I work for an independent radio station in Central Vermont, which, due to the mountainous terrain, could only be heard from select cities surrounding Montpelier. In fact, one of the few places our frequencies could actually be picked up is in Northfield, where Norwich's brick-and-mortar campus is located. For many years, we operated in the relative isolation of the Green Mountains, entertaining and informing skiers as they drove along I-89, but otherwise insulated from the influences and dangers of the outside world.
In the past decade, though, advances in Internet technology have made the world a little smaller. It used to be a hefty challenge to get information to the top of a mountain. Reaching the once nigh-insurmountable summits where our radio transmitters are located was fraught with challenge and disaster, as we cut our way through maple and granite on a frenzied quest to run electricity to the tops of rugged mountains to power our transmitters. In many locations water is rare and telephony is non-existent, but even where we must move earth and defy gravity to attain 120 V of power, the Internet is now ubiquitous.
Now, through sister stations and frequency translators linked via the Internet, our signals are heard across the state, from New Hampshire to Lake Champlain, from Plattsburgh to Dartmouth, and beyond, if you tune in via our high-bitrate audio streaming service.
And while this has opened many doors to listeners and potential advertisers, it has also opened many windows to would-be hackers and hijackers. As has happened in South Carolina, North Korea, and Great Britain [1], signals can be compromised and forced to play offensive material, resulting in hefty fines from the FCC, which between 1990 and 2004 fined radio stations over 4 million dollars for indecency, half of which was directly instigated by Howard Stern [2]. When our station was created in 1977, little thought was given to the risk management framework or to maintaining confidentiality.
In this paper, I intend to study the network layout of my independent radio station, and analyze how the risk management framework can assist us in bolstering its defenses, measuring the standards of implementation, effectiveness, efficiency, and impact.

Categorization and Selection: In this paper I intend to categorize our radio and computer network, and select the appropriate NIST FIPS and Special Publications relevant for our scope and size.

Implementation and Assessment: Once I have developed a strategy for bolstering our networks, I intend to seek authorization from our company Presidents and prepare a security assessment report and the framework for our documentation process, to ensure future administrators can easily maintain our secured network.

Authorization and Monitoring: Once the NIST policies and recommendations are implemented on our network, we will implement automated tools for continuous monitoring, like SNMP, to ensure our continued integrity and availability, regardless of the risk.
And there is not only one kind of risk. Our independent radio station has not been appropriately mindful of various types of risk, including information security risk, legal risk, and budgetary risk, and our reputational risk would undoubtedly suffer were it known that our clients' or listeners' information was compromised due to negligence. We can only hope to mitigate these risks by enforcing stricter security standards that factor in the System Development Life Cycle and the Risk Management Framework, by learning and enforcing NIST standards, and by training our staff, DJs, salespeople, and billing department alike, to be wary of these potential problems. It would also behoove us to create contingency and continuity plans, so that if these foreseeable threats come to fruition, we are prepared to face them head on. Throughout the entirety of this company's use of the Risk Management Framework, there have been instances that could have been improved upon, as illustrated below:
The first step in the RMF is to categorize the function of the system, and the information that comes into, is kept upon, or leaves that piece of hardware. This information should be rated based upon the impact of losing or compromising that particular piece of information. For example, our broadcast equipment should be ranked by the magnitude of its failure or penetration. Devices that can take control of our broadcast and potentially release something offensive, resulting in a major fine, should be categorized accordingly, with particular emphasis on maintaining those devices.
The next step in the RMF after categorization is to select the set of controls you want your organization to adhere to. To minimize potential vulnerabilities and equipment failure, it is imperative to have a thorough and up-to-date set of controls. Our station's controls are poorly documented, and in many instances there is only a single method of control. Not only would I recommend thorough and up-to-date documentation of the control procedures, but I believe we should install a secondary means of manipulating our audio feed, for instance a pay-as-you-go satellite Internet connection, in case a storm knocks out our only control path along the phone line, or at the very least a contingency plan in case this low-probability threat comes to pass.
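The categorization and selection steps above can be worked through concretely. The following is an added example, not code from the paper: it applies the FIPS 199 security-category notation and the FIPS 200 high-water-mark rule to a constructed inventory of station systems, and maps each result to the matching SP 800-53 control baseline. The asset names and impact ratings are assumptions for illustration, not the station's real inventory.

```python
"""FIPS 199-style security categorization for the station's systems.

Added example, not part of the original paper. Each system is rated
LOW / MODERATE / HIGH for confidentiality, integrity and availability;
the overall level is the highest of the three (the high-water-mark
rule of FIPS 200), which then picks the SP 800-53 control baseline.
Asset names and ratings are constructed, not the station's inventory.
"""
from dataclasses import dataclass
from typing import List, Tuple

LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}

@dataclass(frozen=True)
class SecurityCategory:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def overall(self) -> str:
        """High-water mark: the system inherits its highest CIA rating."""
        ratings = (self.confidentiality, self.integrity, self.availability)
        for r in ratings:
            if r not in LEVELS:
                raise ValueError(f"unknown impact level {r!r} for {self.name}")
        return max(ratings, key=LEVELS.__getitem__)

    def baseline(self) -> str:
        """SP 800-53 baseline that goes with the overall impact level."""
        return f"SP 800-53 {self.overall().lower()} baseline"

# Constructed inventory. A hijacked transmitter controller can put
# offensive audio on the air and draw an FCC fine, so its integrity and
# availability are HIGH even though the control data is not secret;
# billing and prize-winner records are where confidentiality matters.
STATION_SYSTEMS = [
    SecurityCategory("transmitter-control", "LOW", "HIGH", "HIGH"),
    SecurityCategory("studio-audio-chain", "LOW", "HIGH", "MODERATE"),
    SecurityCategory("client-billing", "MODERATE", "MODERATE", "LOW"),
    SecurityCategory("prize-winner-records", "MODERATE", "LOW", "LOW"),
    SecurityCategory("music-library", "LOW", "LOW", "MODERATE"),
]

def prioritize(systems: List[SecurityCategory]) -> List[Tuple[str, str]]:
    """(name, overall level) with HIGH systems first: the order in which
    control selection and monitoring effort should be spent."""
    return sorted(((s.name, s.overall()) for s in systems),
                  key=lambda pair: -LEVELS[pair[1]])

if __name__ == "__main__":
    for s in STATION_SYSTEMS:
        print(f"{s.name}: {s.overall()} -> {s.baseline()}")
    print(prioritize(STATION_SYSTEMS))
```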
This station seems to lack an appropriate technology-centric contingency plan. There are steps in place to get employees out in case of fire, and to preserve our valuable music library, but the forethought given to the computers, databases, and network configurations was next to non-existent. I suggest we develop a seven-step process for a technology-centric contingency plan, aimed at preserving our assets for the duration of the system development life cycle, using the risk management framework as a guideline:
First, we find out exactly what we can't live 48 hours without. We shouldn't have to bring every CD in our collection. Hearkening back to the first step of the RMF, a stark appraisal of the potential situation is imperative: by compiling a list of the minimum we need to broadcast, we will be able to accurately prioritize what we will need to bring with us to a new location. Next, identify preventive controls. The best plan to have is one that ensures emergencies don't happen. By regularly inspecting the permissions and controls that ensure everything works as intended, we can avoid the equipment malfunction or privacy breach that would trigger our use of this contingency plan. Naturally, we can't assume that catastrophe won't strike. Furthermore, no disaster ever goes as planned, so we should factor as many variables as possible into our contingency plan. Once we have developed a seemingly solid contingency plan, we need to role-play the plan, either by talking it out with a group or by holding a full-on exercise, physically testing each step of the plan to ensure the continuity of our operations.
Ideally, once this updated contingency plan is complete, we will have thorough contingency and continuity plans for a number of situations, with the paramount concern in any sort of emergency being: keep the station on the air. In our knowledge base we will have already created many bulleted lists describing the appropriate steps to take in case any of the equipment stops working, available both digitally and in print. We will have timelines set up to ascertain the point of lowest fiscal impact, or how many ad dollars we will lose in a particular hour if the transmitter is taken down for any amount of time. To prevent the aforementioned downtime, we monitor the equipment physically three times a day, and automatically through a digital continuous monitoring program. We must also regularly revise our knowledge base to reflect our evolving technical ecosystem, and make a point of regularly training employees on the revised contingency plans, even team members from other departments, as a way to familiarize them with different operations within the company and as a potential preventative measure, in the unlikely case that one of them is the only employee at the facility and has to flip the switch in a time of true crisis. Through these steps, we can control the selection of our organizational controls.
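The fiscal-impact timeline described above can be kept as a small table rather than a guess. The following is an added example, not code from the paper: it takes a constructed hourly ad-revenue schedule (assumed figures, not real billing data), prices a transmitter outage starting at any hour, finds the cheapest planned-maintenance window, and goes one step further than the paragraph by estimating the yearly loss a backup control path would have to beat to be worth its cost.

```python
"""Downtime fiscal-impact timeline for the transmitter.

Added example, not from the original paper. It models the "timeline of
valuable hours" the paper proposes: an hourly schedule of ad revenue
(constructed figures, not real billing data) prices an outage, finds the
cheapest maintenance window, and estimates the yearly loss that a backup
control path would have to beat to be worth its cost.
"""
from typing import Dict, List, Tuple

# Constructed hourly ad revenue in dollars, indexed 0-23. Morning and
# afternoon drive time carry the expensive spots; overnight is cheap.
HOURLY_AD_REVENUE: List[int] = [
    20, 10, 10, 15, 20, 60, 180, 220, 200, 120, 90, 110,
    110, 90, 90, 150, 210, 190, 100, 60, 40, 30, 20, 30,
]

def outage_cost(revenue: List[int], start_hour: int, duration_hours: int) -> int:
    """Ad dollars lost while the transmitter is off the air from start_hour
    for duration_hours. Wraps past midnight; a partial hour is charged in
    full because a missed spot is a make-good either way."""
    if duration_hours <= 0:
        raise ValueError("duration must be positive")
    return sum(revenue[(start_hour + h) % 24] for h in range(duration_hours))

def impact_timeline(revenue: List[int], duration_hours: int) -> Dict[int, int]:
    """Cost of an outage of the given length starting at each hour: the
    table the authorizing official keeps on hand for the contingency plan."""
    return {start: outage_cost(revenue, start, duration_hours) for start in range(24)}

def cheapest_window(revenue: List[int], duration_hours: int) -> Tuple[int, int]:
    """Start hour and cost of the least expensive window of that length;
    ties go to the earliest start."""
    timeline = impact_timeline(revenue, duration_hours)
    best_start = min(timeline, key=lambda hour: (timeline[hour], hour))
    return best_start, timeline[best_start]

def expected_annual_loss(revenue: List[int], outages_per_year: float,
                         mean_duration_hours: int) -> float:
    """Yearly ad dollars lost to unplanned outages that can start at any
    hour with equal likelihood: the loss a backup control path prevents."""
    timeline = impact_timeline(revenue, mean_duration_hours)
    return outages_per_year * sum(timeline.values()) / 24

def control_is_efficient(annual_control_cost: float, loss_prevented: float) -> bool:
    """The paper's efficiency test: a control earns its keep only if it
    costs less per year than the loss it prevents."""
    return annual_control_cost < loss_prevented

if __name__ == "__main__":
    print("cheapest 2-hour window:", cheapest_window(HOURLY_AD_REVENUE, 2))
    loss = expected_annual_loss(HOURLY_AD_REVENUE, outages_per_year=2, mean_duration_hours=4)
    print(f"expected loss ${loss:.0f}/yr; satellite backup at $1200/yr efficient? "
          f"{control_is_efficient(1200, loss)}")
```

The outage rate, duration and backup price in the usage block are assumed placeholders; with the station's own billing figures the same functions give the seasonal timetable the paper asks the authorizing official to keep current.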
Arguably the most direct step in the Risk Management Framework is the third step, implementation. Implementation is how our updated system and controls are deployed. In our organization, this has been a ramshackle procedure, laying infrastructure over obsolete infrastructure without bothering to remove the remnants of the prior foundation. For this step in upgrading our system's integrity, the simplest method would be a complete reconstruction. By rebuilding the studio in another location, we can ensure an efficient and secure installation by adhering to specific NIST FIPS and Special Publications. In doing so, we will also increase efficiency by replacing structurally necessary but functionally inoperable uninterruptible power supplies, removing half of the unused cabling routed through the soundboard and computer desks, and moving our operation-level computers to their own subnet.
After our system is installed, the fourth step of the RMF is to assess the controls and ensure that everything works as intended. From a functional standpoint, this should be as simple as taking the station out for a test drive, but from a practical standpoint, even though we had full control of our system's installation, update, and integration, there are still unknown factors on the vendor's side of the curtain that we were forced to take for granted. Accordingly, we should expect to spend two weeks testing our system and working out any gremlins that could exist along the path from the microphone to the microwave transmitters.
Once the system is appropriately installed, tested, and configured, the next step is to authorize the system's operation, delegating user levels and groups appropriate to the tasks given to them. This way we don't have our weekend DJs adjusting processor settings or tampering with transmitter power levels, and we prevent anyone from accessing our clients' billing information and our prize winners' personal information. Where appropriate, the use of multi-factor authentication will alleviate many of the concerns about integrity and confidentiality a system owner may express at the prospect of untrained or unauthorized employees accessing critical controls or sensitive information.
The final step in the Risk Management Framework is monitoring. By monitoring the system, the data, and the controls on an ongoing basis, through network-based programs and by documenting every major change and update to the system physically and digitally, an engineer can ensure due diligence in preserving the longevity and fidelity of his radio system. We do not do those things. In order to significantly reduce risk to this organization, we need a dramatic overhaul of our monitoring procedures. As with the selection of controls, important aspects of the cyclical nature of monitoring coincide with the phases of the risk management framework. We can include these phases by monitoring our setup time on the studio rebuild. This establishes a timeline for system events, which would prove invaluable in our contingency and continuity plans. Studio updates and upgrades should also be continuously monitored; updates include refreshing assessments or policy changes, and refreshing documentation so that everyone is on the same page. By regularly monitoring our system, our engineer will remain abreast of the current state of each piece of hardware, and be able to compose a proper report that will reveal weaknesses, deficiencies, or vulnerabilities existing in the information system and our broadcasting system, stopping equipment failure before it happens.
Although security assessments are typically addressed in the implementation phase of the RMF, they should be reviewed again while monitoring our information system, as these control assessments can be upgraded according to system updates or potential changes in the information security climate. New vulnerabilities and policies are created all the time, and everything should be monitored continually. It is also important to monitor risk determination and its acceptance. Through variations in our billing, the timetable of valuable hours is bound to change from season to season. Obviously there is always risk, but there are times when there is more risk than can be appropriately mitigated. It is up to the authorizing official to determine what risks are considered acceptable, but by updating these timetables through continuous monitoring, we can ensure the official has up-to-the-minute information that is current and relevant, and record the philosophies behind his decisions, so that if he is unavailable in a time of emergency, the contingent authorizing official can make a decision in accordance with his interests. In the ever-evolving world of the industry, even once-acceptable risks can change, so it's important to monitor the determinations and allowances permitted by the authorizing official, and the mitigating circumstances surrounding the final verdict.
“Continuous monitoring enables information security professionals and others to see a continuous stream of near real-time snapshots of the state of risk to their security, data, the network, end points, and even cloud devices and applications. Assessing security controls as well as ongoing monitoring of security controls are both directly assisted by continuous monitoring through vulnerability monitoring processes, which many organizations already have in place.” [3]
According to the RMF and the SDLC, continuous monitoring officially takes place in the Operations and Maintenance and the Disposal segments, but the strategies and activities for continuous monitoring are developed much earlier, during the selection of security controls, or the initiation phase, as it's known in the System Development Life Cycle. Our continuous monitoring software is selected early on in the System Development Life Cycle, so that appropriate plans can be made for approval, budgeting, documentation, and eventual disposal. By planning accordingly early on, we will tailor a control baseline for the most efficient deployment and its continual operation for years to come, throughout all its changes.
In the future, as these changes develop across the station, there are 4 major measures we should employ to categorize the effectiveness of our system. We should monitor the percentage of progress made during the implementation phase. As alarms and encryption are installed across our audio chains, we should assess our vendors and methodologies to help make the next implementation more efficient. We should also measure effectiveness: the extent to which a security control works and achieves its desired outcome. For instance, we may find that increasing password length and complexity is counterproductive. While we never experienced the hijacking of our audio chain as a result of a simple password, we could find that corrective measures take much longer, due to the difficulty of remembering the password to access the system. This point brings to mind another measure, efficiency. In other words, efficiency is the measure of control performance in relation to the time and resources allocated. Earlier in the paper, we mentioned a satellite Internet feed as a backup to a less expensive phone-based Internet line. But if the phone line is rarely down, the exorbitant cost of a slower satellite Internet connection would be considered inefficient. In all of our efforts, we should seek to reduce costs, and not frivolously over-protect our institution from every potential business-ending calamity.
This leads us to the impact of the monitoring controls. Impact demonstrates the effects of systems awareness on an organization's mission. It is possible that too much monitoring can impede the actual job at hand, but it seems more apparent to me, in the example of the OPM data breach [4], that a lack of systems awareness can have just as much impact on the mission at hand. While this may be overkill in relation to an independent radio station, the example still shows that no department is too marginal when it comes to defense.
In constructing this research paper, I have compared the security vulnerabilities to our potential liabilities to justify the suggested system revisions. Assuming all goes according to plan, I hope to be able to use this security and policy overhaul to leverage a significant increase to salary, or use the documentation and risks mitigated to bolster my resume for future employment. By securing this ramshackle rat's nest of broadcast property, sales and billing information, and listeners' identifiable information, I will have learned and executed the intricacies of contingency and continuity planning while selecting controls for this updated information system, and similarly exposed myself to the actual trials involved with maintaining a system-wide monitoring policy. Furthermore, I will have developed a foundation for security and policy that should carry this radio station into the next forty years of its broadcast, and made this corner of Vermont a little safer from security attackers and malicious actors.
[2] https://www.cbsnews.com/news/fcc-big-fine-for-airing-howard/
[3] https://www.sans.org/reading-room/whitepapers/analyst/continuous-monitoring-is-needed-35030
[4] https://krebsonsecurity.com/2016/09/congressional-report-slams-opm-on-data-breach/