21 June, 2016
Willie Sutton’s fictitious rejoinder, “That’s where the money is,” when asked why he robbed banks, is a well-known expression of an attacker’s motive. When performing a cyber threat assessment for any company, understanding who the potential attackers are, what their motives are, and the harm they are trying to inflict on a target is critical to creating resilient defenses.
In the case of the entertainment industry, “the money” is the company’s “crown jewels,” which can be intellectual property (IP) such as pre-release content or scripts; a broadcast feed; identifying information about customers and employees; sensitive e-mail; the ability to operate as a business by using computers; and, in some cases, credit card information. Hackers’ motives may be economic, but they can also be political, personal, or simply to establish bragging rights. When a hacker’s target is information, their goal can be stealing, deleting, corrupting, or denying normal users’ access to that data. Increasingly, cyberattacks involve attempts to destroy computer hardware or industrial equipment that is run by computers, a trend that can put broadcast networks and content repositories at risk. A case in point: after hackers knocked out the ability of a French television station to broadcast current content in April 2015, a French intelligence agency announced it suspected Russian state-sponsored agents [i].
For the entertainment industry specifically, we know that attacks are rising and significant. Akamai, a global leader in providing Content Delivery Network (CDN) services, reported in its State of the Internet Security Report [ii] that Q3 2015 set a new record for the number of Distributed Denial of Service (DDoS) attacks, or attacks in which there was an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. The report found a 180% increase over Q3 2014 and a 23% increase over Q2 2015. Online gaming, for instance, received the highest number of attacks across industries. Of the eight biggest attacks detected by Akamai, the media and entertainment sector received the largest share. Akamai isn’t the only industry researcher reporting a high threat level for the entertainment world. New research by Symantec found an uptick in attackers using malware and phishing scams to steal online streaming credentials [iii]. Why? To help black markets provide access to the streaming services at cheaper prices.
In response to this growing threat, the industry must build its cyber resilience. In the new cybersecurity paradigm, while there is still a stress on preventing attackers from getting in, intrusion is thought to be inevitable. As a result, there is now equal focus on being able to effectively detect, respond, and recover. This report provides a high-level description of the threats facing entertainment companies, and seven actionable recommendations that companies in the industry should consider in order to build their resilience and strengthen their security.
The Threat Landscape
The 2014 Sony hack became a global, watershed moment for corporate information technology (IT) security, and particularly for the entertainment industry. State-sponsored agents, in retaliation for a movie satirizing their head of state, permanently disabled thousands of computers at the movie studio, exfiltrated and published reams of sensitive e-mail, and published pre-release copies of a number of the studio’s full-length movies. For these activist hackers, the motive was ideological.
These ideologically driven threats are increasing, and they reflect many of the same motives threatening other high-target industries: disruption of global commerce, acclaim, and political statements. In the last several years, hacktivists who oppose the protection of IP rights have targeted media companies when they engage in litigation to enforce their copyrights, or support IP protection legislation, such as the controversial Stop Online Piracy Act (SOPA). Such adversaries have hacked media firms to gain unauthorized access to millions of customer contact records, triggering expensive data breach notification costs and class actions. They have also conducted or threatened DDoS attacks, including against gaming platforms, to successfully disrupt online service.
Criminal hackers, inside the organization and outside of it, are another formidable foe. The Ponemon Institute [iv] reports that 47% of all breaches were caused by “criminal insiders.” Stroz Friedberg investigations have also uncovered that entertainment industry insiders have leaked sensitive e-mails as well as pre-release copies of movies and television shows, illegally monitored e-mails using key-loggers, and wiretapped internal instant messages.
Achieving Resilience
Cyber resilience involves protecting the company’s “crown jewels,” or its key digital assets, including ideas. So, how do you achieve resilience? Here are seven concrete steps that entertainment companies should consider to improve their security posture in today’s threat environment.
1. Ensure executive governance
Cybersecurity is not solely an information technology issue; it is a corporate issue. The foundation of resilience must begin with a vision and budget set by executive management and accountability established at the board or audit committee level. Level-setting is often accomplished through an independent, enterprise-wide security risk assessment against one of the widely accepted cybersecurity standards, including those set by the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO), with the prioritization of improvements being driven by the threat assessment. In other words, fix first the vulnerabilities that the threat assessment shows are the most likely to be exploited by attackers to reach key digital assets. Another best practice is having a third party perform an incident response readiness gap analysis. This assesses whether the company has the necessary incident-response-specific technologies, processes, skill sets, and partners in place to respond effectively to a breach. Post-breach class action litigation will scrutinize pre-breach readiness and security with 20/20 hindsight. Filling in gaps in advance of a breach protects customers, employees, and reputation, as well as mitigating litigation risk.
Board governance can be facilitated by a cyber “dashboard,” which gives qualitative and quantitative information to the board. Executive management governance can be practiced by conducting table-top scenarios in which management—IT, legal, operations, corporate communications, human resources (HR), outside counsel, and the retained, outside technical incident responder—role-play in a simulated attack scenario that brings to the fore high-level, breach-related management decisions.
2. Shore up databases
Entertainment companies typically have many millions of records containing customer information, often derived from customers’ website interaction or product registration, in enterprise databases. To operate securely, continuously, and confidentially, serious proactive measures need to be taken at the database level. One principal form of attack against databases is exploiting unpatched vulnerabilities in web and application servers that sit in front of those databases. A vulnerability management program, third-party penetration testing, and ethical hacking are critical to ensure that web and application servers are properly patched so that they can’t serve as easy gateways. In another typical pathway, the attacker gains a foothold in the corporate network, often through a phishing scheme, and then escalates privileges until he has compromised database administrator credentials. This potential attack surface must be defended with layers of security that prevent or detect successful phishing and privilege escalation. Moreover, a database firewall that can programmatically recognize or block anomalous, pseudo-administrative queries can help prevent mass database exfiltration. To counter an attacker finding and cracking highly privileged administrative accounts on the network, companies are moving towards administrative passwords that quickly expire and that, beyond user name and password, require an ever-changing, randomly generated code from a hardware or software token carried by the user. This “dual factor authentication” renders stolen administrative passwords useless, as the attacker cannot generate this second code.
3. Shelter pre-release content
To protect against pre-release content leaks, most studios and other entertainment companies have built layered pre-release security programs and have multi-level protection policies, for example establishing tight chains of custody on copies of content, using digital rights management technologies, and utilizing secure cloud portals with dual factor authentication. While the policies are many, we find there is often a gap between pre-release content policies and what happens in practice. Third-party experts can perform security gap analyses and advise on potential improvements to policies using the latest technologies and practices. Film and television production can often involve third parties who may have remote access to servers or, as in the case of composers and visual effects companies, have access to pre-release content. An entertainment company’s security is often only as good as the security of its third-party vendors who have trusted connections into the network, because adversaries often try to hack in through such vendors’ networks. Having a robust program to audit the security of such third parties is a rising best practice.
4. Risk-review controversial content
Threats by activists over controversial entertainment content will always exist, and the best practice is to establish a risk review before the content is greenlit. This is not to suggest that self-censorship is always the answer, but having a risk-review early in the process increases awareness, can lead to better preparedness, and may trigger a heightened state of alert when the content is released. In certain situations, it may lead to a decision to alter or potentially not produce the content.
5. Protect live broadcasts
In an era where cyber attackers seek to knock live broadcasts off the air, two forms of protection can be re-envisioned. First, a higher degree of segregation between the corporate and production networks can be considered, as attackers typically gain a foothold in the corporate network and then try to move laterally into the production network.
If permissions between the two networks are wide open, meaning if passwords from the corporate network also work in the production environment and there is no focused monitoring at the interface between the two environments, attackers will have an easier time jumping over to the equipment used to broadcast content.
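To make the two conditions in this paragraph concrete, the following added example (not code from the report or from any product it mentions) parses a small constructed authentication log and reports, first, every authentication that crosses from the corporate address range into the production range, which is the interface the text says should be monitored, and second, any account that has successfully authenticated in both networks, which is a password that works in both environments. The address ranges, account names and record format are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed address plan: assumed for the example, not taken from the report.
CORPORATE_NET = ipaddress.ip_network("10.10.0.0/16")
PRODUCTION_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed record format: "<timestamp> <ACCEPT|REJECT> user=<account> src=<ip> dst=<ip>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<result>ACCEPT|REJECT) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def zone(ip):
    """Classify an address as 'corporate', 'production' or 'other'."""
    try:
        addr = ipaddress.ip_address(ip) if isinstance(ip, str) else ip
    except ValueError:
        return "other"          # unparseable address: treat as outside both networks
    if addr in CORPORATE_NET:
        return "corporate"
    if addr in PRODUCTION_NET:
        return "production"
    return "other"


def parse_line(line):
    """Return a dict for a well-formed record, None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_zone"] = zone(rec["src"])
    rec["dst_zone"] = zone(rec["dst"])
    return rec


def analyse(lines):
    """Return findings: boundary crossings and credentials valid in both networks."""
    findings = []
    zones_by_user = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue            # malformed lines are skipped, not silently trusted
        # Finding 1: any authentication attempt from the corporate side to a
        # production host is an interface event worth a dedicated alert, whether
        # it succeeded or not (a refused attempt is an early warning).
        if rec["src_zone"] == "corporate" and rec["dst_zone"] == "production":
            findings.append({"kind": "boundary_crossing", "user": rec["user"],
                             "src": rec["src"], "dst": rec["dst"], "result": rec["result"]})
        if rec["result"] == "ACCEPT":
            zones_by_user[rec["user"]].add(rec["dst_zone"])
    # Finding 2: an account that successfully authenticates in both zones is a
    # shared credential, the "permissions wide open" condition in the text.
    for user, zones in sorted(zones_by_user.items()):
        if {"corporate", "production"} <= zones:
            findings.append({"kind": "shared_credential", "user": user})
    return findings


# Constructed sample log for the example.
SAMPLE_LOG = [
    "2016-06-21T09:00:01Z ACCEPT user=alice src=10.10.5.23 dst=10.10.1.10",      # corporate -> corporate
    "2016-06-21T09:02:14Z ACCEPT user=playout-op src=10.20.3.4 dst=10.20.1.7",   # production -> production
    "2016-06-21T09:05:40Z REJECT user=alice src=10.10.5.23 dst=10.20.1.7",       # corporate -> production, refused
    "2016-06-21T09:06:02Z ACCEPT user=svc-backup src=10.10.7.9 dst=10.10.1.10",
    "2016-06-21T09:06:30Z ACCEPT user=svc-backup src=10.10.7.9 dst=10.20.1.7",   # same account works in production
    "garbage line",
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run against the sample log, the script reports both of alice’s and svc-backup’s crossings into the production range and names svc-backup as the one credential accepted on both sides; in practice the same two checks would be run continuously over the authentication logs of the hosts that sit at the interface.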
Second, disaster recovery (DR) can no longer be thought of solely in terms of recovering from a software or hardware glitch or a physical disaster—it must be expanded to account for the possibility of the company’s own systems, the backup included, being hacked. Cyber attackers who gain sufficient administrative control of the production network may well have compromised DR systems, or may, once the DR is brought online, exploit the same vulnerability they exploited in the production network. This is especially so if the DR and production networks share administrative credentials and are mirrors of one another.
6. Safeguard e-mail
As the Sony hack demonstrated, attackers may access and publish sensitive entertainment company e-mail to cause reputational harm. An e-mail system may also contain valuable intellectual property or personally identifiable information (PII); trade secrets; material, non-public information; and other sensitive information. Two of the most effective protections against e-mail theft are dual factor authentication and good data hygiene. When attackers capture an individual’s user name and password, for example through a key-logger, those credentials are useless when dual factor authentication is enabled. Even better, adding dual factor authentication on the e-mail administrator’s account prevents this common attack surface from being exploited to provide access to all users’ e-mail. Another way of easily reducing risk is by reducing the size of e-mail storage. If all users have six months instead of six years of e-mail storage, and the creation of laptop-resident e-mail archives is prohibited, risk is exponentially reduced. Transitioning to that level of data hygiene entails so much behavioral and cultural change that it normally has to be driven from the top of the organization. Highly sensitive e-mails can also be protected with encryption.
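Sections 2 and 6 both rest on the same mechanism: a code that changes every few seconds, generated from a secret held only by the user’s token, so that a captured user name and password are not enough on their own. The following is an added example, not code from the report or from any vendor it mentions, implementing that mechanism as the HOTP (RFC 4226) and TOTP (RFC 6238) algorithms that common software tokens use. The user record, password, salt and token secret are constructed for the example; the RFC’s published test secret is used so the generated codes can be checked against the standard’s own vectors.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a raw secret and an integer counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """Time-based variant (RFC 6238): the counter is the number of the 30-second window."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


class SecondFactorVerifier:
    """Checks password plus token code; remembers consumed windows so a code cannot be replayed."""

    def __init__(self, password_hash, salt, token_secret, window=1, step=30):
        self.password_hash = password_hash
        self.salt = salt
        self.token_secret = token_secret
        self.window = window            # tolerate one step of clock drift either way
        self.step = step
        self.last_used_counter = -1     # highest window already consumed by a login

    def _password_ok(self, password):
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.password_hash)

    def login(self, password, code, at=None):
        at = time.time() if at is None else at
        # Factor 1: something the user knows. A key-logger can capture this.
        if not self._password_ok(password):
            return False
        # Factor 2: something the user has. The token secret never leaves the
        # token, so the captured password does not let an attacker compute the code.
        counter = int(at // self.step)
        for c in range(counter - self.window, counter + self.window + 1):
            if c > self.last_used_counter and hmac.compare_digest(hotp(self.token_secret, c), code):
                self.last_used_counter = c   # burn the window: the same code is not accepted twice
                return True
        return False


def make_verifier(password, token_secret=None):
    """Enrol a constructed user: salted password hash plus a fresh 160-bit token secret."""
    salt = secrets.token_bytes(16)
    token_secret = token_secret or secrets.token_bytes(20)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return SecondFactorVerifier(pw_hash, salt, token_secret)


if __name__ == "__main__":
    # Constructed enrolment using the RFC 4226/6238 test secret so the output is checkable.
    user = make_verifier("constructed-password", token_secret=b"12345678901234567890")
    now = time.time()
    code = totp(b"12345678901234567890", at=now)
    print("password + current code:", user.login("constructed-password", code, at=now))
    print("same code replayed:     ", user.login("constructed-password", code, at=now))
    print("password only (no token):", user.login("constructed-password", "000000", at=now))
```

Two details matter for the claim in the text. Verification must be constant-time (`hmac.compare_digest`) and each window must be consumed once, otherwise a code captured by the same key-logger remains usable for the rest of its 30-second life; and the administrator account described above needs the same enrolment, since that account is the one whose stolen password would otherwise open every mailbox.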
7. Expand insider risk programs
Organizations—including those in entertainment—also face increasingly complex insider risk. Recent reports point to insiders causing nearly 50% of all instances of company data loss [v]. Whether senior or junior, malicious or inadvertent, insiders can compromise confidential information, trade secrets, and even employee safety. Malicious insiders, especially those with administrative privileges, have enormous advantages: they are already behind the firewall, they already have passwords, and they are privy to where the “crown jewels” are. These risks must therefore be approached with constant vigilance, attention, and preparedness to limit exposure. Effectively reducing insider risk revolves around identifying and defusing at-risk insiders before they act out, and setting up systems to prevent insider attacks in the first place.
Insider threat risk mitigation involves, at the outset, avoiding bad hires. This is a function of the depth and quality of the background check, something companies should invest in more heavily as the level of network privilege increases. But technology can help, too. Insider threat detection software exists that can flag the growing feelings of disgruntlement associated with the insider threat. Such technologies are the last line of defense when insiders with privileges who are acting behind the firewall go AWOL.
For instance, as employees with a predisposition to become insider risks proceed down what is known as “the Critical Path” [vi], the language in their day-to-day e-mails can spike with subconscious expressions of victimization and anger in ways that can be objectively measured. Monitoring e-mail for such departures from employees’ emotional baselines can help alert management to a growing threat. Other technology can model employees’ actions on the network and flag departures from normal. Database firewalls can even profile normal database administrator actions and alert on, or block, departures from the profile.
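The database firewall that section 2 describes (recognize or block anomalous, pseudo-administrative queries) and the profiling of normal administrator actions described in this section are the same control seen from two sides. The following added example, which is not code from the report or from any product it mentions, shows the idea as a small query-profiling filter: it learns, per account, which statement types touch which tables and how large results normally are, then grades each new query as allow, alert or block. The accounts, tables, thresholds and query log are constructed; a real database firewall would apply the same logic inline on the database protocol rather than on a text log.

```python
import re
from collections import defaultdict

# Statements that should only come from an administrator's normal work (assumed list).
ADMIN_VERBS = {"GRANT", "ALTER", "CREATE", "DROP", "REVOKE"}
# Constructed list of tables holding the "crown jewels".
SENSITIVE_TABLES = {"customers", "employees", "scripts"}

# Constructed query log record: "<account> <rows_returned> <sql>"
RECORD = re.compile(r"^(?P<account>\S+) (?P<rows>\d+) (?P<sql>.+)$")
FROM_TABLE = re.compile(r"\b(?:FROM|INTO|UPDATE|TABLE|ON)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)

SEVERE = {"unbounded read of sensitive table", "result size far above account baseline"}


def parse(record):
    """Extract account, result size, statement verb, first table and whether a SELECT is unbounded."""
    m = RECORD.match(record.strip())
    if not m:
        return None
    sql = m.group("sql")
    verb = sql.split()[0].upper()
    tbl = FROM_TABLE.search(sql)
    return {
        "account": m.group("account"),
        "rows": int(m.group("rows")),
        "verb": verb,
        "table": tbl.group(1).lower() if tbl else None,
        "unbounded": verb == "SELECT" and not re.search(r"\bWHERE\b|\bLIMIT\b", sql, re.I),
    }


class QueryProfile:
    """Per-account baseline of (verb, table) pairs and the largest result size seen."""

    def __init__(self, row_multiplier=10):
        self.pairs = defaultdict(set)
        self.max_rows = defaultdict(int)
        self.row_multiplier = row_multiplier

    def learn(self, records):
        """Build the baseline from a period of known-good activity."""
        for rec in filter(None, map(parse, records)):
            self.pairs[rec["account"]].add((rec["verb"], rec["table"]))
            self.max_rows[rec["account"]] = max(self.max_rows[rec["account"]], rec["rows"])

    def assess(self, record):
        """Return (decision, reasons) where decision is 'allow', 'alert' or 'block'."""
        rec = parse(record)
        if rec is None:
            return "alert", ["unparseable query record"]
        acct, reasons = rec["account"], []
        issued_admin = any(v in ADMIN_VERBS for v, _ in self.pairs[acct])
        if rec["verb"] in ADMIN_VERBS and not issued_admin:
            reasons.append("administrative statement from account that never issued one")
        if (rec["verb"], rec["table"]) not in self.pairs[acct]:
            reasons.append("statement/table pair outside account baseline")
        if rec["unbounded"] and rec["table"] in SENSITIVE_TABLES:
            reasons.append("unbounded read of sensitive table")
        if rec["rows"] > self.row_multiplier * max(self.max_rows[acct], 1):
            reasons.append("result size far above account baseline")
        if not reasons:
            return "allow", []
        # Block the clear mass-exfiltration patterns; alert on softer departures for review.
        return ("block" if SEVERE & set(reasons) else "alert"), reasons


# Constructed baseline: a quiet day of normal activity for three accounts.
BASELINE = [
    "dba_admin 1 ALTER TABLE customers ADD COLUMN region VARCHAR(8)",
    "dba_admin 0 GRANT SELECT ON customers TO reporting",
    "dba_admin 12 SELECT name FROM customers WHERE id = 1042",
    "web_app 1 SELECT email FROM customers WHERE id = 17",
    "web_app 1 UPDATE customers SET last_login = NOW() WHERE id = 17",
    "reporting 480 SELECT region, COUNT(*) FROM customers WHERE created > '2016-01-01' GROUP BY region",
]

if __name__ == "__main__":
    profile = QueryProfile()
    profile.learn(BASELINE)
    for q in ["web_app 1 SELECT email FROM customers WHERE id = 99",
              "web_app 0 GRANT ALL ON customers TO web_app",
              "web_app 250000 SELECT * FROM customers",
              "dba_admin 3 SELECT * FROM employees"]:
        print(profile.assess(q), "<-", q)
```

The web application’s routine single-row lookup is allowed; the same account suddenly issuing GRANT is an alert because that account has never issued an administrative statement; and a full-table read of the customer table, whoever issues it, is blocked. The baseline is what makes the administrator case work: the DBA is allowed to run ALTER and GRANT because the profile has seen them do so, but an unbounded read of a table they do not normally touch is still a departure from the profile.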
Substantial care must be taken in reconciling processes and technologies that hunt for malicious insiders with the goal that most entertainment companies have of maintaining an open corporate culture that can attract and retain creative talent.
Conclusion: A Top-Down Approach
The opportunities and challenges that come with this new cyber era are substantial. Entertainment and media companies can deliver content more efficiently than ever before and reach audiences in places that were unimaginable just years ago. But the challenges are proliferating. Like audiences today, cyber attackers can be anywhere in the world. They can be employees in your building, state-sponsored agents on the other side of the planet angered by the content of a film, or even the Willie Suttons of the world. The threats are varied, omnipresent, and ever advancing. Total impenetrability is not achievable, especially against such a rapidly evolving adversary. To effectively manage this type of risk requires a commitment to resilience—a commitment that begins with support from the very top of the organization to protect against, detect, respond to, and recover from cyber attacks.
[i] “TV5 Monde attack ‘by Russia-based hackers’,” BBC News, June 9, 2015. http://www.bbc.com/news/world-europe-33072034
[ii] Akamai’s State of the Internet: Q3 2015 report. https://www.stateoftheinternet.com/resources-connectivity-2015-q3-state-of-the-internet-report.html
[iii] “Netflix malware and phishing campaigns help build emerging black market,” Symantec. http://www.symantec.com/connect/blogs/netflix-malware-and-phishing-campaigns-help-build-emerging-black-market
[iv] 2015 Cost of Data Breach Study: Global Analysis, IBM/Ponemon Institute, May 2015. http://www-03.ibm.com/security/data-breach/
[v] An Intel Security poll found insiders were responsible for 43% of all data loss. IBM research found 56% of data breaches are caused by insiders. A Symantec survey found 50% of employees admit taking company data when transferring jobs.
[vi] The Critical Path to Insider Risk is a recognized model for understanding how insiders with relevant “personal predispositions” can move towards destructive behavior in reaction to certain “stressors,” especially when exacerbated by a “maladaptive corporate response.” The model has a detective component in that, as insiders’ disgruntlement, anger, or victimization increases, they can exhibit “concerning behaviors” that a trained H.R. professional can detect. Dr. Eric Shaw and Laura Sellers, Application of the Critical-Path Method to Evaluate Insider Risks, Studies in Intelligence Vol. 59, No. 2 (Extracts, June 2015). Such escalating emotions can also unconsciously manifest themselves in changes in the language that insiders use in e-mail and other written communications. Psycholinguistic algorithms have been developed to detect those changes and alert the company to growing insider risk.
Author: Eric M. Friedberg; Contributor: Ilanna Bavli
For further information, please contact:
Paul Jackson, Managing Director, Stroz Friedberg
pjackson@strozfriedberg.com