What is being called perhaps the biggest hack and data theft in history has Sony Pictures reeling as details emerge about some of the more than 100 terabytes of data allegedly obtained by the hackers. According to reports, the data contained information ranging from employees’ private medical details and salaries to sensitive corporate information and intellectual property. The group supposedly responsible, the so-called “Guardians of Peace,” posted some 40Gb of the data to hacker cloud repository Pastebin and contacted members of the press to detail the attack.
More recent revelations and forensic analysis seem to direct heavy suspicion towards the “Guardians of Peace” being a mere front for the government of North Korea (DPRK), which may be upset because of a mocking comedy that Sony is set to release that pokes fun at North Korean dictator Kim Il Jong. The severity of the attack, as well as other indicators, shows that this was likely an extremely well-organized, disciplined effort. There was no attempt to sell the data or blackmail Sony, motives typically seen in organized cybercrime.
The sheer scale of the hack has surprised experts. Mushegh Hakhinian, chief security architect at Intralinks, said: “If what the reports say is true, the first lesson for Sony to learn is that its adversaries have resources similar to a state’s. The caliber of the attack was something you’d expect from a state-sponsored army unit—not a hacker in a basement. To take out 100 terabytes of data is like stealing the Eiffel Tower.”
He added: “If what they say in the media is true, these people have virtually unlimited resources—and Sony (and other similar companies) should put their money into protecting against that kind of attack. Some banks spend upwards of 11 percent of their IT budgets on security. Is Sony spending so much? And I bet Sony has more intellectual property than some banks do.”
The Sony story first broke on Reddit when someone claiming to be an ex-employee of Sony posted a screenshot of a message that was apparently displaying on all Sony employee computers. The message was titled “hacked by #GOP” and spoke about warnings that had not been heeded.
Buzzfeed provided information regarding the nature of the data leaked and noted: “The roughly 40GB of company information now available online sat on company servers without encryption, with a vast majority of the sensitive personal and financial files containing no password protection.” From disciplinary letters and financial information to breastfeeding schedules, the range of data obtained by the hackers is immense—and is still available for download online, meaning that employees have more to worry about than just the hack itself.
Patrick Peterson, Agari founder and CEO, emphasized: “There is an increasing prevalence of spear-phishing as a new attack vector to compromise corporate security, intellectual property, and consumer data. All corporations in the U.S. and elsewhere are at significant risk.”
Peterson went on to say that Sony is illustrative of the types of attacks to come. “Sony serves as an example of how company CEOs and boards need to be proactive about cyber security and emerging cyber threats from organized criminal groups oftentimes aligned with or tacitly supported by nation-state actors,” he said.
Media outlets were also quick to point out that Sony did not seem to have learned from the 2011 hack of its Sony PlayStation network. While relatively minor in comparison, that attack did point to vulnerabilities in Sony’s security. “That first attack wasn’t economically damaging to Sony. Its gaming unit doesn’t carry that much weight. And given it was really about gamers losing their credentials, it wasn’t a public relations disaster. It seems Sony did not give it enough significance and essentially ignored it,” Hakhinian said.
LogDog’s CEO, Uri Brison, cautioned: “Unbeknownst to us, underneath the sleek user interfaces of the applications and systems we use, a war is being waged. Hackers and cybercriminals are hard at work breaching system after system. Some do it for money, some for power, and some for ideals. The sad truth is that they have the upper hand.”
He added that giant companies, such as Sony, Target and Apple, invest tremendous efforts in protecting their systems and reputations. “They have talented engineers and programmers on their security teams and they buy the best protection software available. But time and again they fall at the feet of hackers, sometimes small groups of hackers with resources that are minuscule in comparison. We need to acknowledge that the playing field is uneven,” Brison said.
Hakhinian admitted that, given the determination of the attackers, preventing all attacks is probably an impossible goal. “Detecting them on time to mitigate the impact is an area that is often overlooked,” he said. It is unclear how long the breach lasted before Sony became aware of it. “Anytime there are terabytes of data leaving a network – it is a safe bet something nefarious is going on. Detecting and responding to attacks are equally, if not more, important and cost-effective as preventing them altogether.”
Brison explained that computer systems have become so complicated and include so many layers and components that they have become almost impossible to secure. “Coupled with the fact that almost all systems are now connected to the Internet and are easily accessible, the situation has become more extreme. Hackers seem to be winning at every turn. Big companies, small companies, personal online accounts, are all breached on a daily basis. In fact, one in four of all online accounts is hacked!” he said.
Brison does not believe that this will continue, however. “The tide will turn. Groups of cyber security innovators are developing new concepts for securing digital systems. These concepts rely less on the old ‘build a better lock’ paradigm and are focused on analyzing abnormal activity by constantly monitoring systems and establishing behavioral profiles,” he said, adding that these baseline “normal behavior” profiles can then be used to detect the anomalies that stem from hacker activity.
“Before any turn in the cyber war occurs, there must be a change in the way ‘security’ is understood,” Brison said.
Trend Micro’s chief cyber security officer, Tom Kellermann, emphasized that conventional perimeter security practices are no longer sufficient to guard against these new sophisticated threats. “Companies should be investing one out of every five dollars of IT spend on cyber security including next generation protection, such as breach detection and security information and event management systems, to identify and root out targeted malicious software from their networks,” he said.
Hakhinian said that complacency is the first mistake companies make when trying to secure their data. “The feeling of full security is a sure way of inviting the next breach. Healthy paranoia should be the natural state of any business that has intellectual property to protect,” Hakhinian said.
Sony did not respond to requests for comment.