Eat. Pray. Love. – Three Words that Comply with Sony’s Password Policy

Thursday, January 01, 2015

Scott Garber


While evaluating the Sony hack and the explosion of related press, our team discovered an eerie tie-in to the titles and taglines in Sony Pictures' massive movie library, which might have been an early indicator of the inevitable breach. Some of our favorites include:

  1. 30 Minutes or Less: How Fast a Company is Destroyed by Hackers
  2. Something’s Gotta Give: Guess it’s Sony’s Revenue
  3. Stranger than Fiction…Except it’s True
  4. Yours, Mine, and Ours: Sony Employee’s Personal Information
  5. Click: A Story about Sony’s Downfall
  6. Stealing Harvard…and the Entire Sony Network

Quirky twists on Sony movie titles can be fun and though the Sony hack story has been dissected by every major and minor news source, we’ve connected the dots in a different manner:

Ever dream of being a celebrity, even for a day? Wondered what it would be like to have Brad Pitt's real number in your phone? Today may be your best chance, thanks to the recent hacking incident on Sony's network and the massive public release of sensitive personal information.

While the Bling Ring disrupted and distracted the A-List in 2008/2009, the “Sonypocalypse” has devastated and derailed the entire Sony organization. At a minimum, Sony will be paying for the privilege of tracing, triaging, and treating the downright disastrous damage for years to come.

Sony did not err in producing "The Interview," but it did make some very compelling and critical errors in its internal IT policies. Password policies were stuck in the 1990s, document naming conventions pinpointed juicy targets, and nothing was encrypted: everything, including passwords to very sensitive accounts, was hosted in the clear on the network.

While corporate networks are generally viewed as safe havens for information, whether it travels by email or sits enclosed in documents, complacency is very common. That complacency hides behind the prevailing mantra that "it will never happen here." Unfortunately, the reality, as the author counts it, is that 97% of Fortune 500 companies have been hacked.

Fortune 500 companies are tantalizing targets for hackers – for intellectual property, competitive advantage, state-sponsored terrorism motives, vast troves of employee information, and because there are often multiple, simple ways to hack their networks.

Think of a Fortune 500 company’s network as a celebrity’s mansion – any decent local thief knows where their homes are, the best times to attack, and the types of riches these homes hold. In many ways, these homes are very tempting targets and should be secured at all times with multiple lines of protection (door locks, interior hiding places for valuables, an alarm system, etc). However, the Bling Ring, like Sony’s corporate network, illustrates that a spotlighted target isn’t necessarily secure.

Paris Hilton’s front-door key was under her front mat…which wasn’t needed – her door was unlocked. Audrina Patridge and Orlando Bloom’s doors were also unlocked. Only two stars had security cameras and after a year of countless burglaries, the Bling Ring members took millions of dollars in shoes, jewelry, clothes, and celebrity property. The damages in the Sony case will be dramatically larger – and unlike the real world, a security camera can’t help ID the thieves in the act.

Sony's digital forensics team (Mandiant/FireEye) has a main culprit, but no smoking gun and no conclusive evidence. While the Bling Ring members were eventually apprehended after bragging about their burglaries at parties, the ringleader only served 30 days of a 180-day sentence. If the hackers are ever caught, chances are, no one will be punished.

While Sony will have to sift through 100 terabytes of publicly-shared sensitive data, the hack does offer a somewhat shocking benefit – starting over from scratch. Sony executives will be focused on fortifying the foundation of a functional IT infrastructure, and most importantly, ready to invest in the people and products to push promises into present-day security measures.

Passwords will be stronger and no longer stored in plain text on central servers. Documents and sensitive communication will be locked behind encryption and tracked with robust access policies and procedures. Insider threats will be mitigated, or at the very least tracked and contained with an active remote monitoring solution. Outside threats to exposed ports and firewalls will be identified with vulnerability scanners and fixed quickly through internal remediation. Cyber security products will be reinforced with an intrusion detection system. Executives and engineers will keep track of all important alerts through a granular, multi-conditional alarm system. Most of all, everything from application activity to minor asset malfunctions and peer-to-peer network uploads will be actively tracked, correlated, and stored in real time, giving future forensic teams full look-back capability across the entire network the next time it is compromised.

At least, that's the hope. Sony clearly didn't learn any lessons from its 2011 PlayStation Network breach, which exposed 77 million accounts: 1 million passwords were stored in plaintext, and half of the passwords used only one character type.
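The two password lessons above (reject passwords that use a single character class, and store passwords only as salted, slow hashes rather than in plain text) are easy to state and easy to get wrong. The following is an added example written for this page, not Sony's code or anyone else's production implementation; the sample password list, the policy thresholds (12 characters, 3 classes) and the scrypt parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample of leaked-style passwords, used only to show the audit.
SAMPLE_PASSWORDS = ["password", "123456", "eatpraylove", "Tr0ub4dor&3"]

# scrypt cost parameters (assumed values; 16 MiB of memory per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def meets_policy(password: str, min_length: int = 12, min_classes: int = 3) -> bool:
    """Assumed policy: a minimum length plus a minimum number of character classes."""
    return len(password) >= min_length and character_classes(password) >= min_classes


def audit_single_class(passwords) -> float:
    """Share of passwords built from a single character class (the 2011-breach statistic)."""
    weak = sum(1 for p in passwords if character_classes(p) <= 1)
    return weak / len(passwords)


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store a salted scrypt digest instead of the plaintext.

    The salt is random per password unless one is supplied (supplied only for tests).
    The record carries its parameters so they can be raised later without re-coding.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt/parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=32,
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(f"single-class share of sample: {audit_single_class(SAMPLE_PASSWORDS):.0%}")
    for pw in ["eatpraylove", "Eat.Pray.Love"]:
        print(f"{pw!r}: classes={character_classes(pw)} policy_ok={meets_policy(pw)}")
    record = hash_password("Eat.Pray.Love")
    print("stored record:", record)
    print("verify correct:", verify_password("Eat.Pray.Love", record))
    print("verify wrong:  ", verify_password("eatpraylove", record))
```

The stored record never contains the password, two users with the same password get different records because of the per-user salt, and the comparison uses `hmac.compare_digest` so that a mismatch does not leak timing information about how many bytes matched.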

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.