Taking the Entertainment Industry for a Ride is more than a Game
By Hamid Karimi, VP of Business Development at Beyond Security
The entertainment industry has been taken hostage- literally. America's soft power that has manifested in its entertainment industry prowess, is now under siege by a slew of nefarious actors. One can walk on the streets of underdeveloped or developing countries and find pirated copies of blockbuster movies or the latest music albums.
However, there is a paradigm shift from simply circumventing copyrights laws to direct intentional assault against an industry whose reach and influence far exceeds any hard power. It is difficult to imagine the real intent behind the infamous Sony hacks and recent HBO breach was anything but for financial gains. If we speculate that the aim is to cause harm (financially or to the brand), then state actors come to mind.
If we eliminate the inside actor- any disgruntled or financially motivated employee, then those who breached the defenses of HBO, could have lived anywhere in the world if they had the right exploits at their disposal and a simple Internet connection to reach their intended target.
It is not hard to fathom that HBO was specifically targeted and the breached put in motion a set of steps to reach their target. Likely, the attackers scanned the HBO networks and found unpatched vulnerabilities (more than 99% of intrusions rely on easily addressable vulnerabilities) and then used an available exploit or set of exploits to invade the network and conduct their heist. It is also possible and not currently known if the exploit, e.g., injected bot, was placed in the network many days or weeks ahead like a sleeping agent and an event triggered its action.
Even without standard security controls, HBO could have protected its assets by deploying strong encryption technologies and maintaining a hardened key management system- designating themselves or a trusted third party as the root of trust or the master key holder. HBO is certainly guilty of not only failing to deploy standard security controls but also weak access control tools and absence of effective mitigates such as limiting the amount of data available in a single repository thus forcing the intruder to wage multiple attacks to gain access to the trove of material.
Lesson to be learned? Nothing is impenetrable anymore and every organization no matter if it's in entertainment or in healthcare are vulnerable to attacks and security breaches. A very notable quote from HBO hit series comes to mind - "Power resides where men believe it resides. It's a trick, a shadow on the wall. And a very small man can cast a very large shadow." - Lord Varys.