Are You the Keymaster?

In the original movie Ghostbusters, Rick Moranis (in his immortal role as Vince Tully, CPA) is taken over by an evil spirit from another dimension and transformed into the Keymaster, the minion who will enable Gozer the Gozerian to enter our plane of existence and destroy the world.

First, if you don’t understand that reference, your cultural literacy is in question. Stop reading this article now, and download the 1984 classic movie. (No, it is not necessary for you to do this to understand the point of this article, but you really should see it.)

But every time I see the scene (and I have probably seen Ghostbusters as many times as Gary Kayye has seen Star Wars), I remind myself that audiovisual technicians can easily become the Keymaster of Gozer with regard to our clients’ system security. And with today’s constant news about cyber attacks and data security disasters, I thought it would be a good topic for us all to talk about.

If one examines the greatest data security losses, one finds that they are rarely caused or perpetrated by senior management. Most of them come from lower level data technicians like Edward Snowden or Chelsea Manning, because no matter how secure a system is, you can’t actually hide data from the people who operate it, fix it or maintain it. These people do jobs most of their supervisors do not understand, and thus, once hired, are largely left to their own devices, with only random audits and accidents to reveal any issues.

AV and systems technicians have access to client systems at levels we rarely think about, but should. We often have access to servers for downloading company presentations and very often have access to company videoconferencing networks. And rental and staging technicians have a number of characteristics that would make them an especially vulnerable group to be exploited in a cyber attack.

First, they are largely mobile employees, as they must travel to customer events. This means that, unlike Manning, who should’ve been watched, they operate out of sight. They have to; it’s part of their job. What this means is that they travel with tablets, phones and laptops that have access in many instances to client data systems, and thus the theft of one of their laptops could prove to be a real danger to a client if that device is not properly protected. And, being a field technician myself in many instances, I know that the kind of safeguards one would like to see instituted on these machines can prove cumbersome to use in the field, especially in the high pressure atmosphere of the show.

Second, we often have to troubleshoot issues on site with the client accessing their systems. This has led, in many instances that I can recall, to me or one of my technicians being given very high level passwords in order to bypass layers of security and get a system up and running for show. And I can think of more than one instance where I have had to remind the client to deactivate that password afterwards and at least one instance where I discovered months later that it was still active.

Third, unlike most corporate machines, our employees often use each other’s computers to troubleshoot issues during a show, meaning that it is often difficult to tie an individual to a breach.

Lastly, most of the rental companies that I am aware of (whose employees travel) allow the employee to utilize their laptop and phone for personal use, meaning that they can install their own software and access routines on the machines. Only the largest rental companies that I know have corporate MIS departments to maintain these mobile computers, let alone security specialists.

Fortunately, however, our employees also tend to work in tight groups, who can watch out for each other and remind each other about security.

A few suggestions:

When setting up a company laptop, establish two separate accounts, one for company use and the other for employee personal use. Make sure that the company partition is part of some regular company-wide backup scheme when the unit is in the office. Any account which might contain customer data should be encrypted and a rotating password (a strong one) should be used.

Consider getting one of the better password protection software packages that are on the market, and issuing it to all employees. My staff are Macintosh users, and we settled on a password protection and encryption program called “1Password” that not only encrypts all of the passwords on our machines, but deletes expired passwords using secure deletion and reminds you to change each password regularly. It makes that process painless by even suggesting strong passwords that it will remember for you. And you can unlock your password “keychain” with a single password that is not stored in open format on the machine. This keeps our employees from having to have notepads or text files full of logins and passwords. And it works for us because it is actually easier to use your computer, as you are not constantly looking up password information.

But the most important suggestion I have for you is awareness. Talk among your employees about the sensitivity of this kind of information and where they store it. The first time I did this, I discovered we had some unofficial practices that I was unaware of and that scared me.

Data security is just like rigging security. If everybody is aware of it, you have less trouble with it.

So ask yourself: Are you the Keymaster?