In the past, if the virus protection software on your computer was up to date, you could feel secure that your computer was safe. But with almost all computers interconnected through IP networks, it’s not that simple anymore.
Many think of network security as protection against viruses, but that’s just the tip of the iceberg. IP network security encompasses a wide range of measures to guard against a wide range of threats, both internal and external, and every station needs to set up a security policy to protect against them.
A security policy is a list of priorities and rules that upper management has agreed upon as important to keep the station running. As more and more of a station’s assets are kept on network-connected storage systems, keeping all that data safe is of prime importance. Developing a security policy is a first step in keeping your spots, programs and financial records safe.
Having upper management sign off on a security policy gives more authority to its enforcement, especially when the security policy comes up against a manager who sees no problem with surfing certain Web sites or downloading suspicious software or employees who complain about network restrictions. (See Figure 1.)
The policy is a guide that pinpoints what needs to be protected and what it would mean if those areas were compromised. It also outlines the ways in which these assets can be targeted and what the most vulnerable areas are and how they can be protected. Goals should be set to achieve the desired level of protection.
For a TV station, the policy might cover several areas: financial records, including billing and traffic file access; on-air playout and archive storage; nonlinear edit systems; graphic systems; IP network segments that carry the feeds from remote locations; or even an IP network that connects the studio to the transmitter. The loss of any of these systems and/or network segments would disrupt the workflow of the station and possibly result in loss of income and trust from creditors, upper management and so on. Any way you look at it, the loss of any part of your IT infrastructure will at the very least cost the station money, so it needs to be protected.
A computer system could become infected with a virus and slow down, stop working or even erase data. But how can a network segment be lost without it being unplugged? It is not uncommon for a spambot program to infect a computer and send out spam e-mail at an extraordinary rate, thus occupying almost all available bandwidth of the network that it thinks leads to the Internet. Or, an employee might be playing a new first-person shooter game that uses lots of online graphics (even worse, several employees might be playing and hogging all of the network’s available bandwidth). These are just a couple of examples, and as everything becomes IP-based, it’s important to improve communications between machines and systems as well as stay informed of what’s going on in your network. And it all starts with a security policy.
Backing up data
An important part of any security policy should be a commitment to backing up all important data and making sure the backup will really work if the need arises. If all else fails, computers can be replaced, but data can’t, unless it’s been backed up. Off-site storage is best for cases where your building cannot be accessed, such as after a fire or other disaster. For large backups, this means using data tapes or even Blu-ray Discs, and then transporting them to a remote storage site. This does not include self-storage facilities where the temperature and humidity are not controlled.
Smaller amounts of data, such as weekly billing files and the chief engineer’s files, can be backed up with an online service that works in the background and continually updates as files change. Just make sure to keep an off-site record of what online backup systems are in place and how to access them; it’s easy to forget passwords. Using local hard drives for automatic backup is also a good idea for everyday use, such as when a file is accidentally deleted, but don’t depend on them in case of catastrophic loss.
The strategy to accomplish your goals is very important; it outlines how you are going to meet the goals set out in the security policy. This could include defining the actual layout of the network(s), how they interconnect, and who is responsible for adding new users and setting up their computers. One of the most important aspects is assigning who is responsible for setting up any routers and other security software.
Because the personnel who use the computer network play a major role in protecting it, you might want your staff to sign an acceptable use statement that outlines the need for security practices and the penalties for not following station policies. This could include things like not installing any outside programs no matter how helpful they might appear to be and not connecting any USB drives to the company computers because they can carry malware (malicious software) that can damage or spy on the network. A more recent trend in gaining illegal access to a company’s network is to leave a USB flash drive with the company’s logo on it in the company parking lot. An employee picks it up, and when they attempt to open a document on it, a malware program is started.
Although standard template-style acceptable use statements can be found on the Internet, it is best to write your own because you can tailor it to your company’s specific requirements. If the statement is too broad and complex, your personnel may not understand it. Clear and simple steps should outline the statement, making it easy to follow and easy to point out if it is violated.
One of the hardest things to do is to actually make sure all the policies are being carried out. Just like transmitter readings, a regular inspection of the network and updates to the employees are good ideas. Letting your employees know that you are aware that they are following the rules lets them know that you take network security seriously. Of course, running regular virus scans and keeping your antivirus software up to date are both important steps any network administrator should always take. It’s also not a bad idea to have network security awareness reminders several times a year.
Keeping your network equipment safe is another aspect of network security. Do you keep the doors to the network closets locked? Are the front panels of the servers locked? Who has access to these keys? At one station, a wireless router was installed on the second floor to allow wireless Internet access. The router was set up properly with a unique password to gain access, and it seemed like that was all that was needed. The engineer then discovered that the settings and the network name did not work when he brought his own laptop to the second floor. Upon investigation, he found the wireless router had been reset to factory default settings. He then set up the router again and a week later, found the same thing had happened again. The router had been left in an unlocked storage room on a table, and it appeared that someone who wanted access but did not have the password had pressed the reset button. A quick search on the Internet provided the factory default password and allowed the person access. It also opened up the entire network to the outside world; with the router in its factory default settings, anyone parked on the street could gain access to the company network and computers. There were no available rooms that could be locked, so the engineer moved the wireless router to another room and hid it under a plastic milk carton on the floor. He never had any more trouble with it.
The above is just one example of why physical security is necessary to protect your network. Another reason is theft. With personnel in the broadcast facility 24/7, there is ample opportunity for equipment to disappear. Unlike professional video equipment, a high-powered computer server could work just as well as a high-powered gaming system.
Cutting it off
Another method in use today is to take any mission-critical data and just cut it off from the Internet, isolating it from the rest of the network. Although this may not be possible in all cases, it will limit the avenues of access for viruses and other malware to reach your valuable data and systems. This is another instance that could call for the use of subnets, which allow parts of a network to have Internet access and block the same access to other parts.
Sometimes a single computer is outfitted with two or more network interface cards so that it can be connected to more than one network at a time. Although this may seem to isolate the two networks, it actually links them. If one side is connected to the Internet, malware can be installed on that computer and infect others on both networks. A better way is with two computers and a KVM switch, which really keeps the two networks isolated.
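One way to audit for the multi-NIC problem described above is to treat each network segment as a node and each multi-homed computer as a link, then search outward from the Internet-connected segments. This is an added example, not part of the original article; it goes beyond the single-computer case to chains of such machines, and the segment names, subnets and host names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample data (assumed names and addresses, not from the article).
SEGMENTS = {
    "office":  ("192.168.10.0/24", True),   # has Internet access
    "playout": ("10.20.0.0/24", False),     # meant to be cut off
    "archive": ("10.30.0.0/24", False),     # meant to be cut off
    "billing": ("10.40.0.0/24", False),     # meant to be cut off
}
HOSTS = {
    "news-edit-01": ["192.168.10.21"],
    "ingest-01":    ["192.168.10.40", "10.20.0.5"],   # two NICs
    "playout-01":   ["10.20.0.10"],
    "archive-gw":   ["10.20.0.11", "10.30.0.2"],      # two NICs
    "billing-01":   ["10.40.0.7"],
}

def segment_of(addr, segments):
    """Return the name of the segment whose subnet contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, (cidr, _) in segments.items():
        if ip in ipaddress.ip_network(cidr):
            return name
    return None

def exposed_segments(segments, hosts):
    """Map each 'isolated' segment reachable from an Internet-connected one
    to the chain of multi-homed hosts that links them."""
    links = defaultdict(list)          # segment -> [(host, other segment)]
    for host, addrs in hosts.items():
        segs = sorted({s for s in (segment_of(a, segments) for a in addrs) if s})
        for a in segs:
            for b in segs:
                if a != b:
                    links[a].append((host, b))
    # Breadth-first search outward from every Internet-connected segment.
    path = {name: [] for name, (_, online) in segments.items() if online}
    queue = deque(path)
    while queue:
        seg = queue.popleft()
        for host, nxt in links[seg]:
            if nxt not in path:
                path[nxt] = path[seg] + [host]
                queue.append(nxt)
    return {s: p for s, p in path.items() if not segments[s][1]}

if __name__ == "__main__":
    for seg, chain in exposed_segments(SEGMENTS, HOSTS).items():
        print(f"{seg}: reachable via {' -> '.join(chain)}")
```

In the sample data the archive segment has no machine on the office network, yet it is still exposed through two dual-NIC computers in a row, while billing, which has no multi-homed machine, stays isolated.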
Network security will remain a hot topic for broadcast engineers as broadcasting moves toward an all-IP infrastructure. Keeping a station running will depend on keeping your networks clear and your computers free of malware.