CIOs and CISOs Can Learn From the Massive Sony Data Breach
Rachael King and Steven Norton
Reporters, The Wall Street Journal December 5, 2014
The destructive cyberattack at Sony Pictures Entertainment represents a major shift in the techniques and motivations attackers use, security experts say. As this shift occurs, technology executives may need to rethink how they manage and protect broader swaths of information across increasingly complex and interconnected networks.
The Sony attack "represents a kind of seismic shift in the techniques we see some of these attackers use," said Greg Bell, the U.S. leader for cyber services and information protection at KPMG. Until recently, the firm has mostly seen the theft of information, such as credit card numbers, that could then be sold on the black market. It has since been tracking more cases involving wide-scale destruction or modification of data, with no other apparent purpose in mind.
The Sony case illustrates that money is no longer the sole motivator for an increasing number of attackers, Mr. Bell said. The attack on Sony - which some experts say could be the work of the North Korean government looking to express its unhappiness with Sony's new comedy about their country - simply may have been motivated by the desire to do harm or embarrass a firm, rather than steal information for financial or strategic gain.
The Sony Pictures breach extracted a huge amount of sensitive data, including the Social Security numbers of more than 47,000 current and former employees and some Hollywood celebrities, the Journal's Ben Fritz and Danny Yadron reported. Identity Finder LLC analyzed 33,000 documents, many of them stored in Microsoft Excel files without password protection, according to the WSJ. Sony declined to comment.
Companies can learn from Sony's experience, which underscores how important it is for them to understand the particular information that is stored in their various IT systems, and to provide extra protection where necessary. One way companies can do this is by doing data discovery on their own systems before an attack ever happens, said Eric Cole, cyberdefense curriculum lead at SANS Institute, a cybersecurity research and education organization. Data loss prevention tools can automate about 85% to 90% of that task. Those tools can unearth sensitive information such as Social Security numbers or corporate financial information that might be stored in an insecure manner.
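The data-discovery step Dr. Cole describes can be illustrated with a small scanner. The following Python is an added example written for this page, not a SANS, Identity Finder or Sony tool: it walks a directory, looks for Social Security numbers inside plain text and inside unprotected Excel-style archives, and reports which workbooks are password-protected and therefore cannot be read in the clear. The sample files are constructed inline; the SSN filter applies the Social Security Administration's issuance rules (no area 000, 666 or 900 and above, no all-zero group or serial) to cut false positives, and the "protected" workbook is recognised by its OLE container signature, which is how password-protected Office 2007+ files are stored.

```python
"""Added example: a minimal data-discovery scanner that flags files holding
Social Security numbers in the clear. Sample files are constructed below."""
import io
import os
import re
import tempfile
import zipfile

# Loose match first; each hit is then checked against SSA issuance rules so that
# employee IDs, phone fragments and similar look-alikes are dropped.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

# Container signatures. An unprotected .xlsx/.docx is a ZIP archive; a
# password-protected one is an OLE compound file wrapping an EncryptedPackage stream.
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OOXML_EXT = (".xlsx", ".docx", ".pptx")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject area 000/666/900-999 and all-zero group or serial: never issued by the SSA."""
    a = int(area)
    if a in (0, 666) or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list:
    """Return structurally valid SSNs in text, normalised to NNN-NN-NNNN."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text) if is_valid_ssn(a, g, s)]


def classify(name: str, data: bytes) -> str:
    """'encrypted' = password-protected OOXML, 'plain' = readable archive, 'text' = anything else."""
    if name.lower().endswith(OOXML_EXT) and data.startswith(OLE_MAGIC):
        return "encrypted"
    if data.startswith(ZIP_MAGIC):
        return "plain"
    return "text"


def scan_bytes(name: str, data: bytes) -> dict:
    """Scan one file: look inside readable archives (sheet XML, shared strings), else raw text."""
    kind = classify(name, data)
    hits = []
    if kind == "plain":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for entry in zf.namelist():
                if entry.endswith(".xml"):
                    hits += find_ssns(zf.read(entry).decode("utf-8", "ignore"))
    elif kind == "text":
        hits = find_ssns(data.decode("utf-8", "ignore"))
    return {"status": kind, "ssns": sorted(set(hits))}


def scan_tree(root: str) -> dict:
    """Walk a directory and report, per file, protection status and the SSNs found."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            report[rel] = scan_bytes(rel, data)
    return report


def build_sample_tree(root: str) -> None:
    """Constructed sample data: one clear-text CSV, one unprotected workbook, one protected one."""
    os.makedirs(os.path.join(root, "hr"))
    with open(os.path.join(root, "hr", "payroll.csv"), "w") as fh:
        fh.write("name,ssn,phone\n")
        fh.write("A. Example,123-45-6789,555-123-4567\n")   # valid SSN; the phone must not match
        fh.write("B. Example,000-12-3456,555-987-6543\n")   # area 000 is never issued: ignored
        fh.write("C. Example,219 09 9999,555-000-0000\n")   # space separators still count
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:   # minimal stand-in for an unprotected .xlsx
        zf.writestr("xl/sharedStrings.xml",
                    "<sst><si><t>078-05-1120</t></si><si><t>123-45-6789</t></si></sst>")
    with open(os.path.join(root, "hr", "talent.xlsx"), "wb") as fh:
        fh.write(buf.getvalue())
    with open(os.path.join(root, "hr", "protected.xlsx"), "wb") as fh:
        fh.write(OLE_MAGIC + b"\x00" * 64)   # stands in for a password-protected workbook


def demo() -> dict:
    """Build the sample tree in a temporary directory, scan it and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, result in sorted(demo().items()):
        print(f"{path:20} {result['status']:10} {len(result['ssns'])} SSN(s) {result['ssns']}")
```

Run against a real file share the scanner would be pointed at the share root instead of the constructed tree; the useful output is the list of files whose status is "plain" or "text" and whose SSN list is non-empty, since those are the ones that need moving, encrypting or access-restricting before an attacker finds them. A production DLP product adds many more detectors, but the validation step matters even here: without the issuance rules, every ten-digit number on the share becomes a false positive.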
Another problem is making too much data available on one network. Companies today often push for integrated environments, making data available for use by many people on many systems, said Jay Heiser, an analyst at research firm Gartner Inc., in an email. "There is huge productivity benefit in this, but the issue it raises is the potential for single points of failure," he added.
The malicious software that wiped data off an unknown number of Sony Pictures servers and interrupted communications appeared to spread quickly, which may have indicated that there wasn't enough segmentation in the network, said Dr. Cole. Even critical services like email can be segmented. Instead of having one mail server with 80,000 accounts, a company might want to create 10 servers with 8,000 accounts each. "If one gets hit, then it doesn't take down the whole organization," he added.
In Sony's case, the malware capitalized on existing basic tools resident in the Microsoft operating system, masking its operations as seemingly normal system behavior, said Carl Wright, president and general manager at TrapX Security and former chief information security officer for the U.S. Marine Corps. The malware traveled laterally very rapidly through the network where each computer would order the wipe of the computer next to it in a domino effect, he said.
Technology is rapidly evolving to boost visibility of this so-called east-west traffic, but many companies still lack the necessary visibility into those movements, said Tim Eades, CEO of security company vArmour.
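The east-west visibility Mr. Eades refers to, and the domino-style spread Mr. Wright describes, can be turned into a concrete detection. The following Python is an added example written for this page, not code from vArmour, TrapX or any product named in the article. It reads constructed internal flow records (timestamp, source, destination, destination port), flags any host that opens remote-administration connections (SMB, RPC, RDP, WinRM) to five or more distinct peers inside a two-minute window, and then links flagged hosts into a chain when a host that was reached by an earlier flagged host starts spreading itself. The log lines, addresses, threshold and window are all assumptions chosen for the demonstration.

```python
"""Added example: detecting fast lateral spread in east-west flow records.
The sample log below is constructed; thresholds are illustrative."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ADMIN_PORTS = {135, 139, 445, 3389, 5985}   # RPC, NetBIOS, SMB, RDP, WinRM
FANOUT_THRESHOLD = 5                        # distinct peers on admin ports ...
WINDOW = timedelta(minutes=2)               # ... within this sliding window

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

# Constructed sample: 10.1.1.5 fans out over SMB, 10.1.1.7 (one of its victims) then
# fans out itself; 10.1.9.9 is an admin touching six hosts slowly over an hour.
SAMPLE_LOG = """
2014-12-01T03:00:00Z src=10.1.1.5 dst=10.1.3.3 dport=443
2014-12-01T03:00:05Z src=10.1.1.5 dst=10.1.1.6 dport=445
2014-12-01T03:00:10Z src=10.1.1.5 dst=10.1.1.7 dport=445
2014-12-01T03:00:15Z src=10.1.1.5 dst=10.1.1.8 dport=445
2014-12-01T03:00:20Z src=10.1.1.5 dst=10.1.1.9 dport=445
2014-12-01T03:00:25Z src=10.1.1.5 dst=10.1.1.10 dport=445
2014-12-01T03:00:40Z src=10.1.1.7 dst=10.1.2.1 dport=445
2014-12-01T03:00:45Z src=10.1.1.7 dst=10.1.2.2 dport=445
2014-12-01T03:00:50Z src=10.1.1.7 dst=10.1.2.3 dport=445
2014-12-01T03:00:55Z src=10.1.1.7 dst=10.1.2.4 dport=445
2014-12-01T03:01:00Z src=10.1.1.7 dst=10.1.2.5 dport=445
2014-12-01T03:10:00Z src=10.1.9.9 dst=10.1.1.20 dport=3389
2014-12-01T03:25:00Z src=10.1.9.9 dst=10.1.1.21 dport=3389
2014-12-01T03:40:00Z src=10.1.9.9 dst=10.1.1.22 dport=3389
2014-12-01T03:55:00Z src=10.1.9.9 dst=10.1.1.23 dport=3389
2014-12-01T04:10:00Z src=10.1.9.9 dst=10.1.1.24 dport=3389
2014-12-01T04:25:00Z src=10.1.9.9 dst=10.1.1.25 dport=3389
"""


def parse(text: str) -> list:
    """Parse flow lines into (time, src, dst, dport) tuples, sorted by time."""
    flows = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # skip anything that is not a flow record
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        flows.append((ts, m["src"], m["dst"], int(m["dport"])))
    flows.sort()
    return flows


def detect_fanout(flows: list) -> dict:
    """Per source, keep a sliding window of admin-port peers; alert once the count hits the threshold."""
    recent = defaultdict(deque)   # src -> deque of (time, dst) inside the window
    alerts = {}
    for ts, src, dst, dport in flows:
        if dport not in ADMIN_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        peers = {d for _, d in q}
        if len(peers) >= FANOUT_THRESHOLD and src not in alerts:
            alerts[src] = {"at": ts, "peers": sorted(peers, key=ipaddress.ip_address)}
    return alerts


def detect_chain(flows: list, fanout: dict) -> list:
    """Link parent -> child where a flagged host reached the child before the child began spreading."""
    first_out = {}   # host -> time of its first outbound admin-port connection
    first_in = {}    # host -> (time, src) of first admin-port connection from a flagged host
    for ts, src, dst, dport in flows:
        if dport not in ADMIN_PORTS:
            continue
        first_out.setdefault(src, ts)
        if src in fanout:
            first_in.setdefault(dst, (ts, src))
    chain = []
    for child in fanout:
        if child in first_in and first_in[child][0] <= first_out[child]:
            chain.append((first_in[child][1], child))
    return sorted(chain)


def analyze(text: str) -> dict:
    """Full pipeline: parse, flag fan-out sources, then reconstruct the spread chain."""
    flows = parse(text)
    fanout = detect_fanout(flows)
    return {"fanout": fanout, "chain": detect_chain(flows, fanout)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for host, info in result["fanout"].items():
        print(f"fan-out: {host} reached {len(info['peers'])} peers by {info['at']:%H:%M:%S}")
    for parent, child in result["chain"]:
        print(f"chain:   {parent} -> {child}")
```

The slow administrator is the point of the window: 10.1.9.9 touches six machines, more than the patient-zero host does, but never more than one inside any two-minute span, so it is not flagged. Real east-west telemetry (NetFlow, switch span ports, host firewall logs) would feed the same two rules, and the chain output is what an incident responder wants first, because it says which host to isolate to stop the next hop.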
Preparing for attacks of this nature will also involve significant changes to security culture at companies, said KPMG's Mr. Bell. Training and education programs, clearly articulated response plans, increased threat intelligence capabilities and buy-in from the board of directors are among the critical elements that companies will have to address. "As opposed to saying just deploy this new technology or new process, we really will have to think more broadly about whether we have the right strategy or approach," he said.
About SANS Institute
The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions worldwide. Renowned SANS instructors teach over 50 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates employee qualifications via 30 hands-on, technical certifications in information security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system, the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (http://www.sans.org)