BreachExchange mailing list archives

Cyberattacks take new and frightening turn


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 2 Jan 2015 18:52:41 -0700

http://www.thetimesnews.com/opinion/our-opinion/cyberattacks-take-new-and-frightening-turn-1.414736

The last year has been marked by headline-grabbing cybercrimes, including
the theft of stunning amounts of personal information from Target, Home
Depot and online photo-storage sites. Now, the hackers who targeted Sony
Pictures’ computer network have opened a new front in cyberwar: thefts
motivated not by money, but by malice. The severity and sophistication of
the attack are alarming, yet aside from launching the obligatory FBI
investigation, the response from government officials and from Hollywood’s
other studios has been strangely muted.

A group that calls itself Guardians of Peace struck a devastating blow to
Sony Pictures’ network in late November, extracting copies of a huge number
of internal documents and then erasing them from Sony’s computers. It
caused enough damage to shut down the network for days, forcing employees
to revert to working on paper and whiteboards. Since then the hackers have
leaked emails and other material online, revealing secrets about the
company’s salaries, business model and executives’ deliberations. Unlike
conventional industrial espionage, the point wasn’t to give a company’s
secrets to its competitors. It was to make them public on a grand scale,
embarrassing the victim and crippling its ability to do business.

The damage is ongoing, with the hackers leaking documents incrementally and
reporters mining them for news. Regardless of whether you think the news
media are amplifying the attack or just documenting it, one important
lesson the coverage has conveyed is the need for companies to take better
care of the sensitive information they’ve collected. It’s not just banks
and retailers that have to worry about the credit card numbers they have on
file. Corporations have to assume they’ll be targets, and never leave such
things as passwords and Social Security numbers unencrypted.

Few, if any, companies could defend themselves successfully against
assaults of the same scale and destructiveness as that on Sony, which rivaled
the Stuxnet attack on Iran’s nuclear program and other government-sponsored
malware. (There’s some evidence suggesting that the hackers were backed by
North Korea, although the government there denies it.) Had it been a
physical attack instead of an electronic one, local officials and Hollywood
studios would have rallied around Sony. They haven’t, reflecting the
intangible nature of the damage and the other studios’ desire not to
attract their own hacks. And it’s all the more reason for Congress to allow
companies and government agencies to share what they’re learning about the
nature of cyberattacks and how to defend against them. Sadly, while Sony
was scrambling to contain the damage from the hack, Congress was punting —
again — on a bill to permit that sort of information sharing, which has
been held up by privacy concerns. Such a law might not have protected Sony
against the Guardians of Peace, but it could help the next victim.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
