The scope of the recent hack of Sony Pictures — in which unidentified infiltrators breached the Hollywood studio’s firewall, absconded with many terabytes of sensitive information and now regularly leak batches of damaging documents to the media — is only beginning to be grasped. It will take years and perhaps some expensive lawsuits too before anyone knows for certain how vast a problem Sony’s digital Valdez may be.[shortcode ieee-pullquote quote=""The new approach today that people have shifts away from prevention — which everyone knows is not achievable — to a focus on attack sequence and consequence."" float="right" expand=1]
But the take-away for the rest of the world beyond Sony and Hollywood is plain: Being cavalier about cybersecurity, as Sony’s attitude in recent years has beencharacterized, is like playing a game of corporate Russian roulette.
According to a new study of the Sony hack, one lesson learned for the rest of the world is as big as the breach itself. Namely, threat-detection is just the first step.
Snuffing out malware, trojans and phishing attacks is of course an important front line battle, but that battle is only one front of a multi-front war. For instance, any organization that thinks cybersecurity is as simple as installing and regularly updating their anti-virus software risks similar nightmare scenarios as what Sony Pictures now stares down.
Fengmin Gong, chief strategy officer and co-founder of Santa Clara, Calif.-based Cyphort security, says today the best security strategies also include continuous monitoring of their networks for suspicious movements of their most carefully guarded data. Security is best, in a sense, presuming that security sometimes fails.
“The new approach today that people have shifts away from prevention — which everyone knows is not achievable — to a focus on attack sequence and consequence,” he says.
So a company that follows his approach, he says, might build a security strategy in which some leakiness is expected. After all, in age of pervasive connectivity, from laptops and servers to smartphones and tablets to wearables and smart appliances, it’s increasingly pie-in-the-sky to suppose that a group of determined hackers couldn’t find holes somewhere in a target company’s networks.
Instead, Gong says, the smart company expects occasional hacks to get through but also knows what digital assets it values most. And those are the nodes, computers and networks it monitors most closely. The reported terabytes worth of Sony Pictures scripts, films, spreadsheets, marketing and sales data and communications that hackers downloaded — clearly a centerpiece of the company’s revenues — would never be shipped out through company networks without network monitors also discovering such a massive breach, he says.
And it’s not just Hollywood studios that need to shift their thinking, he says. (Though Gong says he has also been consulting lately with another prominent Hollywood studio, who he says are applying similar lessons learned to develop smarter cyber security practices.)
For instance, Target and Home Depot suffered recent security breaches in their point-of-sale (POS) networks, leading to many customers’ credit card numbers and other sensitive information being released.
“Today we have to make assumptions that something could fail,” he says. “Continuous monitoring allows you to watch what is the data movement into and out of your POS system. That’s what we mean by focusing on consequences. [Y]ou want your organization to be the first one to realize something just happened or is happening. Then you can contain the damage and anything else. Right now the problem is people getting told by someone else many months later that something happened. Then the damage is already done.”
In Sony Pictures’ case, Gong says, the structure of the malware itself also points to a larger systemic security failure at the company. Some of the malware files, as Cyphort’s report details, actually contain Sony Pictures’ employees usernames and passwords already hard-coded into the malware scripts.
That means there’s at least one earlier round of security breaches at Sony that haven’t yet been fully uncovered — because the authors of the malware must have somehow previously obtained these usernames and passwords in order for them to be able to write and upload the malware they used for the current breach.
“When this [breach] happened, it happened over multiple points in time,” Gong says. “We see the hope that if people start adopting these new approaches to their security posture, we feel confident these things would have been discovered and stopped earlier than what is happening now.”
Margo Anderson is the news manager at IEEE Spectrum. She has a bachelor’s degree in physics and a master’s degree in astrophysics.