BreachExchange mailing list archives

6 Sony Breach Lessons We Must Learn


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 29 Dec 2014 18:59:22 -0700

http://www.databreachtoday.com/blogs/6-sony-breach-lessons-we-must-learn-p-1786

After the complete collapse of network security at Sony Pictures
Entertainment - in the wake of its data breach - the organization's
fundamental mistakes deserve to be highlighted; there are lessons to be
learned for all. Here's my macro view of the information security lessons
every organization should take away:

1. Watch Your Risk Tolerance. First, Sony Pictures appears to have chosen a
relatively high level of risk regarding its information security posture.
This conclusion is supported both by comments made by its chief information
security officer and by e-mails leaked by the attackers. In choosing that
posture, it is highly unlikely that Sony's executives anticipated the
consequences that would ultimately befall either their enterprise or the
nation. Perhaps many enterprises need to rethink the duty they owe to their
neighbors.

Sony Pictures is a publishing company. Its "crown jewels" are information
assets. Unreleased movies, scripts, agreements with talent, and even
technology are Sony's "stock in trade." The compromise of one, or even a
few systems on its network should not result in the loss of strategic
assets, much less absolutely everything on the network.

2. This is Vandalism, Not War. North Korea was a huge beneficiary of the
Sony breach, while the "world's remaining superpower" and another prime
adversary - Japan - were both humiliated in name, if not at their
instigation. That said, the Sony breach was vandalism, not an act of war.
It may even have been purely opportunistic, with a patina of justification
added after the fact.

3. Data Exfiltration Must be Caught. The attack used widely available tools
against people and weak system and network configurations, rather than
exploiting glaring software vulnerabilities. Most significantly, the attack
required days to weeks to unfold, and involved all kinds of related,
malicious activity, including the exfiltration of hundreds of gigabytes of
data - if not more - that should not have gone unrecognized.

4. We're All Vulnerable. We're all at risk from the type of attack that
successfully breached Sony. That vulnerability is rooted partly in our
culture of freedom, which is valued, but too easily eroded in the face of
fear. It is also rooted in our technology infrastructure, which we use
widely and depend on heavily, and from which we derive both productivity
and comfort. The success of the Sony attack, however, has raised fears -
which may or may not be true - that our entire infrastructure is vulnerable
to attack, and that as a society we could be not just beneficiaries of the
Internet, but also victimized by it.

5. Beware the Business Impact. I have always argued that outsiders damage
the brand, but insiders bring down the business. Sony may break that rule.
By the time the final cost of this breach is tallied, we will probably have
lost interest, but it may be the most damaging attack against a single
enterprise that wasn't launched by an insider. I expect that Sony Pictures
will survive as a business unit within Sony. Whether it could survive as a
stand-alone business is far less certain.

6. These Incidents Make Us All Look Bad. The changing rhetoric from Sony
has been less than satisfying. The response of the exhibitors can best be
described as craven. The coverage of the media has been gleeful. So far the
government has been reduced to the wringing of hands. None of us looks very
good. One would like to hope that we take all these lessons to heart, but I
fear that in the face of the exponential growth of our information
infrastructure, things are likely to get worse before they get better.

The Way Forward

Breaches, of course, are inevitable. But they should not compromise the
crown jewels - that intellectual property that is crucial to the business
strategy. They should not bring down the business, must not compromise the
integrity of the infrastructure, or threaten our freedoms. Some have
suggested that the President of the United States should have a "kill
switch" that he could use to shut down the Internet so that it cannot be
used to attack the power grid or the financial infrastructure. However,
since both of these depend on the Internet, this is a solution worse than
the problem it sets out to solve.

The solution is this: We must get the fundamentals right. We must use
strong authentication and true-end-to-true-end encryption, everywhere. This
will increase the time required to successfully execute an attack, make the
attack more obvious, and raise the total cost. No less fundamental is the
need to improve how we monitor and react. And we can put these fundamentals
in place - even if it takes months or years to fully implement - using our
available knowledge and tools.
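Lesson 3 argues that the movement of hundreds of gigabytes should never go unrecognized, and the paragraph above adds that monitoring and reaction must improve. As an added illustration of that defensive point (not code from the article, from the list, or from Sony), here is a small Python baseline detector that sums outbound bytes per internal host per day from flow records and flags a day that exceeds both an absolute floor and a multiple of that host's own prior-day median. The flow lines, the internal address ranges, and the thresholds are all constructed assumptions for the example.

```python
"""Flag hosts whose daily outbound volume jumps far above their own baseline.

Added example for the exfiltration and monitoring points in the article; not
the article's code. The flow log, internal ranges and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed internal address space for the example.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow log: "timestamp src dst bytes" (bytes sent from src to dst).
# Host 10.1.2.4 moves roughly 185 GB to an external address on 2014-11-23,
# far above its ~55 MB/day pattern; the last line is internal-to-internal.
SAMPLE_FLOWS = """\
2014-11-20T10:00:00 10.1.2.3 203.0.113.10 120000000
2014-11-20T11:00:00 10.1.2.3 203.0.113.11 80000000
2014-11-20T12:00:00 10.1.2.4 203.0.113.10 50000000
2014-11-21T10:00:00 10.1.2.3 203.0.113.10 110000000
2014-11-21T13:00:00 10.1.2.4 203.0.113.12 60000000
2014-11-22T09:00:00 10.1.2.3 203.0.113.10 130000000
2014-11-22T09:30:00 10.1.2.4 203.0.113.12 55000000
2014-11-23T02:00:00 10.1.2.4 198.51.100.7 90000000000
2014-11-23T03:00:00 10.1.2.4 198.51.100.7 95000000000
2014-11-23T10:00:00 10.1.2.3 203.0.113.10 125000000
2014-11-23T11:00:00 10.1.2.4 10.1.2.3 400000000000
"""


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Yield (day, src, dst, nbytes) from 'timestamp src dst bytes' lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        day = datetime.fromisoformat(ts).date().isoformat()
        yield day, src, dst, int(nbytes)


def daily_outbound(flows):
    """Sum bytes per (internal host, day), counting only flows that leave the network."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src][day] += nbytes
    return totals


def detect_exfiltration(totals, min_bytes=10 * 1024**3, multiplier=5.0):
    """Return (host, day, bytes, baseline) for days that exceed an absolute
    floor (default 10 GiB) and `multiplier` times the host's prior-day median.

    The baseline is computed only from days before the one being judged, so
    a single huge day cannot raise its own baseline.
    """
    alerts = []
    for host, per_day in totals.items():
        history = []
        for day, nbytes in sorted(per_day.items()):
            baseline = median(history) if history else 0
            if nbytes >= min_bytes and nbytes > multiplier * baseline:
                alerts.append((host, day, nbytes, baseline))
            history.append(nbytes)
    return alerts


def run(text: str = SAMPLE_FLOWS):
    """Convenience entry point: parse, aggregate and detect in one call."""
    return detect_exfiltration(daily_outbound(parse_flows(text)))


if __name__ == "__main__":
    for host, day, nbytes, baseline in run():
        print(f"{day} {host}: {nbytes / 1e9:.1f} GB out (baseline {baseline / 1e6:.0f} MB/day)")
```

The per-host median baseline is what keeps a busy but normal host (10.1.2.3, sending a steady ~100-200 MB a day) quiet while the sudden 185 GB from 10.1.2.4 trips the rule; the absolute floor prevents a host with no history from alerting on trivial volumes. In practice the same logic runs over NetFlow, proxy or firewall exports rather than a pasted string.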

While the Internet is resilient by design, that is a double-edged sword: it
ensures availability, but makes it more difficult to address denial of
service. Better resisting denial-of-service attacks will require further
research, intelligence, new controls, new agreements, and perhaps
legislation and treaties. This will take a little longer, but is no less
important for making us all more secure.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss