By Eoin Keary and Sean Martin
The nature of the business for media companies means they are under constant and tremendous pressure to keep their services up and running 24 hours a day, 7 days a week, 365 days a year. This becomes even more of a challenge as they look to grow their footprint in the market, extending to different audiences, markets, and even countries.
Competing with both of these goals is the non-negotiable need to establish a high level of respect and maintain their hard-earned reputation; arguably, this matters above all else.
At the core, media outlets are designed to spot trending and breaking news, investigate the situation, and report on it; they provide the channels through which events, stories, and causes make their way into homes and businesses throughout the world.
Given the expansive audience the media have, they represent a natural target for the likes of hacktivists, terrorists, and even nation states. What better place to sow their seeds of doubt, fear, confusion, and perhaps even an alternative public opinion?
This experts corner was built to uncover the threats they face, what’s at risk if they were to be targeted and breached, and how to get a baseline defense in place to help mitigate the risk.
Face the Threat
Media companies face the following threats.
Each item below represents an example for which we’ve already seen some activity:
- Distributed Denial of Service: Against the BBC in 2015 and Brian Krebs in 2016
- Defacement: A key concern for TV executives
- Content Integrity: LA Times Article in 2010
- Watering Hole: Bring a horse to Forbes, and they will likely drink
The reality is, most of the real threat comes from the users within the company; they are typically the weakest link in security.
What’s Everyone Worried About
While there is certainly some overlap across these roles in terms of things they worry about, this list categorizes the core concerns for each type of media representative.
- Prevent unauthorized access to content (and resulting footage)
- Protect the anonymity of their sources
- Prevent stories under embargo from being revealed
- Keep their services and channels up and running
- Guarantee distributed content is authentic and has not been tampered with
- Ensure live studio production technologies have not been tampered with
- Tightly control access to sensitive material
Common Methods Used to Target Media Organizations
Recognizing there is a lot of sensitive and valuable information collected, stored, produced, and distributed by media companies, it should come as no surprise that hackers are very interested in getting through any controls put in place to keep this content safe. However, it’s probably fairly easy for them; entertainment and media companies suffer from the same baseline weaknesses:
- Poor access control and password policies
- Limited (non-existent) third-party risk management processes
- Unpatched, and exploitable, vulnerabilities on media systems
- Unaddressed web vulnerabilities, namely the OWASP top 10
However, when the low-hanging fruit doesn’t do the trick, hackers aren’t afraid to leverage other tried-and-true methods of attack:
1. Denial of Service (sometimes for purposes of diversion)
6. Any/all of the above
Methods of Defense
Media companies, publishing houses, journalists, and reporters need to click links sent to them. They need to communicate with their informants and peers. They must store information for always-available access. They are usually required to produce their stories as quickly as possible. All of these things mean they are living in email, texting informants, leveraging the cloud, and probably doing it while on the go via their mobile device.
The following represents a collection of actions journalists and other media professionals can take to reduce their attack surface:
- Use a password manager, change your passwords regularly, and make them long
- Patch, patch, patch your systems
- Don’t use “office” with macros enabled
- Enable full disk/device encryption
- Use a cloud service that offers over-the-air (HTTPS/SSL) and in-the-cloud encryption
- Use a personal hotspot rather than public Wi-Fi when possible
- Use a VPN, preferably one that doesn’t keep logs
- Never use Internet Explorer (IE) for web browsing
- Don’t use old (and unpatched) web browsers either
- Disable Adobe Flash
- Use PGP for encrypted email communications
- Consider using a non-jailbroken, fully-updated, password-protected (encrypted) mobile device for your mobile email communications
NOTE: Eoin Keary, CTO and Founder of Edgescan, takes it a step further, narrowing this down to ‘an iDevice’
About Eoin Keary
Eoin is the CTO and founder of BCC Risk Advisory Ltd, an Irish company that specializes in secure application development, advisory, penetration testing, Mobile & Cloud security, and training.