BreachExchange mailing list archives

Sony's 7 Breach Response Mistakes


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 24 Dec 2014 20:10:38 -0700

http://www.databreachtoday.com/blogs/sonys-7-breach-response-mistakes-p-1785

The response by Sony Pictures Entertainment executives to the hack attack
against their company provides a number of great examples for how not to
handle a data breach.

In the four weeks since Sony suffered its hack attack, the company has
issued very little information about the breach, except to say that it was
"a very sophisticated cyberattack." Sony's claim has been vindicated by the
FBI, which says 90 percent of businesses would have also fallen for the
attack, which it's attributed to North Korea - although not specifically
its government. The FBI also commended Sony for quickly reporting the hack
attack to law enforcement agencies.

But while the attack might have been advanced, Sony's response was not. To
date, here are seven mistakes the company has made, many of which could
likely have been avoided:

1. Failure to Spot the Breach. Sony's attackers were able to access the
company's network for some period of time prior to the attack. While it's
unclear if the breach lasted days, weeks or months, Sony doesn't appear to
have detected the intrusion until attackers' malware had already
exfiltrated large amounts of Sony data to attackers, then "detonated" on
November 24, erasing hard drives and "bricking" systems by overwriting their
master boot record.

2. Poor Breach Response. Sony has been slammed, most notably by President
Obama, for caving to a demand from Guardians of Peace - the group that's
claimed credit for the attack - that the studio never release a comedy that
centers on an assassination plot against North Korean leader Kim Jong-un.
"Pulling 'The Interview' was exactly the wrong thing to do, as there was no
credible threat and it just emboldens the hackers," says security expert
Bruce Schneier in a blog post. "But it's the kind of response you get when
you don't have a plan."

3. Shooting the Messenger. After Guardians of Peace began leaking stolen
Sony data, the studio hired a high-profile attorney and threatened to sue
media outlets that reprinted leaked data.

4. Contradicting Themselves. After hiring a celebrity spin doctor, Sony
Pictures executives dug themselves in deeper by claiming that they had
always meant to release "The Interview," despite previously saying the
opposite. It's now due to open in some theaters on Christmas Day.

5. Ceding Control of the Conversation. After the breach, and indications
that attackers had stolen executives' Outlook e-mail spools, the company
could have proactively stepped forward, apologized in advance for the
contents of those communications, and "rallied the troops" by vowing to
never back down. By failing to do so, however, Sony executives allowed the
attackers to, in effect, control the conversation. "Here's the brilliant
thing they did," actor George Clooney told entertainment outlet Deadline,
referring to Sony's attackers. "You embarrass them first, so that no one
gets on [their] side."

6. Failure to Take Responsibility. Sony executives also failed to take
proactive responsibility for the security breach, which resulted in current
and former employees' personal information being leaked. "I don't think
that anybody thinks that this was anyone's fault who works here, and I
think continuity and support and going forward is what's important now,"
Sony Pictures executive Amy Pascal told Bloomberg News earlier this month.
The attempted spin followed her issuing an apology to President Barack
Obama after a racially insensitive e-mail conversation that she
participated in was leaked by "G.O.P."

7. Hoarding Old E-Mails. Sony general counsel Leah Weil warned a studio
executive this past year that employees should be purging their e-mail on a
regular basis, Gizmodo reports, citing e-mails leaked by G.O.P. "While
undoubtedly there will be e-mails that need to be retained and or stored
electronically in a system other than e-mail, many can be deleted and I am
informed by our IT colleagues that our current use of the e-mail system for
virtually everything is not the best way to do this," Weil said.

Breach experts estimate that Sony's clean-up tab - including related
lawsuits - could hit $50 million or $100 million, thus nearly equaling or
doubling the reported $44 million it spent to make "The Interview." State
Department spokeswoman Marie Harf has called on North Korea to "admit their
culpability and compensate Sony for the damages this attack cost."

Here's betting that Sony is left to pay that tab, in no small part because
of executives' mistakes. But if executives play their cards right now and
continue to release "The Interview" - hint: invite President Obama to a
Washington-area premiere - together with some choice retorts to G.O.P.,
they could settle the breach bill and pave the way for a sequel. Sony, the
next move is yours.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
