23 Dec 2014
Much has been said about Sony, and much remains to be said. But the bottom line is that the Sony breach was a cyber attack that was simply waiting to happen. This is a company that has been repeatedly hit by malicious hackers who, angered by Sony’s approach to Digital Rights Management, were determined to wreak havoc on Sony systems. And yet the company apparently did not encrypt personal data and other sensitive information. While blaming a victim is never nice, Sony could have done much more to protect itself.

The successful attack on JP Morgan Chase is the attack that we should all be focused on and learning from. There were protections in place at JP Morgan. And yet hackers still found a vulnerability to exploit and managed to grab gigabytes of information, including customer-account data, undetected from June until mid-August, when a routine scan triggered an alert. Sony’s attackers were also rambling around in the network for months. Which leads to the obvious question: how many systems are currently harboring malicious hackers? Less than 14% of breaches are detected by internal security tools, according to the most recent annual international breach investigations report by Verizon.

We all know that the internet was built for friendly sharing of academic and technical information. We have built a world economy on a platform that is fundamentally insecure in a myriad of ways. The “OMG It’s The Biggest Hack Attack of All Time” is quickly superseded by an even bigger attack a week or so later.

What to do? We know throwing money at cyber security doesn’t solve the problem. Security is an attitude, a decision not to take the easy way out. We’ve all had a good laugh over that folder cleverly named “passwords” on Sony’s network that contained a long list of passwords in clear text. It’s amusing in a horrible sort of way, but be honest — how many best practice violations exist on your laptop, mobile phone and network? Plenty. It’s so easy to get sloppy.
We all need to straighten up and start doing the things we know we need to do, rather than giving lip service to security. 2015 will almost certainly bring a tsunami of cyber attacks. Batten down the hatches now.

As the “Year of the Breach” winds down, it’s also good to remember that being in compliance with a data protection standard does not equal security. Standards tend to describe the bare minimum necessary to protect data at capture, in transit and at rest. Likewise, standards address a wide common denominator with necessarily wide definitions of what one should and should not do. (And yet, companies routinely find these baselines too difficult or costly to implement, as the executive director of information security at Sony Pictures Entertainment explained to a reporter in 2005.)

Compliance is but the beginning of a comprehensive security posture. Don’t make the mistake of spending money strictly to comply with a specific standard. Instead, run a gap audit to determine your weakest points. And conduct a risk audit to understand where the danger lies — why would an attacker target your company, and where do the most likely attack vectors lie? Develop a plan to address these issues. Consult with a compliance expert who can ensure the regulatory demands are covered by your comprehensive security plan. Team this with a business culture that recognizes the vital importance of maintaining best security practices and you’ll be far better equipped to survive the coming storm.