Focal Point Blog

Chaos is a Ladder: How Hackers are Attempting to Get Rich by Creating Chaos at HBO

Written by Phil Casesa | Aug 22, 2017 1:19:45 PM

I can’t go online without seeing a Game of Thrones reference.  HBO has invested hundreds of millions into building hype around this show, and with great return: Two episodes this season have broken ratings records for the cable giant, with Episode Five surpassing 10 million viewers.

But Game of Thrones is also in the news for two very different reasons. 

The first: Action is heating up in Season 7, and fans are expecting plenty of ice and fire in the finale (no spoilers here).  Each episode sparks water cooler talk for days, and it won’t stop as long as the jockeying for the Iron Throne continues.

The second, and the reason I am captivated, is the saga of HBO versus the hackers that lifted 1.5 TB of data from the company and what those hackers are doing with that data.  As a bonus, I also got to watch the small sideshow happening around the (unrelated) GoT episode leak from one of HBO’s broadcast affiliates.

Digital transformation has reshaped the world we live in.  The digital world is no longer just where we get our work done; it is now where organizations deliver value, and it is a core element of business strategy.

But digital transformation has a dark side too.  It has reshaped risk, because the data itself has a value that transcends the 1s and 0s that make it up.  As we participate in this digital revolution, risk will be a constant companion.

We have mentioned before, and it bears repeating, that you can’t prevent 100% of breaches.  In the media sector alone, we have seen recent breaches at HBO, Netflix, and, more infamously, Sony Pictures.  Each of them has revealed some critical lessons that all organizations can learn from.

What We Learned from the Sony Breach

The Sony breach really set a new bar for the sheer number of things that employees could do wrong before and after a breach: text files filled with passwords, unencrypted classified reports with little access control, confidential conversations in email, and dozens of critical and embarrassing software vulnerabilities left unremediated.    

Still, even with all of those strikes against it, Sony’s key failure was that it didn’t have a clear picture of what its critical data was, who could access it, where it was stored, or what could happen if any of it were to leak, either by accident or on purpose. Let’s pause for a minute and consider all the stolen data that could be considered the “crown jewels” at Sony.

  • Private employee information including social security numbers
  • Intellectual property including unreleased films
  • Screenplays for future film projects
  • Security certificates for servers that were used to prove identity
  • Internal and external account credentials and plaintext passwords
  • Social media login information for all Sony properties
  • Banking information and non-public financial reports
  • Confidential executive communications (including some very embarrassing ones)
  • Contracts with actors and other Sony personnel
  • Insider project information including future projects
  • Compliance data and IT audit reports

Even with all the next generation firewalls, endpoint solutions, and security black boxes thrown at the situation, without a rudimentary understanding of their critical data, Sony didn’t stand a chance.  Then, on top of it all, this lack of understanding meant that Sony didn’t have a clear response path.

Lessons: Compliance reports will show you where you have control weaknesses, but they won’t show you where your critical data is, how it is being handled (and by whom), and where it might go.  And often, large segments of crown jewels data (embarrassing emails, film scripts, etc.) aren’t regulated at all.  A clear understanding of your critical data is key, because you can’t protect what you can’t identify.

What We Learned from the Netflix Vendor Hack

Netflix was recently a victim of a cyberattack as well.  Hackers stole episodes of Netflix’s hit show Orange is the New Black and attempted to ransom them back to the company.  What makes this so interesting is that the episodes weren’t stolen from Netflix but rather from a vendor in charge of a post-production process for the program.  This highlights another critical element in the crown jewels risk scenario: third-party risk.

Most organizations have relationships with third parties at some level, whether through contract manufacturing, payroll, legal, cloud services, or even media production.  This means that valuable data is traveling back and forth across the organizational perimeter and leaving the immediate control of the data owner.  Organizations need to be keenly aware not only of this risk but of its implications.

In a bold move, Netflix refused to be blackmailed by the attacker, and the episodes were released.  Netflix didn’t experience a decrease in viewership due to the release, but this is likely because the Venn diagram of “fans of the show” and “subscribers of Netflix” is pretty much all overlap (i.e., no incentive to download illegally).

Also, as is typical of Netflix, all new episodes are available on the release date, and viewers don’t need to wait for weekly episodes to continue the story. But had this been a wide movie release or typical episodic television, the impact could have been more severe.  Still, Netflix made a value calculation when deciding how to respond, and it was quick to determine that it would not give in to the attacker’s demands.

Lessons: Organizations need to make their own determinations on the value of their data and game plan responses. Also, organizations should consider third parties when assessing crown jewels data and the protections necessary.

What We Learned from the HBO Breach

The breach at HBO is a lesson in inevitability. Like Cersei eliminating her contenders for the Iron Throne, determined and malicious actors with a clear target are bound to get in eventually. In fact, the HBO attacker said that the $6 million ransom requested reflects the six-month persistent effort to compromise and exfiltrate nearly 1.5 TB of data.  Now episodes of HBO shows such as Curb Your Enthusiasm, Insecure, and Ballers are available online along with scripts from Game of Thrones.  Other data, like actors’ personal information, was also released, no doubt leaving them quite upset at their employer.

Media companies like HBO are in a bind.  Their material has a short shelf-life. Most of the value for a new program will be captured not long after the release. The choice between allowing hackers to dissolve this value ahead of the release or paying ransom becomes a business decision. 

Having a plan in place before an attack, however, is critical.  This allows you to assess, improve, and manage this data commensurate with its value to the organization.  While putting the focus on the data that is most valuable seems like common sense, it rarely plays out that way in the real world (with catastrophic consequences as the result). 

HBO has also learned lessons these past few weeks about the Insider Threat.  When employees of a partner company leaked a Game of Thrones episode online, HBO received another black eye.

Lessons: A persistent attacker will find a way through defenses.  It’s up to the organization to have layers of security in the right places to neutralize the ability to take data critical to the business. And like Netflix, risk goes beyond the borders of the organization and into any contracted third parties.  Any security plan must identify those risks; quantify them; and accept, mitigate, or transfer those risks.

The common thread in these breaches: Companies were all faced with the theft of their crown jewels. While the nature of the stolen data and the reactions of the organizations varied, the lesson learned is that these scenarios need to be assessed and a game plan needs to be in place.  While some organizations will increase IT audits in an attempt to solidify their defenses, a better strategy would be to assess the crown jewels data itself, identify the threats against it, strengthen your defenses, and not let your focus waver.  This strategy will better prepare any organization for the inevitable breach and will make a measurable difference in the impact that a breach has on your organization.

(Image source: https://giphy.com/)
