The recent hacking of Sony Pictures offers valuable lessons in cybersecurity from which every company and consumer can learn. When you set aside the politics and gossip about nation states and Hollywood celebs, some practical implications are clear:
Why? If you need to ask, you haven’t been reading the emails that hackers found on Sony Pictures’ computers and then leaked over the last few weeks. These join the countless other embarrassing and/or incriminating emails and images leaked over the years from assorted companies and government agencies. As the lawsuits against Sony Pictures mount, plaintiffs already possess evidence of the company’s lack of due care, no subpoena required. This evidence includes a critical IT auditor’s report that was reportedly shared via email as an unencrypted attachment.
Just to be clear: email is not a secure channel of communication. By default, email travels in plain text, readable to anyone snooping on the many connections and servers through which it travels. And emails that you send to someone are only as secure as that recipient and their computer. As for sharing sensitive documents as unencrypted email attachments, that should be against company policy, with severe repercussions for violators, whether they are C-level executives or hourly employees.
A good rule to live by is this: Never put anything in a digital communication that you wouldn’t want your mother (or enemies) to see. At this point in time, and for the foreseeable future, nobody can guarantee that those digital communications will never be hacked, leaked, subpoenaed, or otherwise made public. This applies to text messages, comments on web pages, messages on forums, and picture-sharing as well as email. In other words, this is really basic cyber-hygiene that has been common knowledge for decades, a fact that makes Sony Pictures’ apparent ignorance of digital realities all the more shocking.
We’ve said it before and we’ll say it again: classify your documents and segment your networks. Sony Pictures could have saved itself a lot of grief if it had been enforcing a classification system that branded documents like contracts with actors and directors as Top Secret, and a policy that forbade the storing of Top Secret documents in an Internet-accessible database. Too many organizations have grown their networks with maximum convenience in mind, effectively giving access to everything to everyone. Unfortunately, that means access for outsiders as well if there is even a small chink in your cyber-defenses.
Networks need to be segmented, with access controls between them to limit who can see what. Target learned this lesson the hard way last year, when hackers found it was possible to get from a supplier portal that the retailer had created, all the way to the card payment terminals in its stores. Now would be a good time to audit your networks for inappropriate connections and unfiltered access.
This lesson is as head-slappingly obvious as “Don’t write down your workstation password on a Post-it note and stick it to your monitor.” Yes, passwords are a pain, but there are secure methods of managing them. The failure of Sony Pictures to enforce a policy against storing passwords in plain, easy-to-read text will be one of the biggest strikes against the company in court when employees whose privacy was violated in this attack bring suits claiming negligence.
Many “ordinary” computer users already know this: if something seems wrong, don’t ignore it. Take a screenshot, write down the error message, call support, run an antivirus scan. Sometimes it turns out to be nothing, or even a new feature you didn’t know about. Other times it means you are under attack. Various parts of the Sony empire have been under attack for years now and many attacks have succeeded. That should have told Sony executives that IT security was a priority, even before Sony Pictures decided to proceed with a movie that was 100% guaranteed to upset at least one nuclear-armed nation already suspected of carrying out cyber attacks. Consider this statement:
“I’ve lost count of how many times Sony’s online properties have been hacked now—I just don’t have that many fingers—but it’s happened again. Databases used to operate sonypictures.com, sonybmg.nl, and sonybmg.be have been compromised…using SQL injection…being susceptible to SQL injection is embarrassing enough…but what makes this hack even worse is the data that has been compromised…with one major feature in common: they included plaintext passwords.”
That was Peter Bright writing in Ars Technica in June of 2011. Three years later, in June of 2014, Sony Pictures released a teaser trailer for The Interview, a film graphically depicting the North Korean dictator’s head exploding (in a sequence without which, director Seth Rogen complained, “the joke won’t” work). In other words, Sony was forewarned, but not forearmed. We see a past history of weak security combined with a failure to batten down the hatches before proceeding with a project that was bound to cause anger in at least one part of the world.
When news of the Sony Pictures breach started to leak, the company’s response demonstrated a lack of planning. Actions taken were sometimes contradictory or inflammatory. In short, the company clearly lacked an appropriate incident response plan. Why this should be is hard to fathom. One of the most consistent themes in IT security publications over the past few years has been: it’s not if you get hacked but when. In other words, any responsible organization will put in place a plan for responding to a breach, and stick to it when a breach occurs. Here’s a link to some good incident response advice that has been freely available for several years: NIST Special Publication 800-61 Revision 2: Computer Security Incident Handling Guide (.pdf).
Some of these lessons are stark and obvious, but they should not obscure the fact that Sony Pictures has been victimized by criminal hackers. Drawing lessons from a crime is not the same as “victim blaming”. The failure to lock the door of your car does not make you culpable if it is stolen. We should never accept that crime is inevitable. At the same time, there are many layers of victimization in a crime of this magnitude. Current and former Sony employees who have had their lives turned upside down by the breach of privacy that these criminal hackers perpetrated have every right to seek redress from an organization that could fairly be said, just on the evidence published so far, to have failed the standard of due care for protection of its employees.
For additional perspective on this evolving situation, there is a good article in Businessweek and a detailed timeline on this blog. You might also want to monitor Krebs on Security, from Brian Krebs (he’s the guy who broke the Target breach story about this time last year, some lessons from which Sony failed to learn).
And of course we’d like to hear what you think the lessons from the Sony hack might be, so leave a comment and let us know.
Author Stephen Cobb, ESET