Whomever and wherever the Guardians of Peace are, at least three things are becoming clear.
One: They almost certainly had privileged access or insider-level access to Sony’s business-critical organizational assets, information, plans, content and contracts.
Two: Much of what they took were files that were either highly sensitive, long dormant, or large in size, and their actions certainly created some type of footprint that is discernable from standard line-of-business communications, from preparation and malware infection to a deep intrusion with network exploration, which should have triggered internal alarms via-off-the shelf network software and appliances. But no alarms sounded. This begs the question: if a publicly-held company’s out-of-date network security falls within a forest of hackers, does it make a sound that shareholders hear?
Three: Some of the data released seems vindictive in nature – personnel and payroll files, for example. Maybe these are the kinds of records a rogue nation would use to squelch a movie’s release. They’re definitely the types of files that a disgruntled former associate or past employee would use to embarrass and destabilize a former employer.
Free eBook: Modern Retail Security Risk – Get your copy now.
If GOP had privileged access, SONY’s laughable password protection scheme (passwords consolidated into a file named “passwords”) becomes a moot issue. Even an end user’s passwords can make child’s play out of the task of breaking through advanced, multi-tiered schemes and embedding malware to access, copy, and even corrupt or delete critical data assets.
If that’s the case, certainly it’s not the first such occurrence in recent history: Edward Snowden was someone who used an associate’s privileged access and password credentials. He didn’t hack anything.
Out-of-date corporate networks are a rich target for would-be cyber thieves, for whom advanced persistent threat attacks (APTs) are the preferred strategy of attack. More than 100 public US companies were recently hacked in an APT wave to gaming stock prices with R&D, sales and other critical data.
The fact is that passwords are like car door locks. They’re important and definitely always useful, yet the most determined of malicious players will likely get through anyway. Security and diligence now require that companies secure unstructured data and deploy behavioral network traffic analysis with advanced intrusion prevention systems (IPSs) within their networks. Standard IPS, firewall, and endpoint security systems guard the front door, where in-network technologies actively scan and detect internal attacks to protect the network within.
The next step lies in doing the known security hygiene procedures right, such as understanding that BYOD (bring your own device and applications) is a fact of life that makes the management of applications, permission policies, and risk levels at the data and subnet levels essential.
By Carmine Clementelli, Security Expert and Manager, PFU, a Fujitsu Company
Bio: Carmine Clementelli is a security expert and manager with PFU, a Fujitsu Company. Clementelli and his team help healthcare, pharmaceutical, banking and finance, educational and other institutions and corporations throughout North America secure their networks, data and critical information assets. Fujitsu is a global security leader.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.