Maintaining a Healthy Digital Signage Network − Security Best Practices for the IT Professional

lobby digital signage
Reading Time: 5 minutes

Have you ever considered how secure your digital signage network is? Or maybe you’ve thought to yourself “what’s the worst that could happen?” Perhaps you don’t remember Union Station, DC May of 2017 when it was hacked, playing pornography for several minutes in front of a busy crowd or in September of 2018 the flight information digital displays being taken down by hackers at Bristol Airport in Britain. Today we can no longer ignore the possibility that someone with malicious intent could cause harm to our digital signage investment. Even with using one of the most secure digital signage software solutions on the market, Korbyt Anywhere, there are still best practices you can follow to further protect your digital signage investment. In this article we’ll cover some of the best practices for cyber hygiene used by many IT professionals to prevent malicious activity on their digital signage networks. Because let’s face it, it’s time you secure your digital signage network!

We will focus in four areas: Player Hardware, Software, Local Network, and Internet best practices. Keeping in mind, cyber hygiene is like brushing your teeth. You brush your teeth to proactively prevent cavities. The idea is the same here. We want to implement best practices that make it more difficult for anyone with ill intentions to find vulnerabilities with your signage solution.

Digital Signage Networks – Security Basics

For our first health checkup let’s take a look at Player Hardware and Software measures you can take to safeguard your solution. The obvious things to look at first would be the physical layer vulnerabilities. For a Brightsign player it would be making sure that you installed the Micro SD card cover to prevent anyone from easily reaching behind your display and popping out your Micro SD card right out of the player. For a Windows computer it could mean mounting it in such a way that the USB ports aren’t easily accessible to connect a thumb drive or a mouse and keyboard. In general, this could mean better cable management using zip ties to keep loose cables away from would be troublemakers. Sometimes this means installing your players in a rack inside a central IT closet and using video extension equipment to extend their video to their respective digital displays. This is always a difficult balance between physically protecting your digital signage players and keeping them accessible for a certain degree of maintenance.

Digital Signage Players

Many digital signage players have internally hosted configuration pages. Many of these allow you to do several things from reboot the player, adjust firmware, or even add/remove files on the players storage system. Malicious files can be added in some cases, or incorrect firmware versions depending on the type of player you have. The passwords on these hosted config pages should not be left default! Another example with many SaaS solutions today occurs when the customer is managing their logins manually. If someone leaves the company and their login to that CMS isn’t removed, then that person still has access to the company’s digital signage even after they have left the company. A way to remedy this scenario is to use a SSO (Single Sign On) provider to manager your logins. Following these steps can help you avoid getting a nasty cavity (in a digital sense of course).

Digital Signage Software

On the software side there are other important things we can do to mitigate security challenges. The first of which being software updates. Before deploying a player of any type, you should make sure it is on the newest Firmware or Windows Update supported by your CMS. However, this is a double-edged sword because if you update your firmware too far ahead to an incompatible version you can break your media player, which is why it is important to know which versions of firmware/updates your CMS vendor supports. Next, this one is so simple but is rarely done, change default passwords whenever possible (password is not a password ).

Digital Signage Network Management

Now for the fluoride varnish, let’s harden the network! Let’s start with one of the more common approaches, VLans. Creating VLans are a regular process today for protecting devices from unwanted network access. It is par for the course for an IT professional to put all of their Media Players on a VLan of their own, where the internet connection is the only thing the players have access to.

Signage player distribution zones

Other common ways used to lock down access to your players or from your players into your network include Mac Filtering and certificate-based authentication. In the simplest of terms Mac Filtering works on the basis of whitelists and blacklists, where if you’re not on the correct list you’re not granted access to network resources. Certificate-based authentication is pretty straight forward as well, if your device doesn’t have the correct certificate to provide when requested, then it won’t be granted access to any network resources (as a side note not all digital signage partners can handle security certificate requirements). All-in-all there are many tools you can use to protect your investment. The point is to be proactive with your cyber hygiene and to avoid needing a root canal.

Firewall Software Technology

The last points of cyber hygiene we will examine are the steps you can take with your firewall software. One of the more common strategies here is whitelisting websites, a form of web filtering. The principle being that you only allow your media players access to websites that you have on your Whitelist. This is a very secure way of limiting what access your media players have to anything on the internet. Heaven forbid if one of your media players was infected with malware and tried to connect to a nasty site, if it wasn’t on your whitelist the player would be prevented from communicating with it. There are many other security related functions your router can perform that protect your network at a broader level that we won’t get into like Deep Packet Inspection, Sandboxing, and Intrusion Preventions System to name a few. In other words, there are lots of tools in the tool belt to consider!

There are countless ways to UP your security game, and it’s important to remember that security is a layered approach, none of these steps are full proof by themselves. In any case Cyber Security is always changing and some of the best practices listed above are just good starting points to work on protecting your digital signage solution investment. Regularly evaluating your approach is key to a secure digital signage network. You must brush those teeth every day!