Small business security stories: CineSoft.

We are starting a series of articles “Small business security stories” in which executives of formally small business companies talk about the role of IT and particularly data protection in their activities. Today we are going to speak about CineSoft, the Russia-based developer of the ERP-system Cerebro. This is a media project management software with a wide set of tools for collaboration on visual content. The users of the solution are, respectively, motion picture studios, television networks, advertisers and video game producers.

The organization of data protection in companies depends almost entirely upon those employed and the way they deal with information technologies. Nevertheless, it is logical to presume that companies in IT business may boast of a higher level of protection than, for example, any car service station. But it is still an open question if their protection is really flawless.

CineSoft develops software for media content producers. The company is a positive example of a small organization of only nine employees with an extremely scrupulous attitude towards protecting not just the company’s IT perimeter but their clients’ as well.

“Our main product is a SaaS called Cerebro, it is a project management system for computer graphics and animation producers. In addition, we develop and maintain other programs as “individual projects”, but they all relate to storing and distributing media content in a way”, the head of the company Konstantin Kharitonov said. “Movies, videos, photos and music. In our case, for instance, Cerebro is used to store “fragmented” movies and cartoons for animators and special effects artists to work with. In our other products the media content can imply something different. For example, we developed two systems for Cinelab. The first one was to deliver new movies and trailers in DCP format (Digital Cinema Package) via satellite communications to Russian movie theaters. The second was a program to inventory and store cinema and video archives where the media content does not comprise only movies and trailers, but posters, audio tracks in different languages, either. The media content in general is the picture and the sound”.

According to Kharitonov, their customers have to deal with huge amounts of data. For example, one movie frame of “industrial” quality is 12 Mb, and there should be 24 of them per second, that means a 90 minute movie is as big as 1.5 Tb. Cerebro is adapted to operate with that much information (including data transmission over a distance).

In addition, the software complex processes users’ personal data:

“Cerebro stores users’ personal data – their names, phone numbers, email addresses. The database contains metadata of files and projects. But the files of most users are stored on their local servers”, Kharitonov explained. “Moreover, Cerebro is available not only as a cloud or hybrid SaaS, but as a classic client server system entirely with the client company. By the way, more than half of our customers chose this configuration“.

Data processing requires protection, and CineSoft shows a serious approach to the problem. According to Konstantin Kharitonov, information is particularly backed up in two physical locations. The data (personal data and some metadata) are encrypted during storage and transmission (metadata and files) using the SSL protocol; files are transferred by means of a proprietary binary protocol with optional SSL and user certificates implementation.

With regard to information threats Kharitonov said that “reasonably sufficient” measures were being taken. On the server side there are neatly configured firewalls, a VPN, SSL keys for remote administration without password, protection from brute force. On the client side there are passwords generated on first login, a weekly saved password reset on the desktop client, the ability to login without a password using Active Directory, password policies, SSL and user certificates for encrypted transmission of files and metadata.

“There are no absolutely secure systems in the world, so any developer should set the level that corresponds to the economic value of the data to be protected” Kharitonov said. “An excessive degree of protection harms user-friendliness. Well, I think, there is no need to talk much about the insufficient level of protection. So we try to provide a reasonable balance between the degree of protection and usability”. 

Answering the question about his assessment of the likelihood of targeted attacks at CineSoft’s infrastructure, Kharitonov said that they were very unlikely as there were no significant financial benefits to potential intruders.

“Projects’ metadata are not very valuable for hackers and the source video files are stored on users’ local servers. They cannot be accessed by means of a cyberattack on our system. Moreover, a significant share of users prefers full local installation, and then we do not have any data on them at all. I cannot see any reason to attack us”.

Reality shows that hackers are not too interested in the way their potential victims assess the likelihood of cyberattacks. If a company has any intellectual property or – even better – someone else’s personal information, then the company already attracts cybercriminals. Cybercriminals also understand that small companies who believe that they are too small to fascinate hackers usually neglect serious protection of their infrastructures.

This naturally does not apply to CineSoft. Employees of the company are IT professionals of the highest rank who, according to Kharitonov, “would be hackers if they did not have a conscience“. So there is no need to doubt the security and reliability of their flagship software.

However, in other cases the “we-do-not-attract-hackers-because-we-are-small” approach often leads to hackers successfully abusing arrogant employees. After that companies have to spend time and big money. According to the recent study of main corporate risks by Kaspersky Lab and B2B International, a successful cyberattack may cost a large company up to $2.4 million in direct and indirect losses. The harm of small businesses is respectively less, however the loss of $92,000 (this is an average amount of damage from a cyberattack at a medium company) may lead to the collapse of the whole company.

All of this suggests that it is reasonable and ultimately thriftier to assume that the probability of a targeted attack at any company, even a small one, is significantly higher than zero, and everyone had better take protective measures in good time.