Sony Breach Expands, Lapse Exposed Celebrity Data

The Sony Pictures Entertainment breach is getting increasingly distressing for the company’s movie studio executives who are struggling to recover and regain control of their systems.

An analysis of the leaked data uncovered Excel spreadsheet files and other documents containing tens of thousands of employee Social Security numbers, including the personal information of noted celebrities who have appeared in the company’s films in recent years. Actor Sylvester Stallone and director Judd Apatow were among the notables whose data was reportedly exposed in the lapse.

Solution providers interviewed by CRN said the considerable scope of the leaked data makes it appear that the criminals gained the ability to probe Sony’s database servers with impunity. The analysis identified Excel files labeled ’passwords,’ void of encryption or any other protection. The incident highlights how difficult it is to mitigate risks and the need for organizations to be proactive about security, said Brian Hess, president of Gibsonia, Pa.-based service provider TEQ Guys.

[Related: Sony Breach: Leaked Salaries, Confidential Data Points To Major Lapse]

’It doesn’t matter how big or small you are, you have to have a commitment to security,’ Hess said. ’Multinationals have a lot more complexity to deal with but they also have the resources, so there’s no excuse for not having protective measures in place.’

Hess and security experts from other solution providers said organizations are failing to address basic security measures. Vulnerability and configuration management processes must be adequate; strong password policies must be enforced and employee access privileges regularly reviewed.

’No one particular breach for me is more significant than the other,’ Hess said. ’The companies that do security well do the more role-based security: They focus on properly implemented encryption and business partner security.’

Emerging security technologies can identify threats, but often businesses fail to develop an incident response plan to address the alerts generated by them, said Kevin Wheeler, founder and managing director at Dallas-based information security services company InfoDefense. An incident response plan must be thoroughly tested and regularly reviewed until the processes are carried out in a methodical and consistent manner, Wheeler said.

’Companies deploy technologies but they trip on the processes that go along with those technologies,’ Wheeler said.

Sony shut down its corporate network last week and is still recovering systems impacted by the breach. An FBI ’flash’ alert sent out to companies this week reportedly warns about the threat posed by destructive malware and security experts who have analyzed malware samples.

Trend Micro and Kaspersky Lab analysis of the threat on Thursday identified the malware’s capability to override data on the hard drives of infected systems and wipe the master boot record, preventing machines from starting.

The technique is similar to the Shamoon malware used in a targeted attack in 2012 against Aramco, Saudi Arabia’s national oil company. The malware apparently used in the Sony breach had encrypted components and could halt the Microsoft Exchange Information Store service before it forces a system reboot. Rebooting then triggers the file deletion processes, wiping files in fixed or remote network drives.

’The malware involved in the Sony Entertainment attack is called Trojan Destover, and is capable of wiping disk drives and MBR,’ wrote Kurt Baumgartner, a researcher at Kaspersky Lab. ’It is highly unlikely that the attackers spear-phished their way into large numbers of users, and highly likely that they had gained unfettered access to the entire network prior to the attack.’

PUBLISHED DEC. 5, 2014