Home » Technology » Security » Sony Pictures attack ushers in new era of hacking
We can safely call 2014 “the year of the data breach,” with 720 breaches as of Dec. 9 and more than 81 million records exposed, and Home Depot, JP Morgan, Michael’s, and now Sony Pictures Entertainment having the most headline-grabbing incidents.
Many of these breaches involved credit card and identity theft, except for the Sony Pictures attack, in which information such as Brad Pitt’s phone number, Channing Tatum’s emails, Jennifer Lawrence’s salary, box office projections and movie scripts were leaked. Experts say we’ve entered a new era of hacking, in which the harm from information leaked is in some cases more irreparable than the financial breaches.
“The attack represents a tipping point where cyber crime merges with information warfare, and it’s that concept that bothers me,” according to Tom Kellermann, chief cybersecurity officer at Trend Micro.
Hackers calling themselves the Guardians of Peace leaked 100 terabytes of data, embarrassing top Hollywood brass, and then destroyed Sony Pictures’ systems using wiper malware, which wiped hard drives and rendered machines unusable. The crippled media conglomerate is still struggling to recover from the Nov. 24 attack, and the situation could get worse with hackers threatening to wreak more havoc on Christmas Day.
Destroying an entire system’s infrastructure after stealing data is unprecedented for hackers, Kellermann noted.
“We’ve gone from pickpocketing to burglary to home invasion. It not only affects homes; it affects entire neighborhoods,” Kellermann said, referring to the pervasive nature of the attack and all the parties it affected.
Other security experts contend that entertainment and media companies are perhaps more vulnerable to these kind of attacks because they have information that interests the general public and their security infrastructure lacks rigorous protocols such as FDIC regulations.
“I’m not sure that it’s hitting companies hard enough that they need to protect their intellectual property, not just their financial information,” said Alex Holden, founder and chief information security officer at Hold Security. “The amount of damage that can be done with that can be absolutely devastating.”
Kellermann agreed, adding that the entertainment industry in particular doesn’t think about cybersecurity as much as it should.
“The entertainment industry spends a tremendous amount of money in personnel security,” he said. “Why don’t they invest in cybersecurity?”
Experts agree that the attack involved multiple people and took weeks or even months to execute. Jim Penrose, executive vice president of cyber intelligence at Darktrace and a former National Security Agency employee, said he believes the perpetrators used a combination of techniques, such as phishing, spear-phishing, and installing malware to gain access to the system.
“Maybe it wasn’t a zero day attack or sophisticated, but it was a well-engineered effort,” he said. “I think in 2015 cyber actors are going to continue using this kind of asymmetrical behavior to coerce companies to behave differently.”
It’s unclear whether the attack came from North Korean hackers who were unhappy with the way leader Kim Jong-un was depicted in the Seth Rogen and James Franco comedy “The Interview,” as some media outlets suggested. What is clear, however, is it will take a while to identify those responsible, Penrose said.
“It can take weeks, months and even years to narrow down who did this, and it’s even harder for us to find out when it comes from outside of the United States and we need to obtain records and research,” he said.
There are multiple reasons why a breach of this kind happened to Sony. First, a security audit of Sony Pictures’ computer network conducted months ago showed gaps in the way the company monitored its systems, according to Recode.
Sony should have had someone monitoring server logs, because 100 terabytes of data is a glaring amount of data to lift, said Tom Chapman, director of the Cyber Operations Group at EdgeWave.
“Even if someone looked at those logs once a day, they’d have noticed,” he said.
Companies can take a few precautions to prevent breaches of this scale. Organizations should deploy a Dmarc system, which authenticates emails, to guard against spear-phishing. They should also test websites more thoroughly to ensure bad links aren’t being circulated and opened, Kellermann said.
To keep its system as secure as possible, Sony should have had a fully integrated host-based protection system, a breach detection system and a security event manager, Kellermann said. Most companies have front-end security protocols to prevent hackers, but not enough security to identify hackers once they’re in-house. This kind of three-part system is the solution.
“You need more than just a guard dog outside the house, because most of the time companies can’t understand what has been moving around in the house,” Kellermann said.
Overall, IT departments should change their approach to security in this new world of cyber warfare, Kellermann said.
“As cynical as it is, we need to develop security solutions where we assume the cyber criminals are going to get in, rather than these max security systems that keep them out,” he said. “Because this is a new form of cyber destruction.”