s like that for a reason. And yes, if you have an outdated system and never update it, that version of the operating system that’s not being updated is gonna remain that way. Things are never gonna change. If a vulnerability is discovered down the road and you don’t update your system, your system is now automatically vulnerable to that attack. So, keeping it updated is extremely important.
Derek DeWitt: I have in my notes something about disabling unnecessary ports and services. Does that make sense? Is that something that you need to do?
Mark Malaney: Yes. Sometimes you do. Because they’re computers, depending on how they’re configured out of the box, this can be customized by whoever receives it or their technical people or even their network administrator. These devices have a default level of access given to them by whatever company’s operating system you’re using. If that’s Android, Google would decide that; if it’s Windows, Microsoft has their own idea of what the typical computer needs and gives it to these operating systems as default deployments.
So, what that typically means, and most listeners may have seen this before, is that Windows Firewall on Windows has a lot of allowed rules by default and a lot of denied rules by default. And if you customize and restrict that system to only allow traffic on certain ports into and out of the system, you can, in a way, control the flow of the information to and from that system without having to make any very specific changes to the information itself.
So, let’s say you just want to have internet access on a player, and you don’t want it to communicate via any other means. You can block all the ports on that system to and from, except the web traffic port. So, all that device can do is communicate to web servers. So, doing something like that would keep the vulnerabilities down to only those that affect web traffic. Which is, at the moment, not many. Luckily. At the moment. But that may change.
Derek DeWitt: You know, so when I’m thinking about, like you said, stuff coming in over the web, like, you know, a lot of digital signage deployments nowadays, they’re using subscription feeds, RSS feeds, news feeds for tickers or for messages or for what have you. There are tons and tons of these out there, and they of course have their own security protocols. Can you just trust that your source, your RSS feed source, is doing what they need to do? Or do you need to do special things on your end to sort of double check and make sure that, hey, when this stuff’s coming in, I need to make sure that it’s secure?
Mark Malaney: Yes, there is, and that’ll circle back to what I touched on initially with encrypting your traffic. There are different ways to access information on the internet, and most websites let you do both encrypted and not encrypted traffic. If you opt for using the encrypted traffic, then you can have a high level of confidence that that data is not being manipulated in transit. So, what you’re getting is what was intended by whatever server you’re communicating with. If that’s CNN’s RSS feed server or weather information from the Weather Channel or what have you.
You could double check and tell if your information or your web traffic is encrypted by looking at the address bar in a web browser. If you type in an address or you go to, say, google.com and look at the address in the address bar, if you notice in the beginning, you’ll see “https”, that information is being encrypted before transit and then after it is received by the communication partner, whether that’s the server or the digital signage player itself. If that “s” is missing, that information is not encrypted. That is an unsecured connection, and I would highly advise making any necessary changes to the server or to the player to make sure that you’re accessing it using https.
Derek DeWitt: Right, right. Well, you know, like, just for web stuff on my personal computer, I use Chrome, and Chrome now, if it’s just http, no “s”, it won’t actually let me access the page. It’s very hard to, there’s a little thing you have to click, and you have to click another thing and another thing, and you have to kind of basically force the browser to do it. Because it’s like, look, this is the standard now, and if someone’s not using that, they’re either dumb or they’re up to something, and so no, I’m not gonna let you access it.
Mark Malaney: Yeah. Browsers nowadays are smart enough to not allow most people to access web services without encryption. But systems like digital signage, or if you’re accessing a server directly from, say, a line of code, or you’re accessing something with a script, or you’re entering something in manually to a digital signage content management system, it’s typically not gonna say, hey, what you typed in is not a secured URL. And the reason that is like that for digital signage players is because digital signage players can access servers both on the internet and locally to a network.
Now, servers locally on a network typically are not using a security certificate that is signed by a partner like DigiCert online. You actually have to go and purchase these certificates to encrypt your traffic. So, if someone just spins up a server on their local network, and they want to test something, or they just want it kept inside their corporation, they may not see the need to purchase a certificate like that because it’s not being accessed by web browsers. They don’t see the need. So, they’ll keep that server’s access unencrypted because it’s already in their local network. The idea is that what’s in your local network is already trusted.
So, web browsers, they’ll let you know, and they’re smart enough to do that, but most digital signage software won’t. They’ll just take whatever URL you enter, and they’ll try to hit it. And most of what it’ll tell you is, hey, that worked, or, hey, that didn’t work.
Derek DeWitt: So, let’s say, I’m out there, I’m shopping around, I’m thinking, oh yeah, I’m gonna get some digital signage finally. Obviously, one of the first things is the hardware. I think most people shop for that first, though our advice is usually get the software first and then get the hardware to match it. But let’s do it the way that most people do it, which is I think most of them are looking at the hardware probably first.
How do you, I mean, you should probably not go for my friend’s cousin, you know, who repurposes computers and makes media players out of his garage. Like, for your company, this is your company after all, you want to use reliable commercial grade stuff, right? I mean, on the other hand, or could you? I mean, if you’ve got somebody who’s a tinkerer or something on staff, I mean, is it possible for them to create their own bespoke media players?
Mark Malaney: So, it is possible to do that. I would advise against that, however. Because most mass produced or commercially available hardware is made to a specification. So, you’re given a level of guarantee of playback quality, build quality and support for the player itself. If you build a player in-house or from your cousin or a neighbor who builds computers, you may get a really good price on them, and you probably will, to be honest with you. But you’re not gonna be guaranteed a level of support. You’re not gonna be guaranteed the software that’s installed on there is OEM or is supported, or in some cases even legal copies of the software. And you’re also not guaranteed a specification. You’re not guaranteed that, hey, this device can 100% play my 4K video without any issues.
Derek DeWitt: I would imagine the same thing when you’re going for the software. You should find something that is known to be stable, that’s known to be well supported, that, you know, regularly gets updates, that isn’t just like, well, we created the software and now good luck! What else should we be looking for when it comes to security considerations, when shopping around for digital signage software?
Mark Malaney: Something to look for with a digital signage provider for security as a whole that’s typically a green flag in my opinion, is whether or not they’re open to suggestions, or if they have new versions that release pretty regularly. Then you know that it’s always being looked at and updated. Bugs being found, features being added, new programming methods being used that are more secure. Those are all green flags: regular updates and suggestions.
Now, I point out suggestions because we at Visix get those, and we really do appreciate them. Where a customer may find a very niche use case for the signage software, and in their specific environment, they may be using a different version of .NET Framework, for example. And if they find that, hey, if I use this older version of .NET Framework, then there’s this vulnerability discovered. And if that gets submitted to the digital signage company that you’re using or purchasing your software from, then they can go and actually fix that vulnerability if they haven’t seen it before.
So, suggestions being an option, or at least being received by the digital signage software provider, then that’s a good sign in my book. That means that they’re wanting to hear from everybody and they’re always wanting to improve their software.
Derek DeWitt: Right, right. Which is absolutely the case. And I’ll just throw in a little plug there, since you mentioned Visix, you can get free updates. You don’t even really have to think about them if you’re using a Software Maintenance and Support Subscription, and all of our cloud server stuff also, that stuff, I don’t even think you have to do anything; it just automatically updates. So, if you’re doing something that’s cloud hosted, you know you’re always on the most recent, most up-to-date version because it just happens automatically on the cloud servers.
Mark Malaney: Right. Our cloud servers are updated whenever a new public release of our software is available, and the players themselves will automatically update as well. So, it’s a very hands-off process for anyone using the Visix software specifically. I can’t speak for all software, but being part of Visix, I can tell you that whenever the cloud servers are updated, in the next day or so, all your players will be updated as well and given those security patches, updates and fixes, and a lot of times even new features and new tools for you to use and make better signage as well.
Derek DeWitt: There you go. And of course, connectivity I think is, obviously, important. A lot of this stuff is, obviously if it’s cloud, it’s gonna have to have some kind of internet connectivity. A lot of digital signage software out there also allows for sort of remote management and remote monitoring and things like this. Basically, you can do it all, anything you need to, get into the dashboards, reconfigure playlists, whatever you need, over the web.
Obviously, you need to have reliable internet. Is there a real difference between wired versus wireless these days? Or are they basically, because they’re using encryption, equally safe?
Mark Malaney: They are not equally safe.
Derek DeWitt: Oh!
Mark Malaney: Wired connections are going to be more secure. If you use and implement proper physical security measures, a wired connection’s going to be a lot more secure.
Now, a wireless network, it is convenient. It is nice to have, and you could manage it and make it as secure as you think you could. But there are methods of attack for a wireless network that are exclusive to wireless networks and not wired networks. And they’re less secure because they’re wireless. You can’t really control radio waves as well as you could a wire. So, if somebody has a laptop or is within range of that wireless network, they could sit in a van or sit outside or anywhere and hide and just continuously try to attack that wireless network until they get access to it.
Derek DeWitt: Right. Obviously, to get into a wired network requires literally physical proximity.
Mark Malaney: Right. It needs physical proximity, and a wireless network, you also need physical proximity, but it’s open to a large area instead of a half-an-inch wide cable that you could throw into a ceiling and have a camera look at and no one can touch it without being sent to jail. So.
Derek DeWitt: Right, right. So, you’ve got your system up and running, you think you’ve made it pretty secure, everything seems to be good, but you really do need to constantly be monitoring how the system’s health is, how the performance is, all the time, right?
Mark Malaney: Yes. It’s always a good idea to monitor these devices for suspicious activity, and most companies already have a system in place for that. The network firewalls do a pretty good job of keeping checks on how much data is being sent or received by an endpoint, like a digital signage player or a computer. And it will automate that typically and notify the network security team if there are any anomalies. That’s always good because that’ll give you and your security team a heads up that there’s suspicious activity on a device.
And a lot of the time these firewalls, if they detect something like that, will go and cut the connection to that device or blacklist it until a network security professional can take a look at it and either verify that it’s real information or in some cases, if it is being attacked, they can get rid of the device or make changes to it to mitigate the threat.
Derek DeWitt: Sure, sure. And I would imagine all your troubleshooting processes, they need to be clear. And I would imagine documentation would be very important because you need to be able to have a record of, hey, in the past these things have happened, and this is what we did. So, we have that document as a backup for anything that might crop up in the future.
Mark Malaney: Yes. It’s always a very good idea to keep everything documented very, very well. I like to use what I call the “hit by a bus” analogy. So, if you have one guy that’s been there since the Stone Age and has seen everything, if that person doesn’t document what they’ve seen, doesn’t document how they fixed it or how a system is configured and set up, and where all the parts of the spider web are connected and how one part is responsible for 30 other things, for example, if none of that’s documented and they get hit by a bus in the analogy, right, they get hit by the bus and they’re gone, that information is gone with them.
There’s a giant puzzle that needs to be solved by whoever takes their place. And if that puzzle isn’t laid out with instructions on how to put it together, then they have to try to figure out how to put it together. And that is very time-consuming for that person. It costs the company money and time and resources because now that new person isn’t doing their job that they got hired for, they’re instead having to solve a puzzle before they could even start doing the responsibilities they were hired for. They’re having to figure out a bunch of stuff.
Derek DeWitt: Right. Exactly. And of course, they’re also basically reinventing the wheel because the person who was hit by said bus already did this. They already solved the puzzle.
If we were gonna give three main takeaways for someone, what would they be?
Mark Malaney: The three main takeaways would be physical security, you know, keeping things physically secured and away from the general public.
Point two would be encrypting your traffic in transit. That’s very important.
Point three would be keeping your systems up to date, especially for digital signage players. ’Cause that’s what we’re talking about, we’re not talking about users’ laptops. Keeping your digital signage players up to date is a very important aspect of this and making sure that those updates are installed regularly.
Derek DeWitt: And I’d also say if you’re in the planning stage, you haven’t actually got a digital signage system yet, or you’re thinking about scrapping the one you have and starting from scratch with a whole new thing, kind of put these considerations into that shopping process. Make sure that you’re getting something that is already gonna meet you halfway towards your requirements, so that you don’t have to do a ton of stuff on your end.
Mark Malaney: Right. Yes. Not only is that convenient for the buyer of the software, but it’s also saving everyone a headache later. So, all these questions are already answered, you know? Like, is it encrypted? Yes. How is it encrypted? This is how, this is what it uses. Knowing that before getting into it is, it saves everyone a lot of time and it keeps things secure as well.
Derek DeWitt: Which is the name of the game.
Mark Malaney: Exactly.
Derek DeWitt: Well, it’s all very interesting stuff. I know you have an astonishing amount of information in that head of yours, and you could probably talk about this for three days with just the occasional food break. But we don’t have that kind of time. We’re out of time. But I hope that this kind of overview of securing digital signage networks, specifically digital signage networks, has been useful for the people listening out there.
And I’d like to thank my guest, an expert on the subject, Mr. Mark Malaney. He is a systems engineer for Visix, and he has been talking to me about digital signage network security. Thanks, Mark. A lot of it makes sense, but I didn’t really know it before we spoke.
Mark Malaney: You’re very welcome. Thank you so much for having me, Derek. It’s been a pleasure.
Derek DeWitt: Thank you. And again, everybody, I remind you there is a transcript of the conversation we just had on the Visix website, so go there.