During the 2014 Sony hack, Deadline readers benefited from the wisdom of Los Angeles based Hemanshu “Hemu” Nigam, a former federal prosecutor against Online Crimes and former Chief Security Officer for News Corp and Fox Interactive Media, and VP Worldwide Internet Enforcement under Jack Valenti’s MPAA. Nigam then called for the appointment of a Hollywood cyber czar after the Sony attack, and gave self-protection advice to Sony staffers dealing with the public dispersal of their personal information including Social Security numbers. Following the brazen cyber theft and attempt to ransom new episodes of the Netflix series Orange Is The New Black, Deadline asked Nigam to assess what this breach means for studios, and what common sense steps they might undertake to protect their content. Surprisingly, his advice includes careful evaluation of pricey services offered by “cyber experts” cropping up in the wake of the latest hacking scare. Nigam is currently CEO of the Cyber Security Company SSP Blue.
Several years ago when Sony was hacked by what the White House dubbed as a cyber attack by an enemy nation state, Hollywood felt like it was under siege from shadowy hackers who invaded the echelons of storytelling without ever stepping a single foot on American soil. Cyber thieves have sent a new chill in town. A few weeks ago, UTA apparently had some type of malware issue, with whispers of a ‘ransomware’ attack. It’s probably not coincidence other talent agencies had issues at the same time: part of the reason emails went down was that many of the talent agencies rely on the same vendor for their client management solutions.
And now Netflix is reportedly under siege for ‘ransomware’ – pay the hacker known as “The Dark Lord” or risk the release of next season’s episodes of Orange Is The New Black, a threat the hacker reportedly made good on. Same hacker is threatening other networks and their upcoming programs unless ransom demands are met.
Coming after the widespread release of what seemed like every Clinton Campaign email during the presidential election last fall, it is easy to feel helpless against these faceless villains with ominous-sounding names. What can be done? There might not be a fail-safe way to keep a sophisticated hacker out, but there are plenty of ways to make it harder for thieves to get into operating systems where digital programming can be accessed. Studios, agencies, development houses, celebrities, and others in leadership positions can all button up, because the best cyber security is only as strong as its weakest link.
It isn’t entirely clear how Netflix’s programming was breached, but it is clear that the entry point could well be one of the third-party vendors that are so critical to the Hollywood ecosystem. Whether the vendors work in post-production, audio, coloring, editing houses, or whether they provide critical client management solutions, or deliver digital dailies or serve on demand content for the consuming public, they all have one thing in common. They have access to or else they house valuable assets. On top of that, many of these vendors have worked behind the scenes for programmers for decades. Befitting those long relationships, they are treated like family, and can come and go as they please. A close relationship with one studio usually leads to relationships with others.
Can you imagine how a vendor with access to multiple program generators would be a hacker’s dream come true?
To me, what the Netflix tragedy highlights is how vulnerable the gates of Hollywood are when another set of keys sits in the pockets of a third-party vendor. These vendors can be as honest as the day is long, but if their safeguards are far below those used by their studio clients, breaches become possible. Hackers can exploit third-party service providers with attacks on networks and databases to get to critical files like movies, episodes, scripts, and email, the same things extracted from Sony computers in 2014. Hacker attacks map out the network and then run a password guessing program to try to get in. If a system doesn’t have a safeguard with an automatic timeout following multiple guesses, or if it doesn’t recognize the breach attempt, hackers can let these program run till they succeed. Once inside the network, the hacker can often access multiple databases and files, simply because the network is set up to provide easy access once you are allowed in.
Hackers can also gain entry with crude phishing schemes tailored toward their victim, and these work more often than you might imagine because everyone is in such a rush that it is easy to be careless. Say an employee at a post-production coloring house gets an email purporting to be from the “IT guy” at the studio, saying they had an issue and need all their vendors to run a quick scan to check if they were affected. The cooperative vendor employee who quickly runs the attached file might not even realize it is a Remote Access Trojan (RAT). The RAT gives full access and control of that employee’s computer to the hacker, no matter where the hacker is. That hacker can now see and do everything the employee can do, and no one will detect a thing, not even the IT department (if there is one). Hackers can also compromise a third-party tool set up for use by a group of creative artists. Since many vendors have testimonials on their websites from their clients, hackers can easily tailor phishing emails to those clients asking them to do things like install the latest version, which is actually a RAT in disguise. Or these phishing emails can simply re-enter their username and password to keep their records active. Either way, they just invited themselves in.
While there may be quite a few ways to get to a variety of these critical assets, the greatest danger lurks when third-party providers have multiple staffers who are asked to multi-task on multiple projects for multiple clients to meet multiple deadlines. This happens every day across the industry and it is exactly why the industry can release so many shows and movies using the limited experts they all rely on.
What to do? Instead of panicking, now is the perfect time for Hollywood to do what it does best – step up in the face of adversity. Here are just a few basics to get started. Whether you are a studio or a vendor serving that studio, all of these pieces of advice apply to both of you.
1. Make a list of all vendor services you are using, and find out who has access to your critical assets. Then make sure your provider has set up “need to know” and “need to have” access system, has implemented managerial oversight on who gets those rights, and has mechanisms to promptly revoke those rights when staffers are no longer working on your project.
2. Work with the vendor to see how they manage internal staffers and sub-contractors. Vendors are often busy working many projects. These use the same group of internal or even external sub-contractors, because it is easy to give everyone a single credential to keep them moving from project to project. That might be good for efficiency, but not security. Ensure that your assets are kept locked separately from another company’s assets. That might limit the chances that your unreleased episodes fall into the hands of a hacker who first got access to another studio or network’s episodes.
3. Make a list of your own critical assets and which vendors you share them with. If something is up for sale in the Dark Net, this allows you to better determine whether a theft or leak may have occurred and where it might have started. In one assessment, we found that different members of our client’s leadership team had different answers to this very same question. In other words, no one knew who was sharing what with whom.
4. A note for legal folks: require all vendors to contractually commit to certain minimum security and privacy best practices. fact, at a minimum, any vendor that works with you and passes critical assets back and forth through an online site (public or not) should be required to review and follow what we call the “OWASP Top 10.” The 2017 version will be released soon – require it. You should also contractually include the right to audit the security measures vendors have committed to via third-party assessors. If you are working with vendors that rely heavily on databases, review this concise and smart security summary done by our friends at UC Berkeley. For example, you may be working with a vendor that is synching dailies and needs to store all these heavy files for easy access and delivery, and these security measures will apply.
5. Require your provider to confirm that they have done at least some type of attack and penetration testing in the past year. These types of tests are important: they locate vulnerabilities and fix them. So, ask to see the report looking at what was tested, whether the holes were fixed, and how long ago was it done. If there is no such report, find out why and then put it on the short-term calendar of things that must get done.
6. Work with the vendor to make sure they are patching regularly. Every company wrestles with updating their systems with security patches versus the possible downturn in productivity. Hackers scan for un-patched systems; it is the often the easiest way into a network. In the physical world, this is similar to not changing your locks when you know a burglar has your keys.
7. Discuss with your providers — especially those who work in post-production — whether they are segmenting the files their staff is working on into “need to have” and “need to know” access. If certain staffers are working only on certain elements, they don’t need access to the whole file. This might initially require changes in how work flow is done, but it is better to lose the final three minutes of an episode to a hacker than losing the entire episode. This same holds true for the type of access that is given to a network and its many components. Allowing access from outside in to a network should not automatically allow for access all aspects of that network. In the physical world, this is like going to a bank where you can walk into a lobby, but you still need separate authorization to access the vault, and still separate access to your safe deposit box.
8. Discuss with your providers the use of encryption, and what should be encrypted. This is a deeper discussion that needs to take place between your security folks and theirs, but it is one worth having. Encryption might be necessary when a file sits in a database that is accessed from outside the network. Sometimes encryption may be needed when that same file goes from the vendor’s database to yours. Just having the discussion often leads IT and cyber security teams to identify additional protections they can add in the handling of certain critical assets.
9. Set up mutual training with your own teams and vendor teams to educate them on how hacking occurs, which illustrates the dangers that come with carelessness or haste. A simple awareness training program can go a long way toward preventing a worker from installing a RAT, simply because they are now aware.
10. If guarding against hackers wasn’t enough, it’s worth it to be on alert for cyber security experts who want to sell you “everything.” Unfortunately, everyone who knows anyone is now a cyber security expert specializing in Hollywood, and they might attempt to sell and install everything but the kitchen sink. This is clearly not something those of us who have integrity want to see. I have worked as News Corp’s and Fox Interactive Media’s Chief Security Officer, built the MPAA’s Worldwide Internet Enforcement group, and worked as a security executive inside Microsoft serving as the liaison between internal security teams and federal prosecutors, and served as a federal prosecutor against computer crimes and other online crimes in the U.S. Department of Justice. I know that good security can be implemented, sometimes with a few tweaks. Not always, but sometimes.
Some vendors may not want to deal with new security protocols, but it is best for everyone to think of it as a minimum entry requirement to enter Hollywood. It’s the best way to avoid becoming the reason some hacker writes a nice little script (techie pun not intended) that steals your Emmy-winning season.