CEOs Beware: Ransomware Attacks On Broadcasters Hit ‘Ocean’s 11’ Sophistication
The information security stakes are so high and attackers so deft at deploying new tricks that broadcasters need an arsenal of protection and mitigation strategies against ransomware.
To prepare against a ransomware or other security attack, a broadcast chief executive officer should begin by asking the chief information security officer (CISO) about the existing level of threat.
Once broadcasters come to terms with the idea that a data breach is more of a “when” than “if” scenario for a number of reasons, they can begin to take protective measures to tighten up their security systems to minimize the potential for damage and create plans for remediation and recovery.
Information security (infosec) attacks have evolved.
Mike Kelley, CISO for E.W. Scripps, says ransomware attacks once were a “smash and grab threat vector” in which attackers grabbed everything they could find and took off. Now, he says, they’re “acting more like Ocean’s 11. They’re getting smarter, looking to get on your network, stay on your network, hide for a while.”
A few years back, ransomware attackers began exfiltrating data before encrypting it.
That meant, as Kelley puts it, “they had two ways to get you.”
Even if the broadcaster had a backup that allowed accessing the information, the data removed from the network may still prompt the victim organization to pay because the data was either embarrassing or worth selling on the market, he says.
Now, ransomware attackers are “acting a lot more like nation states.” “Their whole goal is to get on your network, surreptitiously move across your network and hide, hide in plain sight in some cases, and stay on your network for some time,” he says.
And broadcasters are attractive targets for ransomware and other infosec breach attacks for a number of reasons.
Dmitriy Sokolovskiy, Avid’s chief information security officer, chief security officer and VP of information security, points out that broadcasters tend to be larger companies with a “lot of technical depth in various places,” such as older equipment, and are very visible.
“Increased attention leads to increased attacks,” he says. “Combine that with the other things I’ve mentioned, and that’s a recipe for bad things to happen.”
And while anyone working at a broadcasting company could be a target, CEOs are particularly attractive to ransomware attackers.
Tony Lauro, director of security technology & strategy for Akamai Technologies, says CEOs are often targeted because information technology teams often give CEOs access to everything on the network.
Because of this, Lauro says, CEOs need to be thinking about what the infosec team is doing to limit the potential impact of a breach, what the procedures are and how quickly the infosec team can respond to an attack.
But CEOs need to be asking other questions, too, experts say.
Brian Morris, VP and CISO at Gray Television, says ransomware is much more than a buzzword and that broadcast CEOs should be asking: “What do you see our threat as, our potential for being exposed, or being breached or being hurt by this? The more questions the better.”
Sharpening Risk Awareness
Sokolovskiy says broadcast CEOs need to understand the risk the organization faces, ideally from continuous assessment, but at least based on one assessment. The question, he says, is “what is our current state?”
Beyond that, he says, the assessment should quantify and qualify risks to aid in prioritization. Next, he says, the CEOs need to ask what is absolutely critical for operations. In other words, he says, they should ask, “which of these things will cause the biggest business disruption for us?”
Once risks are identified, they should be minimized as much as possible. Some of that effort will require staff training, such as to upgrade social engineering and anti-phishing awareness, and some of it will require dedicating a portion of the budget to security software, tools and technology.
Skip Levens, product marketing manager at Quantum, says a common social engineering tactic lately is for someone to drop a “valuable-looking USB key around the office that looks cool.” When someone picks it up and inserts it in a USB port, “boom, they’re in the network.”
Another thing for employees to look out for is ensuring emails received actually came from the correct domain, he said. For instance, it’s easy for an r and an l to blend together to resemble a d in a domain name.
“I was almost a victim of that,” Levens says. “It’s important to know what to look for.”
As Sokolovskiy puts it, “when risk awareness is high in the company, across the board, the chances of an employee clicking on a phishing link or making a stupid mistake is drastically lower.”
Phishing is such a common avenue of attack that Kelley says phishing simulation is essential to help educate employees.
“We’re phishing them regularly,” he says.
In addition to that, he says, it’s important to use a powerful security platform that automatically filters out the majority of phishing emails.
Zero trust comes up a lot in security conversations, and it’s important to think about how to build more zero trust strategies into the security plan, he says.
Historically, Lauro says, most organizations have run on the “old key principle” that “if I trust the network a computer comes from, then I trust all the data coming from that network.”
And all it takes is one compromised computer accessing the network via a virtual private network (VPN).
“How do we limit the blast radius, or the impact of that happening?” Lauro asks.
One strategy is microsegmentation through a tool such as Akamai’s Guardicore, which limits the scope and access of what different machines can talk to, he says.
Another basic is using a good endpoint protection client.
“We’re a big fan of CrowdStrike,” Morris says. “That was one of the first tools we bought.”
Sokolovskiy recommends employing “multifactor authentication in as many places as possible, all places if possible.”
Maintaining security is hardest when there’s a lack of buy-in, experts note.
As Kelley puts it, “security is a team sport.”
Avid’s Sokolovskiy says: “The biggest issue for us is that senior management isn’t all in on this, isn’t dedicated to solving this problem.” But when senior management buys in to the security plan, “our job becomes so much easier,” he says.
Even with planning and security measures in place, Morris says that to a “certain extent” broadcasters have to “accept that a breach of some sort is not an if, it’s a when, like hard drive failure. Somebody’s going to figure out a way in.”
Even so, Morris says, “It’s not a hopeless situation.” It’s critical that broadcasters also put efforts into remediating potential breaches, not just preventing them, he says.
Levens says CEOs should ask to see the company’s ransomware plan.
That plan, he adds, should indicate how quickly the system could be brought back up if it went down, as well as what the workaround would be for people who had to go without a home office connection during work from home conditions.
How To Act When Alarms Go Off
Broadcasters face some “grim math” in the event of a successful attack in which the company has been asked to pay a ransom or servers are shut down, he says. “It’s not the best time to realize that maybe we should have worked harder on our plan or practiced or briefed our team better.”
“Many of our customers replicate their on-site environment in the cloud so they’re ready to go at a moment’s notice,” Levens says.
The main point when developing a plan isn’t “just designing a perfect solution, but knowing how to put it in action,” he says. “If the alarm goes off, do people know what to do? How to swing into action and restore the system?”
Levens says the potential damage from a successful attack can be hard to measure. “How do you quantify loss of reputation and people thinking twice about working with you?”
On the other hand, successfully defending the organization from ransomware means business as usual.
“If you’re not hit by ransomware for 365 days in a year, you don’t get a prize,” Lauro says. “You just get to be in business for another year.”