
CIOs and CISOs Can Learn From the Massive Sony Data Breach


Rachael King and Steven Norton

Reporters, The Wall Street Journal
December 5, 2014

The destructive cyberattack at Sony Pictures Entertainment represents a major shift in the techniques and motivations attackers use, security experts say. As this shift occurs, technology executives may need to rethink how they manage and protect broader swaths of information across increasingly complex and interconnected networks.

The Sony attack "represents a kind of seismic shift in the techniques we see some of these attackers use," said Greg Bell, the U.S. leader for cyber services and information protection at KPMG. Until recently the firm had mostly seen the theft of information, such as credit card numbers, that could then be sold on the black market. It has since been tracking more cases involving wide-scale destruction or modification of data, with no other apparent purpose in mind.

The Sony case illustrates that money is no longer the sole motivator for an increasing number of attackers, Mr. Bell said. The attack on Sony - which some experts say could be the work of the North Korean government looking to express its unhappiness with Sony's new comedy about their country - simply may have been motivated by the desire to do harm or embarrass a firm, rather than steal information for financial or strategic gain.

The Sony Pictures breach extracted a huge amount of sensitive data, including the Social Security numbers of more than 47,000 current and former employees and some Hollywood celebrities, the Journal's Ben Fritz and Danny Yadron reported. Identity Finder LLC analyzed 33,000 documents, many of them stored in Microsoft Excel files without password protection, according to the WSJ. Sony declined to comment.

Companies can learn from Sony's experience, which underscores how important it is for them to understand the particular information that is stored in their various IT systems, and to provide extra protection where necessary. One way companies can do this is by doing data discovery on their own systems before an attack ever happens, said Eric Cole, cyberdefense curriculum lead at SANS Institute, a cybersecurity research and education organization. Data loss prevention tools can automate about 85% to 90% of that task. Those tools can unearth sensitive information such as Social Security numbers or corporate financial information that might be stored in an insecure manner.
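The data-discovery step Dr. Cole describes can be approximated with a small scanner that walks a file share and flags documents holding Social Security numbers. The example below is added here and is not code from the article or from any DLP vendor; it handles plain-text and CSV exports only (spreadsheet parsing would need an extra library), uses a constructed sample tree, and applies the SSA's published structural rules (area codes 000, 666 and 900-999 and group 00 and serial 0000 are never issued) to cut false positives.

```python
import os
import re
import tempfile

# Dashed SSN form AAA-GG-SSSS. Word boundaries stop the pattern matching
# inside longer digit runs such as phone numbers or account IDs.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the Social Security Administration never issues."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"

def scan_text(text: str) -> int:
    """Count plausible SSNs in a string."""
    return sum(1 for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups()))

def scan_tree(root: str, exts=(".txt", ".csv")) -> dict:
    """Walk a directory tree; map each file holding plausible SSNs to its hit count."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                n = scan_text(fh.read())
            if n:
                hits[os.path.relpath(path, root)] = n
    return hits

def demo() -> dict:
    """Constructed sample share: an HR export with SSN-like values and a clean note."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "hr"))
    with open(os.path.join(root, "hr", "payroll.csv"), "w") as fh:
        # one real-looking SSN, two structurally impossible ones (constructed values)
        fh.write("name,ssn\nA. Example,123-45-6789\n"
                 "B. Example,000-12-3456\nC. Example,666-01-0001\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("ticket 900-12-3456; desk phone 555-123-4567\n")
    return scan_tree(root)

if __name__ == "__main__":
    for path, count in demo().items():
        print(f"{path}: {count} plausible SSN(s)")
```

In practice the same walk would be pointed at the file servers and mailbox exports where an 80,000-account organization accumulates spreadsheets, and the hit list drives the "extra protection where necessary" the article calls for.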

Another problem is making too much data available on one network. Companies today often push for integrated environments, making data available for use by many people on many systems, said Jay Heiser, an analyst at research firm Gartner Inc., in an email. "There is huge productivity benefit in this, but the issue it raises is the potential for single points of failure," he added.

The malicious software that wiped data off an unknown number of Sony Pictures servers and interrupted communications appeared to spread quickly, which may have indicated that there wasn't enough segmentation in the network, said Dr. Cole. Even critical services like email can be segmented. Instead of having one mail server with 80,000 accounts, a company might want to create 10 servers with 8,000 accounts each. "If one gets hit, then it doesn't take down the whole organization," he added.

In Sony's case, the malware capitalized on existing basic tools resident in the Microsoft operating system, masking its operations as seemingly normal system behavior, said Carl Wright, president and general manager at TrapX Security and former chief information security officer for the U.S. Marine Corps. The malware traveled laterally very rapidly through the network where each computer would order the wipe of the computer next to it in a domino effect, he said.

Technology is rapidly evolving to boost visibility of this so-called east-west traffic, but many companies still lack the necessary visibility into those movements, said Tim Eades, CEO of security company vArmour.

Preparing for attacks of this nature will also involve significant changes to security culture at companies, said KPMG's Mr. Bell. Training and education programs, clearly articulated response plans, increased threat intelligence capabilities and buy-in from the board of directors are among the critical elements that companies will have to address. "As opposed to saying just deploy this new technology or new process, we really will have to think more broadly about whether we have the right strategy or approach," he said.
