Frequent readers of my periodic postings on cyberattacks know that I receive literally hundreds of emails from various members of community every time there is a major event. The ongoing hack of Sony has created a treasure trove of opinion on the matter. Without going into all of the ramifications of the latest cause célèbre, especially the ones about the role of the press in publishing the leaked materials and the decision of theater owners to not show the movie “The Interview,” which apparently set off the attack, I wanted to share some of the observations from my go-to experts on such matters.
Before providing the views of the experts, note that they are longer than usual, which seems befitting of the magnitude of what has happened and will likely continue to evolve. Plus, obviously these are the opinions of the commentators and their views while representative of the many I have received are strictly their own.
That said here are my top 3 from the past few days.
Tim Erlin, Director of Product Management, Tripwire:
“The average consumer may have a hard time understanding the size and scope of the Sony attack. Not only is it unprecedented for a cyberattack on a private company to have these kinds of geo-political ramifications, but the technical scope of what the attackers did is unusually large. The attackers claim to have copied nearly 100 terabytes of data out of Sony, and they’ve posted some of it already. Extracting that amount of data from an organization takes time and effort. These attackers not only got into Sony, but had the time to assemble and remove this data, and then to set up a coordinated announcement of their presence through the image simultaneously displayed on systems throughout the organization. We can’t fully understand the scope of the compromise without more information, but it’s substantially more impactful than the credit card thefts we’ve seen recently.”
Brendan Rizzo, Technical Director, Voltage Security:
“The events that continue to unfold related show a startling escalation of cyberattacks that are now becoming a worryingly effective tool for spreading fear and economic damage. This is why it is so important that companies give their utmost attention to protecting their sensitive customer, employee, and company data in a best-practice data-centric manner to shield themselves from any such attacks, including encrypting emails to protect sensitive information. If the recent attack did not result in the theft of unencrypted personal information and digital property, it would have merely been a footnote in an article, instead of the continued lead story in the global media for several weeks running.”
Jonathan Sander, Strategy & Research Officer, STEALTHbits Technologiesl:
“While experts and US government officials speculate about if North Korea, hacktivists, or just another bunch of bad guys are at fault, what should be giving people chills as they read about Sony is how familiar it all feels. Sony people were emailing passwords around to one another. They were openly discussing their poor security. Perhaps most scary was there was a lot of discussion about how they were just about to roll out the project to fix it all. If that sound familiar to you it’s because that sounds like too many organizations today. Too many organizations have flawed security protecting their data, they know it, and there are people yelling about it to executives who continue to demand passwords be emailed to them when they forget. As those executives read these news stories and see themselves in these people, maybe it will be a catalyst for change. Or maybe it will be another news story forgotten as soon as the next celebrity gets into another personal crisis. I hope enlightened self-interest kicks in and we see organizations who recognize themselves in the mirror of Sony Pictures rushing to kick off their security program before it’s too late.
If mercenaries to snuck in, locked families out of their suburban California homes, and stole their stuff, there’s no doubt the US Government would react like it was an act of war. The tough choice facing the US government right now is if they will treat this digital invasion of Sony Pictures’ Culver City headquarters the same way. The comparison of the crimes is nearly one for one. Sony is locked out of their virtual homes. While they were shutting Sony out, the bad guys also took all their most sensitive documents, containing extremely personal information, embarrassing secrets, and valuable intellectual property. Imagine the stolen goods from a real invasion shipped to newsrooms to be examined and shown on the news. That’s what has happened to all the digital possessions of Sony. All their unstructured data has been trotted out for everyone to see. It gets worse. Sony’s been blackmailed by the invaders, resulting in a possibly lucrative holiday film release being shut down. The nature of the murky world of hacking means US officials are never going to have foolproof digital evidence that North Korea was behind the attack. If it is North Korea or other nation states, then serious questions need answering. There’s no question that if North Korea had rolled into Culver City in tanks and taken file cabinets full of information, there would be war right now. But it’s a very open question if having rolled into Culver City with computers to take file servers worth of data if North Korea will get the same response.”
Given that this is report and prediction season for those in the security industry we have already seen and will see more data on just how good a year the bad guys had in 2014 and why 2015 is shaping up as a continuation of the trend. What the reports continue to highlight is that for the most part, even in sectors that should know better or think they are well-protected like financial services, healthcare and retailing (we can now add entertainment to the list), even basic best practices are not widely deployed or used if deployed. Indeed, if nothing else the failure to encrypt information end-to-end when it is on the move and use multi-factor authentication top the list of “what are they thinking?”
One keeps wondering what it is going to take for all companies, regardless of size, to invest in capabilities which while never are likely to be perfect at least lower the risks of attack. Who knows, maybe Sony will prove to be the one that spurs aggressive action.
As a disclaimer, I am not a stock analyst. Hence, I am not in the business of providing investment advice in any way, shape or form. What I do know is that if the performance of online security firms in the next quarter is not robust, then we all have a lot to worry about. After all, e-commerce rest solely on trust.
My opinion is that right now not just Sony, but the entire notion of whether what happens online is trustworthy is under attack and everyone needs to be part of the solution or the bad guys will continue to win.