BreachExchange mailing list archives

Sony hack: What CIOs should do


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 7 Jan 2015 20:08:57 -0700

http://www.itworldcanada.com/blog/sony-hack-what-cios-should-do/100802

As the story of the Sony hack unfolds, it becomes more and more dramatic.
The impact of the events on CIOs is profound.

To recap events:

On June 11, 2014, the North Korean government denounced the Hollywood film
“The Interview” as “undisguised sponsoring of terrorism, as well as an act
of war” and promised a “decisive and merciless countermeasure if the U.S.
administration tacitly approves or supports” the movie.

On November 21, “God’sApstls” emailed Sony demanding money and threatening
to hack the company. They said “we’ve got great damage by Sony Pictures.
The compensation for it, monetary compensation we want. Pay the damage, or
Sony Pictures will be bombarded as a whole. You know us very well. We never
wait long. You’d better behave wisely.”

On November 24 all employees at Sony Pictures headquarters in Culver City,
California were welcomed to work with a skeleton image at login with the
message: “This is just the beginning… [W]e’ve obtained all your internal
data”.  They were warned that Sony’s secrets would be released unless it
agreed to “obey” the demands. The hackers identified themselves as
“Guardians of Peace.” Since they say, “We’ve already warned you, and this
is just the beginning”, they are likely the same group/person as
“God’sApstls.”  At that point, security experts believed that it was an
inside job.

Sony staff were shaken.  It appeared that all documents were inaccessible,
so work came to a standstill.  Employees were offered a service to help to
monitor credit, as it was almost certain that their personal information
was breached.

A week later, reports began to appear that North Korea may be responsible.
North Korea denied any involvement. The Associated Press reported some
cyber-security experts saying there are “striking similarities between the
code used in the hack of Sony Pictures Entertainment and attacks blamed on
North Korea which targeted South Korean companies and government agencies
last year.”

On December 5, hackers claiming to be Guardians of Peace
emailed an ominous message to Sony employees: “Many things beyond
imagination will happen at many places of the world. Our agents find
themselves act in necessary places. Please sign your name to object the
false of the company at the e-mail address below if you don’t want to
suffer damage. If you don’t, not only you but your family will be in
danger.”

North Korea denies involvement calling the charge “a wild rumor.” But it
calls the hacking a “righteous deed.”

On December 8, the Guardians of Peace warned Sony to “Stop immediately
showing the movie of terrorism which can break regional peace and cause the
War!” This was the first time the hackers implicitly referenced “The
Interview”. The first direct reference came on December 16 via an email to
reporters stating: “We will clearly show it to you at the very time and
places The Interview be shown, including the premiere, how bitter fate
those who seek fun in terror should be doomed to. Soon all the world will
see what an awful movie Sony Pictures Entertainment has made. The world
will be full of fear. Remember the 11th of September 2001. We recommend you
to keep yourself distant from the places at that time.”

Although the FBI indicated they were aware of the threat, Sony announced
that they would NOT release “The Interview” on Christmas Day as planned.
They later announced that they would not release the movie at all.

On December 19, the FBI publicly accused the government of North Korea of
the hack and threats towards moviegoers. “The FBI now has enough
information to conclude that the North Korean government is responsible for
these actions…. North Korea’s actions were intended to inflict significant
harm on a U.S. business and suppress the right of American citizens to
express themselves.”

At his year-end press conference President Obama repeated the FBI’s
allegation and publicly disagreed with Sony’s decision not to release the
movie.

Although North Korea continued to deny their involvement, a State
Department spokeswoman told reporters: “The government of North Korea has
a long history of denying responsibility for its destructive and
provocative actions, and if they want to help here, they can admit their
culpability and compensate Sony for the damage they caused.”

Shortly after, the North Korean internet was shut down for 9 hours. The U.S.
did not comment.

On December 23, Sony announced it would release the film. Obama praised
the decision. The movie was released to a few hundred theatres, and was
streamed to over 2M viewers.

This raises grave concerns for IT departments on two fronts.

As the source of the hack is still questionable (was it really North Korea,
was it Russian or American hackers, or was it an inside job), you can be
sure that the hack involved some sort of social engineering or a leak by a
disgruntled sysadmin.

Never in the history of organizations has so much information been
entrusted to just a few people.  Think about the information that your
sysadmins could gather if they really wanted to. A disgruntled email
administrator could cull all emails from a certain person.  If they are
good, they could do this undetected. A knowledgeable database
administrator could gather information from your ERPs. And a sloppy
sysadmin could forget security patches, or improperly secure networks and
servers.

The impact of any of these could, now, be enormous.  In the past, data
breaches were largely a public relations concern. Damages could be
managed.  The Sony incident, however, raises the stakes.  Not only are your
employees or your clients impacted, the impact could be much, much greater.

It is critical for all CIOs to evaluate the level of access sysadmins
have.  Further, it is imperative that any performance or attitude issues
with sysadmins be dealt with immediately, before they escalate.  And
finally it is critical to ensure any irregularities be dealt with
immediately.

With this incident, we are witnessing the first major public international
blackmail case using the internet.  When employees of a company can be
threatened with the use of the data they have provided their employer
(perhaps inadvertently by using their employer’s computers for personal
business), they are now exposed at a higher level than ever before.

This means that IT departments have an even greater responsibility to
ensure the safety and security of employee data.  The stakes have been
raised.

Although the US may not have been involved, this appears to be the first
time cutting off internet access was used as a punishment for an action.
You can be sure that all national defense departments are watching these
events with great interest. Although cutting off the internet is much more
difficult than, say, attacking a radio station, in a connected world, the
results would be much more effective.

As CIOs, we must recognize the enhanced risks and impacts of
breaches, and do everything in our power to protect our company and its
employees.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 