Disconnected, disillusioned or indifferent to cyber warfare? IBC365 speaks to Tony Gee about ethical hacking and how broadcasters can defend against cyber security attacks.
Tony Gee is a Security Consultant at Pen Test Partners which specialises in high-end penetration testing. Gee knows all the ins and outs of hacking into smart technology devices and IoT networks to identify real vulnerabilities.
Gee, who is speaking as part of the Weaponising IoT session at IBC2018, focusses on the weaknesses in organisations across technologies, systems and departments as a single entity to mitigate cyber security breaches and loss of critical data.
He says: “Ethical hacking is less cloak and daggers and more legal vulnerability testing for our clients.”
“For broadcasters, cyber security should be a major concern…organisations are implementing smart devices without testing them, they’re opening up their entire content network to a real challenge.”
What does cyber war mean for broadcasters?
Broadcasters are increasingly adopting new technologies to ease workflows and automate processes. The internet of things (IoT) is far bigger than smart kettles and lights, on a consumer side, smart TVs and IPTV have become integrated into everyday life because it is cheaper and convenient.
The smart technology and IPTV integration has incredible benefits but the key to success is implementation in a secure way through trials and testing. Organisations that overlook due diligence put themselves, their assets and client data at risk.
A cyber security breach can be driven from malicious targeted software invasions or hacking groups obtaining sensitive and or valuable information to be held for ransom. The exploitation of media assets from broadcaster networks can lead to significant risks.
Broadcasters store valuable media within its networks and a simple compromise can exploit that content which ultimately has a destructive impact financially and reputationally.
What kind of security breaches commonly occur?
The biggest breach in recent times is certainly the attack on Yahoo which was allegedly performed by nation state hackers who compromised the security of 3.5 billion user names and affiliated passwords. It is certainly the largest breach in history and has helped organisations recognise the importance of cyber security safety.
At a simplistic level, poor passwords and lack of antivirus software are the primary issues. Choosing good passwords is the number one entity to help guard against security breaches. Password managers really can help and I would advise organisations to allow end users to create strong passwords, it means those passwords are secure and efficient.
Often people are reusing the same password across various accounts, if this is compromised it takes a simple network hack to run the same password through different websites. We saw this with Uber, when users had their accounts compromised, they didn’t have their money refunded as Uber classified the breach a direct result of poor password strength.
Failure to keep software and antivirus scans up to date is the other main issue that opens up systems for security breaches. Use adblockers because they’re a good control to help limit viruses from malicious advertisements.
Read more Catching the pirates offside
How can firms mitigate against cyber security issues and breaches?
Good security hygiene is fundamental to all organisations and ensuring this knowledge is filtered down to all employees. From a business perspective, investing in cyber security resources and insurance coverage that is a benefit to the entire supply chain of the organisation should be a priority. This helps to offset risk and prevent cyber breaches.
Make sure your staff are aware of cyber security, this can be more difficult in larger organisations but ultimately it will help teams to be more reactive as the staff body are the eyes and ears of the business. Staff training should be a mandatory requirement not from a compliance perspective but from a risk point of view.
Organisations should undertake traditional security testing against web applications and IT infrastructure and seek accreditation against Cyber Essentials and if smart devices are employed check the security reviews and perform security testing.
Companies as a whole should undergo more testing of software and procedures particularly to simulate real world attacks with traditional and new business workflows.
What are the best defence and response techniques?
In addition to general security hygiene and password protection, due diligence is always the best to defence and we are seeing organisations to having a requirement to check technology, staff and software systems before installing and throughout the implementation lifecycle.
Separate from the broadcast network, I would always suggest password managers are used to make the most of strong formats to test the strength of passwords.
One common oversight is the ease of transferring bugs and malware through portable storage devices whilst transferring content. Making sure these devices are approved and IP systems are authorised and used for the purposes required.
How important is education?
Education is critical and security awareness is key for business but the media industry needs to realise they are a high-profile target for hackers.
The ransom heist and subsequent leak of Orange Is The New Black from Netflix last year is a good example of a hacker exploiting the terms of ransom. The content was leaked after the ransom was paid, these high-profile breaches have helped to engage the discussion on cyber security.
I often see that there is a disconnect between company management and the staff who are purchasing the technology. There is a wider issue from a corporate perspective about accountability of implementing smart devices without testing them. However, often we see that developers and implementers or purchasers don’t understand security implications and as such it is often overlooked.
Should companies pay ransoms?
The general advice from senior security officers is that a ransom should not be paid given the fact there is no guarantee of getting your data back. The next action from the cyber criminals staging the attack could be far worse, not to mention the reputational damage this could brand the organisation with.
Broadly speaking the answer is always no, however in some situations it can be beneficial for the organisation to pay the ransom.
I would advise rather than paying a ransom attack, money is better spent is an investment in the organisations security controls and security testing to prevent an attack from occurring. I commonly see security breaches which could have been avoided if the measures to eliminate the weak points and secure systems and operations to avoid any form of breach.
What is the reputational damage for organisations who experience a cyber-attack?
What we see is often a short term dip in reputation and stock market prices. Depending on the industry specialisation and how comprehensive the attack is the services on offer may fall short whilst the recovery is bridged.
The recent high profile Facebook and Cambridge Analytica scandal saw the social media giant’s stock prices take a huge dive with Chief Executive Mark Zuckerberg called to explain regulation and data sharing procedures. In this instance, Facebook has recovered its stock price.
However, that’s not to say all organisations reputation will fully recover in similar situations, and it can have a long term impact. The enforcement of the global data protection regulation (GDPR) which came into effect in May this year has seen an empowerment amongst individuals and a heightened awareness about their personal data.
GDPR is absolutely going to change the way businesses handle data and how end users can manage their rights. It can only be a good thing for public resolve and the impact of storing data amongst corporate conglomerates.