Nov 5, 2014 - Sony Pictures Hacked
Last week Sony admitted to having suffered a major cybersecurity breach; hackers not only erased data from its systems, but also stole, and released to the public, pre-release movies, people's private information, and sensitive documents. Near-hysterical articles began to appear in the press – portraying the breach as heralding a new generation of super-sophisticated attacks that could cripple any major corporation and harm its employees if both did not succumb to the wishes of criminals. Much of this, however, is grossly exaggerated.
So here’s the truth that you need to know, and my take on what you should – and should not – do:
Claim #1: The attack was an “unparalleled crime” that was “unprecedented in nature.” Such a claim was allegedly made by Kevin Mandia, the head of Mandiant, the cybersecurity group that Sony retained to investigate the breach and help prevent future such breaches, and relayed in a memo to Sony employees from its CEO. Among the “unprecedented” elements of the attack, they claimed, was the fact that the malware used was not detectable by antivirus programs.
Reality: Characterizing the attack as “unprecedented” or “unparalleled” might be an attempt to help shield Sony from liability, but it does not seem to reflect reality. Malware that has been undetectable by its contemporary anti-virus checkers has been around for over two decades. In fact, for many years, a large percentage of new viruses were undetectable by anti-virus software until cybersecurity companies found them propagating and damaging computers, and subsequently created signatures to detect them.
I experienced this personally. In the late 1990s, a virus infected my team’s network at the firm at which I was working at the time, which had standardized on the anti-virus software sold by a particular major vendor. To clean up the mess, I literally walked to the nearest Egghead Software (remember them?), bought another vendor’s offering (that had updated its downloadable signatures for the particular virus in question faster than had our group’s standard security tool), and ran it that one time.
Attacks that both steal and wipe data – as occurred at Sony – are also not new. In fact, the Sony attack reminds me very much of Shamoon, a virus discovered a couple of years ago that also steals data and wipes it from its lawful hosts, which wreaked havoc at the Saudi oil company, Aramco.
Unless someone presents evidence to the contrary, the attack on Sony does not seem unprecedented or unparalleled.
Claim #2: This attack was a major crime that the FBI is investigating.
Reality: Under US law the attack certainly seems like a crime, which is why the FBI is involved. But the perpetrators may have been foreign. North Koreans – either working for their government or in support of its positions – are, in fact, primary suspects; Sony is a logical target as it has been preparing to release a movie that various North Koreans have stated they find offensive. I am certainly no expert on North Korean law, but, if its laws permit, or encourage, the attacking of parties who make light of the North Korean Supreme Leader, as Sony’s movie allegedly does, the perpetrators may have not only been acting in accordance with their local laws, they may have been seeking to enforce them. To the hackers, Sony may have been a perfectly legitimate target. As such, were their actions really a crime, or were they simply an act of war?
Before answering, keep in mind that American agents may have also created and spread malware onto commercial computer systems and networks for intelligence gathering purposes.
Either way, there is an important lesson to learn: In today’s world you should realize that outside parties, including some sponsored by resource-rich parties such as nation states, might target you or your employer with cyberattacks, so protect your systems and valuable data accordingly.
Claim #3: Sony’s employees, and various celebrities, were collateral damage of this attack.
Several articles bemoaned the fact that innocent bystanders suffered along with Sony – having their private data leaked onto the internet, and in some cases being threatened as well.
Reality: Demoralizing Sony’s employees and thereby reducing their productivity, instilling fear in Sony’s employees and causing celebrities to fear working with Sony, and creating opportunities for employees and others to potentially sue Sony are all tactics intended to seriously hurt Sony, which seems to be the primary goal of this attack. To attackers, Sony’s employees are to the corporation what soldiers are to the Armed Forces: they are not bystanders, but people who have chosen to be the lifeblood of the organization without which the firm cannot function. Likewise, celebrities are often Sony’s de facto business partners. It should come as no surprise, therefore, that these people were targeted, nor is this unprecedented or unparalleled; attacks by the hacker group Anonymous, for example, involved leaking personal files belonging to people associated with organizations that the group had selected for attack.
Lesson: It may be wise to ask your employer’s HR department how any data the firm stores about you is protected, and to seek data protection assurances from businesses with which you do business.
Claim #4: There is nothing that Sony could have done to prevent this attack other than not producing a movie out of fear of reprisals.
Reality: Almost a decade ago, Sony was warned about potential deficiencies in its information security program, including the use of weak passwords. In 2011, Sony suffered a major breach of its PlayStation Network. Were adequate changes put into place since then? How well did Sony actually protect its data if hackers managed to steal a treasure trove of materials including unreleased movies – perhaps the crown jewels of Sony’s data assets requiring protection – as well as highly confidential documents including salary schedules, lists of social security numbers, and even private, sometimes embarrassing, communications? Was everything stored in a properly encrypted format, with people given access to only those materials that they needed in order to perform their jobs? We may never know the answers to these questions. Some of the documents leaked, however, seem to show that Sony employees were using weak passwords and that poor data management policies were in place, raising questions about how much the firm actually learned from its experiences. Data belonging to another firm may also have been inappropriately stored on Sony computers. Was that the result of poor policy or poor enforcement? One must also wonder: how did the malware enter Sony’s infrastructure in the first place? Was human error a factor?
Consider how difficult it is to sneak into a Sony executive's office or onto the set of a movie Sony is producing. Did Sony treat its data security with the same level of concern as it does physical security?
Lesson: Sophisticated attackers can inflict serious harm if you are not proactively vigilant with information security. Don’t make it easy for them.
Claim #5: Sony was exceptionally vulnerable.
Reality: A tremendous number of businesses would likely suffer the same fate as Sony did – or worse – if targeted with a similar attack. While cybersecurity has attracted plenty of attention in recent years, and related budgets have grown, the reality is that far fewer resources are expended on cybersecurity than are actually needed. How many firms can truly claim that all of their data is properly secured and accessible only to parties that actually need it, and that all employee passwords are properly constructed?
Lesson: Cybersecurity is important. As Sony and others have learned this year, an ounce of prevention may be worth many tons of cure. So, act now.