CDSA

M&E Journal: Mitigating Cyber Risks Through Military Strategies

[svg-table-content]

By Martin Mazor, SVP and Chief Information Security Officer, Entertainment Partners

These days, cybercrime is pervasive. Scan the news and you’ll likely run into information regarding the latest large-scale security breach. Financial services, healthcare, higher education, the public sector, technology, retail, and entertainment have all been prey to potent cybersecurity breaches that have exposed personal information, intellectual property, and other kinds of valuable data.

Consider that the September Equifax breach accessed approximately 145.5 million U.S. customers’ personal data, including names, social security numbers, birthdates, and addresses. Yet, the sheer number of companies, and even government entities, that have lost our data in the past few years has resulted in an organizational and individual desensitization to these breaches.

Security breaches as an act of war – My suggestion: We wake up, and begin treating every breach, small and large, as a brutal act of aggression; an act of war.

War, and the strategies around it, has changed dramatically over time. The large-scale land battles and straightforward invasions that categorized both World Wars have given way to today’s strategic, low collateral damage attacks against unique small targets. We need to understand how the theater of war has changed and apply that line of thinking to the cybersecurity field. Of course, our war plan still must include broad land attacks such as directed “noisy” assaults on our internet facing assets. However, we now need to consider Advanced Persistent Threat (APT) that may include crafted unique malware targeting our organizations, or even a single person.

If we begin thinking in these terms, wouldn’t we be more likely to all be taking measures both personally and professionally to do everything we can to mitigate these threats? It’s time for those of us in entertainment to begin to treat these intimidations as if we are on the front lines of battle. How can we leverage basic military principles that have been refined throughout the ages for our own security strategies?

Prior to implementing our strategy, it’s first necessary to breakdown the entertainment industry’s most notorious adversaries when it comes to breaches. Who are our enemies, and how can we understand them? What do these aggressors want, and what are they willing to do to get it?

Nation states

Nation states are highly funded with trained, dedicated resources and capabilities. From economic espionage to political motivations, their goals are varied. These sovereign entities are highly focused; usually spending considerable resources on a single target to ensure success. A target may be broad in nature, such as a single enterprise, but they don’t typically go after an entire segment due primarily to cost restraints.

A recent obvious example was the 2014 breach at Sony Pictures, purportedly by the North Korean military and intelligence agencies. The hack was arguably inspired by Sony’s decision to release the controversial film, The Interview, in movie theaters. Of course, one could question whether any corporation could withstand a mature nation state’s cyber offensive capability. Still, a war plan offensive is a good place to start.

Organized crime

Replete with mature actors and resources, these highly centralized groupings run by criminals have been in the game of making money for a long time. They’ve figured out that cybercrime techniques are less costly, and far more profitable than more traditional kinds of crime. Now they employ virtual, in addition to physical, threats. Lastly, they’ve become highly adept at indirect targeting methods by concentrating on upstream and downstream partners or supply chain supporting organizations.

The dramatic rise in ransomware is a good example of how organized crime is carrying out cyberattacks. If a group sent out millions of phishing emails, most would be blocked by standard industry security defenses. However, statistically speaking, a few of these emails will likely successfully penetrate. These successes have fueled a major response on payments, making the cost of delivery low, and the rate of return high.

Opportunistic groups

In many cases, individuals or groups seeking public notoriety may be the perpetrators of security breaches. They may be upset by a product portfolio, or a trading relationship. Those looking for a quick financial gain are often hackers with limited skill-sets and minimal resources at their disposal. The most infamous hacktivist group is called Anonymous.

They have launched hundreds of cyberattack campaigns across commercial, government and private organizations based on what they feel were injustices these organizations committed. The attacking groups may not have had the strongest cyber skills but rather took advantage of organizations with frequently weak cyberdefenses to communicate their messages.

Insiders

Sadly, many large-scale security breaches are committed by disgruntled, revenge-motivated employees, or even partners, with significant access to internal systems and data. Their motivations might be informed by an interest in exposing organizational secrets.

For insiders, capabilities are often vast because they know the environments, and what data has the most value.

The most infamous example of the ultimate insider breach was Edward Snowden’s leaking of classified National Security Administration (NSA) information. Snowden was an IT administrator and analyst with access to a broad range of systems and data.

A cohesive plan that covers all our data

Where you fit into the entertainment ecosystem will likely drive your risk register of what’s important:

Content protection is key – without it our revenue streams don’t exist;
Personal data – our industry is glued together with PI;
Back office assets such as financial information and forecasts.

Unfortunately, if you ask 14 business units in your organization about their respective missions, you’re likely to get 14 mission statements. This may be fine from an operations perspective, but it lends itself to failure when being strategic in protecting your company. A cohesive, integrated, companywide mission plan and statement around cybersecurity is critical to success.

Like the military, apply the three levels of war in your company’s doctrine:

1. Strategic
2. Operational
3. Tactical

Then, let’s prepare for battle using these key strategic areas:

• Recruit your army

Establish a resource plan that includes your dedicated cybersecurity professionals but also focuses on the enterprise staff. Like any military unit, your army needs infantry (cybersecurity), leaders (business support), supply and depot (your supply chain), and strategists (senior leaders across the organization).

• Build your war plan

Many organizations start with an established framework, not unlike what military strategists learn in war colleges. While no specific framework fits all organizations, it is highly recommended to start with the NIST Cybersecurity Framework (NIST CSF). This provides the resources for a security framework, while also ensuring measurement and metrics are applied to establish and grow the organization’s maturity.

• Establish your defenses

It is paramount to complete a risk ranking exercise that establishes a prioritized methodology for what is truly valuable to the organization. A key factor in this risk ranking is completing an information classification matrix. By starting with risk ranking your data, wherever it lives and goes, you are ensuring that the protection methods are consistent. See the NIST CSF for specific recommendations. Once this is complete, you will have a better idea of where to focus your investments and resources.

A key factor in this risk ranking is completing an information classification matrix. By starting with risk ranking your data, wherever it lives and goes, you are ensuring that the protection methods are consistent.

• Drill, test and retest … drill again There is good reason why the military’s repetitive drills are required. As such, you should be planning, preparing, testing, retesting, drilling, and preparing some more. It’s important to focus on our primary threats and have end to end drills. These should include our business partners — both internal and external — as well as supporting groups and senior leaders — with an automatic reflex always as the end goal.

• Assume nothing and everything It may seem obvious, but many in entertainment and other industries lack a Plan B formulation. While a strong business continuity and disaster recovery plan is imperative, think on a smaller scale as well. Look at your risk register and you’ll find what drives the business: content management, production systems, and financial apps, but may include simple communication tools like email. Do you have a plan B for an email compromise?

• Execute, but quickly learn from mistakes Similar concepts in DevOps in the IT world apply here: fail fast and often. The goal of a DevOps model is to integrate disparate resources into a single reasonably sized goal, and be agile enough to allow for unknown factors and failures. The same concepts apply when building a war plan; have the right eyes on the goal, and monitor continuously. If something isn’t working, cease doing it and refactor aligned to the end goal.

Mitigating your risk

Lastly, people want to partner with you. Join supporting groups like an ISAC or a cybersecurity information sharing organization. There are several that are specific to the entertainment industry. They are well developed to share Intel and other attack analysis to help you protect against threats.

By incorporating military principles to your comprehensive strategy, security leaders can mitigate cyber risk. We’ve all heard the saying “there is no such thing as 100 percent protection” and it’s true. Can it happen to you? “Absolutely” is truly the only honest response in this interconnected digital age. However, every day you should be asking yourself if you are ready to respond to a cyberattack. Further, what is your plan should you be infiltrated? Even if you lose a battle, having a crisis plan in place can help you win the war.

—-

Click here to translate this article
Click here to download the complete .PDF version of this article
Click here to download the entire Winter 2018 M&E Journal