‘Hi to all mankind’. Thus began the email sent to journalists by hackers who have reportedly stolen 1.5TB of files and videos from entertainment giant HBO. What has made the headlines is the fact that the script for next Sunday’s episode of Game of Thrones has been released. The HBO hackers conclude their email by saying that ‘HBO is falling’, and it is perhaps chilling to consider the vulnerability of even the largest and best-protected companies to breach and data theft.
In April, Netflix was also compromised and refused to pay a ransom demand. Ten episodes of its series ‘Orange Is the New Black’ were leaked by a hacker group known as TheDarkOverlord. It is not yet clear whether the HBO hackers are seeking a ransom payment. Yet although advance plot lines for a TV series make headline news, there is another important aspect to consider: the sensitive corporate data held by HBO, which may now also be in the hands of unprincipled criminals.
HBO confirmed this week that it had experienced a cyber incident ‘which resulted in the compromise of proprietary information’ and that it is examining the breach. Forensic investigation will reveal how the system was breached and enable the company to secure its systems. But assuming that a company the size of HBO has access to the very best cyber defence, what more can they do?
First of all, it is worth pointing out that anything to do with Game of Thrones is a huge headline draw. With 8.9 million people reportedly watching the finale of Season 6, hackers will have been particularly motivated to succeed. Yet all organisations which hold data are vulnerable to a greater or lesser extent. Those with a strategic plan which includes regular penetration tests, network security testing and vulnerability assessments are, however, better placed because they have created inbuilt responsiveness.
Expert pen testers put themselves into the mind of potential attackers, exploring and exploiting all opportunities. As systems become more complex, the ‘attack surface’ continues to grow and the number of potential ways a hacker can gain access is ever expanding, making this technique increasingly valuable.
As an additional precaution, organisations should defend their systems by assuming that they have already been breached and that a hacker lurks quietly within. If information is encrypted and secured with high-difficulty passwords that are regularly updated, hackers may just prefer to concentrate their efforts on easier prey. When it came to the fate of the Seven Kingdoms, perhaps the hackers felt the effort was worth it, but, like Jon Snow, let’s make their lives as difficult as possible.
SRM can advise on all aspects of Information Security Testing as well as providing a full range of consultancy services.