Game of Pwns: Security lessons from the latest HBO hack
By Alex Manea, Chief Security Officer, BlackBerry
HBO recently suffered a massive cyberattack, with hackers stealing 1.5 terabytes of data from their network, including upcoming episodes of shows like Ballers and Room 104. But the crown jewel of the hack wasn’t even a video, it was the script to a recent episode of the wildly popular HBO series Game of Thrones. The network’s chairman and CEO Richard Plepler confirmed the hack and called the recovery efforts “nothing short of herculean,” but, he also said something much more important, something that many people overlooked:
“The problem before us is unfortunately all too familiar in the world we now find ourselves a part of.”
Winter is Coming
We often think of major data hacks as individual unrelated incidents, but when we step back and look at cybercrime as a whole, some very disturbing trends start to emerge. Last year alone, companies and individuals were targeted by an estimated 90 million cyber attacks globally – that’s over 12 attacks per second. According to a Financial Times story last year, cyber attacks cost Asia-Pacific businesses more than an estimated US$81 billion in revenue in the first nine months of 2015. By comparison, natural disasters in Asia Pacific cost almost US$60 billion in 2014, according to a United Nations report. The total amount was based on the 119 disaster events recorded in the region.
Over the past decade, we’ve seen a significant evolution in the scale and sophistication of hacker organizations, along with the types of businesses that they target. Historically, hackers tended to go where the money was, primarily targeting banks, merchants, retailers, and other organizations that directly handled financial information and transactions. But as these organizations improved their security standards and began locking down their systems, hackers started looking for easier targets whose assets were just as valuable.
Our goal isn’t to make our defenses impenetrable, it’s to make them strong enough that hackers simply move on to easier targets
Trial by Combat
With streaming services like Netflix and Hulu leading the way, the global entertainment industry is now worth around US$2 trillion, equivalent to the combined value of the world’s top 10 banks. HBO by itself generates around US$6.4 billion in revenue, with Game of Thrones being its most popular series. Therefore, it is no surprise that professional hacker groups are increasingly targeting major movie and television studios.
In 2014, a group of hackers known as the Guardians of Peace, infiltrated Sony Pictures and spent at least 2 months inside their network—copying critical files and stealing up to 100 terabytes of data. The group demanded that Sony halt the release of the major motion picture— The Interview— threatening terrorist attacks and eventually causing Sony to cancel the film’s premiere and mainstream release. Just a few months ago, Netflix was hit by a ransomware attack from the Dark Overlord hacker group, which ultimately leaked an upcoming season of the hit show , Orange Is The New Black. Even HBO is no stranger to these types of attacks, with the first four episodes of Season 5 of Game of Thrones leaking out to BitTorrent before the season premiere.
Where Are My Dragons?
The entertainment industry (along with most other enterprises) needs to update its security model to reflect the reality of the modern IT ecosystem. Many organisations still focus on perimeter defenses – firewalls, intrusion detection systems, and Network Access Control. But perimeter defenses are only effective in protecting data inside the network. What happens if, as was the case with Sony, your network is compromised? And more importantly, how do you continue to protect the data once it leaves your network?
The good news is that all of the technologies needed to protect against these types of attacks are already available from companies like BlackBerry. Enterprise File Synchronization and Sharing solutions are used by several entertainment companies to securely share encrypted files and control digital rights even after the files leave their network. Using secure communication solutions means that it is safe to communicate with external parties over secure channels, be they email, text, phone or instant messaging. Unified Endpoint Management (UEM) solutions are also key in centrally securing and controlling all of IT endpoints, including desktops, laptops, mobile or even IoT devices. And finally, cyber security consulting services can be used by organizations to assess their defenses, bringing “ethical hackers” into their environments to simulate a real-world attack.
If Game of Thrones has taught us anything, it’s that enemies will always try to find and exploit our biggest weaknesses, be they physical, mental or in this case digital. And just as in the hit HBO show, our goal isn’t to make our defenses impenetrable, it’s to make them strong enough that hackers simply move on to easier targets. In the end, enterprises and individuals who adopt this rational and economic approach to risk management will have the best chance to survive the digital winter.