After 30 years in IT, Hubbard’s Paul Anderson has some valuable thoughts on how broadcasters can make their IT networks less vulnerable to cyberattacks and breaches. And, he adds, don’t forget about being prepared to survive natural disasters as well.
Paul Anderson, director of corporate information services at Hubbard Communications, says the television industry reached a real tipping point in awareness of cybersecurity in 2014 — the year both Sony Pictures and Target were subjected to widely publicized hacks.
In fact, at Hubbard’s January 2015 senior management review of cybersecurity at the company, every manager in attendance acknowledged that their company was probably vulnerable to some sort of security breach, he says.
Anderson, who has been with the broadcaster for the past three years, suspects that heightened awareness isn’t unique to the management team at Hubbard. Now may be the perfect time to enlist the support of top management to take the steps needed to make broadcast IT networks and operations more secure.
With more than 30 years in IT, including the years before joining Hubbard, when he was responsible for OS and software patch management and entitlement control at a large regional bank, Anderson has some definite thoughts on how broadcasters should make their IT networks less vulnerable to cyberattacks and breaches.
In this interview with TVNewsCheck’s tech editor Phil Kurz, he discusses a range of issues, including enlisting top management to support cybersecurity remedies, working with outside IT consultants to ascertain threat levels, the importance of firewalls and subnetworks, passwords and even disaster recovery.
An edited transcript:
In your view, where should broadcasters start when tackling cybersecurity?
I think what’s most important is to understand the security status of your equipment’s operating systems. What I mean by that is all equipment has an operating system, and that operating system gets security patches.
If you think about your Windows machine at home, Microsoft is constantly doing patches.
You need to know where you are current on your patches. Sometimes the vendor is responsible for that, and sometimes you are responsible for that.
So I think the first step is to always do an inventory of your equipment and identify the operating system, identify patches that are still available and then identify if the patches are being applied.
Once you know your vulnerabilities from this inventory, it is important to present that to top management, or ownership, first.
What you really are doing is sizing up the problem. At that point, top management can look at your inventory and do a simple risk-and-reward evaluation of the tradeoff between the cost of remedying vulnerabilities and enhancing security.
It all depends on their appetite for risk, but they have to understand the risk. The inventory makes it possible for you to point out the devices that have vulnerabilities.
I think it is best to present the overall vulnerability position that you [the entire broadcast organization] are in to top management.
These are not fun presentations. Nobody wants to go to management and say, “Here’s money you spend with no [visible] result.” It’s right up there with insurance.
Once top management commits to spending money on cybersecurity, what’s the dynamic between IT and engineering to implement the changes that are needed?
Any machine that can get an IP [Internet protocol] address is essentially in the world of information technology. Your engineering equipment in and of itself is proprietary, often in a standalone black box and in many cases does not connect to the Internet, although I have to say there are also many pieces of broadcast gear with built-in Ethernet ports.
So the responsibility tends to land in the world of IT to help provide cybersecurity. However, that’s not to say that IT and engineering don’t work together.
The corporate IT committee involves IT infrastructure directors from within the company to facilitate the activity of all the responsible IT and engineering personnel involved.
I do believe, however, that there needs to be one person representing the level of risk and the recommendation for remediation to management.
Is there a role for outside cybersecurity consultants?
It’s vital to have an outside expert to work with you. There are firms out there that do penetration testing, and there are firms out there that do security assessments. I think it is important to do a combination of those. And I would start out with having somebody come in and do a security assessment.
They will ask for your inventory [of equipment, security patches, available updates, etc.] and your firewalling standards. They will ask for your network topology; they will ask for a variety of things.
Then they will go examine your network and your methods and come back to you with information.
They often also will have a service to do penetration tests. They use known techniques and start trying different hacking methods.
Every single vulnerability is cataloged in their formal report. They put them in the order of severity and the risk of them happening, and then you go about fixing them.
From a network topology point of view, how important is segmenting your networks with firewalls and isolating subnetworks to make it harder for hackers to take down your entire network?
Those are important steps, and I would advise to protect the production environment first. You may take every piece of equipment that has anything to do with transcoding, transmission, recording, etc., and put it on a subnetwork behind a firewall. So it is still on the Internet, but there is that last wall of protection. That’s where I think most news operations have the most risk.
So the importance of firewall protection from outside intruders is pretty well understood. Are there any commonly overlooked vulnerabilities?
You definitely do need to protect against unauthorized connections to the network. Unfortunately, someone in the building can access the network just by plugging into any active Ethernet port and they are on your network.
When I worked in the banking industry, it was a common auditor’s step when they came into the bank to find all of the available Ethernet ports and plug in. If they were hot, the bank got dinged.
If you think about the news business, you have a lot of people coming in. That’s the nature of the business. That said, I have not heard in the news of a breach where people come in and hack the [news] system.
Should individuals make up their own passwords to access networks and systems or should organizations assign them?
When it comes to assigning passwords, we don’t. However, we have the ability with every computer system to set the length and makeup of the characters. So we go with at least eight characters with one alpha, one number and one uppercase.
Having a complexity standard that is enforceable through the administration panel is important.
Remember, the easiest way to hack into anybody’s account is to get the account ID and the password. The password world is really a matter of discipline. Sometimes you do share them. Sometimes you do need to write them down. You need to put them somewhere where they are not out there in the open.
I know I have trouble remembering all of my passwords. What are your thoughts about password management software to help people like me?
I have been in classes where instructors emphasize that that is a good way to approach passwords, and the reason why is you can put up very complex strings of characters and not need to remember them or not need to have them nearby to reference.
What you are really doing is entering the one password that you need to remember and then letting that password management system handle the translation to the more complex password for the system.
How do personnel changes fit into the password equation?
A key process in any company is to manage who has access. There are three critical time periods: when employees start, when they get a new job in the company or a transfer and when they leave. Those are often vulnerable processes. If you have 2,000 people who work for you in 20 locations, you may not have a complete process for assigning, re-assigning and terminating access rights.
What do you think about secretly testing the computer habits of employees as they relate to cybersecurity? Maybe sending out fake spam messages with attachments and counseling employees who open them?
You have to find a way to communicate, and that may be a good way to start the conversation. Half of the battle, honestly, is awareness, communication and smart computing practices.
Any other thoughts on cybersecurity?
Not exactly, but one on a closely aligned field. I am a big believer in disaster recovery. We still have the risk of data loss and system loss by natural disaster. And that can be more crippling and probably happens more often than all of the hacks we have talked about.
With a natural disaster you have a data loss risk, but perhaps no ability to recover your system. So if you have weather come through and flood your data center and you lose everything, a lot of companies are left with a mishmash of tapes and no idea of how to build it back.
But really they probably don’t have the time to rebuild their business infrastructure. So we always want to emphasize the need to recover.
Money is important to the P&L in any business. Operating costs are important. And I think we have in our business a lot of smaller operations that unless you provide a very cost-efficient solution — say from an ownership group — they’re never going to be able to build that protection in, and that includes both the security and disaster recovery aspects.