Not So Fast: Valuable Lessons from the FastCompany Hack

When FastCompany's website was hacked late Tuesday night, it sent shockwaves through the media world, underscoring the importance of routine cybersecurity inspections for media companies. Now, in the wake of the prominent hack, media companies are scrambling to secure their content management systems.

So, what happened and how?

Well, the hacker (who went by the name "postpixel") managed to infiltrate FastCompany’s content management system (CMS) and post stories that looked like they were from FC’s editorial team. They also hijacked FastCompany's Apple News feed (a first), broadcasting obscene push notifications replete with racial slurs and, uh, an “invitation for a particular sexual act,” according to The Verge.

In a statement, FastCompany responded with the following:

“The messages are vile and are not in line with the content and ethos of FastCompany. We are investigating the situation and have shut down fastcompany.com until the situation has been resolved.”

As of this writing, Fast Company was still offline.

Source: FastCompany

In a warning of sorts, the hacker also left a message to FastCompany’s readers, detailing their execution of the hack while criticizing FC’s feeble attempts at security remediation:

Source: FastCompany via The Verge

According to “postpixel,” they were able to gain access to FastCompany's systems by exploiting an insecure password shared by an FC site administrator. They also claimed to have traded FC’s data in a forum for black-hat hackers, including sharing records on FastCompany employees and even sharing unpublished FastCompany articles.

This may be headline news today, but this is just the latest hack in a string of cyberattacks on media companies. In recent months, both The New York Times and The Wall Street Journal have reported that their systems had been compromised by hackers. You can bet that there will soon be a new headline to replace FastCompany.

The bottom line: These incidents serve as a reminder that media companies need to take steps to secure their data and protect their employees.

Most of all…

Trust No One.

In the wake of high-profile hacks at major media companies like Fast Company, it's clear that traditional approaches to cybersecurity are no longer enough. One of the most important things companies can do to protect themselves is to implement stronger internal security models.

The shocking conclusion tech and media companies are just now coming to terms with is that people are the weakest links in security. As a result, they’re taking a firm “trust no one” stance.

The security buzzword for this is “Zero Trust,” which simply assumes that a company can be breached no matter what, including by its own unwitting users. The un-named FastCompany “administrator,” for instance, shared passwords inside the firm.

With zero trust, every user and every device is treated as a potential threat. This means that all traffic must be authenticated and authorized, regardless of where it's coming from. What’s more, a core component in a proper zero-trust environment is behavioral analysis. In a nutshell, your software should monitor network behavior and flag suspicious activity. This makes it much harder for hackers to gain access to a company's network because they would need to have valid credentials each step of the way.

Zero trust also includes comprehensive vulnerability management. This means regularly scanning for vulnerabilities and patching them as soon as possible. Behind the scenes, I’d wager that FastCompany is arguing over how to best implement new security measures and protect itself from future attacks.

But creating a new security architecture is no easy task, especially for a major media company. For FastCompany, it will likely involve completely gutting its current system and renovating it from top to bottom. That will require education and buy-in from FastCompany’s senior leadership, middle management, and even its freelancers.

We have some advice, if you’re listening, FastCompany…

So You’ve Been Pwned. What to Do Next.

Every journey begins with a single step. For FastCompany, one of the most important things it (and other media companies) can do is to regularly inspect their cybersecurity protocols and make sure they are up to date. This includes ensuring that passwords are strong and, ahem, not openly shared and/or reused across multiple accounts.

While it may seem like I’m picking on FastCompany, it’s just one example – this type of attack could happen to any media outlet. In order to protect themselves, media companies need to make sure they have a robust vulnerability management program in place.

Vulnerability management is all about identifying, prioritizing, and fixing security flaws within an organization's systems. If a media company doesn't have a good handle on its vulnerabilities, it’s leaving itself wide open to attack.

There are a few key things that all media companies should do to shore up their defenses:

• Conduct regular security audits: By regularly assessing their systems for vulnerabilities, media companies can stay ahead of the curve and fix any problems before they're exploited.
• Keep software up to date: Relying on outdated software makes it easy for hackers to gain access to a company’s systems. Make sure all software is up to date. This way, media companies can close off this avenue of attack.
• Educate employees: Hackers often exploit human error through social engineering to gain access to systems. By educating employees on security best practices, media companies can make it much harder for hackers to succeed, even if they’ve already breached their walls.
• Implement strong security controls: FastCompany's hack highlights the importance of having strong security controls in place. By implementing measures like two-factor authentication (2FA), media companies can make it much more difficult for hackers to gain access to their systems.
• Plan for the worst: No matter how many safeguards a media company puts in place, there's always a chance that they could be hacked. That's why it's important to have a plan in place for how to handle a breach if one does occur.

In today's world, it's not enough to simply have strong security measures in place.

Organizations also need to constantly monitor their systems for vulnerabilities that could be exploited by hackers.

In the wake of the FastCompany hack, it's also important for media companies to consider how they share information internally. In many cases, it may be necessary to restrict access to certain sensitive data or conversations to a smaller group of people.

By taking proactive measures to address vulnerabilities, media companies like FastCompany can dramatically reduce their chances of being hacked and safeguard their content from being hijacked by malicious actors.

Also published here