Sony has announced this week that it will be canceling the release of “The Interview” after hackers threatened to attack movie theaters across the United States. Here to comment on the ongoing Sony hack are a number of professionals from prominent information security companies. Tripwire, Kaspersky Lab, Voltage Security, and STEALTHbit Technologies are represented.
Free eBook: Modern Retail Security Risk – Get your copy now.
Tim Erlin, Director of Product Management, Tripwire:
“The average consumer may have a hard time understanding the size and scope of the Sony attack. Not only is it unprecedented for a cyber-attack on a private company to have these kinds of geo-political ramifications, but the technical scope of what the attackers did is unusually large. The attackers claim to have copied nearly 100 terabytes of data out of Sony, and they’ve posted some of it already. Extracting that amount of data from an organization takes time and effort. These attackers not only got into Sony, but they also had the time to assemble and remove this data and then set up a coordinated announcement of their presence via simultaneously displaying an image on systems throughout the organization. We can’t fully understand the scope of the compromise without more information, but it’s substantially more serious than the credit card thefts we’ve seen recently.”
Eugene Kaspersky, CEO, Kaspersky Lab:
“The Sony hack is probably the first one that’s been so globally high-profile. The most worrying aspect for me is that this hacker group was threatening to stage terror attacks. I don’t know if there really is a link between this group and terrorists, but the threat does show that politically-motivated hackers may be embracing terrorists’ methods. A merger between groups of hacktivists and traditional terrorist organisation has been a fear of mine for years.
“Of course, such an attack on the entertainment industry is very damaging and costly, but it’s probably not as dangerous as an attack on critical infrastructure. In any case, it’s a very strong signal that even the most advanced hi-tech companies are not immune to hacker attacks, and we have to prepare ourselves for very serious and painful attacks in the future. Sadly, it’s not easy to say which industry or company will be the next target.”
Brendan Rizzo, Technical Director, Voltage Security:
“The events that continue to unfold at Sony show a startling escalation of cyberattacks that are now becoming a worryingly effective tool for spreading fear and economic damage. This is why it is so important that companies give their utmost attention to protecting their sensitive customer, employee, and company data in a best-practice data-centric manner to shield themselves from any such attacks, including encrypting emails to protect sensitive information. If the recent attack did not result in the theft of unencrypted personal information and digital property, it would have merely been a footnote in an article instead of the global media’s lead story for several weeks running.”
Jonathan Sander, Strategy & Research Officer, STEALTHbits Technologies:
“While experts and US government officials wonder whether North Korea, hacktivists, or just another bunch of bad guys are at fault for the hack, what should be giving people chills as they read about Sony is how familiar it all feels. Sony people were emailing passwords around to one another. They were openly discussing their poor security. Perhaps most scary was that there was a lot of discussion about how they were just about to roll out the project to fix it all. If that sounds familiar to you, it’s because it echoes what’s going on at too many organizations today. An alarming number of enterprises have flawed security measures protecting their data. Employees know it, and there are people yelling about it to executives who continue to demand passwords be emailed to them when they forget. As those executives read these news stories and see themselves in these people, maybe it will be a catalyst for change. Or maybe it will be another news story forgotten as soon as the next celebrity gets into another personal crisis. I hope enlightened self-interest kicks in and we see organizations who recognize themselves in the Sony hack and rush to kick off their security program before it’s too late.
“If mercenaries snuck into the country, locked families out of their suburban California homes, and stole their stuff, there’s no doubt the US Government would react like it was an act of war. The tough choice facing the US government right now is if they will treat this digital invasion of Sony Pictures’ Culver City headquarters the same way. The comparison of the crimes is nearly one for one. Sony is locked out of their virtual homes. While they were shutting Sony out, the bad guys also took all their most sensitive documents, containing extremely personal information, embarrassing secrets, and valuable intellectual property. Imagine the attackers shipping stolen goods from a real invasion to newsrooms, where they are examined and publicly broadcasted everywhere. That’s what has happened to all the digital possessions of Sony. All their unstructured data has been trotted out for everyone to see.”
But it gets worse. Sony’s been blackmailed by the invaders, resulting in a lucrative holiday film release being canceled. The nature of the murky world of hacking means US officials are never going to have foolproof digital evidence that North Korea was behind the attack. If it was North Korea or another nation state, then serious questions need answering. There’s no question that if North Korea had rolled into Culver City in tanks and taken file cabinets full of information, there would be war right now. But it’s a very open question whether the same will happen in this instance.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.