Over the last few weeks, the data breach at Sony Pictures has become one of the biggest cybersecurity stories of 2014. Following the exposure of approximately 100TB of corporate data, the movie “The Interview,” scheduled for Christmas release in theaters, has been pulled under apparent political pressure from the attack’s perpetrators, a group calling itself the Guardians of Peace. Both Sony and the U.S. government have looked at the possibility that the attack may have been a state-sponsored response to the content of “The Interview,” which involves the death of a caricatured version of North Korean premier Kim Jong-Un.
For all the bold headlines and hype, however, it’s worth stepping back and assessing the incident with a level head. So far, there hasn’t been anything to really distinguish either the techniques of the attackers or the malware they created. In other words, this is not a campaign on par with something like Stuxnet, which combined groundbreaking technical features with the vast resources of nation-states in order to damage the secretive nuclear operations of Iran. Sean Gallagher, IT editor at Ars Technica, described the malware that wiped Sony’s hard drives in late November as a mishmash of “slapdash code.” There are other possible issues here, too, such as the preparedness of Sony’s staff and facilities.
Ultimately, it’s important to learn lessons from what happened to Sony without getting overwhelmed by what’s been said about it. The fact that the breach happened to a major Hollywood studio on the eve of a big release, coupled with the attackers’ threats about what would happen to theaters that showed “The Interview,” has elevated its profile far beyond what its fundamental details likely merit. If anything, Sony’s trouble is not an outlier but an instructive reminder of the challenges that enterprises now face in securing core data.
The Sony breach: When hacktivism turns into a targeted attack
The breach at Sony apparently began in late November, before Thanksgiving, with the leak of personal and medical information on Sony employees. Since then, a lot of the press about the incident has focused more on what leaked emails have revealed, such as Channing Tatum’s eagerness to out-earn “TED” at the box office, or Snapchat’s recent acquisitions and its CEO’s thoughts on Facebook, than on the actual damage to Sony and its workers.
Make no mistake, though: The attack is a huge setback for the company, with one insider telling TechCrunch that her workgroup was “stuck in 1992 over here,” having to make do with pen and paper, no email attachments and the odd tablet or mobile phone. Another told Fusion that jump drives and hand-delivery were back in vogue due to the current state of IT at Sony.
Moreover, in addition to the 100TB that was lifted, “wiper malware” was distributed throughout the network to damage hard drives and cover the attackers’ footsteps, resulting in a huge step back in Sony’s day-to-day operations. This disruptive outcome may have been what the attackers intended. A recent Trend Micro Security News blog post pointed out that in targeted attacks, disruption of corporate activities is often a more important motive than accumulation of money or information.
The involvement of nation-state actors, namely North Korea, and insiders has been debated ever since the incident came to light. U.S. officials and Wired magazine have disagreed about whether there was enough evidence to hold North Korea accountable. The Korea Herald has noted that North Korea has been building a massive cyberarmy, possibly bigger than that of the People’s Republic of China. A timeline posted at Trend Micro Security News has chronicled the changing stances toward North Korea since the breach came to light.
Sony as a “soft target” for cyberattacks
Given the scope of what happened at Sony, it may seem odd to linger on shortcomings in the company’s systems. But it’s not so unusual considering the mostly unremarkable techniques of the attackers. The breach succeeded in large part because of lapses in cybersecurity:
- Sony has a history of security troubles, going back at least as far as the attack on the PlayStation Network in 2011. Bloomberg also reported that Sony was warned in late 2013 about possible infiltration of its network by cybercriminals who were mining data on a regular schedule and encrypting it to stay out of sight.
- Following the PlayStation Network incident, Sony didn’t move past the decentralized security structure that had caused it problems in the past. Even if one department made significant gains in network security, these improvements wouldn’t necessarily translate to other parts of the company.
- Fundamental IT issues such as email management have caused headaches for Sony, too. Its Microsoft Exchange 2007 server has struggled to keep up with email volume and IT support has been stretched thin. In a 2007 interview, a Sony executive seemed to revel in stating that he wouldn’t spend $10 million on security to prevent a $1 million incident (the price tag for this incident is going to go far beyond that; a Gartner analyst thinks it will be the costliest ever for a company).
- Similarly, Sony only had 11 staff on its information security team at the time of the breach. Given the company’s size and the recent upticks in targeted attacks against prominent corporations, this arrangement just doesn’t work.
Federal Bureau of Investigation assistant director James Demarest claimed that 90 percent of organizations could not have withstood the attack that targeted Sony, but his statement revealed more about the poor general state of cybersecurity than about the sophistication of the Guardians of Peace. The attack would probably have failed against the U.S. federal government or a large tech company like Apple or Google, as Slate’s David Auerbach argued, but would have been effective against many enterprises with stretched resources.
The Sony hack shouldn’t be an occasion to despair over the future of data breaches. Rather, it should be a reminder that cybersecurity practices must be continually updated and refined in order to stay ahead of targeted attacks.