February 11, 2015
During an HPA Tech Retreat panel yesterday on “Cyber and Content Security: Time for a Strategy Change,” moderated by NSS Labs Sales Director Kari Grubin, panelists asked the important questions: Who are the perpetrators? How easy is it to gain access? How can we understand the risks to our specific companies? And how can we architect against risks? Grubin was joined by Frank Artes of NSS Labs, Theresa Miller of Lionsgate, Bryan Ellenburg of the CDSA, and Ted Harrington of Independent Security Evaluators.
“About 79 days ago, Sony had a massive breach that has forever shifted what we talk about in cybersecurity,” explained Grubin. “Last year was defined by the mega-breach and the mega-bug,” agreed Ted Harrington, executive partner at Independent Security Evaluators, who noted both the Sony breach and the Heartbleed bug.
Prior to the Sony hack, earthquakes were the major concern at Lionsgate, said Theresa Miller, CIO/EVP Information Technology. “The magnitude of the attack, how much data was leaked and how much destruction to internal systems had an impact on every major company,” she said. “It’s definitely a new game.”
Harrington, who described the hack of the first iPhone in 2007, noted that the media and entertainment industry’s “major adversaries” are nation states, organized crime, hacktivists and the casual hacker.
NSS Labs Principal Engineer Frank Artes described how much information a hacker can harvest from a mobile device, using SSIDs (service set identifiers), despite security products being in place. “You need to know what the security product doesn’t detect,” he said. “Security vendors don’t always do what they say they’re supposed to do.”
“Technology to make your life better is often brought to market without ever having a security expert review it, even to point out how it might be misused,” suggested Artes. “Your blind faith in security products will not end well. Talented people, not security products, are your most valuable asset.”
The number of IT people monitoring and auditing security is woefully small, he added, noting that, at large companies, the IT security staff “grew” to 29 people in 2014. “It’s an asynchronous battle against hackers,” said Artes.
Industry response to hacks is likewise wanting. According to Artes, there is currently a 153-day wait from the day a breach is announced until a patch is available. And that breach has likely been active for 312 days. “So that’s 465+ days of exposure,” he explained.
Hackers not only harvest tens of millions of accounts, they analyze the passwords; then they hack a second time to analyze password changes. “Hackers have predictive analytic models for passwords,” Artes noted. “They know the password you’re going to have next before you do.”
The one “upside” from the Sony breach is that media and entertainment companies are taking security much more seriously. “Before, our executives thought I could prevent any kind of hack,” explained Miller. “Now our executives recognize it’s impossible or almost impossible to do that. What we can do is minimize the risk.”
Bryan Ellenburg, security consultant at the Content Delivery & Security Association (CDSA), promotes the importance of education and training. “A lot of movie spoilers came out because people didn’t know what the threats were,” he said. “Screenplays, location images, budgets are all targets. Education and training are the foundation for getting out in front of movie productions.”