M&E Daily

Richie May: Hackers are Taking Advantage of Decentralized Workforces

Now that organizational teams are more disperse than ever due to the COVID-19 pandemic, attackers are taking advantage of this and other new vulnerabilities, so the impact of hacks has exponentially increased, according to Michael Wylie, director of Cybersecurity Services at Richey May Technology Solutions (RMTS).

If organizations don’t test their security with penetration tests and social engineering, hackers will, but vendors and studios can fight off attackers by engaging in ethical hacking engagements, he said Oct. 20 during the online Media & Entertainment Day event.

He pointed out during the Threat Vectors & Monitoring breakout sessionWhat do Joe Biden and Kim Kardashian have in Common?” that he also goes by the nickname Dr. TPN because he is a Trusted Partner Network qualified assessor.

But he joked: “Hi, I’m Kim Kardashian and I’d like to match your charitable contribution today.” And he joked he also goes by another name: “Hi, I’m Joe Biden and I’d like to match your charitable contribution today.”

Answering the question of the session’s title, he said Biden and Kardashian  seemed to both tweet an “irresistible offer” for the community on July 15, claiming all Bitcoin sent to an address included in the tweet would be sent back doubled.

That is because: “People will believe these tweets. People believe criminals. People are often the weakest link in our security postures,” he told viewers.

On July 15, Twitter also tweeted it had been subjected to what it believed was a “coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” he noted.

According to an affidavit, a 17-year-old used social engineering to convince a Twitter employee he was a co-worker in the company’s IT department and connived the employee into providing him access to enter the customer service portal, Wylie said.

That vishing (voice phishing) attack netted scammers more than $100,000 by posting on behalf of Biden, Kardashian and other celebrities, according to RMTS.

Phishing and vishing incidents are more impactful today due to:

  1. A Dispersed workforce
  2. Flexible hours
  3. Workplace distractions including virtual schooling and UPS deliveries

“Pre-COVID-19, word of” suspected phishing or vishing campaigns “would go around the office like wild fire,” Wylie said. That is because people in an office would warn each other about weird messages they received and tell each other not to click on them. “But with a decentralized workforce like we’re seeing today, it may take hours or even days for teams to be aware of a new threat,” according to Wylie.

“Attackers are preying on all these opportunities,” he said, noting: “If you go to any of the new reports… we’re all going to see a massive uptick of attacks this year that were successful. We internally have been calling this the year of breaches.”

In another incident, Bangladesh bank heist hackers were only able to get away with $100 million instead of $1 billion planned because the attackers made mistakes with their online transfer effort, he pointed out.

He joked: “How could Twitter have helped Kim [Kardashian] sleep better through the night? Well, I’m not sure what Kim’s doctor prescribes for insomnia induced by security incidents but I do know that Doctor TPN would have prescribed a penetration test and maybe a dose of phishing or vishing tests.”

A vulnerability scan alone does not always suffice as a penetration test, he warned, and explained what security testing is and is not.

What Security Testing is Not:

  1. Just someone trying to hack you
  2. An inexperienced person running scans
  3. Evidence that you are secure
  4. A $750 commodity
  5. Something to take lightly

What Security Testing Is:

  1. A collaborative experience to fortify an organization’s defenses
  2. A simulated attack performed by a highly skilled, ethical hacker
  3. A point-in-time test of certain security controls
  4. An opportunity to identify false assumptions and build better controls
  5. An opportunity to find vulnerabilities and fix them before criminals exploit them

The Motion Picture Association (MPA) published a Best Practices V4.06 Update about a year ago in which it defined what actual penetration testing requires, Wylie pointed out. The update noted that such testing “often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual hackers” and “most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.”

Security can often be an illusion, Wylie warned, saying that, in his job, he makes sure organizations’ security controls are working and “not an illusion.”

As an example of the illusive nature of security, he pointed to an image of two security guards seemingly watching people coming and going on a monitor. However, a closer look shows they are actually playing video games.

He also showed an image of a security control of a building in which somebody put the 1234 password right next to the PIN pad, making the system useless. And then he showed an image of a chain tied to keep a gate closed, but that chain is tied together with just a zip tie. As the old saying goes, he said: “You’re only secure or strong as your weakest link. I think we have a point here.”

During a recent penetration test, “we were able to gain access to our customer’s CCTV system, domain controller, file server and extricate all of their data while being undetected – all their content, their proprietary data for that organization – all because someone clicked on one of our custom phishing emails,” he pointed out.

He noted that RMTS has nine ethical hackers on its team that can perform testing like this to help organizations.

Click here to access the full presentation.

M&E Day was sponsored by IBM Security, Microsoft Azure, SHIFT, Akamai, Cartesian, Chesapeake Systems, ContentArmor, Convergent Risks, Deluxe, Digital Nirvana, edgescan, EIDR, PK, Richey May Technology Solutions, STEGA, Synamedia and Signiant and was produced by MESA, in cooperation with NAB Show New York, and in association with the Content Delivery & Security Association (CDSA) and the Hollywood IT Society (HITS).