Two cyber incidents involving news media companies underscored the need for these businesses to take a closer look at their security operations.
In the past two days it was reported that the website and Twitter account of the N.Y. Post were hacked by an insider, whom the paper subsequently fired. And Thomson Reuters reportedly left at least three of its databases open on the public internet. One of the open instances was a 3-terabyte public-facing Elasticsearch database that contained sensitive data across the company’s platforms.
SC Media reached out to security experts and asked them to offer some insights as to why media companies face constant attacks and if they have the necessary security tools to meet the growing threat landscape.
Media companies have been and will continue to be targeted by cyberattacks for at least two important reasons, said Jerrod Piker, competitive intelligence analyst at Deep Instinct. First, as we saw with both the Sony and Thomson Reuters hacks, media companies are often behind the eight ball when it comes to completely protecting their computing environments from the inside-out, making them relatively easy targets to penetrate. Second, Piker said the intellectual property that media companies produce is very valuable, from not-yet-released blockbuster movies to sensitive news stories.
“If we are to see a marked improvement in the number of attacks on media companies, it’s going to take a concerted effort by the cybersecurity community and willing technical teams from the largest media organizations to identify common security gaps and introduce necessary policies and tools to close them,” Piker said. “It could also prove helpful if more specific security guidelines were created and enforced by an external collective, similar to what we see with the Payment Card Industry’s Data Security Standards compliance framework.”
Amit Shaked, co-founder and CEO at Laminar, explained that media companies are appealing targets because they can reach a large number of people in a short time. They also keep contact information for a slew of credible and potentially valuable sources, scoops on stories that haven't yet broken, and, whether all of the details make it into articles or not, massive amounts of notes/recordings from interviews with their story subjects — which could include geopolitical actors, said Shaked.
“If their systems or even social media accounts were infiltrated, cybercriminals or hacktivists could spread misinformation, or if any of this data ended up in a cybercriminal's hands, they'd have significant leverage for monetary extortion of the company,” Shaked said. “In all cases, it’s critical for news organizations to know where all data resides, who is accessing the data and/or their systems, and what their security posture is, to prevent hacks, leakage and extortion.”
Shaked added that news organizations have traditionally had smaller budgets than major corporations in other verticals, making it more challenging to obtain funds for cybersecurity tools and teams. Shaked said with all of the sensitive information they house and the number of people they can reach, it will become increasingly important to fight for the investment.
Tech environments less hardened and may be more prone to insider risk
Mike Parkin, senior technical engineer at Vulcan Cyber, pointed out that media companies operate in a much different environment than do financial services or healthcare. Parkin said they operate at a fast pace and don't have the same kinds of regulatory oversight found in other industries. While many of them do invest in solid security controls, it's often not as high a priority as it is for a bank or hospital, said Parkin.
“This can lead to an environment that's not as hardened as other potential targets, and employees who don't get the same level of security training, or take it as seriously, as can be found in other industries,” Parkin said. “Media companies may not have the same kinds of personal data that threat actors can be interested in, they are still inviting targets. And it's hard to overestimate the potential damage that can occur if a malicious actor took control of a widely respected media outlet.”
John Bambenek, principal threat hunter at Netenrich, said media companies, particularly their social media accounts, have been ripe targets for attack for a long time. Compromises are highly public, and thus embarrassing, which makes them appealing for disgruntled insiders or hacktivists looking for attention.
“Typically, they don’t view themselves as needing high security, except when national security reporting or politically sensitive reporting are involved, so they may not adopt as strong of controls as they could,” noted Bambenek.
Deep Instinct’s Piker said media companies are generally so focused on preventing unauthorized access that they could miss an insider threat. Piker pointed to the Sony Pictures hack in 2014, in which attackers collected more than 100 TB of data without being detected; one individual who claimed to have been involved in the attack as a member of the Guardians of Peace said they had access for at least a year prior to the attack.
“While Sony Pictures undoubtedly had best-of-breed perimeter security in place to prevent unauthorized access, they didn’t account for a trusted account being used to steal the data,” Piker said. “Further analysis of the attack also revealed that the threat actors had used a listening implant, backdoor, proxy tool, and wiper malware to collect information and then erase evidence of the attack. It’s important that media companies take appropriate measures to not only prevent unauthorized access at the network level, but also to monitor for suspicious system and user behavior at every level of access to avoid this type of catastrophic damage.”