HBO Hack Targeted Valuable Intellectual Property and Company Secrets

Corporate espionage and the theft of intellectual property and company secrets have gone cyber. The latest victim is cable network HBO and its flagship series Game of Thrones. The HBO hack, perpetrated by a hacker or group calling themselves “Mr. Smith,” may involve as much as 1.5TB of data. Mr. Smith has been releasing their treasure trove in increments; so far, they’ve leaked five Game of Thrones draft scripts, complete unaired episodes of Curb Your Enthusiasm and several other HBO series (although not GoT), the personal contact information of several GoT actors, company emails from HBO’s vice president of film programming, login credentials for HBO’s internal systems, and numerous other confidential documents.

The HBO hack has been compared to the 2014 Sony Pictures hack, which involved the release of scandalous company emails. However, there are more similarities to the Netflix hack in April, where hackers stole upcoming episodes of Netflix’s smash hit Orange is the New Black and dumped them online after Netflix refused to pay a ransom.

Hackers are Coming

The latest Verizon data breach report highlighted cyberespionage and digital IP theft as growing threats. The manufacturing industry, professional services, education, and the public sector were noted as being especially vulnerable, but any industry could be victimized.

Hackers are still very interested in stealing identities and payment card data, but there’s arguably even bigger money in stealing digital intellectual property. Mr. Smith is threatening to release more data from the HBO hack – including full GoT episodes – unless the network pays them six months’ worth of the $12 to $15 million they claim to earn annually from cyber crime. HBO has offered Mr. Smith $250,000 as a “bug bounty” payment, which Mr. Smith has scoffed at.

Lessons from the HBO Hack

Entertainment companies make particularly attractive targets for three primary reasons, all of which also apply to organizations far removed from the Hollywood spotlight.

The entertainment industry’s entire business model is built around intellectual property. Hollywood sells nothing but content, and they are always making more of it. The same applies to software, game, and web development companies, as well as any business that sells content as opposed to widgets. Even companies that don’t actually sell intellectual property are in possession of some: Think secret sauces, R&D data, product prototypes, proprietary software packages, and vendor and customer lists. The Houston Astros MLB team lost millions of dollars when a competing team hacked their database and stole information on potential prospects and trades.

The industry is going digital. Film cans are being replaced by hard drives, consumers have come to expect online streaming options, and everything that’s ancillary to productions, such as scripts, lists of shooting locations, and actors’ personal information, is stored on networks. As organizations move from storing records in file cabinets to storing them on hard drives and in the cloud, hackers have more access points to more digital IP and company secrets than ever before.

The typical Hollywood studio has a complex cyber ecosystem. Film and TV studios depend on numerous third-party vendors to perform services, from sound dubbing to film editing, that involve access to company data. Often, these businesses are small and do not have the same level of cyber security as major studios. The Netflix hack was traced back to a breach at a small, third-party vendor – as was the latest Anthem breach and other recent breaches impacting Google, Trump Hotels, and Verizon. Outsourcing IT services to third-party vendors is commonplace in the digital age, so it is critical for all organizations to secure their entire cyber ecosystem, including business associates who have access to company data.

Hackers will keep engaging in digital IP theft because it’s lucrative. Companies will pay big bucks to protect their intellectual property and trade secrets. It’s far less expensive to invest in proactive cyber security and prevent IP theft from happening in the first place.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards.

[bpscheduler_booking_form]

Department of Defense contractors and their subcontractors have until December 31 to obtain DFARS compliance

Third-party data breaches are a serious problem, especially when highly sensitive data is involved – and our nation’s infrastructure, including our defense systems, are built and maintained by third-party government contractors. Recognizing this, the U.S. Department of Defense is requiring that all of its contractors, as well as their subcontractors, comply with the security controls specified in NIST Special Publication 800-171r1, also known as DFARS (Defense Federal Acquisition Regulation Supplement). The deadline for DFARS compliance is December 31, 2017.

As expected, DFARS compliance mandates that DoD contractors and subcontractors adhere to rigorous protocols to protect sensitive data and promptly report cyber incidents. However, DFARS also goes a step further by additionally mandating the protection of “Unclassified Controlled Technical Information (UCTI).” UTCI is defined as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies.”

This rather broad definition means that any organization that is handling DoD data, whether as a direct (prime) contractor or a subcontractor, must comply with DFARS.

Understanding DFARS Compliance

DFARS compliance was originally based on NIST Special Publication 800-53, which contains 18 control families and 303 requirements. However, after many contractors found the rules to be overly complex, NIST released Special Publication 800-171, which condensed the protocols down to 14 control families and 109 requirements. This was later updated to NIST Special Publication SP800-171r1.

While DoD contractors are accustomed to adhering to comprehensive security controls, since DFARS addresses the security of unclassified systems, many contractors will have to extend their controls to cover additional systems.

Noncompliance with DFARS is not an option for contractors and subcontractors who wish to continue working with the DoD after the December 31 deadline. There is no reason to believe that the DoD will extend this deadline and every reason to believe it will abruptly cut off any contractors who are not compliant. The agency recently held an Information Industry Day emphasizing the importance of DFARS compliance and reminding attendees of the approaching deadline.

In addition to enabling an organization to continue working on DoD contracts, there is inherent strategic value in DFARS compliance. Other public and private-sector organizations know how rigorous DFARS compliance standards are and recognize that service providers who are compliant are serious not only about their own cyber security but that of their own third-party vendors. It also demonstrates due diligence in the event of legal action or matters of business insurability.

Is your organization ready to meet the December 31 deadline? DFARS compliance is complex, and time is running out, which is why it’s best to enlist the help of a professional IT audit and cyber security firm such as Continuum GRC. We create sustainable DFARS and NIST 800-171 based compliance partnerships with our clients. Our proven methodology and project plan, powered by our proprietary IT Audit Machine IRM IRM GRC software solution, will help you achieve compliance on budget and on schedule.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards.

Schedule some time with our Superheroes for a Free Assessment!

Verizon, Trump Hotels, and the RNC are Among the Recent Victims of Third-Party Breaches

Even if your own cyber security is up to snuff, your organization could be at risk of third-party breaches if your business partners are not as diligent as you are. Verizon just learned this lesson the hard way after one of its vendors, telephonic software and data company NICE Systems, left the information of 14 million Verizon customers on a misconfigured Amazon server.

This incident did not happen in a vacuum. Other recent third-party breaches affecting major organizations include:

• The Republican National Committee (RNC), whose data analytics vendor exposed the data of 198 million voters after leaving it on – you guessed it – a misconfigured Amazon server.
• Trump Hotels, which, along with chains such as Hard Rock and Four Seasons, had its customer data exposed after a breach at its reservations vendor, Sabre Corporation.
• A number of Google employees were also impacted by the Sabre breach because Google’s third-party travel management company used Sabre’s systems – meaning this breach happened at the third-party vendor of a third-party vendor.
• Netflix, which had the upcoming season of its hit series Orange Is the New Black dumped online after a hacker breached a third-party post production house, Larson Studios. It has since been discovered that the hackers got into Larson’s systems by taking advantage of the fact that the company was running an antiquated version of Windows.

Third-Party Breaches Common in the Age of Outsourcing

Once a dirty word, outsourcing is a normal part of doing business in the 21^st century. Organizations of all sizes routinely retain the services of third-party business partners to take care of all manner of functions outside their core competencies, from cloud storage to customer billing to payroll services. Unfortunately, because so many business functions are now outsourced, third-party breaches have more common than primary data breaches; an estimated 63% of all enterprise breaches can be traced back to a third-party vendor.

If one of your vendors gets hacked, don’t expect to be able to point fingers and pass the buck. Even if your business partner makes a colossal mistake, your organization will be the one that’s held responsible by your customers, any affected banks, and regulatory bodies. The infamous Target breach, which cost the company nearly $300 million and shook up its C-suite, involved a third-party vendor.

Protecting Your Organization from Third-Party Breaches

As with primary cyber attacks, the best way to deal with third-party breaches is to prevent them from happening in the first place. While you cannot dictate to your business partners how they should run their firms, as their paying customer, your enterprise is not without recourse:

• Understand your enterprise ecosystem so that you can build risk profiles for all of your business partners. Who are your business partners, and what service does each provide? What level of access do they have to your data and systems?
• Understand who your vendors are subcontracting to and whether they will have access to your data. As in Google’s case, a breach at a third-party vendor used by one of your third-party vendors can come back to haunt your organization.
• Include cyber security provisions in your vendor contracts, including security measures your business partners must take regarding their own vendors.
• Give your vendors the minimum level of access to your systems and data that they need, and no more.
• Only do business with IT services vendors who have released AICPA SOC / SSAE16 reports and/or who have important IT security certifications such as NIST, ISO, or FedRAMP. These organizations have undergone rigorous security audits and have proven their commitment to the highest levels of data security.

Further to the above, if your business provides IT services to other businesses, obtaining the appropriate data security certifications is a wise investment that will help you instill trust in your customers. Continuum GRC’s IT Audit Machine (ITAM IT audit software) RegTech solution empowers organizations to get and maintain compliance the easy way, with self-help modules covering numerous compliance standards, including FedRAMP, SSAE 16, AT 101, CJIS, DFARS, COBIT, ISO 27001, ISO 27002, ISO 27005, SOX, FFIEC, PCI, GLBA, HIPAA, CMS, NERC CIP and other federal and state mandates.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call +1 (888) 896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards.

Schedule some time with our Superheroes for a Free Assessment!