The Best Defense Is a Good Offense

Reducing hacking and piracy requires new systems and better employee precautions

Cybersecurity attacks have been in the
news almost weekly this year, with hackers sending
bogus emergency alerts about an impending
zombie atttack over several TV stations and major media
companies including Apple, Twitter and Facebook all
reporting security breaches. The Open Security Foundation
noted that cybersecurity breaches hit record levels in
2012, with 1,520 incidents involving data loss.

But as media and entertainment companies face the
rising threat of online security attacks, piracy and hacking,
solutions for addressing the hazards are unlikely to
be purely technological.

While experts point to a number of promising developments
in chip security, fingerprinting and protection
systems, they also stress that successful responses need
to include some fundamental changes in the way companies
educate their employees, organize their operations
and formulate business strategies.

“The problem has definitely gotten worse,” says Peter
Yared, CTO of CBS Interactive. “The vendors have improved
the tools that are available [for preventing security
breaches]. But at the same time, there is a growing
hacker community. And the number of channels where
attacks can occur has increased dramatically.”

“Compared to 10 years ago, companies have multiple
presences beyond simply a website,” Yared adds. “They
are now on the Web, Facebook, Twitter, YouTube, etc.,
and their employees have laptops, mobile and tablet
devices that provide many entry points for attacks.”

0311 Technology Attacks on the Rise chart

The sheer range of potential threats for media companies
also poses daunting challenges, with security experts
pointing to dozens of different types of attacks. These include
distributed denial of service (DDoS) attacks to shut
down websites; viruses that infect systems with malware
for collecting information; software flaws that give outside
access to sensitive data; spear-phishing attacks on specific
individuals within the organization; attacks on outside
companies such as Twitter or Facebook that might provide
passwords and other information about a company’s
users; and pirates hacking into encryption codes for pay
TV signals or DVD disks.

Governments and well-funded organized crime groups
are increasingly involved in the attacks, but some of the
most successful threats are low-tech tactics to steal passwords.
Tom DeSot, executive VP and chief information
officer at Digital Defense, notes his company is hired regularly
by major corporations to test their defenses. In those
tests, DeSot says, “we are successful in getting passwords
about 95% of the time in social engineering attacks” that
trick users out of their passwords via emails or phone calls.

Even higher success rates of 95%-98% occur when
Digital Defense attempts to breach security from inside
a company by going through desks or offices. Rogue employees
or even cleaning workers often provide hackers
with passwords using similar techniques.

Creating Best Practices

Here, education is the best defense, DeSot notes. But
companies are increasingly using biometric tools that grant
access based on !ngerprint or facial recognition technologies
or a two-step login process. After a Web administrator
logs in with his or her password, the employee then gets
another randomly accessed password from a mobile app.

Progress is also being made in denial of service attacks,
notes Neal Quinn, chief operations officer at Prolexic, a
major provider of cloud-based service to protect against
DDoS attacks. These typically involve networks of computers,
or Botnets, that have been taken over by hackers
to flood a website with so many requests that the site shuts
down or slows down to the point where it is unusable.

“These attacks can also be designed to distract security
people,” Quinn says, allowing hackers to penetrate the
company’s defenses and steal sensitive information.

To defend against those attacks, Prolexic offers cloudbased
services that make it possible to rapidly respond
to attacks and handle large-scale attacks that would
be difficult for a single company to repel. They have
also built centers around the world to be closer to the
sources of attacks, and they have extensive experience
in identifying the nature of the breach. “A lot of it centers
around human knowledge and understanding of
the best countermeasures,” Quinn adds.

Likewise, companies have been improving the security
of computer chips so hackers can’t steal encrypted pay TV
signals, notes Paul Kocher, president and chief scientist at
Cryptography Research, a major player in semiconductor
security research and development. The company recently
signed a deal for the use of its CryptoFirewall security core
in EchoStar set-top box technologies. “We are in a period
of rapid improvement in the underlying silicon used in
these systems that will pay huge benefits,” Kocher says.

Better fingerprinting techniques are also helping companies find content that has been illegally posted on sites,
notes Richard Atkinson, a well-known cybersecurity expert.
A number of major companies have set up units to
look for this pirated material on YouTube and other sites.

But Atkinson and others stress that technology is
only part of the solution. “The industry has historically
turned to lawyers and technology to solve piracy problems,”
Atkinson says. He argues, however, that companies
need to also pay closer attention on the “business
process that encourages piracy” and revamp corporate
cultures to better respond to threats. Traditionally, employees
handling security “have been located somewhere
in the bowels of the company” with little power
to influence overall corporate practices, he notes.

To better combat the threats, companies should have
someone who can directly communicate with the CEO
about the threats and educate the company as a whole,
adds Debra Sharon Davis, president and CEO of the
Davis Communications Group.

Investing in these efforts, Davis adds, “isn’t cheap,
but it is a lot cheaper than the alternative of having a
company brought to its knees” by an attack that can
“shut down its operation or damage its brand.”

For a look at how the government is planning to improve
cybersecurity and some of the best practices for avoiding
attacks, see Washington Watch.

E-mail comments to
and follow him on Twitter: @GeorgeWinslow