Sony Hack: Hard Lessons

January 20, 2015

By Dennis Kneale

 

One meme working its way through the cybersecurity business is that it’s no longer a question of whether you have been hacked, it’s a matter of when, and whether you ever find out about it.

In that sense the Sony hack-attack was all but inevitable; the surprise came in how destructive the effects were. At The Montgomery Summit presented by Macquarie Capital and set for March 10-11 in Santa Monica, Calif., half a dozen early-stage firms will show off their latest weaponry in the war on hackers. I’ve been talking to some of their people in my role as summit MC, and herewith they offer a few lessons from the Sony Snafu.

LESSON #1: Sony wasn’t paranoid enough.

Its PlayStation network had been the target of myriad intrusions previously, yet in the latest invasion hackers were able to set up shop for months, take control of the company network, destroy data and steal intellectual property. “They would have been hacked anyway, but the level of disruption in Sony is deeper than anyone expected because they weren’t security-focused, so the infrastructure was weaker,” says Julien Bellanger of Prevoty, in Los Angeles.

LESSON #2: The barbarians have cleared the gates. Focus inside.

By some estimates, the invaders may have been creeping around inside Sony for up to 18 months before being detected. McAfee-style virus detection is “trying to solve the wrong problem,” says George Kurtz of CrowdStrike in Irvine, Calif. “We need to look at tactics and techniques of what the bad guys do,” after they have set up shop inside a company network.

LESSON #3: Hackers’ motives and methods have gotten meaner.

Twenty years ago hackers were impish social maladroits wanting to look around. Today they are more likely to be overseas mobsters, spooks for rival governments or anti-government “hacktivists.” They comprise only a small portion of hack attacks, but they are especially relentless. Their goals are theft, profit, intelligence, espionage, extortion and even destruction. “The bad guys are much more sophisticated than five years ago. Virus outbreaks now have much more criminal intent,” says Ravi Devireddy of E8 Security in Palo Alto, Calif.

LESSON #4: Don’t trust your own.

“When a hack happens there’s always something more behind it, something deeper,” says Prevoty’s Bellanger. “Don’t trust your insiders, unfortunately.” In 2014, 35% of cybersecurity incidents were attributed to current employees (whether intentional or accidental) and 30% to ex-staff, according to PwC’s U.S. State of Cybercrime Survey. In the Sony case, some cyber-sleuths cite evidence indicating a former employee had to have been involved. A purported hacker with a group known as Lizard Squad told the Washington Post his group had provided Sony employee logins to Guardians of Peace, the “hacktivist” group that claims to have infiltrated Sony defenses and set off the brouhaha over “The Interview,” a film that otherwise might have disappeared into the ether.

LESSON #5: Don’t trust your vendors, either.

While there isn’t yet any indication that vendors played any role in the Sony cyber-invasion, it is becoming clear they do pose extra risk for businesses. In another infamous, big-brand hack, Target ended up losing millions of credit-card records to hackers who had gained online access via the Internet-linked air-conditioning system, stealing login codes from an HVAC contractor. Companies cite current service providers, consultants or contractors in 18% of cases and former ones in 15% of incidents, PwC says.

LESSON #6: Cybersecurity is now a boardroom priority.

It used to be the purview of the IT department, relegated to housekeeping status. Suddenly cybersecurity is mission-critical, worthy of a major mention in President Obama’s State of the Union speech last Tuesday (20th). “Now it’s a boardroom conversation. People understand this is, in fact, an enterprise risk problem, with everything that goes into that,” says Robert Ackerman, managing director of Allegis Capital. It also is a risk to the brass: At Target, which lost 70 million account records to hackers, the CEO resigned in May, and a shareholder advisory service recommended voting against seven of the 10 Target board members (they were re-elected).

LESSON #7: It’s time for new math in the security budget.

Security spending is viewed as a component of the corporate IT budget, typically 4% to 8% of a company’s total tech spend. That’s the wrong way to look at it, says Donald More of Signal Hill, an investment bank. He suggests measuring the security budget as a percentage of a company’s total revenue, because that’s what is at stake: the whole business. At Sony, tote up the multiple millions of dollars in losses and costs—in destroyed data, blacked-out networks, stolen films, damaged relationships and brand humiliation—and whatever the security budget was, when measured against the hundreds of millions of dollars in revenue at risk at Sony Pictures Entertainment, it wasn’t quite enough. Or maybe it wasn’t for the right stuff. The cyber-warriors gearing up to present at The Montgomery Summit have an answer for that one.

 

Cover image from http://www.strikerpierce.com/chad-baptiste-striker-pierce-discusses-sony-hack/