According to Bruce Schneier, a cryptographer and computer security expert, “The mantra of any good security engineer is: ‘Security is not a product, but a process.’ It’s more than designing strong cryptography into a system; it’s designing the entire system such that all security measures, including cryptography, work together.”
The recent hack of HBO, Time Warner’s pay-TV network, is a sign of the times we live in! A total of 1.5 TB of internal company documents was compromised. These included script outlines of the channel’s hit show Game of Thrones, upcoming episodes of the series Ballers, Barry and Room 104, employee emails, and personnel records. The hackers made their first move last month, by uploading files to their own site called WinterLeak. The hackers go by the name little.finger66. As of August 13, 2017, the group had released upcoming episodes from Curb Your Enthusiasm, Ballers and Insecure as well as yet-to-debut shows, Barry and The Deuce.
The 1.5 TB of stolen data is seven times the amount stolen in the Sony hack in 2014, which warranted the FBI’s involvement in the investigation. It is suspected that the hackers gained access to the data via multiple entry points, which is common in these types of hacks.
The latest news is that the hackers released a video to HBO’s CEO Richard Plepler, demanding a multimillion-dollar ransom within three days or more data would be leaked online.
In 2016, the media and entertainment sector was among the top five most-breached industries. According to the IBM X-Force Threat Intelligence Index, 42 million records were breached in 37 publicly reported breaches last year in this sector. One wonders how many breaches went unpublicized.
Leaking hacked episodes of the most popular TV shows online is a way to seek ransom or to build credibility for an aspiring hacker on the dark web. The number of people working on these popular TV shows and movies runs into a few hundred, if not thousands. From pre-production, casting calls, budget discussions, filming, post-production and finally distribution, a lot of people have access to the script and the finished product. This increases the scope for attacks along the value chain. Securing all the people involved, particularly when many are third-party partners, is a daunting task.
According to many IT experts, the entertainment industry continues to use outdated technology to store its content, even as it rides the wave of a digital growth spurt. But keeping up with the latest technology and protecting its sprawling supply chain is proving difficult. IT security experts believe that the entertainment industry needs to update its security framework to reflect the reality of the present IT ecosystem. They believe the breach at HBO could have been prevented with the proper use of available technology. Small measures such as segmentation of networks to control access, limiting collaboration to small pools, stringent access control policies with multi-factor authentication, and data encryption could have prevented the hack.
Media and entertainment heads could have taken many key steps to protect content (especially given the collaborative nature of content creation):
Security Checks: Make sure all third-party contributors follow best practices with respect to security, networks, applications, cloud environments, and personnel access to content. The use of a Business Associate Agreement (BAA) is recommended to help here.
Versatile Content Management Systems (CMS) in place: Make sure all content is accessed only through a CMS, so you are aware of who is accessing what, and for how long. Access should be limited to only what is required and revoked after the job is done.
Security Awareness: Make sure every person involved is trained to recognize suspicious activity and phishing. It is good business practice to simulate a cyberattack and see how people respond. Be sure to take corrective action where required.
Be Proactive about Security: Engage the right team and improve your security posture. Identify where your content is stored and how to protect it. Don’t wait until there’s water in your house to buy flood insurance.
What can individuals do to reduce such hacks?
Don’t encourage piracy: Only watch original content. By watching pirated content, you encourage hackers to try to illegally get their hands on content that cost millions of dollars to create. And if the original content creators don’t make money, you slowly kill the industry.
Only watch on verified websites: By watching content on unverified third-party websites, you put yourself and your devices at risk. These sites are usually loaded with malware — one wrong click could infect your devices and your network.
Protect your devices: Whatever device you access your entertainment on, make sure that all your devices are adequately protected. Keep your personal data safe by using a comprehensive security strategy.
Like other industry segments (health care, financial, etc.), entertainment companies outsource security. It is essential that companies partner with a firm that takes a 24×7 holistic approach to security, and not a firm that just deploys tools. It is important to have a strong security strategy in place and to remember that technology can and should be maintained and upgraded to meet security demands. A good security partner can help with this so that entertainment companies can focus on their product: entertainment.