Recent HBO hack could spur better cybersecurity practices
It’s time for businesses to update, fortify their shield against threats
By Sue Poremba, ThirdCertainty
Add HBO to the growing list of companies victimized by a serious cybersecurity incident. According to The Associated Press, cyber criminals stole 1.5 terabytes of corporate data, including some HBO shows and sent a ransom video to CEO Richard Plepler in which the hackers demanded a ransom worth millions in bitcoin.
As of this writing, there is still a lot of mystery surrounding the HBO attack. “Beyond the already released programming and ‘Game of Thrones’ episode outline, it’s unclear exactly what else the hackers might have,” Grant Rindner wrote in a Vox article. “One major concern is how much of the data might go beyond HBO programming to include company financial documents, employee emails, or the personal information of employees and customers.”
Related article: Parallels to earlier Netflix hack
It’s also been difficult to determine the motive behind the HBO hack. It initially appeared to be more about causing disruption and gaining attention than about actual financial gain. Once the hackers accessed the data, they reached out to the media in hopes of securing interviews and spreading the data, instead of asking for money or anything else. Then at one point, parties casting themselves as the hackers issued a video demanding $7.5 million, threatening to release more TV scripts and other sensitive business documents.
Motive not always necessary
“It’s a common misconception that hackers only target popular organizations and that they always have a motive,” said Ferruh Mavituna, CEO of Netsparker, a web application security scanner. “Any business that is connected to the internet is a potential target; hackers do not always need a motive. Every business with an online presence is a target, and hacks happen daily.”
There have been some leaks of data clearly compromised from the HBO hack, including phone numbers and email addresses of the “Game of Thrones” cast. These leaks, as well as the leak of an unaired version of the show, came via media company Star India. While it is unknown if the two attacks are related or conducted by the same hackers, Jeff Hill, director of product management with Prevalent, pointed out how the attacks highlight the dangers of third-party vendors.
Keeping tabs on vendors
“Does HBO require its vendors to deploy data loss prevention or other security technologies that could potentially flag the nefarious exfiltration of a gigabyte-size file necessary to capture an entire episode of an hourlong television program?” Hill asked. “Does HBO even know if this vendor—or others for that matter—are committing to data security policies and investments that would reduce the risk of such embarrassing and expensive incidents? Sadly, if not, that would place HBO squarely in the majority.”
Knowing the security practices of a vendor is one lesson learned from the HBO attack, but that’s scratching the surface. The HBO attack highlights several issues that businesses need to consider going forward.
First, a breach of this magnitude goes well beyond the immediate damage. Reputational damage can linger a long time, Virsec Systems founder and CTO Satya Gupta, explained. In the specific case of HBO, the attack comes as its parent company, Time Warner, is the target of a possible acquisition by AT&T. Will this impact the sale in some way, as the Yahoo breach slowed down that company’s acquisition by Verizon?
Breaches get C-suite attention
Another factor from major breaches like Target and Sony is that this instantly becomes a board-level issue, Gupta said. “And heads roll—maybe not literally, like in ‘Game of Thrones’—but breaches can be career-ending for CISOs, CIOs, and other C-level execs.”
The HBO attack serves as a reminder that too many security systems are out of date and easily bypassed by smart hackers. Most security is backward looking, trying to block yesterday’s threats and looking for previously identified malware. Hackers who are highly resourced and innovative will be able to conduct attacks that fly below the radar of conventional security tools.
“As surprising as the lack of focus on the type of document data that was stolen is, what’s even more surprising are the basic security steps most organizations could take to lock this data down much better,” said Jonathan Sander, CTO with STEALTHbits.
Sander recommends that organizations do the following to beef up their security steps:
• Add new technologies to the security toolkit
• Ensure there are no places with too much access for all employees
• Basic cleanup of old, unused data and accounts
• Basic monitoring of how people use data
Improving simple security practices will go a long way in keeping organizations safe from the worst of these attacks.
More stories about business security:
Security ratings help expose connections that can put organizations at cyber risk
Self-training programs for IT staff, execs effectively boost cybersecurity
Ransomware attacks are a fact of life, so real-time detection, response is critical