
HITS Panel Talks Sony Hack, Cyber Security (CDSA)

By Chris Tribbey

CENTURY CITY, Calif. — When Sony Pictures was hit with one of the worst cyber attacks in Hollywood history in late November, hackers stole mountains of employee data, leaked high-quality versions of five Sony Pictures films and threatened violence if the studio allowed the comedy “The Interview” to be released as scheduled Christmas Day.

It also put the rest of the industry on notice, and had them asking the question: could it happen to us too? Speaking May 14 at the Hollywood IT Summit, panelists said that the Sony hack has the industry rethinking how it allows employees to access critical systems and content off-site, and put a renewed focus on watermarking content, whether it’s video or employee information. One of the issues presented to the industry is the balance between information security and the delivery of services, panelists said.

The Sony attack resulted in a call for all content companies to re-evaluate the security measures they have in place, to prevent similar breaches from occurring in the future.

“We were summoned immediately into the boardroom to talk about our vulnerabilities and risk, as I assume most of the people in this audience were [as well],” said Sean Flynn, chief technology officer at Marvel Studios. “It was great because the conversation was happening at the senior leadership level.”

Marvel conducted a security review, and found it needed to catch up to the changes of the last few years, with new and unexpected risks identified. Marvel conducted threat modeling and produced a list that helped it prioritize which areas of the company needed to be addressed first, and which areas of mitigation would offer the most bang for the studio’s buck. Marvel found that multifactor authentication “was a must,” internally and externally, and that privileged account management, tracking who’s accessing what, all the time, was beneficial. Encryption was revisited, with a renewed focus on encryption at rest.

“For many years there’s been a gold rush to accessing information anytime, anywhere, any device, bring your device,” said Bryan Ellenburg, a security consultant for production and post production editorial for the Content Delivery & Security Association (CDSA). “We’re starting to see a retrenchment, we’re starting to see more limits to access, making it more difficult to view your emails remotely. Do people really need access to this information?”

Jonathan Chow, chief security officer at Live Nation Entertainment, said the hack has Hollywood better understanding what the risks are, and better communicating with IT departments, instead of just assuming security has been addressed. However, the media attention in the wake of the attacks against Sony, Target, Home Depot and others is a double-edged sword, he added. It’s caused a lot of doubling up on people looking into the security measures companies have in place, which can be distracting.

The Sony hack “really hit home for us as a serious event,” said Stan Stahl, president of the Information Systems Security Association, L.A. Chapter (ISSA-LA). He said Hollywood companies are better understanding that information security is all about the internal conversation, that implementing technology is only half the battle. “It takes the village to secure the village,” he said.

Sean Cordero, chair of the Controls Matrix Working Group for the Cloud Security Alliance (CSA), said companies working in the cloud realize the benefits: agility, flexibility and reduced time to market. But they often don’t understand all the risks, or don’t address them correctly, he said.