He too compared the HBO attack with the Sony breach. "The Sony attack was touted as a massive cyber incident targeting the media and entertainment industry and the information leakage was just about 200GB of data. Sony brought in a cybersecurity firm called Mandiant to investigate this incident. Basically, a group of anonymous hackers calling themselves TheDarkOverlord (TDO) stole the fifth season of Netflix's hit series 'Orange is the New Black' and posted most of it online after Netflix ignored the hackers request for ransom money."
"The HBO hack of 1.5 TB included Games of Throne, Ballers, Barry, Room 104, Insecure and various credentials of HBO's senior vice president and legal counsel. Rumour has it that HBO has also called cybersecurity firm Mandiant to investigate this," said Rajagopal.
"It is gruesome that the attacker seem to have obtained almost all credentials of the executive [name witheld]," he surmised. "Either these were saved "securely" in a text file and the hackers got access to this, or she used a password manager with a simple guessable password. This aspect of the incident is basically about cybersecurity hygiene."
"Interestingly, at about the same time that HBO got attacked Mandiant (a subsidiary of FireEye Inc) was also allegedly attacked and confidential data including joint exercises with the Israeli Defence Forces were leaked," he explained. "Confidential details of their security analysts were released and one could see that he/she used simple passwords to protect his/her online accounts."
Rajagopal echoed Fong's comment. "These incidents are wake up calls to implement proper controls and have a strong basics and practice good cybersecurity hygiene no matter which industry and who you are."
"I believe the way HBO's CEO Richard Plepler dealt with the incident was way better than how Sony dealt with theirs," he said. "When Sony got hacked it took 12 days to email employees about the status, and even at that time they still did not have much clue whereas the HBO CEO responded within two days of first finding out the incident."
What should be in place? Rajagopal answered that when an organisation gets hacked "there are three options:
i. First and probably the most popular way is to pretend the hack never happened, and cry wolf about it.
ii. Secondly you could post a half-baked lack-lustre security statement about the incident
iii. Thirdly, openly admitting you got attacked and that you are on top of the entire incident, keeping your interested parties informed of the entire investigation and journey of the incident."
"Fundamentally, I'm a strong believer of two things:
i. Cybersecurity hygiene is equally as important as Toilet hygiene
ii. Implement multiple layers of control through Defence in Depth Strategy"
Security is risk management
"Information security management is always about 1) Prevention, 2) Detection and 3) Correction," said Fong, when speaking about his suggested action plan for security leaders.
"Pro-active information security health checks are no longer an accessory. Hackers today are driven by much larger financial goals, they don't just work from 9am to 5pm, or rest on holidays," he said. "With the widespread of automated hacking tools on the Internet, hackers can focus more time on developing more sophisticated corporate espionage tactics." (See - Malaysia interview: How easy is it to set up as a cyber crook today?)
"Prevention must start from good practices, e.g. by not sharing passwords, using strong encryption on sensitive information," he continued. "From a technical perspective, effective preventive measures can be achieved by applying regular information security audit, penetration testing (ethical hacking), and education."
"Detection refers to the ability to identify 'out-of-norm' activities and then classify these as incidents," Fong said. "Without effective detection capabilities, organisations will not be able to stop attacks in a timely manner. Like Preventive controls, good detective controls can range from physical aspects (tempered alarm, motion sensors) to technical (Intrusion prevention system, Log Analysis)."
"Finally, the Corrective countermeasures: Now that we have prevented, detected the attacks, the last question for us to ask ourselves is: what can we do to contain the attack, lock it down, stop further advancement, and execute investigations on what has been impacted by the attack," said Fong.
In Malaysia, suspected digital security breaches should be reported to Cybersecurity Malaysia for additional support and advice (see Appendix).
For some recent local security news, see:
Ransom DDOS attacks hit Malaysian financial firms: Experts advise action plan for IT
WannaCry attacks: Former Malaysian hacker predicted healthcare target
Global ransomware attacks prompt national 'WannaCry' alert from CyberSecurity Malaysia
Crash Override, Industroyer malware: CyberSecurity Malaysia calls for critical infrastructure checks
Malaysia interview: How easy is it to set up as a cyber crook today?
In Malaysia, worries about cyber threats overtake physical concerns for the first time: Unisys Index
This article was first published 3 August 2017: The latest edition of this article lives at Computerworld Malaysia.
To report incidents in Malaysia at Cyber999, please use these channels:
E-mail: firstname.lastname@example.org or email@example.com
Fax: +603 89453442
Mobile: +6019 2665850 (24x7 call incident reporting)
SMS: Cyber999 report email complaint to 15888
Sign up for Computerworld eNewsletters.