Hollywood is a place that can be driven mad by star-studded gossip, where the talk of the town is rarely private and where people are accustomed to their secrets not staying secret for very long. Yet, this state of play hasn’t made it any easier for the victims of last month's cyberattack against Sony, carried out by shadowy assailants calling themselves the Guardians of Peace.
As the public knows by now, the attackers appear to have spared nothing in their initial leak of 27 gigabytes worth of data. They released the type of information that is exposed after seemingly every corporate hack, from the personal information of employees to the company’s classified assets, which in this case even included the script for an upcoming James Bond film.
But that wasn’t all.
They also exposed the kind of information unique to an entertainment giant like Sony – the lurid Hollywood gossip, revelations of celebrity aliases and even studio executives’ off-the-record opinions about some of today's box office smashes.
Sony’s Imperfect Network Security History
So how could this have happened? Although the finger-pointing has been ongoing since the attackers revealed themselves to Sony employees at the end of November, what's clear is that the malware used by the Guardians of Peace was undetectable by antivirus software, and, as is often the case with attacks as broad as these, human error within Sony – passwords that were both easy to crack and stored in a file directory marked “passwords” – may also have been a factor.
Unfortunately, these aren't new criticisms of the company.
Sony's network security defenses, from poor access control to weak passwords, were so lacking in 2007 that an auditor told the company’s executive director of information security, "If you were a bank, you'd be out of business." Then there was the 2011 hack of Sony's PlayStation Network – an attack that was preceded two weeks earlier by the company laying off two employees who were responsible for network security.
In retrospect, it's easy to construct a seven-year trail of breadcrumbs back to Sony being hacked, and to allege that executives should have known they needed to do more to shield the company from attack. But, as the FBI's Joseph Demarest, assistant director of the agency's cyber division, suggested, the high sophistication of the attack proved to be just as much a factor as how porous the company's network security may have been.
He said, "The malware that was used would have slipped or probably gotten past 90 percent of [Internet] defenses that are out there today in private industry and [likely] challenged even state government."
Preventing the Next Great Hack
The massive Sony breach has shown, yet again, just how expeditious and ruthlessly efficient attackers today are. One minute, the network security fortress of a company like Sony is seemingly secure, and the next, documents and correspondence that were intended to be private are splashed across every news outlet. It should be more than enough to give network administrators significant pause, and make them wonder, "If it can happen to Sony, why couldn't it happen to me?"
Fortunately for network administrators, there is no shortage of steps they can take to prevent attackers from breaching their walls, and there are just as many ways to limit the damage in a worst-case scenario where hackers are able to make it inside.
We're talking about a defense-in-depth approach – a multi-layered, redundant strategy that seamlessly weaves together overlapping network security products, like strong VPNs and firewalls, with proven processes, like employee training and encryption protocols, to help network administrators defend against a range of threats looming right on their doorsteps. Additionally, if hackers do get in, layering security technologies can help limit the reach of the attack and the damage it causes, making it more difficult for attackers to actually escape with sensitive information.
It's impossible for network administrators to know for sure they have the upper hand against attackers who seek to do them harm – their methods evolve too rapidly. But with a defense-in-depth strategy, network administrators at least know they have fail-safes in place should they become the next target.
This was cross-posted from the VPN HAUS blog.