News Corp's software supply chain attack proves the need for enhanced security posture

Journalists from News Corp have been targeted in a recent series of cyberattacks, which underscores the need to ensure adequate protection for organizations’ SaaS services. In this particular incident, the attackers were able to access News Corp’s systems since February 2020 or earlier.

It is reported that the hackers have had access to emails, documents on Google Docs, as well as article drafts.

Being a publicly-traded company, News Corp had to disclose this information in an SEC filing in early February, where it shared general information about the security breach. In summary, as described in the filing, the company discovered that one of the cloud service providers it utilized had been the target of persistent cyberattacks.

Said cloud service providers are used to support the company’s various business operations and are thus considered upstream suppliers – hence the cyberattack being described as a supply chain attack.

A compromised cloud security posture

The attack on the media conglomerate underscores the need for extended security posture management, especially with the potential of News Corp did not specify what particular cloud services were compromised and how the attackers were able to gain access to these SaaS services.

However, the news organization’s security advisors believe that it was a state-sponsored attack–that the hack was most likely intended to gather intelligence for the benefit of the Chinese government. Analysis points to data allegedly being collected by the attackers.

According to its security consultants, the hackers were “likely involved in espionage activities to collect intelligence to benefit China’s interests.” This was rebuffed by Chinese embassy officials in the United States, wherein a spokesperson for the Chinese embassy sought a “professional, responsible, and evidence-based approach to cyber-related incidents, rather than making allegations based on speculations.”

This is not the only time that a media company had been targeted by a major cyberattack. In 2013, the New York Times also reported a breach that affected 53 personal computers belonging to employees. That particular attack coincided with a journalistic investigation into wealth accumulated by relatives of then-prime minister Wen Jiabao.

State-sponsored attacks have likewise reportedly been targeting other media organizations, including the Washington Post, the Wall Street Journal (also owned by News Corp), and Bloomberg, among others.

Improving security through cloud security posture management

Compared with on-premises deployments, SaaS solutions are touted to be more secure for several reasons:

Cloud providers–especially the major ones–have substantial resources invested into cloud security. In comparison, a business or enterprise may not be able to focus on cybersecurity if it were not their expertise.
Cloud providers also have more substantial experience in cybersecurity best practices, as well as human resources.
Cloud services are also built by design with security in mind, including identity and access management, network segmentation, encryption, continuous monitoring, and logging.
Cloud providers are also incentivized to provide security, along with their contractual uptime obligations to clients. This results in fault-tolerant architectures and redundancies.

However, there is no question that there are weak links that can expose businesses and organizations to vulnerabilities. On top of the cybersecurity provisions that cloud service providers include in their service, organizations will need to be well-versed in cybersecurity posture management.

Here are three main concepts that form an essential cloud security posture management.

Visibility – An organization needs real-time visibility into security risks. This means the ability to monitor cloud assets on a real-time basis, including scanning and event detection. Your security solution should intelligently listen to events and detect any changes in the system, as well as their associated security risks.

The ability to investigate potential issues – Here, the end-to-end analysis will be required to determine any potential issues or loopholes in one’s cybersecurity posture. This will require both adversarial and collaborative approaches through breach-and-attack simulation (which automates penetration testing), as well as purple teaming (which involves collaboration between defensive and attacking positions).

This will help discover security gaps, misconfigurations, product deficiencies, and undocumented threats. Frameworks like MITRE ATT&CK will be a useful resource in determining the adversarial tactics and techniques based on real-world observations and occurrences of cyberattacks. Such an adversarial approach can also be scaled across the organization’s assets, to ensure wider detection and coverage of such potential attack vectors.

Actionable insights and remediation – Knowledge of potential security issues will only be useful if an organization has gained actionable insights and can thus address or remediate the issues that have been found. Given limited resources, organizations should be able to prioritize

Another big challenge for any organization or security team is the deployment context, which entails the ability to act on alerts when there are development or information silos within the organizations’ infrastructure. Prioritization also plays a big part in this, since one might get inundated with the volume of security alerts. There needs to be a balance between avoiding technical debt and reducing security risk.

The economy of risk

For media organizations and any business for that matter, going to the cloud is not enough. There needs to be adequate or strong cloud security posture management in order to protect the integrity of their systems. Cyberattacks directed at media organizations add up to a chilling effect that could be weaponized to achieve certain foreign policy matters.

Security analysts have stressed that media companies are often a favorite target of certain state-sponsored cybersecurity attacks. Some nations that have aggressive cyber-espionage stances would usually have journalists at the top of their list in executing data extractions or spying–and this has been going on for decades.

The big takeaway here is that there is always a cost involved when mitigating cybersecurity risks. In News Corp’s SEC filing, it warned that cyber risk insurance is increasingly difficult and expensive to obtain in the face of growing threats.

Thus, while the company does have a certain level of insurance meant to address incidents like the latest cyberattack, there is a concern that such will be more difficult or expensive to maintain in the future. However, given the prevalence of the cloud, having a strong cloud security posture is now a must, considering the risks.