Commentary | Risk | 3/11/2015 10:30 AM | John B. Dickson
6 Ways The Sony Hack Changes Everything

Security in a post-Sony world means that a company's very survival in the wake of a cyber attack is more of a concern than ever before.

Sony Pictures experienced what many are calling the most devastating cyber attack to date: it disrupted a movie release, knocked the company's corporate systems offline for weeks, menaced its distribution channels with threats of mass violence, and ultimately cost Amy Pascal, Sony Pictures Co-Chairman, her job. Throw in the nation-state component and the very public way the attack played out, and I see the Sony Pictures hack as a seminal security event that will forever change the way we view cybersecurity.

Having spent the better part of the holidays responding to concerned parties on the topic, and having reflected on the situation since, I feel even more strongly that the Sony hack changes everything. Here's why:

1. Company survival is now a central concern for companies dealing with cybersecurity risk. The nature of attacks has evolved immensely from the earliest days, when attackers would compromise a company's web server and deface its website. That type of attack was the equivalent of a graffiti artist tagging the corporate sign outside headquarters: embarrassing, but not terribly disruptive and of little lasting impact. Then companies began to experience full-blown data breaches, in which attackers stole sensitive customer data in order to clone credit cards or steal identities. Many, if not most, of the current breach stories focus on that scenario.

In contrast, the Sony attack was much more serious. Sony Pictures' systems were knocked offline for several weeks during the holiday season. Embarrassing emails and pre-release feature films were dumped online, but the most serious part of this attack was that Sony Pictures had no email, no control over its systems and no confidence in them, and for days had no true understanding of how far-reaching the break-in was, nor how long it would take to recover. As in the 2012 Saudi Aramco attack, computers throughout the company were rendered unusable and the company was effectively unable to operate for several days. This attack hit its bottom line in a major way, arguably having a material impact on its financial numbers and on confidence in its ability to operate. That may have ultimately cost executives their jobs.

2. Cybersecurity risk is squarely a board and CEO issue. As a result of this pervasive and devastating attack, combined with other breaches, cybersecurity is no longer a CIO problem but a CEO and board-level problem, given its potential for business disruption. Boards and executives are going to have to deal with cybersecurity risk the way they deal with legal, regulatory, geopolitical, or labor risk. It has to be central to the way business leaders think, and a planning consideration for anyone keeping sensitive information or transacting commerce online. For example, when energy companies consider capital-intensive exploration projects in less-than-friendly countries like Venezuela or Russia, they factor in geopolitical risk and the "friction" of interacting with that country, as well as how they intend to get their product and profits safely out of the country. CEOs must have the same view of the digital realm, working with the CIO and Chief Information Security Officer to better understand the risk.

3. Sophisticated cyber attacks combined with a credible terrorism threat are a new hybrid. The sophisticated attack against Sony Pictures, combined with the direct threat of violence against any movie theater that showed the film, was a seminal event. It led directly to two outcomes. First, the four major theater chains, no doubt on advice of counsel, decided not to show the movie on Christmas Day, effectively banning it from nearly 20,000 movie screens in North America. Second, Sony followed suit by pulling the theatrical release itself, hustling behind the scenes to distribute the movie via streaming sites and other non-theater channels.

By evoking 9/11, the attackers caused a major studio and its distributors to stop a release midstream on the strength of a vague threat. This lowers the bar for similar hybrid attacks. The Sony Pictures intrusion was sophisticated, but the ability of the North Koreans, or whoever was actually responsible, to follow through on threats of physical violence was questionable. Suppose instead that a more credible threat, say ISIS, launched a Distributed Denial of Service (DDoS) attack against US targets (which requires no foothold inside the victim's network and is arguably far easier to initiate than the intrusion launched against Sony) and then tweeted that it was going to conduct terrorist attacks in the physical realm against those same targets. One can only imagine the impact. Are we as a society prepared for such a threat? How would we deal with it?

4. We are more susceptible to this kind of attack than our adversaries are, and have few options to respond. Do an image search for "North Korea at night" to see how few options the United States has to retaliate in kind if, in fact, North Korea was the source of the Sony Pictures attack. There is no Sony Pictures equivalent in North Korea to shut down -- no Viacom, no NBC Universal, no Walt Disney Corporation -- just the Korean Central News Agency, whose prolific propaganda publishing is entertaining but not economically important. Moreover, the film industry has a disproportionate effect on how the US is perceived internationally. "The Interview" notwithstanding, Hollywood has huge influence around the globe, so any effort to disrupt US entertainment and media industries has an outsized effect.

5. Cybersecurity insurance and its coverage just got more expensive. To date, cybersecurity insurance has focused on covering the risk of data loss, including the cost of notifying clients whose data was lost in a breach. The focus has been on that facet of cybersecurity risk, not on total business interruption or full-blown disaster recovery. The Sony Pictures attack probably changed insurers' expected-loss figures, which will likely have a ripple effect across the industry, driving up cybersecurity insurance premiums.

6. Business executives are now much more aware of cybersecurity risks. Sony Pictures ups the ante even further, making cybersecurity a CEO concern -- not something buried in the bowels of the information technology department. Savvy CEOs and concerned outside board members are well placed to ask tougher questions about cybersecurity risk, and to ask them more often, which will make their organizations more resilient to sophisticated attackers, or at least better prepared when they experience a full-blown cybersecurity failure.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors. As ...
Comments
macker490 (User Rank: Ninja) | 3/23/2015 2:46:21 PM
Tipping Point
While we may have reached a Tipping Point with regard to Software Security, I don't think the Sony Hack by itself could be sufficient to have forced that. Consider the financial penalty being assessed against Target. There's more: what about Home Depot? Or Heartland Payment Systems? Tax Fraud?

The list goes on, as you know, and then on and on. And it doesn't take a genius to figure out: unless we turn over a new leaf and mend the error in our ways, hacking will continue to get worse. Will you be next?

The solution is available, and has been. First, it is essential to use a secure operating system. A secure operating system is one which will not allow itself to be corrupted by the activity of an application program.

Second: we need to take up the practice of authenticating transmittals. Transmittals include not just eMails but also software downloads and financial instruments of every sort: Forms 1040, online purchasing, and the like. The broadcast system used with x.509 certificates is a start, but the broadcasting is too susceptible to intrusion, as hackers have demonstrated in their attacks on DigiNotar, RSA, and Comodo. x.509 certificates should be sent with marginal trust only. Each of us needs to use PGP or the Gnu Privacy Guard (GPG) to countersign those x.509 certificates that we actually need to trust. This will dramatically reduce the attack surface against x.509.

To do this we all need a copy of PGP or GPG, and local services such as Credit Unions need to provide the needed authentication service for our Public Keys.

Today we are forced to conduct business in a compromised environment: all our usual credentials, such as SocSec Number, name, address, Date of Birth, dog's name etc., have all been compromised and are easily available to crooks operating from the DarkNet market (see Brian Krebs's article on SuperGet).

To conduct business in this compromised environment we need a signature that can be offered and verified (authenticated) in public, but whose use we can retain control of privately. This is precisely what PGP or GPG does; it's what that software was created to do. We should use the new Elliptic Curve option with PGP and GPG.

These are initial steps; refinement will be needed and in particular, change in product liability law, as has been noted by Bruce Schneier.

Where is the "Tipping Point"?

When it is no longer economical for merchants to just shrug off hacking as "part of the cost of doing business", then action will have to be taken. We all need to note carefully: passwords are NOT the problem. Hacking is facilitated by un-authorized programming.

Un-authorized programs, often called "Malware" or "Computer Virus", are changes to the programming in a victim's computer. Examples would include the BLACKPOS or BACKOFF malware that was inserted into the Point of Sale terminals of merchants who have recently been victims of credit card theft. Malware is generally inserted into a victim by taking advantage of a weakness in an operating system or by "phishing". "Phishing" involves sending fake messages to persons having update authority. Proper authentication of messages such as eMail will make "phishing" much more difficult. Today, "phishing" is trivial.

These un-authorized programs do not need your password: they operate AFTER the victim computer is running and use the victim's credentials to do their Dirty Deeds.

tbruch320 (User Rank: Apprentice) | 3/15/2015 11:26:59 PM
Re: I disagree that anything will change
True, but in response, laws are on the books: due to Enron they have SOX (Sarbanes-Oxley). SOX can mean jail time or heavy fines, but for some reason they rarely ever use it. Until they bring that back and start holding people liable, stuff like that will continue to happen and CEOs will not take it seriously.

Marilyn Cohodas (User Rank: Strategist) | 3/12/2015 11:08:35 AM
Re: I disagree that anything will change
I think there is a greater chance for change, assuming that John's final point (that cybersecurity execs and board members start paying attention) comes to fruition. I would like to believe that "Savvy CEOs and concerned outside board members are well-suited to ask tougher questions about cybersecurity risk more frequently." But I don't see that much evidence of that right now...

mistersilver134 (User Rank: Guru) | 3/12/2015 9:29:05 AM
I disagree that anything will change
After reading the Quartz article "Sorry Consumers, companies have little incentive to invest in better cybersecurity", it is clear that the cost, after insurance and tax reduction (can you believe it: a tax reduction for having inadequate security and zero executive buy-in to improve?!), is probably less than they spend on the executive cafeteria and "entertainment" yearly.

Until there is serious legal risk associated with negligent leadership (and I mean either jail time or multi-year profit-level fines to incentivize shareholders to fire negligent executives), the disgraceful level of spending on cybersecurity will continue as normal business: no risk, no budget.

anon7282095628 (User Rank: Apprentice) | 3/11/2015 3:30:34 PM
They made an earlier business decision
I think that we also learned that the theft of confidential information at Sony is an example of a company that is wide open and did not encrypt sensitive information. They made an earlier business decision to not secure their databases.

Unfortunately, current security approaches can't tell you what normal looks like in your own systems, and the situation is getting worse according to Verizon. Verizon is reporting that this is a growing issue. Less than 14% of breaches are detected by internal security tools, according to the annual international breach investigations report by Verizon.

Attackers will always figure out how to get around defenses, so you need to lock down the data that they want to steal. So we need to protect our sensitive data itself with modern data centric security technology.  

Ulf Mattsson, CTO, Protegrity