CDSA

Playing Defense Against Widespread Cybersecurity Threats

Securing content, data and service integrity requires over-the-top (OTT) and other streaming service providers and operators to consider their vulnerabilities from the origin server to the network edge, cybersecurity experts at Yahoo! Edgecast and Eurofins Digital Testing & Cyber Security said Oct. 20 during the session “Playing Defense and Harnessing Community: Securing a video service from origin server to network edge” on day two of the first Video Security Summit.

They examined common vulnerabilities and how companies can address them, touching on the need to remove app vulnerabilities before deployment and the need to protect critical infrastructures from attack.

For a video audience, streaming services and companies that create and deliver streaming applications, “content piracy is a top of mind concern obviously because that’s the core asset that’s being delivered,” according to Jonathan Stock, senior manager at Yahoo! Edgecast, which he said specializes in servicing media companies and works with many OTT companies, helping them distribute their content “in a highly secure way.”

E-commerce and financial services companies have similar concerns but for different specific things, he noted, explaining: “They are more of a target for attackers trying to get at customer data that they may have and to really disrupt that secure platform that is housing that data…. At the end of the day, these are applications online, whether you’re an e-commerce company or a streaming service provider, you’re still putting an asset online and you’re still subjecting [that asset] to what is online, for good or bad.”

Because of that, streaming service providers “really need to be thinking about not only their content and how to protect it but also how to protect the consumers who entrust their data with the provider,” he warned. “They’re giving the provider in some cases payment information, payment card data. They’re giving information about themselves and their households and these are all very attractive points of interest for the hacker community. And so it’s important for streaming services to be thinking about that and what are they doing to protect that.” And they must do so not only to protect that data but also because “attacks can also impact the experience” that consumers have.

And, as a streaming service provider, “experience is a top priority,” he noted. “Delivering those experiences in a fast and responsive way [is] impacted at many different levels by attackers. So [that is] also an important consideration to make.”

Such attacks “can really impact you in very unexpected ways, I suppose,” said moderator Colin Dixon, founder and chief analyst at nScreenMedia, noting: “A prime example of that, of course, is the Sinclair attack. They just had a ransomware attack which took down part of their network and really prevented them from scheduling shows and grabbing ads. It really was a big impact on their system and I think they’re still struggling even today to recover from it.”

Pieter Meuelenhoff, cybersecurity advisor at Eurofins Digital Testing & Cyber Security, explained what is involved in the testing of a wide variety of applications and devices that his company does.

During a security audit, you want to verify how your system is “aligned” with an industry standard, said Meuelenhoff, who noted he has more than 20 years of experience in the field of cybersecurity. Some standards take a lot of effort to adhere to, while some organizations, like the Trusted Partner Network, test an organization in a “more practical” way, focusing on activities organizations need to perform to make, for instance, an application more secure.

How long an audit takes varies based on the depth and scope an organization wants to achieve, Meuelenhoff noted. It could take several weeks or up to a month in certain cases, while testing for compliance with other standards, such as those of the International Organization for Standardization (ISO), can take as much as a year to complete, he said. It makes sense for a company to initially start with a “more lightweight scheme” to adhere to and then make iterations to improve their security, he added.

After an audit is completed, a company will be told what its vulnerabilities are and how to get rid of them, Meuelenhoff said, adding it is often a good idea for a new organization to do an audit as soon as possible.

Dixon pointed to recent data showing it’s not if you will be attacked but when.

When putting an application online, Block said: “It doesn’t matter how much security countermeasures you put [in place] or how many vulnerabilities you identify. It’s just a constant, pernicious, persistent scenario.”

An average website is getting some kind of malicious probe 16,000 times a day and those running the site might not even be aware of it, Block pointed out. Such attacks can significantly impact a company’s ability to provide the good experience it wants customers to have, he warned.

It is important for companies trying to become more secure to start with their visibility, then improve their ability to respond to attacks, and monitor updates and how they impact the organization’s security, Block said.

Meuelenhoff suggested that organizations learn from vulnerabilities and try to correct them, and also make sure to hire highly skilled engineers and then make certain they are trained.

Dixon turned to the common security problem of credential stuffing, noting the Disney Plus launch was impacted by that type of piracy early on.

To cut down on such issues, more public service announcements are needed telling people to change their passwords often, Block said with a laugh. That is why credential stuffing is such an ongoing problem and remains a “major attack vector,” he said.

Recent MasterCard data showed that streaming services are about 40-50 times more likely to suffer from such a breach than other companies, maybe because they’re relatively new and “haven’t implemented the same kind of bot management controls than their peers and… other industries have,” Block said.

There is just a mass “proliferation of data,” including a growing number of streaming services, and people are often setting up accounts with new passwords.

Dixon predicted these and other cyberattacks, including phishing, will continue.

Meuelenhoff said he hopes we are ending the era of passwords, noting there are too many attacks related to them and humans don’t seem capable of constantly creating new, unique and secure passwords and then updating them. He predicted we will see more adoption of new technology that involves the use of mobile devices as an authentication device. “I have good hopes that it will reduce the threats related to passwords,” he added.

Dixon advised organizations to ask their vendors for solutions and what they need to do and “just make sure you do it.”