- Avoid using the default ports for common application protocols such as FTP (port 21) or web (80). Change these to something unusual, for example port 2122 or 8089. Basically, make it harder for hackers to guess which ports you are using for certain applications.
- Avoid using common passwords such as “password” and “test”. Increase your “password strength” by using at least 7 characters with at least 1 uppercase letter and 1 number. Case sensitive passwords are harder for Brute Force password software tools to break and hack.
- Rename or disable common login accounts. For example, in the Windows environment rename the “administrator” and “guest” accounts. For Unix, rename the “root” account.
- Enable or install firewall software. Having some sort of protection (the built-in Microsoft Windows Firewall suffices) is better than not having anything at all. When creating firewall rules, make sure you only allow IP addresses that require access to the device. Don’t get into the habit of just allowing everything through – only do this for testing or special circumstances. If you have a digital signage appliance and cannot install any firewall software, invest in a hardware firewall.
- Enable or Install Antivirus Software. This will prevent viruses and Trojans from getting into your digital signage network.
- Ensure your operating system, whether it’s Unix or Microsoft Windows, has the latest software updates. There are a considerable number of security vulnerabilities out there – just make sure that you back up your operating system before installing any new patches.
- Physically locate your devices in a secure environment, e.g. in a rack or a communications cabinet, or use a Kensington lock if it’s in a public location.
- For wireless connectivity to your network, disable the wireless SSID and use the latest encryption methods such as WPA.
- Don’t just use HTTP to manage or transmit files – this is an unsecured protocol and the login and password are transmitted in clear text. Use HTTPS, with at least 128 bit encryption.
- If you have to manage multiple sites, don’t simply connect the digital signage players to the Internet; instead set up VPNs (Virtual Private Networks). With the right equipment you can easily set up a VPN tunnel in no time.
- If using the unit in standalone mode, i.e. not connected to the network, then disable the interface cards (wireless or physical).
- If using a web based player or SaaS, ensure that the web browser is using 128 bit encryption and SSL (basically you will see HTTPS at the front of the URL). We cannot stress enough that using HTTP is not secure as the login and password are sent in clear text, meaning that someone can easily capture your login and password credentials.
- Install the latest operating system service packs, i.e. if using Windows XP, then install SP3.
- Disable any SNMP (Simple Network Management Protocol) services. By doing so you will avoid hackers using SNMP tools to remotely manage your devices. Also avoid using the standard community strings “public” and “private”. If you do intend to use SNMP then use at least SNMP v3 as it is more secure.
- Disable any remote management tools (remote desktop, VNC, Dameware, PCAnywhere, telnet, SSH) unless it’s required for managing the network.
- Disconnect keyboards or mice from the digital signage device unless required.
- Screen lock – make sure your software actually locks the player window so that the public is not able to access or change settings on the player without a password.
So there you go, that’s our Security checklist. Have a look at your current digital signage solution and check to see whether it meets all or any of the above items. Now, having worked for large corporate organisations, we know that most of the above security requirements are mandatory in any IT department. So if you’re serious about winning those large tenders or contracts, then make sure you consider validating your digital signage equipment against this Security Checklist before you submit your next proposal.
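One way to run that validation over an inventory of players, as an added example that is not code from the original post. The record schema, field names and sample devices are hypothetical and constructed; the ports, account names, password rule, community strings and remote tools are the ones named in the checklist.

```python
import re
from urllib.parse import urlparse

# Values taken from the checklist above.
DEFAULT_PORTS = {"ftp": 21, "web": 80}
COMMON_PASSWORDS = {"password", "test"}
DEFAULT_ACCOUNTS = {"administrator", "guest", "root"}
DEFAULT_COMMUNITIES = {"public", "private"}
REMOTE_TOOLS = {"remote desktop", "vnc", "dameware", "pcanywhere", "telnet", "ssh"}

def weak_password(pw):
    """Checklist rule: at least 7 characters, 1 uppercase letter and 1 number."""
    return (pw.lower() in COMMON_PASSWORDS or len(pw) < 7
            or not re.search(r"[A-Z]", pw) or not re.search(r"\d", pw))

def audit_player(cfg):
    """Return checklist findings for one player record (hypothetical schema)."""
    findings = []
    for proto, port in cfg.get("ports", {}).items():
        if DEFAULT_PORTS.get(proto) == port:
            findings.append(f"default port {port} in use for {proto}")
    for user, pw in cfg.get("accounts", {}).items():
        if user.lower() in DEFAULT_ACCOUNTS:
            findings.append(f"default account name '{user}' not renamed or disabled")
        if weak_password(pw):
            findings.append(f"weak password for account '{user}'")
    if urlparse(cfg.get("management_url", "")).scheme != "https":
        findings.append("management URL does not use HTTPS")
    snmp = cfg.get("snmp", {})
    if snmp.get("enabled"):
        if snmp.get("version", 1) < 3:
            findings.append("SNMP enabled below v3")
        if snmp.get("community", "").lower() in DEFAULT_COMMUNITIES:
            findings.append("standard SNMP community string in use")
    for tool in cfg.get("remote_tools", []):
        if tool.lower() in REMOTE_TOOLS and tool not in cfg.get("required_tools", []):
            findings.append(f"remote management tool '{tool}' enabled but not required")
    return findings

# Constructed sample inventory, not real devices or credentials.
LOBBY = {"ports": {"ftp": 21, "web": 8089}, "accounts": {"administrator": "test"},
         "management_url": "http://player.example/admin", "remote_tools": ["VNC"],
         "snmp": {"enabled": True, "version": 2, "community": "public"}}
HARDENED = {"ports": {"ftp": 2122, "web": 8089}, "accounts": {"signage-ops": "Blue7Harbor"},
            "management_url": "https://player.example/admin", "snmp": {"enabled": False},
            "remote_tools": ["SSH"], "required_tools": ["SSH"]}

if __name__ == "__main__":
    print(audit_player(LOBBY), audit_player(HARDENED))
```

Items such as physical location, screen lock and attached keyboards cannot be read from a configuration record and still need a site check.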
Are there any other Security aspects that we’ve missed? Please let us know.
Feel free to submit your answer as a comment.