Sony Pictures Breach: Saga Yields Insight On Basic Security Lapses
The hacktivist group calling itself "Guardians Of Peace" continues to issue threatening statements toward Sony Pictures more than two weeks after it gained unfettered access to the company’s email and database servers.
While the tactics used to carry out the data breach continue to be cloaked in mystery, solution providers say the widespread access the group apparently had shows that Sony Pictures had a disregard for some basic security best practices. Organizations need to thoroughly assess their backup and recovery processes, identify and protect the core intellectual property, and gain control and oversight of system privileges, said Andrew Sherman, security practice lead at Eden Technologies, a New York-based security consultancy.
"I was kind of surprised about the amount of time it took to get essential services back online," Sherman said. "We do business continuity and disaster recovery tools around the loss of a site in a natural disaster, so perhaps the business continuity planning people need to think and plan for events like this as well."
Best practices dictate that backups should be conducted weekly and include the operating system, application software and data on each system. When the recovery process is in full motion, incident responders need to determine if backups also contain the malware used in an attack. That investigation is what could have caused a delay getting systems back online at Sony. One way to reduce the potential for a threat on a backup system is to make one backup inaccessible from corporate endpoint systems, system experts say. The backup may be older, but it will ensure continuity of services until newer backups can be analyzed for potential threats.
The destructive malware believed to have been used by the Sony Pictures attackers could also have caused a delay in getting systems back online. It was designed to evade detection by standard antivirus. Once it has stolen data from a PC, it completely erases system files and the master boot loader, the information on the hard drive used to boot the operating system.
The technique the hacktivists used to gain initial access to the corporate network is still unknown. Solution providers say the attackers could have gained access by stealing a system administrator’s password or by phishing other employees and using their credentials. The hacking group’s use of custom malware, its multistaged attack and its unlimited access suggest the group was well funded and determined to get in.
The Sony Pictures breach uncovered sensitive information stored on Microsoft Excel files lacking password protection, tokenization or encryption. Even if the files had been encrypted, solution providers tell CRN that the implementation could have been faulty or the attackers could have had access to the key to decrypt the information.
Solution providers point to a hacktivist attack against security vendor HBGary in 2011 as proof of the strength of determined attackers. The company, founded by security researcher and security industry veteran Greg Hoglund, was attacked by a hacktivist group called LulzSec. The group compromised the HBGary website and used social engineering to obtain an administrative password. Thousands of HBGary and HBGary Federal emails were released in apparent revenge for the company executives’ attempt to infiltrate Anonymous and conduct cyberattacks against Wikileaks. The LulzSec attack included erasing system files and embarrassing the company. HBGary was acquired in 2012 by ManTech International.
In addition to unreleased movies and movie scripts, the Sony Pictures hacktivists leaked email messages; corporate data, including personally identifiable information; salary data; Social Security numbers; and other sensitive information. Former Sony Pictures employees are suing the company over the security lapse. Sony Pictures is issuing cease and desist orders to media publishers and website owners who posted links to the stolen data or used the stolen data in stories.
The Sony Pictures attackers are now threatening an "11th of September"-style attack on movie theaters showing "The Interview," a film set to open on Christmas and starring Seth Rogen and James Franco as journalists contracted by the CIA to assassinate Kim Jong Un.
Organizations need to review their access control strategy and introduce the strategy of giving employees the least amount of privileges necessary without hindering them from doing their jobs. "Users should have the level of access they need to do their job and no more," Sherman said. "You shouldn’t have access to something you needed two years ago when you were in another role at the organization."
The theory is that by getting better control over user privileges, which can be expensive, complicated and time-consuming, attackers would be slowed down and might move to easier targets. At a minimum, organizations should be doing an access review and cleaning up unused accounts, Sherman said.
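The access review Sherman describes, as an added example that is not from the article: it walks a constructed directory export and flags accounts with no login in 90 days and entitlements granted before the user moved into their current role. The record layout, the cutoff and the sample data are all assumptions.

```python
"""Access review: flag unused accounts and entitlements left over from a
previous role. Example code, not the article's; the record format, the
90-day cutoff and the sample directory export are assumptions."""
from datetime import date, timedelta

# Constructed sample directory export: one record per account.
# "grants" lists (entitlement, date_granted); "role_since" is the date the
# user moved into their current role.
ACCOUNTS = [
    {"user": "alice", "last_login": date(2014, 12, 10), "role": "finance",
     "role_since": date(2013, 3, 1),
     "grants": [("payroll-share", date(2013, 3, 5)),
                ("legal-share", date(2012, 6, 1))]},
    {"user": "bob", "last_login": date(2014, 5, 2), "role": "it-admin",
     "role_since": date(2012, 1, 1),
     "grants": [("domain-admins", date(2012, 1, 2))]},
    {"user": "svc-backup", "last_login": None, "role": "service",
     "role_since": date(2011, 1, 1),
     "grants": [("backup-operators", date(2011, 1, 1))]},
]


def review(accounts, today, unused_after=timedelta(days=90)):
    """Return (user, finding, entitlement) tuples.

    unused-account: never logged in, or no login within `unused_after`.
    stale-grant:    entitlement predates the user's current role, so it was
                    inherited from a previous role and needs re-approval.
    """
    findings = []
    for acct in accounts:
        last = acct["last_login"]
        if last is None or today - last > unused_after:
            findings.append((acct["user"], "unused-account", None))
        for name, granted in acct["grants"]:
            if granted < acct["role_since"]:
                findings.append((acct["user"], "stale-grant", name))
    return findings


if __name__ == "__main__":
    for user, finding, ent in review(ACCOUNTS, date(2014, 12, 17)):
        print(f"{user:12} {finding:15} {ent or ''}")
```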
In addition, network monitoring tools should have detected a spike in activity when stolen data was uploaded to remote servers, say solution providers. Organizations should be monitoring network traffic to identify suspicious activity, but ultimately incident response is falling to outside firms, according to Jon Sargent, president of Norfolk, Va.-based security services firm Padlon. A lack of skilled incident responders is forcing organizations to seek help in dissecting security system alerts to weed out false positives and identify the threats that pose the biggest risk, Sargent said.
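The outbound spike that monitoring should have caught, as an added example that is not from the article: it aggregates constructed per-flow records into hourly outbound byte counts per host and alerts when one hour exceeds both an absolute floor and a multiple of that host's median hour. The flow-record layout, the thresholds and the sample values are assumptions.

```python
"""Flag outbound-volume spikes per host from constructed flow records.
Example code, not the article's; the record layout, the thresholds and
the sample flows are assumptions."""
from collections import defaultdict
from statistics import median

# Constructed sample flow records: (timestamp, src_host, dst_ip, bytes_out).
# ws-0412 shows a normal working-day baseline and then a bulk upload at 02:00.
FLOWS = [
    ("2014-11-23T09:00", "ws-0412", "203.0.113.10", 120_000),
    ("2014-11-23T10:00", "ws-0412", "203.0.113.10", 95_000),
    ("2014-11-23T11:00", "ws-0412", "203.0.113.10", 110_000),
    ("2014-11-23T12:00", "ws-0412", "203.0.113.10", 105_000),
    ("2014-11-24T02:00", "ws-0412", "198.51.100.7", 9_800_000_000),
    ("2014-11-23T09:00", "fs-01", "203.0.113.10", 2_000_000),
    ("2014-11-23T10:00", "fs-01", "203.0.113.10", 2_200_000),
    ("2014-11-23T11:00", "fs-01", "203.0.113.10", 1_900_000),
]


def hourly_bytes(flows):
    """Sum bytes_out per (host, 'YYYY-MM-DDTHH') bucket."""
    totals = defaultdict(int)
    for ts, host, _dst, nbytes in flows:
        totals[(host, ts[:13])] += nbytes
    return totals


def find_spikes(flows, ratio=20.0, floor=1_000_000_000):
    """Return (host, hour, bytes) for hours whose outbound volume is at
    least `floor` bytes and more than `ratio` times the host's median hour.
    The floor keeps quiet hosts from alerting on small fluctuations."""
    per_host = defaultdict(list)
    for (host, hour), nbytes in hourly_bytes(flows).items():
        per_host[host].append((hour, nbytes))
    alerts = []
    for host, hours in per_host.items():
        baseline = median(n for _, n in hours)
        for hour, nbytes in sorted(hours):
            if nbytes >= floor and nbytes > ratio * baseline:
                alerts.append((host, hour, nbytes))
    return alerts


if __name__ == "__main__":
    for host, hour, nbytes in find_spikes(FLOWS):
        print(f"ALERT {host} {hour} sent {nbytes / 1e9:.1f} GB outbound")
```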
"I think the IT guy not only has to be the jack-of-all-trades of trying to fix things, but they also have to have tools in their back pocket to keep up with bad guys," Sargent said.
PUBLISHED DEC. 17, 2014