Risk
3/11/2015
10:30 AM
John B. Dickson
Commentary
6 Ways The Sony Hack Changes Everything

Security in a post-Sony world means that a company's very survival in the wake of a cyber attack is more of a concern than ever before.

Sony Pictures experienced what many are calling the most devastating cyber attack to date: it disrupted a movie release, knocked the studio's corporate systems offline for weeks, menaced its distribution channels with threats of mass violence, and ultimately cost Amy Pascal, Sony Pictures Co-Chairman, her job. Throw in the nation-state component and the very public way the attack played out, and I see the Sony Pictures hack as a seminal security event that will forever change the way we view cybersecurity.

After spending the better part of the holidays responding to concerned parties on the topic, and after reflecting on the situation, I feel even more strongly that the Sony hack changes everything. Here's why:

1. Company survival is now a central concern for companies dealing with cybersecurity risk. The nature of attacks has evolved immensely from the earliest days when attackers would compromise a company’s web server and deface its website. That type of attack was the equivalent of a graffiti artist tagging the corporate sign outside its headquarters – embarrassing, not terribly disruptive, and not impactful. Then companies began to experience full-blown data breaches where attackers would steal sensitive customer data in order to clone credit cards or steal identities. Many, if not most, of the current breach stories focus on that scenario.

In contrast, the Sony attack was much more serious. Sony Pictures' systems were knocked offline for several weeks during the holiday season. Embarrassing emails and pre-release feature films were dumped online, but the most serious part of this attack was that Sony Pictures had no email, no control over its systems and no confidence in them, and for days had no true understanding of how far-reaching the break-in was, nor how long it would take to recover. As in the 2012 Saudi Aramco attack, computers throughout the company were unusable and the company could not operate normally for several days. This attack hit their bottom line in a major way, arguably having a material impact on their financial numbers and on confidence in their ability to operate. That may have ultimately cost executives their jobs.

2. Cybersecurity risk is squarely a board and CEO issue. As a result of this pervasive and devastating attack, combined with other breaches, cybersecurity is no longer a CIO problem but a CEO and board-level problem, given the potential for business disruption. Boards and executives are going to have to deal with cybersecurity risk the way they deal with legal, regulatory, geopolitical, or labor risk. It has to be central to the way business leaders think, and a planning consideration for anyone keeping sensitive information or transacting commerce online. For example, when energy companies consider capital-intensive exploration projects in less-than-friendly countries like Venezuela or Russia, they factor in geopolitical risk and the "friction" of interacting with that country, as well as how they intend to get their product and profits safely out of the country. CEOs must have the same view of the digital realm, working with the CIO and Chief Information Security Officer to better understand the risk.

3. Sophisticated cyber attacks combined with a credible terrorism threat are a new hybrid.
The sophisticated attack against Sony Pictures, combined with the direct threat of violence against any movie theater that showed the movie, was a seminal event. This led directly to two outcomes. First, the four major theater chains, no doubt on advice of counsel, decided not to show the movie on Christmas Day, effectively banning the movie from nearly 20,000 movie screens in North America. Second, Sony followed suit by dropping the film itself, hustling behind the scenes to distribute the movie via streaming sites and other non-theater channels.

Evoking 9/11, the attackers caused a major studio and its distributors to stop a release midstream after a vague threat. This lowers the bar for similar hybrid attacks. Sony Pictures was a sophisticated attack, but the ability of the North Koreans, or whoever was actually responsible, to follow through on threats of physical violence was questionable. However, if a more credible threat, say ISIS, began a Distributed Denial of Service (DDoS) attack against US targets (which is arguably much easier to initiate than the type of attack launched against Sony), and then tweeted that they were going to conduct terrorist attacks in the physical realm against those same targets, one can only imagine the impact. Are we as a society prepared for such a threat? How would we deal with it?

4. We are more susceptible to this kind of attack, and have few options for responding. Do an image search for "North Korea at night" to see that there are few options for the United States to retaliate in kind if, in fact, North Korea was the source of the Sony Pictures attack. There is no Sony Pictures equivalent in North Korea to shut down -- no Viacom, no NBC Universal, no Walt Disney Corporation -- just the Korean Central News Agency, whose prolific propaganda publishing is entertaining but not economically important. By the way, the film industry has a disproportionate effect on how the US is perceived internationally. "The Interview" notwithstanding, Hollywood has huge influence around the globe, so any effort to disrupt US entertainment and media industries has a leveraged effect.

5. Cybersecurity insurance and its coverage just got more expensive. To date, cybersecurity insurance has focused on covering the risk of data loss, including the cost of notifying clients whose data was lost in a breach. The focus has been on that facet of cybersecurity risk, not on total business interruption or full-blown disaster recovery. Sony Pictures probably changed the expected-loss number, which will likely have a ripple effect across the industry, driving up cybersecurity insurance premiums.

6. Business executives are now much more aware of cybersecurity risks. Sony Pictures ups the ante even further, making cybersecurity a CEO concern -- not something buried in the bowels of information technology departments. Savvy CEOs and concerned outside board members are well-suited to ask tougher questions about cybersecurity risk more frequently, which will make their organizations more resilient to the risk of sophisticated attackers, or at least better prepared when they experience a full-blown cybersecurity failure.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors. As ...
Comments
macker490
User Rank: Ninja
3/23/2015 | 2:46:21 PM
Tipping Point
While we may have reached a Tipping Point with regard to Software Security, I don't think the Sony hack by itself could be sufficient to have forced that. Consider the financial penalty being assessed against Target. There's more: what about Home Depot? Or Heartland Payment Systems? Tax fraud?

The list goes on, as you know, and then on and on. And it doesn't take a genius to figure out: unless we turn over a new leaf and mend the error in our ways, hacking will continue to get worse. Will you be next?

The solution is available, and has been. First, it is essential to use a secure operating system. A secure operating system is one which will not allow itself to be corrupted by the activity of an application program.

Second: we need to take up the practice of authenticating transmittals. Transmittals include not just emails but also software downloads and financial instruments of every sort: Forms 1040, online purchasing, and the like. The broadcast system used with X.509 certificates is a start, but the broadcasting is too susceptible to intrusion, as hackers have demonstrated in their attacks on DigiNotar, RSA, and Comodo. X.509 certificates should be sent with marginal trust only. Each of us needs to use PGP or the GNU Privacy Guard (GPG) to countersign those X.509 certificates that we actually need to trust. This will dramatically reduce the attack surface against X.509.

To do this we all need a copy of PGP or GPG, and local services such as credit unions need to provide the needed authentication service for our public keys.

Today we are forced to conduct business in a compromised environment: all our usual credentials, such as Social Security number, name, address, date of birth, dog's name, etc., have all been compromised and are easily available to crooks operating from the DarkNet market (see Brian Krebs's article on SuperGet).

To conduct business in this compromised environment we need a signature that can be offered and verified (authenticated) in public, but whose use we can retain control of privately. This is precisely what PGP or GPG does; it's what that software was created to do. We should use the new elliptic curve option with PGP and GPG.

These are initial steps; refinement will be needed, and in particular a change in product liability law, as has been noted by Bruce Schneier.

Where is the "Tipping Point"?

When it is no longer economical for merchants to just shrug off hacking as "part of the cost of doing business", then action will have to be taken. We all need to note carefully: passwords are NOT the problem. Hacking is facilitated by unauthorized programming.

Unauthorized programming, often called "malware" or a "computer virus", is a change to the programming in a victim's computer. Examples would include the BLACKPOS or BACKOFF malware that was inserted into the point-of-sale terminals of merchants who have recently been victims of credit card theft. Malware is generally inserted into a victim by taking advantage of a weakness in an operating system or by "phishing". "Phishing" involves sending fake messages to persons having update authority. Proper authentication of messages such as email will make "phishing" much more difficult. Today, "phishing" is trivial.

These unauthorized programs do not need your password: they operate AFTER the victim computer is running and use the victim's credentials to do their dirty deeds.
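The "marginal trust for X.509, countersign the certificates you actually rely on" idea in the comment above, as an added example that is not part of the comment or the article. Normal CA chain validation is still required, but a certificate is accepted for a host only if its SHA-256 fingerprint appears in a pin store the user has countersigned. Assumptions: the countersignature is an HMAC under a key only the user holds, standing in for the PGP/GPG signature the commenter has in mind; the hostnames and "certificate" byte strings are constructed test data, not real certificates, and only their bytes are hashed.

```python
# Added example, not from the comment or the article.  Ordinary X.509 chain
# validation grants only "marginal" trust; a certificate is accepted for a host
# only if its fingerprint appears in a pin store the user countersigned.
# Assumptions: the countersignature is an HMAC under a key only the user holds,
# standing in for the PGP/GPG signature the comment describes; hostnames and
# certificate bytes below are constructed test data, not real certificates.
import hashlib
import hmac
import json
import secrets


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as browsers display it."""
    return hashlib.sha256(der_cert).hexdigest()


def _canonical(pins: dict) -> bytes:
    # Sign a canonical encoding so key reordering or whitespace cannot alter the meaning.
    return json.dumps(pins, sort_keys=True, separators=(",", ":")).encode()


def countersign_pins(pins: dict, key: bytes) -> dict:
    """Seal a {host: fingerprint} map with the user's local key."""
    tag = hmac.new(key, _canonical(pins), hashlib.sha256).hexdigest()
    return {"pins": pins, "sig": tag}


def verify_pin_store(store: dict, key: bytes) -> dict:
    """Return the pins only if the countersignature verifies; otherwise raise."""
    expected = hmac.new(key, _canonical(store["pins"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, store["sig"]):
        raise ValueError("pin store countersignature invalid")
    return store["pins"]


def accept_certificate(host: str, der_cert: bytes, chain_valid: bool,
                       store: dict, key: bytes) -> str:
    """Trust decision for der_cert presented by host.

    chain_valid is the verdict of normal X.509 path validation (CA signatures,
    expiry, hostname).  Returns one of:
      'chain-invalid'  the CA chain did not validate; reject as usual
      'trusted'        chain valid AND fingerprint matches the user's pin
      'pin-mismatch'   chain valid but a different cert than the one pinned
                       (the DigiNotar/Comodo case: a CA-issued rogue cert)
      'unpinned'       chain valid, no pin for this host: marginal trust only
    """
    pins = verify_pin_store(store, key)   # tampered pin file -> ValueError
    if not chain_valid:
        return "chain-invalid"
    fp = fingerprint(der_cert)
    if host in pins:
        return "trusted" if hmac.compare_digest(pins[host], fp) else "pin-mismatch"
    return "unpinned"


def demo() -> dict:
    """Run the cases a practitioner cares about; returns their verdicts."""
    key = secrets.token_bytes(32)  # the user's private countersigning key
    # Constructed stand-ins for DER certificates (only their bytes are hashed).
    real_cert = b"\x30\x82\x01\x00constructed cert for creditunion.example"
    rogue_cert = b"\x30\x82\x01\x00constructed cert from a compromised CA"
    store = countersign_pins({"creditunion.example": fingerprint(real_cert)}, key)

    results = {
        "legit": accept_certificate("creditunion.example", real_cert, True, store, key),
        "rogue": accept_certificate("creditunion.example", rogue_cert, True, store, key),
        "other": accept_certificate("news.example", rogue_cert, True, store, key),
        "badchain": accept_certificate("creditunion.example", real_cert, False, store, key),
    }
    # An attacker who can edit the pin file but lacks the key cannot re-pin the host.
    tampered = {"pins": {"creditunion.example": fingerprint(rogue_cert)}, "sig": store["sig"]}
    try:
        accept_certificate("creditunion.example", rogue_cert, True, tampered, key)
        results["tampered"] = "accepted"
    except ValueError:
        results["tampered"] = "rejected"
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The "rogue" case is the DigiNotar scenario: a certificate the public CA system vouches for, but not the one the user countersigned, so it is refused for that host. Hosts with no pin fall back to ordinary chain trust, which is the "marginal trust" the comment argues for. Swapping the HMAC for a detached GPG signature over the same canonical JSON changes nothing else in the logic.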
tbruch320
User Rank: Apprentice
3/15/2015 | 11:26:59 PM
Re: I disagree that anything will change
True, but in response laws are on the books: due to Enron they have SOX (Sarbanes-Oxley). SOX can mean jail time or heavy fines, but for some reason they rarely ever use it. Until they bring that back and start holding people liable, stuff like that will continue to happen and CEOs will not take it seriously.
Marilyn Cohodas
User Rank: Strategist
3/12/2015 | 11:08:35 AM
Re: I disagree that anything will change
I think there is a greater chance for change, assuming that John's final point (that cybersecurity execs and board members start paying attention) comes to fruition. I would like to believe that "Savvy CEOs and concerned outside board members are well-suited to ask tougher questions about cybersecurity risk more frequently." But I don't see that much evidence of that right now...
mistersilver134
User Rank: Apprentice
3/12/2015 | 9:29:05 AM
I disagree that anything will change
After reading the Quartz article "Sorry Consumers, companies have little incentive to invest in better cybersecurity", it is clear that the cost, after insurance and tax reduction (can you believe it, a tax reduction for having inadequate security and zero executive buy-in to improve?!), is probably less than they spend on the executive cafeteria and "entertainment" yearly.

Until there is serious legal risk associated with negligent leadership (and I mean either jail time or multi-year profit-level fines to incentivize shareholders to fire negligent executives), the disgraceful level of spending on cybersecurity will continue as normal business: no risk, no budget.
anon7282095628
User Rank: Apprentice
3/11/2015 | 3:30:34 PM
They made an earlier business decision
I think that we also learned that theft of confidential information at Sony is an example of a company that is wide open and did not encrypt sensitive information. They made an earlier business decision to not secure their databases.  

Unfortunately, current security approaches can't tell you what normal looks like in your own systems, and the situation is getting worse according to Verizon. Verizon is reporting that this is a growing issue. Less than 14% of breaches are detected by internal security tools, according to the annual international breach investigations report by Verizon.

Attackers will always figure out how to get around defenses, so you need to lock down the data that they want to steal. So we need to protect our sensitive data itself with modern data centric security technology.  

Ulf Mattsson, CTO Protegrity
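One concrete form of the data-centric protection the comment above argues for, as an added example that is part of neither the comment nor the article, and not Protegrity's product: tokenization of card numbers, so the application database holds a random token (last four digits preserved) and only a separately secured vault can map it back to the real number. Assumptions: an in-memory vault standing in for a hardened vault service, and constructed sample orders rather than real cards or customers.

```python
# Added example, not from the comment or the article.  Tokenization keeps the
# card number itself out of the application database: the app stores a random
# token (last four digits preserved), and only a separately secured vault can
# map it back.  Assumptions: an in-memory vault and constructed sample orders;
# in production the vault is its own hardened service with its own access control.
import secrets


def valid_pan(digits: str) -> bool:
    """Primary account numbers are 13 to 19 digits."""
    return digits.isdigit() and 13 <= len(digits) <= 19


class TokenVault:
    """Issues format-preserving tokens for card numbers and holds the mapping.

    Same PAN -> same token, so the application can still join and de-duplicate
    on the token column without ever seeing the real number.
    """

    def __init__(self) -> None:
        self._to_token: dict = {}
        self._to_pan: dict = {}

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not valid_pan(digits):
            raise ValueError("not a card number")
        if digits in self._to_token:
            return self._to_token[digits]
        while True:
            # Randomise everything except the last four, which customer service needs.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            if token != digits and token not in self._to_pan:
                break
        self._to_token[digits] = token
        self._to_pan[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with vault access (e.g. the payment processor) do this."""
        return self._to_pan[token]


def store_orders(vault: TokenVault, orders: list) -> list:
    """Rows as they land in the application database: token, never the PAN."""
    return [
        {"order_id": o["order_id"], "card": vault.tokenize(o["card"]), "amount": o["amount"]}
        for o in orders
    ]


def demo() -> dict:
    """Tokenize constructed orders and show what a dump of the app DB exposes."""
    vault = TokenVault()
    orders = [  # constructed sample data, not real cards or customers
        {"order_id": 1, "card": "4111 1111 1111 1111", "amount": 19.99},
        {"order_id": 2, "card": "5500 0000 0000 0004", "amount": 42.00},
        {"order_id": 3, "card": "4111 1111 1111 1111", "amount": 7.50},
    ]
    rows = store_orders(vault, orders)
    real_pans = {o["card"].replace(" ", "") for o in orders}
    # What an attacker who dumps only the application database gets:
    leaked = [row for row in rows if row["card"] in real_pans]
    return {
        "rows": rows,
        "leaked": leaked,
        "same_card_same_token": rows[0]["card"] == rows[2]["card"],
        "detokenized": vault.detokenize(rows[1]["card"]),
    }


if __name__ == "__main__":
    out = demo()
    for row in out["rows"]:
        print(row)
    print("real PANs in app DB dump:", len(out["leaked"]))
```

The point of the split is blast radius: compromising the order database, the scenario the comment describes, yields tokens and last-four digits but no usable card numbers, and the vault can be placed behind far tighter access control than a web application's database. Preserving the last four digits is a deliberate usability trade-off; drop it if the records do not need it.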