Wednesday, December 3, 2014

Was Sony the Victim of an Activist Attack?

Last Thursday, Thanksgiving in the US, details of an extremely damaging hack into Sony Pictures began to spread across the web.

The latest reports indicate that Sony's internal communications were knocked offline and all the internal files of Sony were taken and are now readily available on the web. One report states that the data stolen totals in the terabytes.

Putting aside how it happened and why such an attack/exfiltration of data was not seen and stopped, the Sony hack is being reported as unique and a "cyber landscape game changer."

The reason for these claims is that purportedly the hack was state sponsored by the North Koreans. Even more unique is the motivation. The attack is in response to a movie Sony has produced, a comedy about killing the Premier of North Korea. (Again, let’s put aside the decision to make such a movie.)

In essence, the North Koreans are upset because a company has decided to poke fun at its leader. Their ire has manifested itself in an attack to steal all the company’s secrets and lay them bare to the public for inspection.

As I stated, a number of cyber security pundits are calling this unique and game changing and a new chapter in cyber-attacks. Nevertheless, they are wrong.

For years, I and several others in the information security/cyber world have been pointing out the 4 true cyber threats:

  • Crime: focus is profit
  • Espionage: focus is information theft
  • Warfare: focus is destruction of systems
  • Activism: focus is to embarrass or discredit

Of the four, the last, Activism, is the scariest because of the motivation. The attacks are intended to "lay bare" a company's, government's or person's secrets. Once this data is made public, the other cyber underground actors can then use it for their purposes, namely Crime, Espionage and/or Warfare.

The attack on Sony is no different than the attack on JP Morgan or any of the "Ops" launched by Anonymous. The intention is the same. The attackers want the information to force a change and are willing to go public with it to effectuate the change. "To Hell" with all the others hurt by the attack, whose identities and credentials are now in the public domain or whose businesses will go under because the victim can no longer operate as normal. For the attacker, those companies never should have started working with such corrupt businesses, like Sony. Because making a bad comedy about Kim Jong-un, the Megalomaniac Dictator with horrible hair, makes you corrupt.

My point is that the reason for attacks is not always what we assume. The motivation of attackers is equally if not more important than the methodology of the attack. (In the Sony case, I'll bet it turns out to be a phishing attack where malware was installed by someone with admin access to their computer and from there a version of Shamoon was installed to infect the network. Thanksgiving was the targeted launch date because it would generate the most press and potentially the most damage if the virus ran its course over the 4-day weekend, but that is just a guess.)

Companies need to understand what data they hold and how valuable it is. It’s not always about credit card or financial data.

How many deals, operations, projects have fallen apart because of leaks of information? How many will fall apart because of the Sony hack?

Stop waiting for the attack and take proactive steps to secure your company.

Sony's hack will cost upwards of $400 million by the time it’s done, all totaled. If only they had spent 1% of that on a proactive review.

One parting thought: I asked this before, but I'll share it again. If you run a business, sit on a board or are in management in any way, you need to be able to answer these ten questions:

  1. Who specifically is responsible for information security within your company and your supply chain?
  2. What company data is the most valuable, who has access to it and why?
  3. Who decides who has access to what information stored within your company?
  4. Can you see what is coming into AND out of your system?
  5. Do you have a cyber-incident response, management, remediation and resiliency plan?
  6. Does your company have a threat awareness program for employees, management and day-to-day operations?
  7. Who is responsible for monitoring social media and the internet for threats and attack information?
  8. When was the last cyber security audit conducted, by whom and where is the report?
  9. Do you do Information Security Due Diligence on your suppliers?
  10. Does anyone in your security team think like a bad guy?