Hack attack: TV and cybersecurity
Cyber attacks are increasing in number and becoming more sophisticated, with the cost to corporations running into the billions. With conventional security concepts increasingly powerless against them, protection requires a paradigm shift. Adrian Pennington reports.
Like every other aspect of commerce, economic crime has, to some extent, gone digital. In a hyper-connected business ecosystem that frequently straddles jurisdictions, a breach in any part of that system – including third parties such as service providers or suppliers – can compromise an organisation’s digital integrity in a variety of ways.
At one end of the spectrum are the macro events, like Distributed Denial of Service (DDoS) and Domain Name System (DNS) attacks. These types of attacks are loud, noisy and, when they happen, they interrupt service for everyone. DDoS attacks send huge amounts of traffic to interfere with organisations serving up content, while DNS attacks prevent the end user being able to find the services operators are providing to begin with. Both affect large numbers of users at a time and gain attention in the news, adding embarrassment to the existing injury.
One type of attack that can affect both the content provider and the customer equally is when web servers are compromised. According to Akamai, it’s not uncommon to see organisations have their site content compromised and embarrassing content put in its place. However, equally common are sites being used to serve malware to customers as they surf the web.
At the other end of the spectrum is the targeted attack. This seeks to compromise the computer of a specific user in order to reach something that user has access to. Every industry should worry about an attacker who can get to important financial data or sensitive customer records, but broadcasters have the additional worry that their valuable content could find its way online.
As a form of cybercrime, online content redistribution piracy is the major threat to high value content. A report earlier this year from Frontier Economics estimated that counterfeiting and piracy could drain US$4.2 trillion (€3.5 trillion) from the global economy by 2022.
However, service providers also have to consider threats to their network and systems.
“The HBO example clearly shows that data breaches and content theft are not necessarily separate threats,” says Peter Oggel, VP of technology, Irdeto. “The same digital and connected TV platforms that cybercriminals target for illegal redistribution of content also act as attack surfaces for hackers looking to gain access to service providers’ networks and potentially steal customer information and other important data. Cybersecurity strategies must consider the whole threat landscape and a 360-degree approach to security is crucial.”
According to Martin McKeay, senior security advocate at Akamai Technologies, one of the reasons security has become a higher priority is the shift in business model from ad-supported to subscription-based, and the corresponding increase in the storage of personal identifiable information of customers.
SVOD alone will generate 70% of digital revenues in Europe in 2022 according to Dataxis. It forecasts that there will be 80 million additional SVOD subscribers signing up between 2016 and 2022.
“This has fundamentally changed the way media companies need to protect their businesses and their digital assets. It’s no longer a matter of ‘if’ a media company will be attacked, but ‘when’ they will be attacked,” warns McKeay.
At the same time, shows like Game of Thrones are incredibly valuable. No one would have cared, back in the day, if an episode of Happy Days or Laverne & Shirley was leaked. Now, content thefts have tended to result in blackmail demands for money in exchange for not releasing the content before the studio or broadcaster desires it to be released.
As McKeay observes, it’s far easier for a hacker to send a well-crafted email laden with malware specifically designed to compromise an executive’s system than it ever has been for an insider to walk out the door with a hot script.
“The all-pervasive nature of digital storage, global production and IP distribution of media – in contrast to the physical storage and distribution of tapes previously, for example – means that the attack surface increases, is not geographically bound and attacks are often highly automated and continuous,” says Peter Elvidge, VP of technology at TVT.
August’s HBO attack appears to have been the most sophisticated yet, targeting the company from multiple points including employees’ Twitter feeds. Hackers may have stolen as much as 1.5TB of HBO’s data, or seven times more data than the 200GB taken in the Sony hack of 2014, which led to the resignation of Sony Pictures co-chair Amy Pascal.
As these and other cases illustrate, theft of source content is not the only target. Confidential employee data, including salary details, corporate documentation including confidential commercial agreements and emails, and customer data are at risk. Comcast paid a US$33 million settlement in September 2015 relating to theft of 75,000 Xfinity voice customer details; CBS-owned Last.fm had 43 million user details leaked in 2016.
“Media companies are very public and their services are used by entire communities and populations,” says McKeay. “A data breach can quickly yield a very large return for a hacker and therefore media companies need to realise that they are walking with a target on their heads.”
Pay TV is just one part of the ecosystem impacted: everyone with an interest in the content will suffer – broadcaster, production house, rights owner, OTT streaming services – but quantifying the impact is very challenging.
Quantifying risk and loss
“Hardly any other industry is subject to such a constant and disruptive change as the media and broadcasting industry,” says Peter Nöthen, CEO of systems architect Qvest Media. “The need to protect IT infrastructures from cyber-attacks or manipulations, however, will never change. With the rise of OTT offers and bidirectional integration of social media and online platforms, it has become even more crucial to organisations to protect consumers’ personal information.”
More than one media analyst company contacted by DTVE for this report declined to contribute since they lacked data relating to cyber-crime’s impact on pay TV. Perhaps that’s not surprising. Incidents of fraud have historically been hard to track, not least because organisations are understandably reluctant to publicly divulge theft unless forced to.
The Ponemon Institute, which carries out an annual study across major economies and industries including healthcare, technology and retail, states in its June 2017 edition that the average consolidated cost of a data breach is US$3.62 million.
It found that the country with the highest cost, both per record and per incident, was the US whereas the countries with the lowest cost per record and per incident were Brazil and India. It found that the average size of a data breach – the number of records lost or stolen – increased 1.8% over the last year.
Another study by the same group examined reputation and share value and found that the average drop in stock price on the day the breach is announced is 5%, that companies lost on average 7% of their customers and that 31% of consumers discontinue their relationship with the company following a breach. “There’s no reason to suppose these figures are markedly different when applied to pay TV operators,” says Rik Turner, principal analyst, infrastructure solutions, Ovum.
Other surveys have shown that DDoS attacks are the most common form of attack suffered by media companies of all sizes. A study showed that the cost of such an attack can be US$40,000 per hour. The cost of a full data breach could certainly be far more significant than that in bad publicity, retrospective remediation actions required following a breach and in increased regulatory fines.
With the advent of the EU’s General Data Protection Regulation in 2018 those costs could be driven even higher, because sanctions can include a fine of up to €10 million or 2% of a company’s annual worldwide turnover of the preceding financial year, whichever is greater – far exceeding the current maximum of £500,000 (€545,000).
Norbert Schirmer, VP, business unit end-point security, Rohde & Schwarz Cybersecurity, likens the scale of cybercrime to that of the global drug trade.
According to the report Secure My Site, over half of media IT execs lose sleep worrying about cyber-attacks. Nearly a third admit to experiencing an attack. And while 61% of CEOs admit concern about cyber security, fewer than half of board members request information about their organisation’s state of cyber-readiness, reports PwC.
“There’s no question that cybersecurity is now at the top of board agendas,” says Mark Harrison, managing director, Digital Production Partnership (DPP). “There is a lot of anxiety about how you achieve it.”
A collection of CEOs and CTOs will convene behind closed doors at IBC to thrash out cybersecurity concerns. “If there is one lesson all companies should [understand] it’s that cybercrime is not an IT problem,” says PwC partner Kris McConkey.
There is of course no silver bullet.
“No matter what a security vendor will tell you, there is no single piece of software or managed security service that will guarantee and disarm a cyber criminal from breaching your systems,” says Elvidge. “Whether you’re a content owner or SVOD provider, security is a matter of baking security into your corporate culture, along with continually testing and ensuring systems are up to date.”
Broadcasters and pay TV operators “should look strategically across their entire business and devise multi-layered defences that will protect their assets” suggests McKeay. “Particularly when it comes to applications and services – for both internal use and external websites and OTT apps – their data centres and their DNS. Since hackers and malicious users now use many attack vectors – media companies need to be prepared on all fronts.”
He says many organisations have historically viewed security as something to be tacked on at the end of the process – something that is simply icing on the cake, and often more bother than it’s worth.
“This was an acceptable stance to take a decade ago, particularly when targeted attacks were rare and the losses from most attacks were minimal and easily forgotten. But modern attackers are taking a more strategic approach – they’re targeting specific companies, their users and the valuable data they hold,” he says.
In the GoT example, attackers sent a fake email to an executive and when it was opened, the malware contained in the attachment executed. This malware, often called a RAT or Remote Access Tool, enabled the attackers to view and download everything the executive had access to.
Another tactic used by attackers may be to disrupt the bandwidth needed to serve up the content for high-speed users. According to McKeay, “If an attacker can produce an attack that causes buffering for the end user by tying up the network of the provider, they can cause significant complaints from the user base and the ratings of the provider takes a hit.”
Ransomware, in particular, plays a large role in attacks on sensitive data. In principle, ransomware encrypts the contents of computer files so that they cannot be opened without the key that correctly decrypts them. A ransom must be paid to receive the key. Once malware has infected a computer, it can spread to other devices in the network and completely cripple operations.
“Attacks such as WannaCry and Petya have changed the game by using ransomware, which usually extorts funds, as a cover,” says Schirmer. “This is evidenced by the fact that Petya erases portions of the hard drive instead of blocking access, and that the hackers proved to be very negligent in collecting their ransoms.” Schirmer calculates that around 360,000 new viruses are discovered daily. In the first three days after discovery, 27% of malware remains undetected. “This means that attackers have already infected many thousands of devices before they are discovered and stopped,” he says. “New types of attacks, called zero-day exploits, exploit security gaps before they can be found and closed. Antivirus software programmes have no chance of warding off these attacks.”
Verimatrix is concerned that certain service providers collect data without understanding how it should be used – or how it should be protected.
“If data is being aggregated that isn’t going to provide any value, it should be deleted before it has the chance to become a liability,” says CTO Petr Peterka. “There are various rules and guidelines in place about how data can be used and when it needs to be anonymised. These are new considerations that service providers didn’t need to understand or address just a few years ago.”
Verimatrix claims to be the first company to offer fully integrated encryption, key management and watermarking solutions for both managed and unmanaged networks. Its capabilities for video tracking and forensic identification offer protection for high-value content such as UHD, early release VOD and live content.
“The toolbox includes VideoMark client-side and StreamMark server-side offerings for forensic tracking, through which Verimatrix equips service providers with a range of more flexible anti-piracy tools and deployment options that they need to secure and monetise the latest premium content services and delivery methods,” says Peterka.
R&S’s Schirmer advocates what he calls proactive solutions. For example, by using trusted virtual domains, the production servers that contain films can be isolated from the regular Office IT and better protected.
“It is also important that products are developed based on the Security by Design principle, where security is an explicit requirement in the development process and holistic security measures are taken into consideration, implemented and tested at all stages – starting with product inception,” says Schirmer. “Beyond isolating production servers, proactive solutions can and must be implemented.”
The virtual browser is an example of a security solution that does not react to an attack and instead proactively keeps it from reaching the IT system. Around 70% of malware enters the network via browsers. Strict isolation is used to decrease the range of targets.
“Browsing takes place in a virtual browser that is hermetically isolated from all other applications and data, making corporate data invisible to an attack such as ransomware,” he explains. “Viruses, Trojans and similar malware remain enclosed in this environment and cannot spread to the computer or local network. Attacks on the Windows host system fail, regardless of the type of attack. If malicious code corrupts the browser, the virtual browser environment simply restarts and is immediately virus-free and ready for use.”
New firewall technologies should also be employed. Conventional firewall technologies use blacklists that block only data packets that have known attack patterns, which Schirmer says is useless against new and unknown attacks. “More effective are next generation firewalls whose new technologies proactively inspect data packets,” he says. “Packets are allowed to pass only if they can identify themselves as friendly. All others, including unknown data packets, are rejected.”
Pre-empting potential threats is also hugely valuable, and allows platform builders to take a proactive approach to prevention. The key here, according to Oggel, is understanding the threat landscape, from the evolution of piracy to how hackers are using increasingly sophisticated attacks to target networks and steal data.
“This is a major challenge for service providers, as the main piracy threat has shifted from control word sharing to content redistribution and the increasing use of illicit streaming devices and pirate plug-ins. Meanwhile, hackers are evolving their attacks from tactics like phishing, to gain credentials, to using WiFi to steal credentials via Evil Twin attacks. Working with a security partner who has expertise in both the media industry to protect content as well as really understanding cybersecurity is what’s needed. That blended knowledge is key.”
One of the most dangerous situations is when an operator decides to connect devices that were never designed to be robust against network attacks. This applies to headend components as well as client devices such as STBs. Conax gives the example of retro-fitting network capabilities in vulnerable STBs, which may not only expose the operator to being held to ransom in the face of a DoS attack, but could equally give an attacker an entry point into a household network.
“This is why the Conax STB security evaluation has for some time now reported network attack robustness as a separate security level so as to raise awareness to operators that security threats to a STB population encompass more than simply content protection,” says Anders Paulshus, security development director.
Although the valuable content within MAM systems will often reside in a different part of the organisation than billing and subscriber data, the connected nature of many networks means that breaching one area might lead to lateral movement to the other.
“Some operators are enacting similar types of controls to banks and standards like PCI-DSS – mandated by credit card companies for anyone handling card data – are in many ways helping to focus minds,” says Elvidge. “The main issue is that many operators leave much of the payment taking to third parties and although their brands are attached to this process, they may not be directly hands-on. For operators in this situation, it is a case of holding feet over the fire of the financial service providers and getting them to show how they are maintaining operational security and to what standards they are compliant against.”
According to recent DBIR research, a quarter of all breaches involve an ‘internal actor’, underlining the need to train staff and place controls that ensure only the right people have access to content.
Steve Plunkett, chief technology officer, broadcast and media services, Ericsson, says: “Many of the recent high profile attacks have originated inside organisations’ digital perimeter on compromised machines, often the result of phishing attacks where users unwittingly installed malicious software on their PCs by interacting with nefarious emails purporting to be from trusted sources.”
Operators can take as holistic an approach as they want but even that may not be enough. Conax warns that ‘housejacking’ could be the next big threat to pay TV.
“While pay TV operators are taking measures to protect their content, they may not be aware that today’s new generation of pirates also have additional goals for hacking than getting hold of an operator’s premium content,” says Paulshus. “The IoT and connected nature of all we own increases hackable IP addresses. DDoS attacks present a new threat for operators as hybrid STBs may present attractive vehicles to access connected homes based on ‘always on’, internet-based services.”
Hackers exploiting unsecured hybrid STBs may aim to install malware to take control of the STB, or as a platform for attacking other devices in the home.
Everything with an internet connection can be compromised: lights and webcams can be taken over, credit card details stolen, and electronic signatures for automatic garages used to gain access to the home.
“Hacking connected devices such as hybrid STBs is easy and inexpensive to carry out, and a high level of knowledge about hybrid STBs is not necessary to compromise them,” Paulshus says. “Hacking kits and malware created by advanced hackers are available on forums for use by anyone who can follow a set of instructions. As these hacks become more frequent, the general public’s interest in security will grow and, eventually, they will demand that IoT suppliers implement the necessary precautions to ensure that their private information is kept safe.”
Separation technologies can help secure hybrid STBs by preventing malicious apps and malicious software from attacking the security core of the STB.
Qvest reports that the incorporation of security concepts as a part of RFP requirements is steadily increasing.
“We advise operators and suppliers to take a three-step approach to protect their companies against cyber threats,” says Nöthen. “The first is to perform a comprehensive assessment of cybersecurity postures of their infrastructures. The assessment will lead to the development of a determined strategy to improve cyber security postures by adding network security devices and layers as well as further network protection measures. Lastly, the set-up of a security operation centre is needed to actively monitor threats. Alternatively, media companies can commission a managed security service provider that offers 24×7 security monitoring.”
While nothing will cast-iron guarantee content against cyberattack or pirated streams, following these best practices for security can reduce exposure.
“Unfortunately, many organisations still don’t recognise cybercrime as it truly is – a competing business entity that continues to grow its illegal offerings,” says Oggel. “Cybersecurity strategies in the pay TV industry must consider a broad range of vulnerabilities. Once organisations and the content production market have made this mind-shift, the more effective the industry will be at recognising and combatting cybercrime.”