The cyber supply chain risk management problem with Disney and Depp


Multimillion dollar movies and TV shows are increasingly being targeted by cybercriminals. ESET's Stephen Cobb investigates the cyber supply chain risk management problem and explains what to do about it.


As a security researcher, I don’t get many chances to drop Hollywood names like Disney and Johnny Depp. However, attentive readers of WeLiveSecurity may have noted the collision of cybercrime with Hollywood in last month’s story, “stolen by cybercriminals”.

I didn’t comment on the story then – the WannaCryptor/WannaCry story was still sucking up a lot of time and headlines – but I would like to pass along advice that can help to prevent future high-profile thefts of digital IP (Intellectual Property).

Clearly, multimillion dollar movies and TV shows – like Orange is the New Black – are now being targeted by bad actors of the digital kind, black-hatted hackers – in other words, cybercriminals. My theory is that these plunderers of IP are trying to find the best business model by which to monetize their ability to get their hands on pre-release copies of major productions. So, every movie studio and TV production company needs to be thinking about what they can do to protect their digital assets, not just on location and in the studio, but in every other place to which those assets travel during the production process.

Framework and process

One field-tested security strategy for information systems and digital content is to address the problem through processes, people and technology. On the process front, all companies involved in the production of digital IP should, by now, be adhering to a proven information security framework that fully addresses supply chain risks. That includes making sure your digital IP is protected at all times, even during post-production (or maybe we should say especially during post-production, given recent incidents).

“There is a ready-made cybersecurity framework that companies can use.”

Fortunately, there is a ready-made cybersecurity framework that companies can use, at no charge, thanks to the US federal government, which has done some sterling work in this area, namely the NIST Cybersecurity Framework.

The current version is a great way to get a handle on your organization’s cybersecurity, and the next version, currently in draft, goes even deeper into the need to maintain cybersecurity throughout the supply chain. For that reason, the draft is worth quoting at length:

“The practice of communicating and verifying cybersecurity requirements among stakeholders is one aspect of cyber supply chain risk management (SCRM). A primary objective of cyber SCRM is to identify, assess and mitigate ‘products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain.’”

So what does cyber SCRM entail? Here again is the framework:

  • Determining cybersecurity requirements for suppliers and information technology (IT) and operational technology (OT) partners
  • Enacting cybersecurity requirements through formal agreement (e.g. contracts)
  • Communicating to suppliers and partners how those cybersecurity requirements will be verified and validated
  • Verifying cybersecurity requirements are met through a variety of assessment methodologies
  • Governing and managing the above activities.

To summarize: you need to check that you have binding commitments from all entities that touch your digital IP project, attesting to the fact that they have a full set of cybersecurity defenses in place. Furthermore, all parties need to be aware that you reserve the right to audit those commitments.

Some concrete examples might help, so consider these items from a fairly standard assessment form, used to perform the initial due diligence when a potential vendor or supplier, such as a post-production company, requests access to your systems in order to work with your content:

  • Does the party have an appropriate and up-to-date information security program in place, with documented security policies, standards and procedures?
  • Does the party employ physical security mechanisms to ensure only authorized parties have access to sensitive areas containing information assets?
  • Are vendor employees educated on what information can and cannot be transmitted via email?
  • Does the vendor have policies defining access control and administration?
  • Does the vendor’s user authorization capability enable administrators to group users into roles, and define specific permissions for each role based on least privilege?
  • Who is responsible for granting access to IT system resources?
  • Are third party workers allowed to share login credentials?
  • How often are user access privileges reviewed for appropriateness?

If you do not have the answers to those questions, and many others like them, for each of your suppliers, then you are not meeting the reasonable standard for your IP protection. In other words, if some IP goes missing, you will face criticism for failing to meet minimum security standards.

People and technology

I’m not going to go into a lot of detail on the people and technology parts of the process/people/technology triad in this article. Suffice it to say that the people part of the security strategy involves making sure your employees are both trustworthy and well-trained in cybersecurity. Of particular importance is teaching them how to deflect social engineering attacks, either the kind that comes at you in deceptive emails, or those that appear in person (the unchallenged person on the lot who looks like he’s with the utility company).

Fortunately, there are some excellent free resources that you can use to get started with cybersecurity education. For example, businesses can use the free ESET Cyber Training online. This is a great option to recommend to your suppliers if they are smaller firms pleading poverty when it comes to employee training.

“The technology response has to include a healthy dose of encryption and multi-factor authentication.”

The technology response has to include a healthy dose of encryption (encrypt everything of value in transit and at rest) and multi-factor authentication (make sure all access to systems that process valuable IP is identified, logged, and monitored).

Access to digital assets should be revoked promptly when employees depart or contracts are ended.
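Prompt revocation is easy to state and easy to miss in practice, so the check worth automating is a reconciliation between the HR or contracts record of who has left and the asset platform’s list of accounts that are still enabled. The script below is an added example, not code from the article or from ESET. It assumes two constructed CSV exports (a departures list with `user` and `end_date`, and an active-accounts list with `user` and `last_login`); those column names and the sample rows are assumptions made for the example.

```python
"""Offboarding reconciliation: find accounts that should already have been revoked.

Added example (not from the WeLiveSecurity article or ESET). Input formats and
field names are assumptions: an HR/contracts export of people whose employment
or contract has ended, and the content platform's list of enabled accounts.
"""
from datetime import date, timedelta

# Constructed sample data: people whose employment or contract has ended.
DEPARTURES_CSV = """user,end_date,reason
alice,2017-05-31,resigned
bob,2017-06-15,contract-ended
carol,2017-07-10,contract-ended
"""

# Constructed sample data: accounts still enabled on the content platform.
ACTIVE_ACCOUNTS_CSV = """user,last_login
alice,2017-06-20
bob,2017-06-14
dave,2017-06-29
"""


def parse_csv(text):
    """Minimal CSV reader for the simple, comma-free fields used here."""
    lines = [line for line in text.strip().splitlines() if line.strip()]
    header = lines[0].split(",")
    return [dict(zip(header, row.split(","))) for row in lines[1:]]


def overdue_revocations(departures_csv, active_csv, today, grace_days=0):
    """Return enabled accounts whose owner's end_date has already passed.

    `today` is an ISO date string (or a date). Each hit records how many days
    overdue the revocation is and whether the account was used after the end
    date, which is the case that needs an incident response, not just cleanup.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    active = {row["user"]: row for row in parse_csv(active_csv)}
    hits = []
    for person in parse_csv(departures_csv):
        end = date.fromisoformat(person["end_date"])
        if end + timedelta(days=grace_days) >= today:
            continue  # departure not yet due, nothing to revoke
        account = active.get(person["user"])
        if account is None:
            continue  # already revoked, as it should be
        last_login = date.fromisoformat(account["last_login"])
        hits.append({
            "user": person["user"],
            "days_overdue": (today - end).days,
            "used_after_departure": last_login > end,
        })
    # Accounts used after departure first, then the longest-overdue ones.
    return sorted(hits, key=lambda h: (not h["used_after_departure"], -h["days_overdue"]))


if __name__ == "__main__":
    for hit in overdue_revocations(DEPARTURES_CSV, ACTIVE_ACCOUNTS_CSV, "2017-07-01"):
        flag = "USED AFTER DEPARTURE" if hit["used_after_departure"] else "dormant"
        print(f"{hit['user']}: {hit['days_overdue']} days overdue ({flag})")
```

Run on a schedule, the output is a short list that either goes to the platform administrator (dormant accounts) or to the incident response contact (accounts that were used after the person left). A `grace_days` value above zero lets a contract run a few days past its paper end date without generating noise; the default of zero matches the article’s “promptly”.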

Make sure there is protection against malicious code on all servers as well as workstations and laptops. Servers are often neglected and may be remotely accessible, therefore reachable by determined attackers (right now there is a thriving black market in server credentials that bad actors can buy or rent to gain remote access). Also, make sure that an alert is immediately raised and answered if malware protection is turned off (turning off AV measures is often the first thing system intruders will try to do).
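The “alert immediately if malware protection is turned off” control can be checked against endpoint logs rather than trusted to a console setting. The detector below is an added example, not code from the article or from ESET. It reads a constructed JSON-lines export of Windows event records (the export format and field names `time`, `host`, `event_id`, `user` are assumptions) and keys on the Microsoft Defender Antivirus operational-log event IDs for protection being disabled (5001 real-time protection, 5010 malware scanning, 5012 virus scanning) and their re-enabled counterparts (5000, 5009, 5011). It raises one alert per disable event, records whether and how quickly protection came back, and lists hosts that are still unprotected at the end of the log.

```python
"""Raise an alert whenever endpoint malware protection is switched off.

Added example (not from the WeLiveSecurity article or ESET). The log format is
an assumed JSON-lines export of Windows event records; the event IDs are the
Microsoft Defender Antivirus operational-log IDs for protection disabled and
re-enabled.
"""
import json
from datetime import datetime, timezone

# Defender operational-log IDs meaning a protection component was turned off.
PROTECTION_DISABLED_EVENTS = {
    5001: "real-time protection disabled",
    5010: "scanning for malware disabled",
    5012: "scanning for viruses disabled",
}
# The event that restores each disabled component (enabled counterparts).
RESTORE_EVENT_FOR = {5001: 5000, 5010: 5009, 5012: 5011}

# Constructed sample log: a short blip on an edit workstation (restored in 29 s)
# and a render server whose protection stays off; 1001 is an unrelated event.
SAMPLE_EVENTS = """
{"time": "2017-06-20T08:02:11Z", "host": "edit-ws07", "event_id": 5001, "user": "jdoe"}
{"time": "2017-06-20T08:02:40Z", "host": "edit-ws07", "event_id": 5000, "user": "jdoe"}
{"time": "2017-06-20T09:15:03Z", "host": "render-srv02", "event_id": 5001, "user": "svc-render"}
{"time": "2017-06-20T09:15:04Z", "host": "render-srv02", "event_id": 5012, "user": "svc-render"}
{"time": "2017-06-20T10:00:00Z", "host": "edit-ws03", "event_id": 1001}
"""


def parse_time(value):
    """Parse the UTC timestamps used in the constructed export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_protection_disabled(events_jsonl):
    """Return one alert dict per disable event, in log order.

    `restored_after_s` is filled in when the matching enable event for the
    same host is seen later in the log; None means protection is still off.
    """
    alerts = []
    open_alerts = {}  # host -> alerts on that host not yet matched by a restore
    for line in events_jsonl.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event_id = event.get("event_id")
        host = event.get("host", "unknown")
        if event_id in PROTECTION_DISABLED_EVENTS:
            alert = {
                "host": host,
                "time": event["time"],
                "user": event.get("user"),
                "event_id": event_id,
                "reason": PROTECTION_DISABLED_EVENTS[event_id],
                "restored_after_s": None,
            }
            alerts.append(alert)
            open_alerts.setdefault(host, []).append(alert)
        elif event_id in RESTORE_EVENT_FOR.values():
            restored_at = parse_time(event["time"])
            still_open = []
            for alert in open_alerts.get(host, []):
                if RESTORE_EVENT_FOR[alert["event_id"]] == event_id:
                    elapsed = restored_at - parse_time(alert["time"])
                    alert["restored_after_s"] = int(elapsed.total_seconds())
                else:
                    still_open.append(alert)
            open_alerts[host] = still_open
    return alerts


def hosts_still_unprotected(alerts):
    """Hosts with at least one disable event never followed by its restore."""
    return sorted({a["host"] for a in alerts if a["restored_after_s"] is None})


if __name__ == "__main__":
    found = find_protection_disabled(SAMPLE_EVENTS)
    for a in found:
        state = "still OFF" if a["restored_after_s"] is None else f"restored after {a['restored_after_s']} s"
        print(f"ALERT {a['time']} {a['host']} by {a['user']}: {a['reason']} ({state})")
    print("unprotected hosts:", hosts_still_unprotected(found))
```

Every disable event produces an alert even when protection comes back seconds later, which matches the article’s point: the disable itself is the signal, because it is what an intruder tries first. The `restored_after_s` field is there to help triage, not to suppress; a host in the unprotected list at the end of the run is the one to answer first.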

The last line of defense against cybertheft and extortion is to ensure you have safely preserved digital copies of all assets. A robust and frequently-tested system backup and recovery regimen is essential. And this regimen needs to encompass all assets – too often we hear companies say “we did have a backup program in place, but there was this one set of files that was not included.” Guess which one the bad guys are now ransoming?

When scenarios become reality

“One of the biggest failings in companies of all sizes is the lack of adequate preparation for when a security incident does occur.”

One of the biggest failings in companies of all sizes is the lack of adequate preparation for when a security incident does occur. Even when you have the right defensive technologies and processes in place and your people are well-trained, a breach can occur. When it does, you need to activate your incident response plan. Pre-designated personnel need to reach out to your designated legal and law enforcement contacts. (If you don’t yet have these in place, take care of it now, before there is a crime to report.) Get to know your local FBI office. In many parts of the country the FBI coordinates digital crime task forces.

Some companies fail to report computer crime because “law enforcement probably won’t do anything”. In my opinion, that is a mistake. Your report could be the missing link in a string of crimes already under investigation (and of which you have not yet heard). Furthermore, law enforcement can’t make a strong case for more resources to prosecute digital crimes if people don’t report them. Today’s law enforcement agencies are sensitive to data confidentiality and business concerns and will work with you without disrupting your work.

What you should not do is pay to get ransomed IP back. Paying a ransom only encourages criminals to try it again – on you or some other company. If someone has cloned a digital asset and wants money not to release it to the public, hold your ground. If they do release it that will give law enforcement more clues for identifying the perpetrators. If you are hit with ransomware that has encrypted files and demanded payment, be aware that paying a ransom is no guarantee of getting the files decrypted.

Clearly, the entertainment industry is not exempt from the attentions of cybercriminals and they are currently exploring ways to exploit the industry’s increasing reliance on a cyber supply chain. The time to check your defenses is now, not later.
