Lessons To Be Learned From The Sony Hack

UPDATE: Sony Pictures Co-Chair Amy Pascal has stepped down in the wake of the cyberattack.

It seems that most of the mainstream media are concerned these days with attributing the Sony hack to North Korea, a recently discharged insider, some lone hackers, or a combination thereof.

What hasn't been discussed much is just how badly Sony was penetrated and the ramifications to not only the executives of the company, but to the rank-and-file and to individuals who don't work for Sony directly, but were contractors or vendors at some point in time, even before The Interview was conceived. The posted data included trade secrets, details of sexual harassment complaints (including the names of the alleged perpetrators AND victims), personal data of contractors (including names, social security numbers, addresses, and phone numbers), personal medical information (one executive takes an ADHD medication - not the sort of detail that inspires confidence in the board room, presumably), and much, much more.

The bottom line, then, is that this attack nearly redefines the term "owned". Even though the released data represents a small portion of the data that the attackers claim to have stolen, it still ripped open many wounds; some embarrassing, and some potentially very harmful.

So what can we learn from this?

Encrypt sensitive data and prevent it from being read by those who don't need to read it.

This might seem to be an obvious recommendation from someone who works in the encryption field, but it's an absolutely valid observation. The data that was compromised included data from Human Resources, Finance, the Executive team, and more. No one at Sony Pictures should have been able to access all of that data.

In intelligence, this is called "compartmenting"; in the military, it's called "need to know". One of the theories concerning the attack is that a recently fired systems admin provided the access to the data. The absolutely unmistakable takeaway from this is that no one user should have access to all that data, and no admin should have been able to read the contents of these files at all. The best way to prevent this is through encryption with associated access control: the keys that unlock a department's data stay with that department, not with whoever runs the servers. Admins could have been provided with the tools to do their job while being prevented from reading (and copying) data - this is especially important when considering a potential compromise of a trusted admin's credentials.
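As an added illustration of that model (not code from the original post), the toy vault below stores only ciphertext, each department holds its own data key, and the admin role holds no data key at all, so it can back up and restore records without being able to read them. The role table, department names, and the HMAC-SHA256 counter-mode cipher are constructed for the example; in practice you would use AES-GCM from a vetted library and a real key-management service.

```python
"""Need-to-know enforced by encryption plus access control (illustrative).
HMAC-SHA256 in counter mode stands in for a real AEAD such as AES-GCM;
the point shown is the separation of key custody from data custody."""
import hashlib
import hmac
import os

def _derive(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC subkeys from one department key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def encrypt(dept_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    stream = _keystream(_derive(dept_key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_derive(dept_key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag           # layout: 16-byte nonce | body | 32-byte tag

def decrypt(dept_key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(dept_key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("wrong department key or tampered record")
    stream = _keystream(_derive(dept_key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

class Vault:
    # Holds ciphertext only; no key material ever passes through it.
    def __init__(self):
        self.records = {}
    def store(self, name: str, blob: bytes) -> None:
        self.records[name] = blob
    def backup(self) -> dict:
        return dict(self.records)   # an admin task that needs no data key

# Hypothetical role table: which department keys each role may use.
ROLE_KEYS = {"hr_analyst": {"hr"}, "controller": {"finance"}, "sysadmin": set()}

def read_record(role: str, dept: str, name: str, vault: Vault, dept_keys: dict) -> bytes:
    """Decrypt a record only if the role is cleared for that department's key."""
    if dept not in ROLE_KEYS.get(role, set()):
        raise PermissionError(f"{role} is not cleared for {dept} data")
    return decrypt(dept_keys[dept], vault.records[name])
```

A sysadmin who copies the whole vault, or whose credentials are stolen, walks away with ciphertext only; the HR analyst reads the record, and a finance key fails the tag check instead of yielding garbage.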

After the earthquake, rebuild the city.

Sony had seen their fair share of breaches before - albeit in other areas of the company - but still hadn't taken these warning signs as reason to shore up their information security company-wide. Sony Entertainment may very well have considered themselves a low-risk target; after all, they aren't a financial institution, where most attacks are concentrated. However, motivation can spring from many places, and more than a few companies have been compromised by frustrated (ex-)employees, competitors, and others looking to steal trade secrets, gather information for spear-phishing attacks, or gain access to networks from which to stage DoS attacks or the like. In other words, everyone can be a target, and not every motive is predictable and obvious before the attack occurs.

Some time ago, I set up a honeypot server - just to see what would happen. Within 12 hours of it being set up, and with no notification to anyone or anything that it was running, it was being probed nearly constantly, and its weak root password was used roughly every hour. Most of the intruders downloaded DDOS malware to the system. They didn't know who owned the server, and didn't care. Bottom line, anything connected in any manner to a network is potentially vulnerable. Protect it!

Don't underestimate the tangible and intangible costs of a breach.

Sony at one point essentially considered breaches to be part of the cost of doing business and not worth the investment to protect against.

Of course, they also likely never considered a hack of this magnitude and the direct and collateral damage that resulted. Presumably, they have rethought this stance and are spending the money to shore up their defenses now, which is something they can plan and budget for. They can estimate revenue loss from The Interview and other, similar losses. A dollar amount can be affixed to the costs to refit their corrupted servers and workstations.

But how can you estimate the intangible costs associated with the breach?

What if vendors decide they don't want to work with Sony after their information was breached, or if they raise their prices in response to the perceived risk of doing said business? How many disparaged movie stars, directors, and other industry professionals will refuse to work on their projects? How many lawsuits will be filed by Sony's employees and contractors, and how much negative publicity surrounding these will further tarnish Sony's name? All of these are costly in one form or another, and assuredly well above and beyond anything that Sony imagined.

Update: Speaking of tarnished names, Amy Pascal has stepped down.

Those who do not learn from history are doomed to repeat it.

As IT and security professionals, we must learn not only from our own mistakes, but from those made by others. While circumstances change from company to company and network to network, much of what is being done elsewhere is surely applicable to your environment, in theory if not in outright practice. This is why industry groups such as ISSA and InfraGard are invaluable: security professionals can exchange their experiences in defending data, and everyone benefits. Not only can we learn what to do, we can also learn what NOT to do.