Wednesday, 22 April 2015

The Sony Hack. There is Something Wrong With This Picture?

The Attack. 
Let’s get something clear from the start: Sony wasn't hacked, it was nuked. The information taken from the servers included staff financial and medical information, unreleased movies, confidential screenplays and millions of emails. The data loss was in excess of one hundred thousand gigabytes. When the hackers had finished their digital heist they planted malware that wiped Sony’s servers and knocked over their network. The network was so devastated that the only way the company could operate was to reissue legacy BlackBerry phones for email and connect up old workstations in order to do basic things such as issuing cheques for staff salaries.
According to the Chief Executive of Sony Pictures, Michael Lynton, “There was no precedent for how to deal with a hacking attack on the scale of that which hit Sony Pictures.” He said his firm had "no playbook" on how to respond. He went on to say his firm was "adequately prepared" but "just not for an attack of this nature", which he said no firm could have withstood.
U.S. investigators have evidence that hackers stole the computer credentials of a system administrator to get access to Sony's computer system, allowing them broad access, U.S. officials briefed on the investigation tell CNN.
It has also come to light that employees were subjected to a prolonged phishing attack that allowed the hackers to gain access to passwords and then plant malware within Sony's systems.

According to Stuart McClure, CEO of cyber security firm Cylance, a phishing attack against Apple IDs was at the root of the Sony hack. Stuart goes on to say "The Apple ID verification looked very convincing and was spot on for what users would normally expect to see, except of course that it's completely phished and fake". I have seen several different versions of Apple phishing emails and I can agree wholeheartedly that they are very well crafted.

So, to summarise, a stolen admin password apparently allowed a hacker to extract 100,000 gigabytes of data and bring down the servers of one of the biggest media companies in the world. It seems that the only thing unprecedented about the Sony hack was its poor security systems.
What could have been done differently? 
The most basic thing that could have been done is to train employees never to click on links in an email and to enforce the policy using readily available email monitoring software. That alone would most likely have stopped the hack.

If we move up the complexity chain, it is very simple to monitor network data and automatically spot unexpected movements of data. This is done simply by installing software that records “typical” data movement and flags unexpected events. The best solutions will not only monitor raw data leaving the business but will also flag behaviour that indicates an employee or peer group may be planning to leave employment and take business information with them.
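As an added illustration (not code from the original post or from any product it mentions), the script below builds a per-user baseline of daily outbound data volume from a constructed log, then flags a later day when that user's volume is far above their norm, or when the account has no history at all. The log format, the three-day training window and the thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample egress log: bytes leaving the network per user per day.
# Days 1-3 form the "typical" window; days 4-5 are the days being checked.
SAMPLE_LOG = """\
day=1 user=alice out_bytes=200000000
day=1 user=bob out_bytes=50000000
day=2 user=alice out_bytes=210000000
day=2 user=bob out_bytes=48000000
day=3 user=alice out_bytes=190000000
day=3 user=bob out_bytes=52000000
day=4 user=alice out_bytes=198000000
day=4 user=bob out_bytes=900000000
day=5 user=alice out_bytes=202000000
day=5 user=svc_backup out_bytes=300000000
"""

def parse_log(text):
    """Return (day, user, bytes) tuples from key=value lines, skipping blanks."""
    rows = []
    for line in filter(None, text.splitlines()):
        f = dict(kv.split("=", 1) for kv in line.split())
        rows.append((int(f["day"]), f["user"], int(f["out_bytes"])))
    return rows

def build_baseline(rows, training_days):
    """Per-user (mean, stddev) of daily egress over the training window."""
    per_user = defaultdict(list)
    for day, user, nbytes in rows:
        if day <= training_days:
            per_user[user].append(nbytes)
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items()}

def flag_anomalies(rows, baseline, training_days, sigma=3.0, min_ratio=2.0):
    """Flag post-training days where a user's egress is both `sigma` stddevs
    above their mean and `min_ratio` times it (guards against a near-zero
    stddev), or where the user has no baseline at all (new/silent account)."""
    alerts = []
    for day, user, nbytes in rows:
        if day <= training_days:
            continue
        if user not in baseline:
            alerts.append((day, user, "no baseline"))
            continue
        mu, sd = baseline[user]
        if nbytes > mu + sigma * sd and nbytes > min_ratio * mu:
            alerts.append((day, user, f"{nbytes / mu:.1f}x typical"))
    return alerts
```

On the sample log this flags bob's day-4 burst and the previously unseen svc_backup account, while alice's ordinary fluctuation stays quiet.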
Part of the stolen data included embarrassing emails. How many emails were stolen? Probably all of them! The really surprising part of this admission is that securing email is one of the most mature technologies in the corporate sector. If it's important for a business to secure its email system (and it would be odd to suggest otherwise) then it is simple to do. The gold standard for email security is the BlackBerry BES EMM. It runs on its own secure servers called the NOC (Network Operating Centre). The BlackBerry NOC moves and secures more mobile data than anyone else, 35,000 terabytes per month on average. It does not rely on a carrier’s basic consumer security but runs on its own network. This is why Sony could re-commission its old legacy BlackBerry handsets and start communicating by email even though its own servers were knocked out.
What else should businesses do?
What data have you got? Consider the types of information that your company handles (e.g. social security numbers, payment card numbers, patient records, designs, human resources data) and make a priority list of what needs to be protected.
Where is the data? Cloud, file servers, workstations, laptops, removable media, smart phones, databases.

How important is the data? Assign a priority rating to your information. Consider a 1-5 scale, no more complex than that.

Conduct a threat-modeling exercise. What is the worst that could happen? Rate the threats and make sure insider threats are always rated highest.

Based on the information above, decide on the levels of data security required.
There are many levels, but they can be divided into three:
  • Standard security measures,
  • Advanced/intelligent security measures,
  • Designated DLP & DRM systems.
Standard security measures
Firewall, antivirus, intrusion detection system, staff policies.
Advanced security measures
Anomaly detection, activity-based verification, thin clients. These can also set traps for would-be data thieves.
Designated DLP & DRM solutions
Scans data-in-motion, data-in-use and data-at-rest. DRM (Digital Rights Management) controls the circulation of documents and media. It ensures that files are not shared (leaked) by accident or by design.

The Human Factor

It is a fact that employees are the weakest link in the security chain. A recent survey by SailPoint uncovered a widespread level of employee indifference towards protecting sensitive corporate data, including the personal information of customers. In fact, an alarming number of employees surveyed admitted they would sell their passwords, some for as little as US$150. These figures are based on a global survey of 1,000 employees at large organizations.
In addition, the survey also confirmed that employees are lax about password management in general. Specifically, 1 in 5 employees routinely share login information for corporate applications with other members of their team, which increases the potential that the passwords they sell might not even be their own. Compounding the problem, 56% of respondents admitted to some level of daily password reuse for the corporate applications they access, with as many as 14% of employees using the same password across all applications.
Even if a business locked down its data using the best possible practices, it only takes one individual to sabotage the entire system and steal valuable data. It is imperative that businesses create and enforce organization-wide data handling policies based on industry regulations and on the organization’s specific requirements.
It is essential to clearly map how data is handled and secured in an organization. Policies should state strict rules for handling this data, such as discarding or archiving unneeded personal data and creating access control mechanisms so that only authorized employees have access. The creation of a data handling policy should be accompanied by appropriate training that informs employees of the rules and of what is required of them. It is critical that employees sign binding statements regarding their responsibilities and their commitment to work according to the policy.