CPS EU: Richey May Technology Highlights Current Threat Landscape

Richey May Technology Solutions used a breakout session at the June 29 Content Protection Summit Europe (CPS EU) event to detail the current cybersecurity threat landscape.

Arnel Manalo, director of cybersecurity services at the company, provided a deep-dive exploration of current threats, and explained how different responses provide relevant solutions to each variant of threat.

Topics during the session, “2021 Unbreaking the Internet,” included the latest information regarding penetration testing and other leading-edge risk management technologies.

Cybersecurity threats involving ransomware and hacking groups have been in the news a lot in recent weeks, Manalo noted. At the same time there has been increased compliance and regulation activity, he said, adding: “It’s kind of hard to always wrap your hands around all that stuff.”

Cybersecurity was, of course, a major area of concern for the media and entertainment and other sectors, long before the pandemic, Manalo said, pointing to FBI and Verizon data that showed M&E was the most impacted sector of them all.

It shouldn’t be that surprising. After all, the primary business for most organisations today is information, he noted.

The FBI Internet Crime Complaint Centre (IC3) identified 2,474 organisations in the U.S. impacted by ransomware in 2020, he told viewers. The threat only increased during the pandemic while “everybody was streaming and consuming media and entertainment from home from multiple devices,” he said. After all, “hackers follow the money,” he noted.

The average cost of remediation for each compromised customer record is $154, although the cost “can vary a lot,” he said, referring to an estimate by the Ponemon Institute.

Ransomware has continued to be a major problem for the M&E sector in recent months, he said, noting Funke Media Group “halted their production” due to a ransomware attack impacting 6,000 laptops and thousands of additional endpoints in December 2020 and January 2021. The attack caused that organisation to remove the paywall on its website and only release emergency papers, he added.

Nine Entertainment went on to be the victim of a ransomware attack in March that locked out its employees from emails, internet access and print production systems, he said.

Data keeps businesses running and the “bad guys” realise they can make money by holding data for ransom, he noted.

But organisations are not powerless. There are several steps that can be taken by everybody to defend themselves.

“The biggest thing is user awareness and training,” according to Manalo, who warned: “Don’t click those links. Don’t go to suspicious websites. Always be on guard.” And, while “people are the best defence,” they are, unfortunately, “also the easiest barrier to break through for hackers,” he explained.

Perimeter defence, using malware detection on emails, firewalls and other areas, is important, as are endpoint defence and the use of a segmented and distributed environment to decrease the impact of an attack, he explained. One specific suggestion he gave: “Your guest Wi-Fi should be isolated on a different network segment – even potentially on a different Internet pipe.”

Stolen credentials, meanwhile, represent the top cause of data breaches in the M&E sector, he told viewers. Citing Akamai data, he said 20 percent of the 88 billion credential stuffing attacks seen last year targeted media companies. While there are many ways to hack into an organisation’s system, an attacker who has credentials has no need to hack the system and can just log in, he noted.

He provided four tips to combat stolen credentials: User awareness and training, subscribing to known cracked password lists, enforcing multi-factor authentication, and enforcing behavioural, geographical and suspicious login controls.

He also recommended Trusted Partner Network (TPN) assessment for M&E organisations, explaining that, during an assessment, there is a measurement of the controls and maturity of the security program a studio is using. Included are penetration testing and vulnerability assessment.

Manalo went on to explain the difference between penetration testing and vulnerability scanning.

In penetration testing, an ethical hacker simulates real-life threats and leverages identified vulnerabilities and gaps. A report is then provided on flaws in the studio’s system and suggested ways to remediate them.

Vulnerability scanning, meanwhile, involves an automated tool that scans targets and produces a report of vulnerabilities and ways to remediate them. There is no leveraging or further testing to verify and validate the fidelity of the findings.

The main difference between the two methods is that a penetration test is a simulated hacking exercise that’s often much more complex and provides a step-by-step compromise report and recommendations to remediate along the way. Manalo warned organisations not to be sold by vendors who provide a vulnerability scan and claim it is a penetration test, because vulnerability scan reports do not suffice to meet industry requirements.

Understanding both of those tests “will really help you not only meet regulations and compliance but it’ll also help strengthen your environment,” he said.

An additional important control is user awareness, he noted. That is because no matter how many sophisticated tools an organisation has, how well its networks are segmented and how hardened its devices are, there will always be a human element that adversaries can manipulate to gain access into a system.

Wrapping the session up, Manalo said cybercrime is increasing because it is profitable and the more technology evolves and adapts, the more criminals evolve and adapt with it.

There has, for example, been a lot of cryptocurrency mining in which machines are transformed into slaves to mine coins, he said, explaining that is an “easy way to fly under the radar” and can be done after work hours, when it is harder to detect.

Luckily, organisations can fight adversaries by following industry standards and by implementing proven tools and processes, according to Richey May, which warned that everybody must remain diligent in being good stewards of content entrusted to them.

The event was produced by MESA, the Content Delivery & Security Association (CDSA), the Hollywood IT Society (HITS) and Women in Technology Hollywood (WiTH), under the direction of the CDSA board of directors and content advisors representing Amazon Studios, Adobe, Paramount, BBC Studios, NBCUniversal, Lionsgate, WarnerMedia, Amblin Entertainment, Legendary Pictures, and Lego Group.