Redefining Information Security for Journalists & the Media
As the number of compromised major online media publications continues to rise, attention should focus on journalist information security standards, or rather, the lack thereof. The victims so far include the Associated Press, New York Times, CNN, Washington Post, Thomson Reuters, several U.K. publications (the Guardian, Daily Telegraph, Financial Times and ITV), NPR and more.
This raises the question of what kind of security our news outlets use internally to protect access to their sensitive information and sources. Although there are plenty of guides out there, each with its own set of information security best practices for journalists, there are no agreed standards for the industry at large.
One of the concerns comes with the adoption of new IT models; with apps and data hosted both on-premises and in the cloud. Locking down access to sensitive data stored in the cloud is a security issue all journalists and other members of the media need to address.
As the CPJ Journalist Security Guide notes, cloud-stored (external) data faces many threats, including attackers intercepting credentials in transit or stealing them through social engineering.
When it comes to authentication security, most guides include tips on creating stronger passwords, yet they also recognize the failure in trusting passwords alone for strong authentication:
Software allows attackers to generate millions of the most likely passwords and then rapidly test them against a password-protected device or service. - CPJ Journalist Security Guide
They also recommend creating passphrases at least 12 characters long, with complicated phrases and multiple types of characters. However, a more complex password is still a single factor; adding a different method of authentication does more for account security. With two-factor authentication, you can use an out-of-band authentication method to secure your accounts.
Why do you want to use out-of-band? It is more secure to use two different channels to log into your accounts; i.e., one being a web-based username/password and the other a mobile app-based push notification, so a stolen password alone is not enough to get in. And you can use a single two-factor solution to manage access to your different accounts, regardless of whether they are cloud-based or on-premises software.
The CPJ Journalist Security Guide also recommends using a password manager, not only to centralize your multiple accounts but also to generate unique passwords. You can easily download and install a simple cloud-based password manager as a browser extension. For example, LastPass is an extension that will prompt you to save website credentials as you browse, and autofills them when you revisit.
Using an effective two-factor authentication solution paired with a password management tool can help journalists and members of the media secure their network and account access to help combat the repeated attacks against these online publications.
Also important to note, a number of these attacks succeeded only because they were waged against third-party applications integrated with these online publications. One example is the breach involving Outbrain, the content-sharing widget seen at the bottom of articles that provides links to related articles around the web.
The Syrian Electronic Army (SEA) used a phishing email to gain access to Outbrain's internal systems and change admin settings for its partners, affecting the Washington Post, CNN and Time. Keep in mind, news organizations are only as strong as the security standards they set and follow, including those they set for their contractors. Crafting a security policy is a standard step after conducting a risk assessment, and should be part of a general security audit process anyway.
Learn more about lessons learned in news media and third-party breaches by reading:
CNN & Microsoft Breached: No 2FA in Sight
Target Breach: Vendor Password Exploit
HootSuite and Buffer: Social Media Giants Enable Two-Factor