What CISOs Can Learn from the Sony Pictures Attack

by Ross Dyer

One of the things you’ll hear some CISOs grumble about from time to time is how tricky it can be sometimes persuading the business to release more funds. The skill of the good security chief, of course, is in translating highly technical concepts into a language the board will understand. But even so, it can be a tough sell when the end result of thousands of pounds of investment is … precisely nothing. With cyber security you’re effectively buying insurance against a damaging breach.

So it was interesting last week to see Sony declare that it spent a whopping $15 million on investigation and remediation after major cyber attack last year. It gives just a small insight into the potential financial impact of failing to adequately ‘insure’ your organisation against attack.

What went wrong?
It’s still unclear exactly what happened to Sony Pictures Entertainment or who did it. What is known, however, is that hackers stole and posted a large amount of corporate data including sensitive internal emails, employee details and even valuable IP like the script to the next James Bond film. Even worse, the destructive malware blitz that followed shut down the firm’s corporate network for days. It’s not known if there’ll be any lasting damage.

A report from US security firm Taia Global last week has alleged that Russian cyber criminals were involved, if not in that attack then in an ongoing cyber incursion which is still lifting sensitive files from Sony. They carried out a classic APT-style campaign, firing spearphishing emails to targeted Sony employees in Russia, India and other parts of Asia, with attachments containing a Remote Access Trojan (RAT). Once downloaded, the RAT gained access to Sony Pictures Entertainment network in Culver City, the report alleges.

A costly business
Now $15m might be little more than loose change to Sony, but the bad news for the entertainment giant is that it’s likely to be just the first of many direct and indirect costs to come as a result of this breach. First, it’s facing legal action from some employees who are claiming the firm could have done more to prevent their personal details – including social security numbers and medical history – from being stolen and posted online.

Then there’s the impact on senior executives. Already co-chair Amy Pascal has been forced to resign, no doubt in part due to the embarrassing revelations that were made public when some of her private emails were hacked and posted. Will others follow her?

But what we can’t quantify is the indirect impact of the cyber attack – on staff morale, and on Sony’s brand and reputation. The company’s share price is one indicator, but it can’t accurately reflect what ordinary customers think of Sony and its products post-breach.

Staying safe
Sony Pictures represents a cautionary tale – albeit an extreme one – of what can go wrong if security bosses don’t adequately fortify systems against attack. Targeted attacks and APTs in particular are crafted specifically to bypass traditional defences, entering the network silently and hiding – sometimes for weeks or months – while they steal your organisation’s most sensitive data.

An effective strategy to combat this next generation of cyber threat will include at least the following:

  • Lock down software flaws with a proactive patch management and vulnerability scanning
  • Implement principle of least privilege to minimise damage from social engineering attacks
  • Revisit employee awareness and training programs to help them spot spearphishing emails
  • Consider advanced tools like Deep Discovery which can detect targeted attacks and APTs
  • File integrity monitoring and log inspection to spot unusual behaviour inside the network

Leave a Reply

Your email address will not be published. Required fields are marked *