The global video streaming industry is a multi-billion-dollar market that includes renowned brands such as Disney and Netflix alongside smaller, more niche players. Many of these services have experienced exponential growth due to the pandemic. In 2020, the viewing figures for streaming services were up 71% compared to the previous year.
By Darren Lepke, Head of Video Product Management for Verizon Media
Yet, with great success often comes additional risks and responsibilities. When it comes to security, streaming providers think first about content protection and methods of thwarting piracy e.g. DRM and Forensic Watermarking. Streaming services are also home to data from potentially millions of customers, which includes names, email addresses, and payment details. This new focus on consumer data is an example of how threats continue to evolve and shows that no industry is safe.
Many streaming services have struggled to evolve their cybersecurity tools in line with the growth of their subscriber base, leaving them vulnerable to cyberattacks that take advantage of the vulnerabilities specific to OTT platforms and technologies. It’s a vicious cycle: The more popular a streaming service becomes, the more susceptible it becomes to cyberattacks due to the growing numbers of users and devices, giving cybercriminals a greater surface area to attack.
Every single streaming service has the potential to attract unwanted cyberattacks from cybercriminals. The most common cyberattacks include:
- Application attacks: cybercriminals exploit vulnerabilities in the application architecture and software code that may or may not be publicly known.
- Distributed denial-of-service (DDoS) attacks: these types of attacks use artificial traffic to disrupt a site or service, making it inaccessible or slow to respond to legitimate users.
- Credential stuffing: hackers exploit the fact that people tend to use the same username and password combination across multiple accounts. In such an attack, the hackers can buy vast lists of stolen credentials from the dark web and use automation to try each one to gain access to the target service.
Verizon Media recently surveyed security professionals at streaming and OTT service companies to better understand how well prepared these platforms are for cyberattacks. Participants included broadcasters, publishers, studios, content owners, D2C platforms, aggregators, and sports leagues. Although these attack types differ, they are often used in a coordinated fashion. Our survey found that most streaming services have most likely already suffered from a security breach:
- 80% of our survey participants said they are not prepared for DDoS and Application Attacks
- 50% said security breaches had corrupted their service’s user experience
- 30% of respondents said a security breach that had caused a service outage
- 14% of respondents said their content had been misappropriated
Even streaming services with a powerful cybersecurity solution cannot afford to let their guard down by becoming complacent. Cybercriminals are relentless and will continue to bombard streaming platforms with attacks until they find a vulnerability they can exploit. One of the primary ways streaming platforms can keep pace with cyber threats is by deploying cloud-based solutions. Our survey found that 30% of responders consider moving to cloud-based security solutions to help minimize security gaps. Adapting to the cloud and CDNs solutions offers streaming services greater scalability and reliability and lower operational costs than on-premise solutions.
We’re likely to see more OTT platforms move to cloud-based solutions, such as WAF, DDoS, and bot detection/mitigation. DDoS Protection is crucial as the latest data suggests it’s a matter of when, not if, a platform experiences this type of attack. Typically, specialized hardware has been used as the first line of defense against DDoS attacks, but they require regular maintenance and support, and they often struggle to keep pace with high-volume DDoS attacks. On the other hand, scrubbing stations, cloud protection, and CDN protection are fast becoming the preferred tools for these types of threats.
Additionally, phishing is one of the oldest and most successful methods for acquiring account passwords. Phishing can involve using users’ email addresses and passwords to start phishing attempts, obtain access to other accounts, or retrieve the billing and credit card information linked with the account. This is where Web Application Firewalls (WAFs) come in handy as they help in eliminating application vulnerabilities that hackers exploit in DDoS, app, credential stuffing, and phishing attacks. They protect servers by analyzing HTTP/HTTPS traffic and applying rules to conversations between the server and clients. The WAF is uniquely positioned to protect against app threats such as SQL injections and cross-scripting attacks. They can help defend against API attacks via mobile apps, malicious botnet attacks, and phishing attacks by ensuring access policies are up to date and enforced. WAF solutions effectively prevent attacks targeting Internet applications. It is worth remembering that these solutions are constantly evolving and that no tool can eliminate all the application’s vulnerabilities. It is often necessary to use more than one type of security.
Bots may become helpful in the battle against cybercriminals. Bots are most commonly thought of as tools to help consumers shop and keep support costs low for services by assisting people to self-diagnose problems. However, they have also become one of the cybercriminal’s favorite tools. Attackers use bots to orchestrate DDoS attacks and handle the massive number of login attempts required for credential stuffing attacks. We’re seeing more streaming services move to cloud-proxies for bot management solutions that are fully integrated into a cloud or CDN service provider implementation. The cloud or CDN provider handles all aspects of the bot management solution for the service provider.
One of the standard approaches to bot management is fingerprinting. The bot looks for changes in behavior, such as if the request seems right based on the browser the requester claims to be using or any unusual behavior, like keystrokes hitting faster than is humanly possible. Once a bot is detected, the security solution must be careful with dealing with the threat. Simply blocking the request or giving a standard error will alert the hacker that they have been blocked. The hacker may then resort to enhanced techniques or a different sort of attack. In this scenario, it is better to fake a response to trick the bot into thinking it has launched a successful attack.
Streaming services are vulnerable to cyberattacks, which will only grow in line with the popularity of these platforms. There is an urgent need for these businesses to work with security experts to identify the gaps between their security priorities and their preparedness and implement robust security solutions to minimize the risk of content and user data falling into the hands of cybercriminals.
About the Author
Darren Lepke is the Head of Video Product Management for Verizon Media. With over 15 years of technology leadership, Lepke has built a proven track record in product management, marketing, and business development. He has deep technical knowledge in software development (large scale cloud SaaS, mobile apps, connected device applications), web services APIs, online advertising, streaming media formats, and metadata management.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.