On hearing about the Sony hacking attack back in 2014, one of our 2-sec penetration testers speculated it would probably be an inside job – a recently fired ex-employee who knew all about the vulnerabilities in the Sony system, or maybe sensitive data being leaked and distributed from contract software developers.
These types of breaches and cyber attacks are unfortunately going to become much more common into 2015 and beyond.
Sony’s recent comment on being a “canary in a coal mine” is a little disingenuous. Hackers have been able to disrupt its PlayStation networks since 2003.
Sony had a full complement of IT security professionals supposedly attempting to protect their systems. And it knew of other hacking attacks on similar companies in the public eye.
Sony's comment on being on “completely new ground” is also evasive – the recent substantial attacks on industry leaders Target, eBay and JP Morgan Chase, among others, occurred in 2013 and 2014. The steps taken by these companies to recover after the breaches certainly provided enough warning on the damage that cyber attacks can do to a company’s brand and reputation.
Sony is trying to conceal the fact that it had not been taking proper cyber security precautions for some time. The Sony management team obviously did not place enough emphasis on online security and certainly did not understand how their brand and reputation could so easily be damaged by an attack.
Among other issues, important documents on Sony’s clients and their passwords were stored in easily accessible files in Sony's system and sensitive information was left unencrypted and unprotected.
This attack is unfortunately a real sign of the times – the new normal, as it were. More importantly, we need to look at the hack as a useful tool to remind businesses of their need to be more cyber-wise to protect themselves.
Lessons from Sony breach
So, what can be learned from the Sony breach?
The hack shows that preparing your company for the worst is one of the most important things you can do. Start imagining the worst-case scenario. Where will the most likely breach occur? Maybe your employees are your weak point and have little understanding of cyber security basics.
If your senior managers do not understand how important online security is to the company brand then the allocated budget for training and securing your network system is probably inadequate.
Just consider where your most important information is. How is it secured? Where are the weaknesses and vulnerabilities? Do your suppliers and contractors have robust security measures in place?
One of the main points about the Sony hack was that the attackers were able to stay undercover for so long, giving them time to assess the network, download files, and map weaknesses and vulnerabilities.
If you have not done so already, this very public breach of security should indicate that you need to write an incident response plan (IRP) to identify when and how your company has been hacked.
A correctly prepared IRP will determine your company’s usual network behaviour, thus creating a baseline for your IT infrastructure activity. Then, the IRP will contain procedures to identify abnormal or anomalous network activity. You can then actually identify when an attack is occurring and you will be in a position to respond.
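One way to turn the baseline-then-anomaly step above into a concrete check, as an added example that is not part of the original article. The host names, daily outbound volumes and thresholds are constructed assumptions; it uses the median and median absolute deviation (MAD) so that a few unusual days in the history do not distort the baseline.

```python
from statistics import median

# Constructed sample data: daily outbound megabytes per host (not real logs).
BASELINE = {
    "file-srv": [410, 395, 402, 420, 388, 415, 399],
    "hr-desktop": [12, 15, 11, 14, 13, 12, 16],
    "kiosk": [5, 5, 5, 5, 5, 5, 5],
}
OBSERVED = {"file-srv": 430, "hr-desktop": 950, "kiosk": 5, "new-laptop": 70}


def build_baseline(history):
    """Return {host: (median, MAD)} from each host's daily volumes."""
    profile = {}
    for host, days in history.items():
        med = median(days)
        mad = median(abs(d - med) for d in days)
        profile[host] = (med, mad)
    return profile


def find_anomalies(profile, observed, threshold=6.0, min_spread=1.0):
    """Flag hosts far above their own baseline, and hosts with no baseline."""
    alerts = {}
    for host, value in observed.items():
        if host not in profile:
            # A device never seen while baselining cannot be judged "normal".
            alerts[host] = "no baseline"
            continue
        med, mad = profile[host]
        # Perfectly flat traffic gives MAD = 0; floor it to avoid dividing by zero.
        spread = max(mad, min_spread)
        score = (value - med) / spread
        if score > threshold:
            alerts[host] = f"{score:.1f} deviations above median {med}"
    return alerts


if __name__ == "__main__":
    for host, reason in find_anomalies(build_baseline(BASELINE), OBSERVED).items():
        print(f"ALERT {host}: {reason}")
```

The busy file server moving 430 MB is within its own normal range and stays quiet, while the HR desktop moving 950 MB is flagged even though that volume is small in absolute terms.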
Having identified all threats and prevented all dangerous network activity, you can start to restore the company systems and begin re-creating your company’s reputation among clients, customers and your own employees.
Creating an IRP may be one of the most important things you can do in 2015.
An IRP should reduce your cyber insurance premium, make improvements to your network and physical security and limit any legal liability in the case of an attack.
Sony was unfortunate in that its inadequate IT security was exposed by the hacking attack. The huge media circus surrounding the hack was due to its high-profile clients and subject matter. It is important now to identify the information at risk if a similar attack were aimed at other prominent companies.
Be among the leaders in your industry and differentiate yourself from your competitors by showing how seriously you take cyber security and the safety of customer and supplier data.
This article was first featured in Computer Weekly in February 2015.