Security Think Tank: Lessons to be learned from Sony breach

In the light of November 2014’s cyber attack on Sony Pictures, what can every company do to ensure they are more prepared for this kind of cyber assault?

While there is still some debate around how the attack on Sony was facilitated, what we do know is an attack this successful and of this magnitude will have required significant preparation and planning.

It would appear that one of three things has transpired – either it was facilitated by the acts of a malicious insider or ex-insider; it was a non-malicious insider or human error; or it was successful because of poorly configured, patched and locked-down networks.

I cannot think of a successful hack of this nature that did not rely on some kind of failing, and although it is possible that a super hacker so bright that no vulnerability needed to be exploited was behind the attack, it seems unlikely.

Whether you think the Guardians of Peace, North Korea or a bunch of hacked-off hackers are responsible, it was still a hugely successful hack and one which only came to light after the hackers themselves – or those who knew about it – chose to announce it.

We have seen that before, so it is a far from isolated turn of events. Look at retail giant Target – it was the authorities knocking on the door to tell them they had been breached, not the other way around. So there are more questions than answers, which seems to be pretty much the way it goes with these mega-breaches.

So given we do not know what truly happened, is it right to speculate about what Sony might or might not have done wrong? Or indeed what facilitated the attack? Well, possibly not; however, we can question what happened once the breach had occurred and the hackers were on the inside.

This was a sustained attack involving repeated visits, and Sony was not aware of it until it was pointed out, and that is worth discussing.

Attack saw loss of highly sensitive information

This was a wholesale scouring of the Sony digital estate and resulted in some highly sensitive and personal information being removed or destroyed, not to mention the intellectual property theft. This attack saw the loss of personal medical information of employees, as well as other highly personal material. 

It really is not shocking that many employees who have had details of their salary, their medical histories and their human resources records stolen have decided to sue. They had a right to believe their employer would keep their personal information safe, segregated and protected. The information taken was perfect for ID theft and therefore could spawn a thousand further frauds or cyber crimes.

Once the attackers had found their way in, they took time to build a picture of the network architecture and then returned at a future point to attack specific servers – stealing information and then deleting the original files with sophisticated malware. 

It is estimated that around 100TB of data has been destroyed in total. Depending on the effectiveness of the Sony backup regime, the malware trashing of the Sony servers could have left information permanently deleted – forensic recovery may not be possible.

A bit like burglars breaking into your home then coming back and wiping down all the surfaces with bleach, no trace would remain. Sony may never know the full extent of what has been deleted.

There does not appear to have been effective segregation of data and this seems to be across the corporation as the hackers were able to easily move between areas, taking whatever they picked. If they were able to access all areas, was this failure to segregate also an internal failure? Were insiders allowed relative ease of access across areas that were not appropriate?

The lack of segregation of data is very poor security hygiene and given the details released by the hackers of usernames and passwords, this was not the only neglected area of security hygiene at Sony.  

Not only were individuals’ passwords revealed, but also those of administrators. Some of the passwords were woeful to say the least and demonstrated a terribly low level of security awareness, with no enforced secure password regimen or parameters.

It seems astonishing to many security practitioners that, given Sony’s history, they would allow such a lax internal security posture. I reiterate, we do not know how the attackers actually breached Sony, but once inside, Sony certainly made it easy for them to move around and take what they wanted with impunity.

So, for now, advice on how a business could prevent what happened to Sony from happening to them can only run to standard perimeter security that is appropriately and securely procured, installed, patched and maintained.

Organisations such as CESG have been talking about the same threats to information for years and the top ones rarely seem to change. Year after year we see similar breaches enabled by similar vulnerabilities being exploited.

Steps to prevent a cyber attack

Without knowing the full story of the initial breach it is difficult to advise what any other organisation should do to protect themselves from a similar type of attack. However, it is clear that certain steps could be taken to prevent the level of loss that Sony has experienced, including the following:

  • Installed, configured and proactively managed perimeter security controls which provide defence in depth.
  • Properly segregated network infrastructure with effectively hardened and locked-down components ensuring non-essential services are not left running.
  • Identification of particularly sensitive information assets enabling them to be afforded additional protection. The use of effective and properly trained information asset owners is invaluable here.
  • Have a fully documented and effective patching and configuration management regime in place.
  • Enforce an appropriate access management and user identification process ensuring quality passwords are selected – and not then left in plain text on the server – and regularly changed.
  • Implement a high-quality protective monitoring system and make sure you have the ability to react to the alerts it generates.
  • Incident management plans should be fully documented and regularly tested ensuring all staff involved in incident responses know exactly what they should be doing.
  • Carry out regular internal and external IT health checks/penetration testing. This should also be an activity that is intrinsically linked to good change and configuration management processes to ensure testing also occurs following any significant changes to the infrastructure.
  • Good recruitment processes utilising appropriate vetting and background checks, supported by ongoing pastoral care to minimise the risk posed by the insider threat.
  • High-quality employee (including C-suite) security awareness training that is role-related, appropriately positioned and regularly updated to reflect the current threat landscape.
  • A well-developed and regularly tested business continuity plan should be implemented and effectively communicated to all key personnel.

Mike Gillespie is director of cyber research and security at The Security Institute.