Sony’s Big Takeaway

As a reporter, I’ve covered many breaches over the years. Attacks of the magnitude we’re witnessing at Sony Pictures, a subsidiary of Sony Corp. are rare. The breach is quite bad as far as data breaches go. But other companies would be short-sighted to think their organizations are protected from, and are above, data breaches of similar magnitude.

I’ve interviewed many CIOs and CISOs on and off the record over the years – and they all believe that they are quite vulnerable. Vulnerable to determined attackers, a disgruntled insider, or a careless IT misstep that proves itself quite serious and damaging.

What makes the current Sony breach unusual, but not entirely unique, is that it wasn’t purely about the attacker making money. Most breaches are still about the attacker making a profit, and they target credit cards, financial records, medical records, or anything else that could be used to conduct fraud or espionage. That doesn’t appear to be so in this case.

We’ve seen far fewer attacks over the years targeting large enterprises that have been politically or even revenge motivated. Despite being in the minority, we certainly have seen an increase in politically motivated attacks in recent years.

In 2000, I reported and co-wrote the InformationWeek hacktivism cover story Beware Cyberattacks about enterprises that were threatened with cyber attacks from politically motivated attackers. In mid 2002, I covered the Deceptive Duo, a hacker team that broke into government and other critical infrastructure networks and defaced Web sites. Their mission was to highlight shoddy security practices. Hacking for political change is nothing new.

More recently we’ve all been aware of the publically motivated anonymous breaches: Hacktivists have the enterprises' attention. Now what? We are well aware of the ruckus many of the attacks from Anonymous have caused. In fact, Hacktivism was the leading cause for compromised data in 2011, according to the Verizon Data Breach Report that year.

In late 2012 there was a series of distributed denial-of-service attacks aimed at US banks, that many believe were the work of Iran, in retaliation for serious bank sanctions.

 

And, of course, insiders have always been a part of attacks motivated by revenge and not necessarily financial gain. This has been true going back to, at least, the famous Omega Engineering Corporation attack in which Timothy Lloyd installed a logic bomb on the company’s systems. Lloyd was convicted for the act, and the estimated cost of the resulting destruction of Omega’s design and production systems reached $10 million. Lloyd’s logic bomb was long regarded as one of the largest insider sabotage attacks.

While the Sony breach doesn’t seem to be (but certainly could be or involve) an insider attack, it does look like vengeance and inflicting damage. Most theories now point to the narrative that North Korea was behind the attack as a way to strike out in retaliation for the upcoming release of the movie The Interview. The plot involved an attempted assassination of Kim Jong-Un, the North Korean leader.

The attackers also sent, as The Verge covered here, a mass email threat to Sony employees, warning them of their lack of hope and the demise of Sony Pictures.

While the country denied any involvement, North Korea did call the Sony hack 'a righteous deed'.

Whoever was behind it, the damage so far was massive. The attackers initially released sales projections for a number of television shows. That data dump was shortly followed up by the release of 11,000 files, with more than 100 that contained passwords and details on the company’s internal IT systems – a virtual roadmap. And as CSOonline’s Steve Ragan covered in Sony’s IT blueprints leaked by hackers, information on how to access internal quality assurance, staging, and production servers (including topologies) were released, as were many access credentials for file transfer servers.

These systems, for who knows how long, were accessible to the attackers.

The cleanup of this part of the breach alone, and the hardening of these systems, will likely cost Sony millions.

In addition to all of that, the company found itself moving fast to try to cleanse stolen movies from the Internet. More about that at Sony hustles to remove stolen films from file-sharing sites. Also within the data there are 30,000 HR documents that contain employee personally identifiable information, as well as payroll and compensation data.

As a result, Sony finds itself having to answer to not only to its customers, but also employees, shareholders, and regulators if personal health information is involved. Shareholders will also be keeping an eye out for potential lost sales (because a number of the movies set free on file-sharing sites were pre-release). Business partners may also be on the lookout for potential lost sales and revenue. The fallout from this one will be tremendous. The lawyers will have a good time.

What is the lesson here for the typical enterprise? What is their big takeaway?

That anything they do, or say, that upsets and motivates a group (or nation) with enough skills to lash out can and may do exactly that. And companies need to know how to prepare and respond to these types of attacks. Enterprises can’t assume that it’s just money or the theft of assets of monetary value that attackers will seek. They have to prepare themselves for the possibility of revenge attacks. These attacks will be a lot less business-like than is common with traditional attacks. And they’ll be much more public, vindictive, and potentially much more damaging when they do occur. And the motivation for, and the delivery of, these types of attacks can come unexpectedly and from anywhere.