Experts: Lessons to be Learned from Sony Cyber Attack (CDSA)

By Chris Tribbey

With Sony Pictures still reeling from the biggest cyber attack to ever hit the entertainment industry, the need for aggressive cyber security — and a plan to address security breaches when they occur — has been brought to the forefront.

The Media & Entertainment Services Alliance (MESA) sat down with four experts in the cyber security industry to discuss what happened to Sony, and how other media and entertainment companies can look to avoid a similar breach.

Rod Simmons, product group manager for the Privileged Identity Management division of security software provider BeyondTrust

MESA: With the information we have on hand, what could Sony have done differently to prevent this attack?

Simmons: A common challenge organizations such as Sony Pictures are faced with is balancing end user productivity with security. From what we have learned, it appears they leaned too far towards meeting all end users’ needs regardless of the security implications. It appears the model they operated under permitted the attackers to move freely throughout the organization once compromised.

There are a number of security practices that would have assisted, based on our limited knowledge. Network segmentation and isolation is just one of the options that would have assisted. The most obvious would be using a proper password management solution vs. clear text documents on network shares and desktops. It is typical that companies that permit users to run as administrators are more susceptible to a breach. If this was the entry point, removing end user admin permission would be another key change.

There are a number of other things that could be implemented such as egress filtering, so you understand what is leaving your network; multi-factor authentication; data encryption; better management of personally identifiable information; and ensure the limited resources they employ make security a primary focus.

MESA: Is what happened to Sony unique in the world of cyber crime, or are other companies (and specifically other studios) at risk of something similar happening? 

Simmons: This security breach is not unique. What is unique is the desire to humiliate an organization. Every organization is a potential target, and that is nothing new.

What is new is how this breach and threats impacted their short term revenue stream, having a movie pulled from theaters. Imagine if the threat was anyone who distributes Sony Pictures content, including DVD and digital downloads. We know the theaters will comply, but would an entire distribution channel?

The impact on other organizations will vary based on internal practices. You can only imagine organizations with sensitive passwords stored in clear text documents are at least considering encrypting the files and renaming them to something less obvious if they are not in talks with vendors to implement solutions already.

MESA: Following the Sony attack, what’s the takeaway for other companies confronting cyber attacks, both in terms of prevention and reaction?

Simmons: The obvious takeaway is to have better controls in place to prevent breaches. That said, it is equally important to be able to determine you have potentially been breached based on traffic leaving your network.

Hopefully this is a wakeup call that the cost of a breach is beyond your wildest imaginations. Also, it is critical we understand that the tradeoff between security and productivity is important. Inconveniencing a user to insert a smart card or type in a six-digit OTP maybe isn’t such an issue given the security benefits. Often it is not about added inconvenience, it is about a change in business process that end users — including administrators — resist.

Bryan Ellenburg, content security consultant for MESA and former VP of global content security and technology for Paramount Pictures.

MESA: What can other companies learn from the Sony attack?

Ellenburg: For years the media and entertainment industry has embraced the “access your content anytime, anywhere” mentality, with all the benefits of working from home, accessing all your files while traveling, on your own personal mobile devices, phones, tablets, and laptops. This exposes personal information and other confidential data to great risk.

Quite often this information is simply guarded with a username and password, no 2-factor authentication, no special privilege granted to access content, no mandatory watermarking of documents for viewing, printing, copying, forwarding. At best, there is passive logging of system activity, but this is only of use in investigation after the fact.

MESA: How might social media play a part in cyber attacks like this?

Ellenburg: It’s very simple to target an organization, or individuals, by using sites such as LinkedIn. It doesn’t take much of an effort to create an org. chart by picking a company, like Sony Pictures, search by current or past employees, search within a business unit (such as information security), and build out a chart based on title and “People Also Viewing.” Then just begin a phishing expedition for passwords. Another problem is that it’s very easy to launch these phishing attempts, since most companies have a very easy to “crack” e-mail convention, typically “First Name underscore Last Name @.” Many systems that access content also use this as a log-in username. Clearly, this is a problem.

MESA: How can corporations — and content companies in particular — better secure their data?

Ellenburg: Confidential corporate information must be treated the way pre-release audio-visual content is stored and accessed: on an air-gapped corporate network with no access to the outside world via the Internet. Access to this network should be extremely limited, with additional management approval on accessing certain data. Those files must be watermarked while viewing, printing, copying, and forwarding, or these activities must be disabled. Networks should be monitored for large amounts of data movement onto unauthorized devices, with active alerts sent out. There needs to be two-factor authentication, typically to a mobile device, to access such content.

Further, all companies, especially those in the media and entertainment sector, should have annual training on the dangers of cyber threats from the outside, as well as being ever-vigilant to threats from trusted insiders and former employees. The information security teams need to pro-actively plan out a response to a cyber attack. Corporate and production networks need to be completely separate from those used by third party companies and productions. And finally, companies should assume they have already been hacked, and take a deep dive into their systems to clean up any vulnerabilities that currently exist.

Richard Henderson, security strategist for network security company Fortinet’s FortiGuard Labs division.

MESA: What might have occurred with the Sony attack?

Henderson: Attacks like these share two common attack vectors: the technology portion of the attack, and the human portion. We don’t know (and likely won’t learn much more as time passes) much about the former, but the latter is likely nothing that we haven’t seen time and time and time again. A targeted (or semi-targeted) spear-phishing campaign against key persons inside Sony either gathered credentials used to gain access, or the victims visited a page online that silently installed malware on their machines, allowing an initial foothold.

Once the attacker establishes their beachhead, in many cases it becomes a trivial matter to begin to move throughout the network and gather information.

MESA: Is there anything Sony could have done differently?

Henderson: It appears their staff dedicated to network security was woefully inadequate. My understanding is that in a company with 7,000 employees, there were only three staff dedicated to security. Three. When you consider that it’s improbable that those three people were working eight hours each, in three shifts, seven days a week, there were likely times where there were no staff live at all, meaning Sony was counting on automated systems to alert non-security IT staff of an issue. Companies today need to not only have a Network Operations Center (NOC), but a Security Operations Center (SOC). It’s just too much to ask your regular network administration team to also handle security.

We know that [the hackers] were able to traverse Sony’s network and gain access to virtually every corner of the network. Nothing went untouched: not the email servers, not the payroll systems, not their data warehouses. Everything was visited and untold terabytes of data [stolen]. There is really no reason why the payroll sub-network should ever be accessible from most other parts of the network. There are many different technologies available to properly segment your network into more secure ‘chunks.’ It’s no guarantee it will prevent a breach, but it likely makes it easier to detect anomalous activity and should slow an attacker down as they move throughout the network. Further, it appears highly unlikely that most of the data (if not all of it) was encrypted at rest. Companies are going to have to pay some very serious consideration to the idea of spending the computational resources to start ensuring all sensitive data beyond that which is required for their compliance needs (PCI-DSS, SOX, HIPAA, etc.) is encrypted and their keys safely protected.

And until companies do a better job training staff — especially staff with sensitive data access, or execs and their admin staff — and then do regular surprise testing of trained staff, these attacks will never end.
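Three of the recommendations above point at the same pair of controls: Simmons says a breach should be detectable from traffic leaving the network, Ellenburg wants networks monitored for large data movement with active alerts, and Henderson notes that a payroll sub-network should never be reachable from most of the network and that segmentation makes anomalous activity easier to spot. The script below is an added example, not code from the interview or from any of the vendors named in it. It runs two defender-side checks over constructed flow records: a per-host egress baseline (volume spike or never-seen destination) and a zone policy check for internal flows. All addresses, byte counts, zone names and the policy are constructed sample data; a real deployment would feed it NetFlow/IPFIX or proxy logs and a zone map from the firewall configuration.

```python
"""Egress-baseline and segmentation checks over constructed flow records (added example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str        # source address
    dst: str        # destination address
    bytes_out: int  # bytes sent from src to dst in the window


# Constructed baseline: five prior daily outbound totals (bytes) per host.
BASELINE_DAILY_BYTES = {
    "10.10.1.15": [2_100_000, 1_900_000, 2_300_000, 2_000_000, 2_200_000],
    "10.10.1.42": [850_000, 900_000, 800_000, 870_000, 880_000],
    "10.10.2.7": [5_000_000, 5_200_000, 4_900_000, 5_100_000, 5_000_000],
}

# Constructed baseline: external destinations each host has talked to before.
BASELINE_DESTINATIONS = {
    "10.10.1.15": {"203.0.113.10", "198.51.100.5"},
    "10.10.1.42": {"203.0.113.10"},
    "10.10.2.7": {"203.0.113.10", "198.51.100.5", "192.0.2.77"},
}

# Constructed "today" flows; 10.10.1.42 pushes 48 GB to a never-seen host.
TODAY_FLOWS = [
    Flow("10.10.1.15", "203.0.113.10", 1_200_000),
    Flow("10.10.1.15", "198.51.100.5", 900_000),
    Flow("10.10.1.42", "203.0.113.10", 600_000),
    Flow("10.10.1.42", "192.0.2.200", 48_000_000_000),
    Flow("10.10.2.7", "192.0.2.77", 5_050_000),
]


def egress_alerts(flows, baseline_bytes, baseline_dsts,
                  z_threshold=3.0, min_bytes=100_000_000):
    """Return (host, reason, detail) tuples for suspicious outbound traffic."""
    alerts = []
    totals = defaultdict(int)
    seen_dsts = defaultdict(set)
    for f in flows:
        totals[f.src] += f.bytes_out
        seen_dsts[f.src].add(f.dst)

    for host in sorted(totals):
        total = totals[host]
        hist = baseline_bytes.get(host)
        if hist is None:
            alerts.append((host, "no_baseline", total))
            continue
        mu, sigma = mean(hist), pstdev(hist)
        # A perfectly flat baseline (sigma == 0) still alerts on any increase.
        z = (total - mu) / sigma if sigma else (float("inf") if total > mu else 0.0)
        # min_bytes stops tiny hosts alerting on statistically large but trivial changes.
        if total >= min_bytes and z > z_threshold:
            alerts.append((host, "volume_spike", total))

    for host in sorted(seen_dsts):
        for dst in sorted(seen_dsts[host] - baseline_dsts.get(host, set())):
            alerts.append((host, "new_destination", dst))
    return alerts


# Constructed zones and policy: only jump hosts may initiate into payroll.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.1.0/24"),
    "jump_hosts": ipaddress.ip_network("10.10.2.0/24"),
    "payroll": ipaddress.ip_network("10.10.50.0/24"),
}
ALLOWED_INTO = {"payroll": {"jump_hosts"}}

INTERNAL_FLOWS = [
    Flow("10.10.2.7", "10.10.50.8", 20_000),      # jump host -> payroll: allowed
    Flow("10.10.1.42", "10.10.50.8", 3_000_000),  # workstation -> payroll: violation
    Flow("10.10.1.42", "10.10.1.15", 5_000),      # workstation -> workstation: unpoliced
]


def zone_of(ip):
    """Map an address to its zone name, or 'external' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def segmentation_violations(flows, allowed_into):
    """Return (src, dst, 'src_zone->dst_zone') for flows the policy forbids."""
    out = []
    for f in flows:
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if dst_zone in allowed_into and src_zone not in allowed_into[dst_zone]:
            out.append((f.src, f.dst, f"{src_zone}->{dst_zone}"))
    return out


if __name__ == "__main__":
    for a in egress_alerts(TODAY_FLOWS, BASELINE_DAILY_BYTES, BASELINE_DESTINATIONS):
        print("EGRESS", *a)
    for v in segmentation_violations(INTERNAL_FLOWS, ALLOWED_INTO):
        print("SEGMENTATION", *v)
```

The per-host baseline matters more than any fixed threshold: a 48 GB transfer is obviously anomalous for a workstation that normally sends under 1 MB a day, but would be routine for a backup server. The zone check is the detection half of Henderson's point; the prevention half is the firewall rule that drops those flows, and the two should be derived from the same policy table so that a rule change and the alert logic cannot drift apart.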

MESA: Is there anything comparable to what happened to Sony, or was this something unique?

Henderson: The Sony attack is both unique and not unique. It’s unique in that we’re seeing a bunch of different things that happened in one singular incident, but not unique in that all of these things have happened in the past. The data wiping portion of the attack is definitely similar to the DarkSeoul attack last year and the attack on Saudi Aramco in the past. The huge data loss and leaks have happened to many companies in the past.

MESA: Are other companies at risk of the same?

Henderson: Absolutely. In fact, I’d honestly be surprised if there aren’t other organizations out there completely infiltrated by attackers as we speak. I certainly wouldn’t bet against it. As far as studios specifically, it’s a reasonable assumption that either another GOP attack will happen or (more likely) a copycat attack will happen.

If I were in charge of a studio, I would immediately bring in a team of professionals to do a complete top-to-bottom assessment and penetration test of my network, starting with the assumption that my network was already compromised. Leave no stone unturned, and treat everything as suspicious. If I needed to spend tens of millions of dollars rebuilding infrastructure, and tens of millions more attracting new talented staff, then so be it. It’s money well spent — especially when you consider what the likely cost of remediation and the incalculable cost to image and brand was for Sony.

Corey Nachreiner, global director of security strategy for network security company WatchGuard

MESA: With the information we have on hand, what could Sony have done differently to prevent this attack?

Nachreiner: It’s unclear at this point as we don’t have all of the information on the attack methods, or even the full scope of the tools used. We do know that the FBI stated that 90% of companies could not have defended against the Sony hack. That’s a scary number, and deserves some attention. The global cyber security industry — especially corporate IT and security professionals — should see that number as a definite catalyst for action.

It’s worthwhile to mention that the hackers leveraged a Sony admin password, so it’s probably wise to review password policies and practices. Sony stored a large number of passwords in a clear text file. Better password management and encryption could have minimized some of the damage.
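Both Simmons and Nachreiner single out the same weakness: passwords kept in clear text files on network shares and desktops. Before any of them can be moved into a password manager, someone has to find them. The script below is an added example, not code from the interview or from any vendor named in it. It inventories a share for cleartext credential material using two signals, filename hints and content patterns (key/value password assignments, connection strings with embedded passwords, PEM private keys), and skips binary files. The share contents, paths and regular expressions are constructed sample data; `scan_directory` is the hypothetical entry point for a real mounted share.

```python
"""Inventory a file share for cleartext credential material (added example)."""
import re
from pathlib import Path

# Names that suggest a credential store, e.g. "server_passwords.txt", "creds.xlsx".
FILENAME_HINT = re.compile(r"passw(or)?ds?|creds?|credentials|logins?", re.IGNORECASE)

CONTENT_PATTERNS = {
    # key=value / key: value assignments such as "pwd: Summer2014!"
    "password_assignment": re.compile(r"\b(pass(word)?|pwd)\b\s*[:=]\s*\S+", re.IGNORECASE),
    # database / service connection strings with an embedded password
    "connection_string": re.compile(r"\b(password|pwd)=[^;\s]+", re.IGNORECASE),
    # PEM private keys left on a share
    "private_key": re.compile(r"-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

MAX_BYTES = 1_000_000  # only inspect the first 1 MB of each file


def classify(path, data):
    """Return the sorted reasons a file looks like cleartext credential storage."""
    reasons = set()
    if FILENAME_HINT.search(Path(path).name):
        reasons.add("filename_hint")
    try:
        text = data[:MAX_BYTES].decode("utf-8")
    except UnicodeDecodeError:
        return sorted(reasons)  # binary content: the name hint is all we have
    for name, pattern in CONTENT_PATTERNS.items():
        if pattern.search(text):
            reasons.add(name)
    return sorted(reasons)


def scan_share(files):
    """files: {path: bytes}. Return {path: reasons} for flagged files only."""
    findings = {}
    for path, data in files.items():
        reasons = classify(path, data)
        if reasons:
            findings[path] = reasons
    return findings


def scan_directory(root):
    """Walk a real mounted share; unreadable files are skipped rather than fatal."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            try:
                with p.open("rb") as fh:
                    files[str(p)] = fh.read(MAX_BYTES)
            except OSError:
                continue
    return scan_share(files)


# Constructed share: three credential files, one benign policy note, one image.
CONSTRUCTED_SHARE = {
    "it/server_passwords.txt": b"router1 admin Summer2014!\nswitch2 admin Winter2014!\n",
    "dev/app.config": b'<add name="db" connectionString="Server=db1;User Id=app;Password=hunter2;" />\n',
    "ops/deploy_key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedkeymaterial\n-----END RSA PRIVATE KEY-----\n",
    "finance/q3_budget.txt": b"Q3 budget: 1,200,000\npassword reset policy: rotate every 90 days\n",
    "marketing/logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
}


if __name__ == "__main__":
    for path, reasons in sorted(scan_share(CONSTRUCTED_SHARE).items()):
        print(f"{path}: {', '.join(reasons)}")
```

The output is a migration worklist, not a verdict: a file flagged only by `filename_hint` (the budget note is not flagged at all, because "password reset policy:" does not match an assignment) still needs a human to confirm before it is moved into the vault and deleted from the share. Run the scan again after the cleanup so the finding count becomes the metric that tracks progress.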

MESA: Is what happened to Sony unique in the world of cyber crime?

Nachreiner: I would not call the Sony cyber attacks unique. We’ve seen corporate attacks time and again throughout 2014, from Target to Home Depot to Dairy Queen. What is unique is the direct tie to nation-state-funded cyber terrorism/warfare. It’s a natural evolution as hacking motives go from vandalism to financial gain to outright intimidation and terrorism.

I predict we’ll see cyber warfare and terrorism become a major threat in 2015. We know that global nations are ratcheting up cyber defense and attack capabilities, quietly launching espionage campaigns against one another, and even stealing industrial intellectual property. The quiet demonstrations in 2014 are sure to be more visible in 2015.

MESA: What’s the takeaway for other companies confronting cyber attacks, both in terms of prevention and reaction?

Nachreiner: We’re really stressing that global IT professionals take the Sony hack as a call to strengthen their security infrastructure. You can’t expect to defend a 5-day old threat with 5-year old technologies. Today’s threats are advanced and persistent.