The Sony Hack: What Happened, How Did It Happen, and What Did We Learn?


What Happened?

When Sony Pictures employees got into the office on Monday, November 24, they discovered that their corporate network had been hacked. The attackers took terabytes of private data, deleted the original copies from Sony computers, and left messages threatening to release the information if Sony didn’t comply with the attackers’ demands. Someone claiming to be a former Sony employee posted this screenshot, which (allegedly) shows the message that appeared on Sony employees’ computer screens (Source: Hacked By #GOP).


News about the hack on Sony Pictures' infrastructure continues to unfold, with the group calling itself the Guardians of Peace (GOP) circulating unreleased movies, emails (32,000 were released publicly), password lists, and personal information of Sony Pictures staff, actors, and senior management. The data has been published via torrents, with gigabytes made public by GOP almost every day so far this month. Almost 38 million files have been stolen and released on various file-sharing websites to date.

How did it happen?

Considering the large amount of information that was released, it is clear that the group gained access to a large portion of Sony Pictures' network. The GOP initially broke into one poorly protected server and escalated the attack from there to reach the rest of the network. It appears Sony Pictures did not take a defense-in-depth approach to its security: the network was not segmented well enough to prevent a breach in one part of the network from affecting the others. In addition, the password "password" is obviously not good enough, yet it was used for 3 certificates. These certificates were published by GOP and were subsequently used to digitally sign malware. (Source: Lessons we can learn from Sony Pictures Hack)

A combination of weak passwords, a lack of server hardening (which allowed access to one server and, from there, the entire network), failure to respond to alerts or to have the controls in place to raise such alerts, inadequate logging and monitoring, and a lack of Security Education, Training and Awareness (SETA) all contributed to the Sony breach.

Motivation behind the Attack?

Hackers hack for various reasons: some for intellectual property theft, some for monetary gain, and others to defame and destroy. In this case the attackers were probably out to defame Sony in light of the soon-to-be-released movie "The Interview", which North Korea has condemned as an "act of war".

What did we learn?

This can happen to any organization, big or small. The hacker community is skilled and well-funded. Organizations need a multi-layered, defense-in-depth approach to protect their territory, adopting strong security practices that weave together policies, people, regulations, and technology. Some of these include:

• Educating employees about security best practices, such as using strong passwords and changing them per company policy.

• Using technologies like firewalls and VPNs.

• Performing periodic risk assessments to understand your security posture: which controls are effective and which are failing.

• Performing penetration tests to see where you are vulnerable.

• Continuously monitoring and responding to alerts, so that you are ready to prevent, detect, and respond in a timely manner.

To conclude: the cost of repairing after a security incident is 10 to 100 times higher than preventing it in the first place. Deploy a defense-in-depth approach. Prevention, detection, and response are the key.

Online Shopping Tips for Better IT Security

Online sales are expected to be significant this year. How can you maximize your transaction security? If an offer seems too good to be true, it probably is. Don't be blindsided by the lure of great discounts; the security of your information is what matters most. If you aren't prepared and cautious, you could become the next cyber crime victim, and the cost could far exceed any savings the retailer offered.

When purchasing online this holiday season—and all year long—keep these tips in mind to help minimize your risk:

1. Secure your mobile device and computer.

Be sure to keep the operating system and application software updated/patched on all of your computers and mobile devices. Be sure to check that your anti-virus/anti-spyware software is running and receiving automatic updates. Confirm that your firewall is enabled.

2. Use strong passwords.

It's one of the simplest and most important steps you can take to secure your devices, computers, and accounts. If you need to create an account with the merchant, be sure to use a strong password. Always use more than ten characters, with numbers, special characters, and upper and lower case letters. Use a unique password for every site, so that a breach at one merchant does not expose your accounts elsewhere.

3. Do not use public computers or public wireless for your online shopping.

Public computers may contain malicious software that steals your credit card information when you place your order. Additionally, criminals may be intercepting traffic on public wireless networks to steal credit card numbers and other confidential information.

4. Pay by credit card, not debit card.

A safer way to shop on the Internet is to pay with a credit card rather than debit card. Debit cards do not have the same consumer protections as credit cards. Credit cards are protected by the Fair Credit Billing Act and may limit your liability if your information was used improperly. Check your statements regularly.

5. Know your online shopping merchants.

Limit your online shopping to merchants you know and trust. If you have questions about a merchant, check with the Better Business Bureau or the Federal Trade Commission. Confirm the online seller’s physical address, where available, and phone number in case you have questions or problems.

6. Look for “https” when making an online purchase.

The "s" in "https" stands for "secure" and indicates that communication with the webpage is encrypted. It tells you the connection is protected in transit, not that the merchant itself is trustworthy, so it complements tip 5 rather than replacing it.

7. Do not respond to pop-ups.

When a window pops up promising you cash or gift cards for answering a question or taking a survey, close it by pressing Control + F4 for Windows or Command + W for Macs.

8. Do not click on links or open attachments in emails from financial institutions/vendors.

Be cautious about all emails you receive, even those that appear to come from legitimate organizations, including your favorite retailers. The emails could be spoofed and contain malware. Instead of clicking, contact the source directly through its known website or phone number.

9. Do not auto-save your personal information.

When purchasing online, you may be given the option to save your personal information for future use. Consider whether the convenience is really worth the risk. The convenience of not having to re-enter the information is insignificant compared to the time you will spend repairing the damage if that stored information is stolen.

10. Use common sense to avoid scams.

Never give your financial or personal information via email or text. Information on many current scams can be found on the website of the Internet Crime Complaint Center: http://www.ic3.gov/default.aspx.

11. Review privacy policies.

Review the privacy policy for the website/merchant you are visiting. Know what information the merchant is collecting about you, how it will be stored, how it will be used, and if it will be shared with others.

12. What to do if you encounter problems with an online shopping site.

Contact the seller or the site operator directly to resolve any issues. You may also contact the following:

• Your State Attorney General’s Office – www.naag.org/current-attorneys-general.php

• Your State Consumer Agency – http://www.usa.gov/directory/stateconsumer/index.shtml

• The Better Business Bureau – www.bbb.org

• The Federal Trade Commission – http://www.ftccomplaintassistant.gov