This document discusses security vulnerabilities and threats facing media web applications. It notes that media organizations are prime targets due to their always-on services, reputation, and large public footprint. Threat actors like hacktivists and nation states use cyber attacks to disrupt service and influence public opinion. Common attack types for media include DDoS, defacement, and advanced persistent threats. The document provides statistics on data breaches in early 2016 and surveys of vulnerabilities found across media websites. It outlines challenges in protecting journalists, content, and systems. Fullstack security is recommended along with continuous assessment to match changing environments.

1. Media web application
security and vulnerabilities

2. Eoin Keary CISSP CISA
CTO/Founder edgescan.com
Hacker/Software Security Geek
OWASP Global Board Member (2009-2014)
OWASP Person of the Year 2015 & 2016

3. Always-on: The pressure to maintain a 24x7 service.
Reputation: one thing that matters above all for most media organizations.
Footprint: The public footprint makes for prime targets for visible impact to a wide audience
Propaganda is alive and well
Cyber attack has become an effective tool in its deployment by both state and non-state groups.
Attempts to raise the profile of a cause, to sow the seeds of fear or to sway public opinion
Threat actors: hacktivists, terrorist and nation states.
Media industry is highly likely to face a CyberAttack in order to disrupt service.
Tactics such as
• DDoS (Denial of Service)
• Defacement
• Integrity Attacks
• Highly-sophisticated Advanced Persistent Threat campaigns conducted by nation states.
Media Business Model & Challenges

4. 2016 – First 90 days
• 83,000 impacted by breach at Gyft Inc
• 63,000 records exposed at UCF (Florida)
• 15,000 credit cards Bailey's Inc.
• Hyatt data beach 250 hotels in 50 countries
• Neiman Marcus – 5,200 accounts
• TaxSlayer – 8,800 customers

5. 43%
50%
49%
58%
8%
4.10%
4.20%
0% 10% 20% 30% 40% 50% 60% 70%
HACKING ATTEMPT
DOS
MALWARE
PHISHING
SQL INJECTION
MOBILE ATTACKS
SOCIAL MEDIA ATTACK
Probability of an Attack Type – Media Orgs
edgescan research - 2016

6. edgescan.com “Media vertical” Web Security Survey – January 2016 - August 2016
11 Sites Randomly Surveyed globally
• Newspaper
• Television
• Radio
• Social Media
• News Feeds / PR
2%
32%
27%
39%
Frequency of Detection
Critical Risk
High Risk
Medium Risk
Low Risk

7. Old Vulnerabilities
99.9% of the exploited vulnerabilities in had been
compromised more than a year after the associated CVE
was published. - “Zero day’s” are overrated.

8. Security by Numbers
Likelihood of a vulnerability being discovered – Web Applications

9. Challenges to Media
What are we protecting?
Journalist
• Protect sources
• Prevent future storylines being revealed
Broadcaster
• Guarantee content distributed has not been tampered with.
• Protect my systems against denial of service attacks – availability
• Prevent unauthorised access to raw footage
• Live studio production, Control Signals/Technology won't be tampered with.
Rights Holder
• Prevent unauthorised access to my content.
Production team
• Grant access to the content to authorised staff.

10. Dangerous Times - Journalists
• There is not a journalist working who doesn't expose themselves to a web-
based attack at least once every day.
– journalists have to click links
– open email attachments
– Consider:
• Using an iDevice for mail (not jailbroken)
• Don’t use “office” with Macros enabled
• Enable FDE (Full disk Encryption)
• Patch
• Use and Ad-blocker (I said it!!)
• Don’t use IE (Internet Explorer) or any old browser.
• Disable Flash

11. Fullstack Protection
Web Applications
App Server
SSL/TLS
Databases
Services
Operating Systems
Networks

12. Continuous Vigilance

13. Conclusion
• Fullstack protection is key
– Applications and Hosting environments
• Continuous assessment to match ever-
changing systems & environments
• Journalist procedures – unique problem
• Security is a journey never a destination.