CPS EU: Why Remote Environments are Keeping Security Experts Awake at Night
As the creative industry continues to embrace remote working, real-world threats have emerged across all sectors that often result in the theft of data and high-value premium media and entertainment content, a problem that has only been exacerbated by the unknown risks and commercial implications of remote environments.
The COVID-19 pandemic has “created a major change in the working culture” and many professionals “now realise that it’s much more convenient to work at home,” where they can be more productive, according to Mathew Gilliat-Smith, EVP at Convergent Risks.
Many people, including in the M&E sector, now have a “better mix of work and home life” as a result, he said on June 29, during a session on “What Keeps Us Awake at Night: The Challenge of Remote Work in Creative M&E Workflows” at the Content Protection Summit Europe (CPS EU) event.
When it comes to “what we’re seeing [with] creative professionals, some are leaving larger companies and are setting up on their own,” he pointed out. “They are setting up small companies and what they’re doing is to create their own freelance community” that does not work in a traditional office environment, he said.
“Now, on top of this, you need to add in the… widespread use of cloud workflows,” he told viewers, noting: “We’ve got many new applications being used to transfer files, to perform post-production editing, screening applications and so on and so forth.”
As a result, he said, “content owners and studios are rightly asking the question ‘How can we be sure these new companies – or freelancers – are working securely and are they equipped with the knowledge and the training to be working securely? And also, is their own freelance community working securely?’”
Although many of the people watching the CPS EU session were security experts, “that’s not necessarily the case with a lot of creatives,” he pointed out and then introduced Dr. Andrew Blyth, computer forensics specialist, Oxford University lecturer, professor and director of the Information Security Research Group and computer forensics at The University of South Wales.
How Remote Work Changes the Equation
“When you go to a home working environment, there are a set of services that you forget about,” according to Blyth. “If you work for a large organisation, you have IT support, you have all of the issues of patch management and firewalls, protection and software licensing and things like that,” he explained. However, “when you go to working at home and you’re working in your home environment, you don’t necessarily have the level of physical security you have in the office,” he said. “You don’t necessarily have the same level of cybersecurity that you have in the office. And, to some extent, you are, therefore, more vulnerable in this space.”
As an example, when we focus on cybersecurity, “we often forget physical security,” Blyth said.
“We forget that it’s just as easy to kick in a door, grab a computer and leg it, as it is to break in electronically. We forget about things like dumpster diving. People have an idea that when I throw my computer in the bin, the data fairy takes it away and sprinkles her magical dust and the data disappears. It doesn’t. And so we forget about those types of things. We bring that ethos of ‘I’m used to working in a commercial environment. I’m used to working in an office.’ And we think, ‘Because I’m working at home, I’m still working in that commercial environment. I’m still working in the office. All of my assumptions I had in the office, I now have for home.’ But of course they’re not true.”
So What Can Go Wrong?
Asked by Gilliat-Smith what exactly can go wrong in a remote environment, Blyth responded: “Physical security. You’re working from home. You’re not working in the office where you might have a guard 24/7 and guards on the gates and things like that. You’re working in your home environment and you, therefore, have security in your home environment.”
And security in one’s home tends not to be as strong as security in an organisation’s office.
If freelancers are using social media, “that opens them up to being targeted, whereas before you had” protection at the company they worked for and their email and social media accounts were protected by the IT department, Blyth noted, adding: “When you are working on your own, you are consuming these services yourself and, therefore, the onus is on you to take reasonable technical measures to ensure that your data is safe and secure.”
The Wi-Fi network being used is another big factor, according to Blyth, who explained: “It comes down to, do you have two Wi-Fi networks? Do you have a home Wi-Fi network and a work Wi-Fi network so you’ve got a network that is unique to your work that only you are accessing?…. Or are you piggybacking on your home Wi-Fi? Because if you’re piggybacking on your home Wi-Fi, then, if you’ve got children,” they must be taken into account also.
“I have an 11-year-old who loves playing Minecraft [and] he’s on the home Wi-Fi,” Blyth noted. “That home Wi-Fi is the same network that I’m on and, therefore, his security has to be part of my security because if his computer is broken into on my home network, that opens up an attack avenue to my computer on my home network. So you’ve got to think about these things. Do you put in a separate Wi-Fi network to yourself? Do you go and get a separate landline and you have a little network that’s all yours that only you have access to? And that’s one way of doing it. Or do you start educating your kids about patch management and perhaps getting them to educate you about the latest hacking trends?”
The Phishing Threat
There is “a lot of personal information” being made public today on social media, Blyth said, noting: “It’s very easy to get somebody’s home address if you know a name and an area where they’re likely to live.”
He was doing forensics work on a real case in which a government department had been hacked, he recalled. His team analysed all the servers and figured out “the hackers had spent six months developing a relationship with… the head of this government department and they put together a website,” he said, noting the head of the government agency was a “classic car nut [who] had a beautiful” Jaguar E-type racing car.
The hackers in that case set up a fake classic car website that attracted people interested in cars, he noted, adding: “It’s all about developing trust and… so when he got an email from this website that over six months they developed trust with, he opened a PDF and that was the point of infection, when effectively they exploited his machine, got a foothold into his network, mapped out the whole network and started exfiltrating data.”
What has happened is that, when it comes to scams, “we’ve gone from ‘you are related to the prince of Nigeria’ or ‘congratulations, you’ve won the Spanish lottery; give us your bank details and we’ll transfer the money to your account’ into very, very targeted attacks,” Blyth said. “Organised crime is all about making money and if they think you have something that they want, that they can monetise, they are prepared to put in the groundwork in order to get that. Nowadays, setting up and running websites is very easy and very cheap to do.”
So what is the profile of a typical hacker/bad actor that organisations tend to face today?
“If you go back to the 1980s and 1990s, the film War Games had an awful lot to answer for,” according to Blyth, noting it “launched a thousand hackers; it gave rise to the view of a hacker as being this typically male child in a bedroom alienated from his parents, from his peers [wearing a] dark hoodie, working.”
That profile is just not true anymore, according to Blyth. “Now what we’re seeing is organised crime and organised crime is interested in one thing only: Making money. Organised crime tends to operate in countries like Ukraine, Brazil, Russia, where they don’t have extradition treaties necessarily with the West and therefore the hackers can [hide] behind those countries,” he explained.
“We also see complex supply chains being developed,” he said, adding: “The people that mount a spearphishing attack won’t be the same people that are operating the spearphishing infrastructure, and they won’t be the same people that have developed the exploits. What you see on the dark web are these supply chains building up with people developing and selling vulnerabilities, developing botnets, they sell infrastructure. So it’s very easy for somebody – for organised crime – to go out there and pick… the bits that they need for a campaign, glue those bits together and make an awful lot of money. If you look at ransomware, the current figures for ransomware run into billions and that’s not all going to a 15-year-old kid in his bedroom.”
All the details that people typically provide on social media about the things they like, their hobbies and the places they like to travel to “all allows people to build up a profile of your interests,” explained Blyth. “When you actually start profiling people, it’s amazing how much information people post about themselves on Facebook and that makes it easier for somebody to engage with you if they’ve done their homework and understand what your interests are,” he said. “If you’re an avid skier – if you enjoy skiing – in Canada or France or wherever, you’re more likely to engage with someone who has the same interests as you.”
However, other than the Sony hack in 2014, “it’s pretty unlikely” that your M&E organisation is “going to be targeted by a state-sponsored actor,” according to Blyth. “Typically, state-sponsored actors are interested in industrial espionage for IP that can be monetised in terms of production, the latest manufacturing techniques and things like that,” he said. “They’re not really interested in one-off blips.”
North Korea, however, is “different because they use it as a way of making money for the country” itself, according to Blyth.
A big studio may be targeted by North Korea not because it is a studio but because it has a lot of money – “the same way that banks get targeted or Ford or General Motors get targeted,” he said.
Tell-Tale Hacking Signs
If an organisation is trying to figure out if it has been hacked, “you’re looking for things like” an obvious network slowdown, according to Blyth.
After all, “if I exfiltrate data, that takes network bandwidth so if your network is continually running slow and you’ve got a light flashing on your router like crazy and you’re not doing anything, well, somebody’s doing something because your router’s flashing,” he said.
“Simple things that can make a difference are things like anti-virus and firewalls,” he noted, adding: “They can mitigate an awful lot of the threats.”
Returning to Normal But Stay Prepared
During the welcome remarks that kicked off CPS EU, Chris Johnson, CEO and president of Convergent Risks, reflected on the start of the COVID-19 pandemic last year, when his company “frantically” started “implementing temporary measures to continue delivering our support remotely,” he said.
“Security became a vital component of everyone’s response,” he recalled. “After the inertia of lockdown,” at least some organisations were able to become agile and “innovative opportunities were starting to appear,” he said.
“Organisations with a focus on technology, such as the cloud and the use of applications, were well positioned to be resilient in [that] stage of the pandemic response,” he said, explaining: “Companies like ourselves, we were small, we’re agile enough to accelerate existing plans and change our priorities towards remote and technology-based services…. A lot of small companies like ourselves were able to manoeuvre and put themselves into a stronger position.”
Production is now “returning to pre-pandemic levels and set to increase…. But we need to make sure we remain well-prepared and resilient,” he cautioned.
Content Protection Summit Europe was presented by Convergent Risks, with sponsorship by Richey May Technology Solutions, Synamedia, BuyDRM, Friend MTS, NAGRA, and X Cyber Group.
The event was produced by MESA, the Content Delivery & Security Association (CDSA), the Hollywood IT Society (HITS) and Women in Technology Hollywood (WiTH), under the direction of the CDSA board of directors and content advisors representing Amazon Studios, Adobe, Paramount, BBC Studios, NBCUniversal, Lionsgate, WarnerMedia, Amblin Entertainment, Legendary Pictures, and Lego Group.