The range of threats faced by broadcasters is more varied than ever before, but there are steps that can be taken to mitigate the risks, writes Spencer Stephens.
This is not a definitive article on cyber security.
It can’t be, because the threats change minute by minute. That is the biggest challenge for anyone defending against cyber-attack.
Everyone is vulnerable and the volume of attacks is soaring.
Some attacks are targeted, but many exploit class hacks, where the security of an entire class of devices is compromised and the malware autonomously seeks out other devices to infect.
Cyber-attacks are easy and cheap to initiate, whether using tools which are widely available or through criminal SaaS (software as a service).
It’s almost impossible to determine where an attack may come from.
The perpetrator might be motivated politically, be a competitor, be someone out for revenge or just see the broadcaster as a revenue opportunity through ransom or stealing and re-selling content.
A broadcaster has the same threats to its IT infrastructure as any other institution.
There are many companies offering products and services to secure the IT infrastructure and this article focusses on threats more specific to the media industry.
Best practices include contracting with an independent company that specialises in security review and penetration testing.
Holding an organisation to ransom is prevalent and a broadcaster must have a response ready. Some reading this article will have experienced first-hand the WannaCry and Petya ransomware. A simple cost-benefit analysis led many to pay $300 to unencrypt their data but WannaCrypt brought to the fore a problem with that tactic: paying the ransom didn’t unlock the data.
Whether the WannaCry decryption function was buggy or the criminals had no intention of unlocking data is beside the point.
The theft from an audio post-production facility, Larson Studios, of the current season of the Netflix TV series Orange is the New Black saw a more traditional ransom demand. The attackers wanted to be paid or they would post the series on pirate sites. The attackers released the series despite the post-production company reportedly paying the $50,000 ransom.
So, there is no guarantee that paying a ransom will get you the result you desire.
In May, Disney received a ransom demand from someone claiming to have stolen a copy of Pirates of the Caribbean: Dead Men Tell No Tales.
In a Yahoo! Finance article on May 25, Bob Iger, CEO of Disney, said “To our knowledge we were not hacked. We had a threat of a hack of a movie being stolen. We decided to take it seriously but not react in the manner in which the person who was threatening us had required.”
He went on to say: “We don’t believe that it was real and nothing has happened,” and added “in today’s world, cyber security is a front burner issue.”
Iger has pointed out a vital requirement. Regardless of any other security measure, you must have monitoring to determine what is happening and what has happened.
My first law of cyber security is to assume an attacker is already in your network. Monitoring all activity on the network as well as on systems is one way you will find out.
Human and machine analysis must look for unauthorized access attempts and abnormal network activity.
ITV Director of The Technology Management Office Paul Lynch sums this up. “With such a broad range of risks and vulnerabilities to manage, comprehensive monitoring and analysis of network and device behaviour alongside well practiced incident playbooks are critical to the defence of any broadcast company.”
You cannot rely on detection solely at the operating system level.
Apart from zero-day attacks and malware resident only in RAM, there may be malware in the hardware. In May, Intel fixed a 7-year-old bug in its Active Management Technology saying that the security hole allows “an unprivileged attacker to gain control of the manageability features provided by these products” enabling re-configuration of the hardware undetectable by the OS.
There is another lesson to be learned from the Orange is the New Black incident. Even with the most secure systems possible, a broadcaster, or any other content creator or distributor, is vulnerable through its outside contractors.
A broadcaster should have a dedicated information security (InfoSec) group, but small companies or individuals providing specialised services may not.
Cyber security starts with documented procedures and risk analysis, but these may be lacking in a small company. Security assessment - an audit - will be difficult.
While the audit could be conducted by the broadcaster’s own InfoSec department, I recommend security audits are done by experienced third-party experts.
There are three reasons:
- A difference in skills between building a secure infrastructure (the InfoSec role) and assessing the security of someone else’s system
- The company may be more open if the security assessment is kept confidential until any issues are dealt with
- The final report can be made available to other clients
News organisations are the target of politically motivated attacks designed to bring about a chilling effect on reportage by attempting to prevent or discredit reporting.
But even here the motivations can be unclear.
In April 2015 TV5 Monde appeared to be the victim of an attack by a group calling themselves the Cyber Caliphate and linked to Isis that used highly targeted malicious software to destroy the TV network’s systems.
However, further investigation of the attack suggested it was in fact carried out by a group of Russian hackers.
IT and production systems aren’t the only assets that need to be protected.
Social media accounts are a key contact point with the audience, whether that be reportage or marketing. A compromised Twitter account could prove to be as damaging to a news organisation as a compromise of their servers.
Websites pose some unique challenges.
A broadcaster may not know about all its websites. That may sound silly, but a marketing department unaware of the rules might create websites for individual pieces of content that are hosted by a third party. Furthermore, programme websites are often (quite reasonably) left up beyond the time that the content is being actively promoted.
These orphaned websites pose an unnoticed security risk, and their security may not be kept current. The risk is that the site may have collected PII or be used as a platform for activities damaging to the broadcaster’s reputation.
The security of any system that collects personally identifiable information (PII) must be the highest priority. Compromise of PII has regulatory, liability and public relations implications, and above all else, the theft of PII impacts people’s lives.
Every media company must undertake continuous assessment of the risks to their business.
Risks include theft of content, alteration of content, interference in social media, denial of service (look beyond DDOS attacks), piracy from the supply chain and at the consumer end, illicit rebroadcasting and the theft and publishing of confidential information.
Publishing of stolen information has the obvious risks but there is another subtle risk. Stolen information that is published may have been altered or forged. It only takes the removal of the word ‘not’ from an email to bring about damaging consequences. I hope by now that every reputable news organisation understands these sources are unreliable and unverifiable.
Content that has been edited with sync sound is more attractive to attackers than raw camera footage without sound. That’s not to say that the effects shots for the latest Hollywood blockbuster aren’t attractive, and if the attacker can acquire the right assets – sound and picture - they can finish the content themselves.
There are best practices for securing media in production. One is the use of Aspera, instead of FTP, to transfer content securely and efficiently. Going beyond access controls to encryption-at-rest with a proper key management system helps protect against anyone with system administrator privileges.
The threat landscape in production is complicated by the type of specialised systems that are used. For example, it may not be possible to upgrade a workstation running a specialised application on Windows because upgrades may be incompatible with the application, or because hardware drivers for a newer version of Windows do not exist. From an operational point of view, maintaining a Windows XP system is an annoyance; from a cyber security point of view, it is a disaster.
Furthermore, Andreas Schneider, CISO of SRG SSR, highlights another threat when he says “Our industry is moving from the proprietary world of SDI technology to an all-IP, all-interconnected world. All-IP implementations like SMPTE 2110 lack basic security functionalities.
“Decision makers thinking in broadcast terms are not adopting an IT-security awareness mindset. Vendors and broadcasters neglecting this reality are ignoring the increased risks that come with these new technologies.”
The vulnerability in the core technology is extensive.
We have seen security bugs and malware in open source code and contractors inserting backdoors in applications either for ease of maintenance or malicious reasons. Two-factor authentication will fail if SMS messages are diverted to another phone by exploiting vulnerabilities in SS7, the 40-year-old signaling protocol that controls the public switched telephone network.
There are some obvious threats to content distribution systems such as unauthorised access to media on CDNs. A less obvious threat is that the content staged on the CDN ahead of release can be accessed by hacking the entitlement server, the server that determines whether a user account is entitled to access the content.
The content distribution chain is vulnerable at the consumer end.
Nothing will be completely effective, and DRMs and anti-piracy measures are best seen as a way of degrading the consumer experience of illicit use. This is more effective when it is accompanied by an excellent consumer experience for legitimate use. Stopping redistribution of content involves extensive full-time monitoring and rapid response, particularly with rebroadcasting of live events.
Effective cyber security requires a commitment from everyone in the organisation, especially the leadership.
Any lack of commitment at the top erodes the entire security culture. That’s a challenge for the cyber security team because senior management expects groups maintaining the infrastructure to just get on with it. That works for email servers and keeping the building clean, but everyone has a role to play in cyber security. A successful dialogue with senior management means a discussion of the consequences to the business of a security breach and the awareness that cyber security defences are, fundamentally, not 100% effective.
In the media industry, objections to security procedures by the creative team have resulted in exceptions to security protocols being granted. For example, a producer may insist on being exempted from two-factor authentication when viewing dailies. If the management is truly committed to cyber security then exemptions will not be forthcoming.
It is the duty of those responsible for cyber security to make a clear, concise and contextually relevant presentation of the risks as well as the requirements.
Practical cyber security means finite budgets and resources. Prioritisation is a matter of the risk (what do you build a wall around first?), the places where a little effort has a lot of benefit (properly protecting a Twitter account), and where mitigation is a good first step (someone might steal one TV show but that doesn’t mean they automatically get a second).
Any corporate budget process involves ROI (return on investment) analysis. ROI is a challenge for cyber security. It’s difficult enough to measure the true financial and non-financial impact of a successful cyber-attack after the event; it’s impossible to do it beforehand.
If you are responsible for cyber security there is one further risk that you must mitigate by fostering a corporate-wide security commitment. To quote Donald Rumsfeld’s Known and Unknown: A Memoir: “Those who made the decisions with imperfect knowledge will be judged in hindsight by those with considerably more information at their disposal and time for reflection.”
Production and media technology expert Spencer Stephens is former Chief Technology Officer of Sony Pictures Entertainment and VP of Technology at Warner Bros.
At IBC2017 Spencer Stephens is chairing the What if…Scenario Discussions session in the C-Tech Cyber Security Forum on Friday 15 September.