Sony Hack Lessons

By Henry Bagdasarian

In light of the Sony Pictures Entertainment hack, many companies have realized the importance of all their data and the unimaginable consequences a security breach can have for their survival. In the case of Sony, an estimated 100 terabytes of data were stolen, which is equal to about all the publications of the Library of Congress.

Stolen Data

What we learned from the Sony hack is that anything stored on company computers can become a target and be used for a variety of reasons. In the case of Sony, emails exchanged between executives, salaries, social security numbers, actor aliases, movie scripts, movies currently in theaters, movies not yet released, and various confidential documents were stolen.

Culprits

According to various news articles, accusations have been pointed at North Korea, but some experts refute these accusations for reasons which we’ll cover later. The truth is that it could be anyone, any country, or even an insider who had access to such information.

Methods

Believe it or not, the old method of identity theft is believed to have been the major means of access to the systems. Apparently, a system administrator password was stolen and used to access the systems, but there are many questions which we won’t be able to answer even after the investigations are completed. Misinformation and disinformation are so widespread in this large and unprecedented case that even Sony management and investigators are scratching their heads.

Motives

From the demands of the hackers, it appears that they want specific things, which may or may not point to the motives and identities of the hackers. They have asked that the showing of the movie "The Interview", which depicts a plot to assassinate the leader of North Korea, be stopped. But this can change as they leak more information and demand cash.

Partially Leaked Data

The method used to convince the company's executives to cave in to the hackers’ demands is a partial data leak with a promise to release more information as a Christmas gift. Some of the embarrassing emails and personal information of employees and actors have been released on file sharing sites and emailed to targeted recipients. This method of partial release is a sure way to scare management, which by the way caved in and decided not to release the movie, at least for the time being.

Assumptions

From everything we have read, there are many assumptions that we have to be mindful of before making judgments about who did it, why, how, and what type of response we need to make. For example:

  • This type of operation probably took months or years rather than weeks as initially reported
  • North Korea has only one major ISP and lacks the bandwidth to execute this hack. Also, many other parties have strong motives, such as other countries, organized groups, and possibly insiders
  • The malware was written in Korean, but so what. Plenty of other malware has been written in other languages
  • It is highly probable that an insider was involved
  • A weak password was compromised, or a password was shared with the hackers
  • Upload activity was not detected by Sony, either because they lack effective monitoring or because the upload was made piecemeal over a long period of time to bypass Sony’s detection controls

Lessons

Now, let’s talk about the most important section of this article, which is about what companies can do to protect themselves from similar hacks and their consequences. It may be hard to comprehend that a large company like Sony could disappear from the business world because of this incident, but it is highly possible depending on the nature of the stolen data not yet leaked, the motives of the hackers, and Sony’s response as they move forward. Obviously, Sony has many resources to survive this type of incident, but not many companies can afford the costs of lawyers, investigations, damage control practices, lawsuits, lost customers and revenues, and angry cast members. I suspect many actors and actresses will stop working with Sony as a result of their exposed thoughts and opinions about them and competing salaries. Only time will tell whether Sony can survive the hack, but this incident is just beginning to unravel, and its unimaginable consequences are very similar to an imaginary movie in which fantasy becomes harsh reality. This case is not easy for any company to deal with emotionally and financially, and we can only imagine and sympathize with what Sony is going through.

Sony Hack Lessons

Stick to the basics - Password attacks are still among the most preferred methods for hackers to gain access to various accounts and systems. Some systems are not designed properly to require strong passwords from users and, as such, admin and other powerful accounts are prime targets. It was reported that the Sony hack might have been facilitated by taking over an admin account with a stolen password. In addition, network traffic monitoring could help detect data transfers of this magnitude, which may also occur at odd hours, unless the data is transferred piecemeal over a very long period of time.
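The monitoring point above can be illustrated with a short sketch, added here and not part of the original article: a per-day volume rule misses a slow, piecemeal upload, while a cumulative rule over a long window and an odd-hours rule catch it. The flow-record format, host names and all thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

GB = 10**9
DAILY_LIMIT = 50 * GB         # assumed single-day alert threshold
WINDOW_DAYS = 30              # assumed long look-back window
WINDOW_LIMIT = 300 * GB       # assumed cumulative threshold for the window
ODD_HOURS = set(range(0, 6))  # assumed "odd hours": 00:00-05:59 local time

def detect(flows):
    """flows: (iso_timestamp, host, outbound_bytes) records -> {host: [reasons]}."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> date -> bytes
    odd = defaultdict(int)                         # host -> bytes sent at odd hours
    total = defaultdict(int)                       # host -> all outbound bytes
    for ts, host, nbytes in flows:
        t = datetime.fromisoformat(ts)
        daily[host][t.date()] += nbytes
        total[host] += nbytes
        if t.hour in ODD_HOURS:
            odd[host] += nbytes
    alerts = defaultdict(set)
    for host, days in daily.items():
        for day, nbytes in days.items():
            if nbytes > DAILY_LIMIT:
                alerts[host].add("daily_volume")
            # Sum the trailing window ending on this day: piecemeal uploads
            # stay under DAILY_LIMIT but accumulate here.
            start = day - timedelta(days=WINDOW_DAYS - 1)
            window = sum(b for d, b in days.items() if start <= d <= day)
            if window > WINDOW_LIMIT:
                alerts[host].add("cumulative_volume")
        if total[host] > GB and odd[host] / total[host] > 0.8:
            alerts[host].add("odd_hours")
    return {h: sorted(r) for h, r in alerts.items()}

def sample_flows():
    """Constructed sample data: three hypothetical hosts over 30 days."""
    base, flows = datetime(2024, 1, 1), []
    for d in range(30):
        day = base + timedelta(days=d)
        # ws-normal: 2 GB/day at 14:00; srv-slow: 15 GB/night at 03:00.
        flows.append(((day + timedelta(hours=14)).isoformat(), "ws-normal", 2 * GB))
        flows.append(((day + timedelta(hours=3)).isoformat(), "srv-slow", 15 * GB))
    # srv-bulk: a single 200 GB upload in the afternoon.
    flows.append((datetime(2024, 1, 10, 15).isoformat(), "srv-bulk", 200 * GB))
    return flows

if __name__ == "__main__":
    for host, reasons in sorted(detect(sample_flows()).items()):
        print(host, reasons)
```

In practice the thresholds would be set per host from its own historical baseline rather than as fixed constants.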

Don't Jump to Conclusions - When a data breach story breaks out, there seems to always be some misinformation, disinformation, and conclusions. It could be easy for any company to jump to conclusions about who hacked the company and why, but businesses are best served when they avoid quick conclusions based on limited facts and just stick to their plan while remaining calm after an incident occurs knowing that they have a plan for investigation, remediation, and communication. Motives and consequences of similar attacks are not always obvious as we can witness in the Sony hack case, and even if they are known, they can change depending on the nature of the company’s business, how offensive their products and services might be in the global marketplace, hackers' frame of mind, and what value the targeted company and its data can offer to hackers.

Think Differently - An area where companies should think differently is the classification of their data for risk management purposes. Up to now, companies might have considered their proprietary business information or customer personal data to be critical assets to protect but what we have learned from the Sony hack is that many other types of information that we consider "normal" can be very valuable targets such as email exchanges between employees and management, salaries, and project plans for extortion purposes.

Think no privacy - Everyone should be mindful about the nature of their communications and consider that anything that they write down or post to the internet can be shared with others, stolen, and leaked. This may be sad but any thoughts and opinions written down can become targets and used to extort people and companies. Think different, think no privacy. This is only going to get worse when we start using devices that can read minds.

Invest - Businesses should invest in data security folks and technologies. Often, information security is neglected with the lowest possible reporting level and budgets which do not empower the function to protect company assets. And, make security an integral part of the business to be aligned with corporate communications, training, data classification and risk assessment, and business strategy.

Apply a multi-discipline approach - Finally, I have yet to come across a security professional who is an expert in all areas of operations, technology, compliance, governance, and risk management. What companies must do is take a multi-discipline and layered security approach to data protection, whereby only the best are hired and assigned to specific tasks for which they are experts. These experts, whether internal or external resources, can collectively address all risks and report to a security leader who manages the function and brings all the pieces together to mitigate enterprise risks. Layered security refers to combined mitigating security controls to protect resources and data and reduce the overall security risks.
