How Not to Be Sony Pictures

Lessons learned from the recent Sony Pictures hack

Sony Pictures headquarters
Photo: Getty Images

The scope of the recent hack of Sony Pictures — in which unidentified infiltrators breached the Hollywood studio’s firewall, absconded with many terabytes of sensitive information and now regularly leak batches of damaging documents to the media — is only beginning to be grasped. It will take years and perhaps some expensive lawsuits too before anyone knows for certain how vast a problem Sony’s digital Valdez may be. 

But the take-away for the rest of the world beyond Sony and Hollywood is plain: Being cavalier about cybersecurity, as Sony’s attitude in recent years has been characterized, is like playing a game of corporate Russian roulette.

According to a new study of the Sony hack, one lesson learned for the rest of the world is as big as the breach itself. Namely, threat-detection is just the first step.

Snuffing out malware, trojans and phishing attacks is of course an important front-line battle, but that battle is only one front of a multi-front war. For instance, any organization that thinks cybersecurity is as simple as installing and regularly updating its anti-virus software risks nightmare scenarios similar to the one Sony Pictures now stares down.

Fengmin Gong, chief strategy officer and co-founder of Santa Clara, Calif.-based Cyphort security, says that today the best security strategies also include continuous monitoring of networks for suspicious movements of an organization’s most carefully guarded data. Security works best, in a sense, when it presumes that security sometimes fails.

“The new approach today that people have shifts away from prevention — which everyone knows is not achievable — to a focus on attack sequence and consequence,” he says.

So a company that follows his approach, he says, might build a security strategy in which some leakiness is expected. After all, in an age of pervasive connectivity, from laptops and servers to smartphones and tablets to wearables and smart appliances, it’s increasingly pie-in-the-sky to suppose that a group of determined hackers couldn’t find holes somewhere in a target company’s networks.

Instead, Gong says, the smart company expects occasional hacks to get through but also knows what digital assets it values most. And those are the nodes, computers and networks it monitors most closely. The reported terabytes worth of Sony Pictures scripts, films, spreadsheets, marketing and sales data and communications that hackers downloaded — clearly a centerpiece of the company’s revenues — would never be shipped out through company networks without network monitors also discovering such a massive breach, he says.

And it’s not just Hollywood studios that need to shift their thinking, he says. (Though Gong says he has also been consulting lately with another prominent Hollywood studio, who he says are applying similar lessons learned to develop smarter cyber security practices.)

For instance, Target and Home Depot suffered recent security breaches in their point-of-sale (POS) networks, leading to many customers’ credit card numbers and other sensitive information being released.

“Today we have to make assumptions that something could fail,” he says. “Continuous monitoring allows you to watch what is the data movement into and out of your POS system. That’s what we mean by focusing on consequences. [Y]ou want your organization to be the first one to realize something just happened or is happening. Then you can contain the damage and anything else. Right now the problem is people getting told by someone else many months later that something happened. Then the damage is already done.”
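The consequence-focused monitoring Gong describes, watching data movement out of the assets a company values most, can be sketched as a per-host egress baseline. This is an added example, not code from the article or from Cyphort's report; the host names, addresses, flow records and thresholds are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed sample flow records: (hour, source_host, dest_ip, bytes_out).
FLOWS = [
    (0, "film-archive", "10.0.4.20", 800_000_000),        # internal backup
    (0, "film-archive", "203.0.113.10", 2_000_000),
    (1, "film-archive", "203.0.113.10", 3_000_000),
    (2, "film-archive", "203.0.113.10", 2_500_000),
    (3, "film-archive", "198.51.100.7", 4_000_000_000),   # bulk transfer out
    (0, "pos-gw", "203.0.113.50", 400_000),
    (1, "pos-gw", "203.0.113.50", 450_000),
    (2, "pos-gw", "198.51.100.7", 90_000_000),            # unusual POS egress
    (3, "pos-gw", "203.0.113.50", 420_000),
    (3, "dev-laptop", "198.51.100.7", 900_000_000),       # not a watched asset
]
HIGH_VALUE = {"film-archive", "pos-gw"}            # assumed "crown jewel" hosts
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

def egress_per_hour(flows, assets):
    """Sum bytes leaving the internal network per (host, hour) for watched assets."""
    totals = defaultdict(int)
    for hour, src, dst, nbytes in flows:
        if src in assets and ipaddress.ip_address(dst) not in INTERNAL_NET:
            totals[(src, hour)] += nbytes
    return totals

def flag_anomalies(flows, assets, factor=10, floor=50_000_000):
    """Flag hours where a watched host's egress exceeds both an absolute
    floor and `factor` times the median of its earlier normal hours."""
    totals = egress_per_hour(flows, assets)
    history = defaultdict(list)
    alerts = []
    for (host, hour), nbytes in sorted(totals.items(),
                                       key=lambda kv: (kv[0][1], kv[0][0])):
        past = history[host]
        baseline = median(past) if past else 0
        if nbytes > floor and nbytes > factor * baseline:
            alerts.append((host, hour, nbytes))
        else:
            past.append(nbytes)  # only unflagged hours feed the baseline
    return alerts

if __name__ == "__main__":
    for host, hour, nbytes in flag_anomalies(FLOWS, HIGH_VALUE):
        print(f"ALERT {host} hour={hour} egress={nbytes / 1e6:.0f} MB")
```

Flagged hours are kept out of the baseline so that a slow, sustained exfiltration does not gradually raise the threshold it is measured against.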

In Sony Pictures’ case, Gong says, the structure of the malware itself also points to a larger systemic security failure at the company. Some of the malware files, as Cyphort’s report details, actually contain Sony Pictures employees’ usernames and passwords already hard-coded into the malware scripts.

That means there’s at least one earlier round of security breaches at Sony that haven’t yet been fully uncovered — because the authors of the malware must have somehow previously obtained these usernames and passwords in order for them to be able to write and upload the malware they used for the current breach.

“When this [breach] happened, it happened over multiple points in time,” Gong says. “We see the hope that if people start adopting these new approaches to their security posture, we feel confident these things would have been discovered and stopped earlier than what is happening now.”
