Poor Security on Display at Sony as Gigabytes of Data take Wing



Revelations this week about the extent of the breach at Sony Pictures Entertainment should scare the pants off corporate America.

Sony shouldn’t be where it is today. More than three years ago, in 2011, the company found itself in the crosshairs of the hacktivist group Anonymous. Irked by a Sony lawsuit against famed hacker George Hotz (aka GeoHot), Anonymous allegedly crippled Sony’s PlayStation Network and stole personal information on 77 million PlayStation Network accounts. The attack shut down the network for 24 days – leading to huge costs for the famed electronics firm.

One would think the Anonymous attack would have been a wake-up call on the need for Sony to raise its game. But here we are, three years later, with news of an even more damaging breach in which gigabytes of sensitive corporate data have been stolen and dumped online. The trove includes priceless pre-release movies as well as sensitive salary and healthcare data on Sony employees, according to reports.

How did this happen? We don’t yet know the circumstances by which Sony’s network was breached. But if recent attacks on other sophisticated firms like JP Morgan are any example, this one probably started with targeted, spear-phishing attacks on senior employees or administrators. Alternatively, it might have begun with attacks on public-facing servers, such as web application servers or hosting sites, which then provided access to systems deeper within Sony’s network. Finally, Sony might have been breached by way of a third-party contractor, from building maintenance to accountants to IT support. We don’t know, and the specifics may not be all that important.

What is clear from the breadth of the breach, however, is that Sony was unable to do what most security experts these days would say is the most important job of any security team: identifying and isolating malicious activity on its network and protecting vital corporate data.

Rather, Sony’s hackers appear to have had almost unrestricted access to Sony’s networks, getting their hands on the crown jewels of Sony Pictures studios: three complete but unreleased films. If reports by Brian Krebs and others are to be believed, they also pilfered HR records on thousands of employees, including confidential salary and health data. Those files suggest, among other things, that Sony may have been paying male, female and minority employees on different scales. And, as this article indicates, sensitive data was often stored unencrypted in plain spreadsheets and text files. Finally, the systems that were infected and pilfered had their hard drives wiped. Ugly!

By all indications, this was a very targeted attack. An alert released by the FBI on the malware believed to have been used in the attack documented a list of hard-coded IP addresses and host names used by the malware. But the malware wasn’t new. The firm PacketNinjas notes that both the malicious file used in the attack and three IP addresses used as “beacon” sites by the malware once it was active had been identified as early as July of this year and were known, at least to Cisco’s ThreatGRID and other security information sharing sites. Had Sony been tracking and integrating that threat intelligence, it might have identified and blocked the malicious attachment. Similarly, had Sony been closely monitoring its own outbound network traffic, it might have spotted the suspicious connections to known malicious IP addresses.
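The two checks described above, matching known-bad indicators against what actually leaves the network and against what arrives by mail, are simple to implement once the indicators are in hand. The following is an added example, not code from the article, Sony, PacketNinjas, Cisco or the FBI. The indicator set (RFC 5737 documentation addresses, .invalid host names, a made-up SHA-256), the proxy and mail-gateway log formats and the log lines themselves are all constructed for illustration; none of them are the real indicators from the FBI alert. It goes one step beyond the article by also flagging destinations contacted at suspiciously regular intervals, so a beacon can be caught even before its address reaches an indicator feed.

```python
"""Indicator matching and beacon detection over constructed proxy and mail logs.

Everything here (indicators, log formats, log lines) is constructed for the
example; it is not Sony's, the FBI's or any vendor's data.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed indicators. A real deployment would load these from a feed
# (CSV or STIX export from a platform such as ThreatGRID) rather than hard-code them.
IOC_IPS = {"203.0.113.7", "198.51.100.23"}
IOC_HOSTS = {"update.cdn-example.invalid"}
IOC_SHA256 = {"1f3e" * 16}  # 64 hex chars, made up

# Assumed proxy log format: "<iso8601> <src_ip> <dst_host> <dst_ip> <bytes> <status>"
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>\S+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) (?P<bytes>\d+) (?P<status>\d{3})$"
)

# Constructed proxy lines: one host beacons every ~5 minutes, one browses irregularly.
PROXY_LOG = [
    "2014-11-20T09:00:00Z 10.1.4.22 www.example.com 192.0.2.10 1200 200",
    "2014-11-20T09:00:05Z 10.1.4.22 update.cdn-example.invalid 203.0.113.7 512 200",
    "2014-11-20T09:03:00Z 10.1.7.9 www.example.com 192.0.2.10 8000 200",
    "2014-11-20T09:03:40Z 10.1.7.9 www.example.com 192.0.2.10 700 200",
    "2014-11-20T09:05:05Z 10.1.4.22 update.cdn-example.invalid 203.0.113.7 515 200",
    "2014-11-20T09:10:06Z 10.1.4.22 update.cdn-example.invalid 203.0.113.7 510 200",
    "2014-11-20T09:11:00Z 10.1.7.9 www.example.com 192.0.2.10 30000 200",
    "2014-11-20T09:15:05Z 10.1.4.22 update.cdn-example.invalid 192.0.2.200 512 200",
    "2014-11-20T09:20:00Z 10.1.9.3 198.51.100.23 198.51.100.23 64 200",
    "2014-11-20T09:30:00Z 10.1.7.9 www.example.com 192.0.2.10 900 200",
    "malformed line",
]

# Assumed mail-gateway format: "<iso8601> <recipient> <attachment_name> <sha256>"
MAIL_LOG = [
    "2014-11-19T16:42:10Z j.doe@corp.example invoice.xls " + "9b2c" * 16,
    "2014-11-19T16:44:02Z a.smith@corp.example setup_update.exe " + "1f3e" * 16,
]


def parse_proxy(line):
    """Return a dict for a well-formed proxy line, or None for anything else."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["bytes"] = int(rec["bytes"])
    return rec


def match_iocs(lines, ioc_ips=IOC_IPS, ioc_hosts=IOC_HOSTS):
    """(line_no, src, indicator) for each request to a listed IP or host.

    The IP is checked first; the host check catches a listed name that has
    moved to an address the feed does not yet know about."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_proxy(line)
        if rec is None:
            continue
        if rec["dst"] in ioc_ips:
            hits.append((n, rec["src"], rec["dst"]))
        elif rec["host"] in ioc_hosts:
            hits.append((n, rec["src"], rec["host"]))
    return hits


def beacon_candidates(lines, min_hits=4, max_cv=0.2):
    """(src, host, mean_gap_seconds) for pairs contacted at near-regular intervals.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    requests; human browsing is bursty, malware check-ins usually are not."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_proxy(line)
        if rec is not None:
            times[(rec["src"], rec["host"])].append(rec["ts"])
    out = []
    for (src, host), ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            out.append((src, host, round(m)))
    return out


def match_attachment_hashes(lines, ioc_hashes=IOC_SHA256):
    """(line_no, recipient, attachment_name) for attachments with a listed hash."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) == 4 and parts[3].lower() in ioc_hashes:
            hits.append((n, parts[1], parts[2]))
    return hits


if __name__ == "__main__":
    print("indicator hits:", match_iocs(PROXY_LOG))
    print("beacon candidates:", beacon_candidates(PROXY_LOG))
    print("bad attachments:", match_attachment_hashes(MAIL_LOG))
```

The beacon heuristic is deliberately crude (a fixed count and a 20% jitter tolerance); real implants add randomised sleep, so in practice the threshold is tuned per environment and combined with destination reputation rather than used alone.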

Sony was no doubt surprised by the ferocity of the attack, which is widely believed to have been carried out by hackers working on behalf of the government of North Korea and its petulant leader, Kim Jong Un.

But the company shouldn’t have been surprised – similar destructive attacks have been carried out both against Saudi Aramco and, last year, against South Korean news agencies. Nor should Sony have been naïve about the desire of hackers to make off with its valuable intellectual property including pre-release films. Sadly, it will fall to Sony, and its shareholders, to bear the burden and the costs of cleanup.

Paul Roberts
