Resist ‘Sony Psychosis’, so you don’t lose your head (and 2015 budget) when planning cybersecurity spend.
I've been pretty quiet on the subject of the Sony hack so far. Mainly because I like to get into solutions mode and at the moment no-one quite knows how to define the problem. However, for the sanity of every security team in the land, we felt someone had to say that.
More on that below, but first a bit of background on the current fun and games:
In the news
- Obama criticised Sony for dropping the release of The Interview.
- Sony responded by saying they had no choice.
- Sony were considering a partial U-turn by finding alternatives to releasing in cinemas.
- Hackers issued renewed threats, demanding the film is never released.
- North Korea volunteered to jointly investigate with the US.
- North Korea reportedly vowed to step up their nuclear program to counter 'hostile' US policy.
- North Korea's internet access went down a few times (apparently the victim of a comprehensive Denial of Service attack)... then, after a few hours, it came back.
- Norse investigated some persuasive digital breadcrumbs pointing to a small group including Sony ex-employees.
- An Android app offering a download of The Interview is serving up banking malware. The twist? The code checks the location of your device and, if you are in South Korea, off it goes.
- The FBI reiterated that North Korea is to blame, and trade sanctions have been approved.
To ease production of all those "What does the Sony hack mean for us?" exec briefing papers, Risk Based Security are regularly updating this FUD-stripped article with new information.
The main sides in the ‘who did what & why’ bun fight to date (links to articles espousing each theory embedded):
- North Korea definitely did it and it is an act of terrorism (FBI press release).
- North Korea maybe did it. Kaspersky told The Register about similarities to previous NK attacks early on, and the FBI press release reinforces that. However, there's noisy disagreement about who did the deed and its level of sophistication. Malware re-use is commonplace among hackers: Trend Micro said the virus that triggered system disruption and data exfiltration isn't new and is available to buy on the black market, and Ars Technica calls the quality of the code into question.
- It may or may not be North Korea, but it's not, by any reasonable definition, an act of terrorism. According to Bruce Schneier it's "beyond the realm of stupid" to say it is.
- Whoever did it, if you're calling it terrorism, Sony just set a disastrous precedent for dealing with cyber terrorists and other cyber criminals.
- Sony just have ropy security and a ropier corporate culture, and are shamefully concealing that behind FUD and the media frenzy.
- Sony may have ropy security, but even if they don't, it looks like a long game was played. There's potential insider collusion and speculation that malware with delayed detonation capability was planted some time ago. If so, Sony were largely helpless to prevent this.
- This highly public, but non-lethal, 'terrorist' act is convenient given rafts of pending and recently passed cybersecurity legislation and suspected underlying plans to take North Korea down a peg or two.
Lessons for other businesses?
Outing my perspective specifically on the Sony debacle:
Don’t get between a leviathan of a nation state and another country they need an excuse to have a go at.
Back to everyday realities, our precis of a constructive way forward is this:
- Invest in staff and systems to enable them to promptly identify abnormal human and IT behaviour. Old-school AV and other IT defenses looking for known bad code are increasingly ineffective, and your people (on the ground floor as well as in IT and security) are your first and best line of defense.
- Take a long hard look at your existing IT estate and change assurance practices, then out yourself about basic security controls that are broken.
- Build real risk (not FUD) based business cases to get fixes in place for things that are economic (in the medium term) to sort out, not forgetting the people and process costs to embed and mature use of solutions.
- Review and enhance your resilience, user education, local threat and vulnerability detection and incident response capabilities for those things it is uneconomic to fix (those expert targeted attacks that really are hard to spot, stop and sort out).
- While you're at it, spend proper time looking at the decidedly unsexy physical and staff screening controls, so you can weed out folk who may walk in and do mischief.
- Don’t kid yourself that cyber insurance is an alternative to investing in good security. It’s there to repair your bank balance, not your brand. Not just that, cyber insurers just don’t have the stats to accurately model cyber risks as yet. It may be a gamble that premiums (and exclusions to protect them against this uncertainty) offer you proportionate cover for your specific set of risks.
- Put some serious thought into penetration testing your staff (if you’ll excuse the phrase) and understanding hacker motivations in the context of what’s tempting about your business. Don’t underestimate the risk of phishing and more general social engineering (particularly targeting dissatisfied insiders), but don’t despair. Benchmarking your insider threat and educating staff to spot problems are very effective mitigations.
- Finally... remember that attribution is REALLY hard.