BreachExchange mailing list archives

Be scared: The Sony-style hack is no rare event


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 11 Dec 2014 19:04:05 -0700

http://www.infoworld.com/article/2856872/security/how-unusual-was-the-sony-hack-less-so-than-you-think.html

Last week the media was in full meltdown over the Sony hack, particularly
the company's loss of 100TB of data, including unreleased films. Worse,
personal information was exposed, including Social Security numbers and
addresses for thousands of current and past employees, as well as Hollywood
stars.

Sony employees have received threatening emails from the perpetrators. The
entire company is in a multiweek digital shutdown. It doesn't get any worse
than this.

Was North Korea the attacker, bent on revenge for Seth Rogen’s latest film,
"The Interview," which features a CIA plot to assassinate Kim Jong-Un?
We'll probably never know for sure.

But there's no disputing -- I speak from experience -- how common this sort
of hack is. A hack that exposes 100TB of data on the public Web may be
unusual, but only in the above-average quantity of data and the intent to
embarrass and financially damage a company, rather than quietly spirit away
information that can be used to steal money and/or intellectual property.

In truth, hundreds of terabytes of data are stolen from companies all the
time. I personally know of dozens of companies where hundreds of gigabytes
of data are stolen every day, with an average of about eight months
elapsing before a breach is discovered. This seems par for the course when
I investigate an APT (advanced persistent threat). The only difference is
that the stolen data is kept and used by the hacker instead of posted on
the Web.

At least Sony knew what was stolen right away. Sony understood the damage
and closed the holes -- at least temporarily -- by shutting down its
network and computers. Most companies that discover they’ve been hit find
hundreds of gigabytes of stolen data in a single day’s maliciously exported
data file -- then must figure out what else was stolen and when. In a way,
Sony is lucky.

The sad truth is that almost any company could be Sony. No company
connected to the Internet could have stopped an attack like this one. Most
wouldn’t have a clue it occurred. The majority of companies are completely
pwned by one or more hacking groups, and those that aren’t could easily be
broken into in an hour or less. The overall state of computer security at
most companies is pathetic.

By turning off its network for a few weeks, Sony is responding more
aggressively than most companies would. Ultimately, I'm betting Sony will
follow the same pattern set by other big companies hit over the last few
years (Home Depot, Target, and so on): fire the old guard, hire new
“experts,” and spend tens of millions of dollars on new security systems.

Those millions will barely move the needle. Any dedicated, decent hacker
will be able to break back into Sony or any of these companies at will --
the overall problem isn’t specific to one infrastructure and can’t be
prevented by a security product. No amalgam of network and endpoint
security defenses will prevent badness from breaking in.

Toward a real solution

To significantly reduce Internet crime, you have to fix the Internet and
get global accountability. What do I mean by "fix"?

Well, we don’t have to invent new Internet protocols or rocket-science
technologies. We have all the technology we need. As I've proposed for
years, what we need is an open, global early-warning system -- and to agree
on a scheme that positively identifies Internet users with minimal
violation of privacy. Sure, that's a tall order. But if we get the right
security leaders in one room to hammer out the details, it can be done.

We also need global enforcement. As long as the bad guys can get away with
malicious actions and escape punishment, we’ll never stop Internet crime.
Sadly, today, even if we have all the evidence in the world about who did
what, when the perps sit on the other side of the right global boundaries,
we can’t touch them. Until we make it painful for countries to ignore
home-grown cyber terrorists, Internet crime will continue to pay.

Don’t get caught up in the hype that the Sony hack was huge, devastating,
and unique. It wasn’t -- it’s much worse. The real story is that nearly
every company could be Sony. Many already are and don’t know it.

The public nature of the Sony hack was good because it pulled back the
curtain on the woeful security landscape. The grandiose, punitive nature of
the attack made it more dramatic -- though it was likely accomplished by
hackers with ordinary skills. Almost anyone can see we can't carry on this
way.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss