When Sony Pictures employees arrived at the office on Monday, November 24, 2014, they discovered that their corporate network had been hacked. The attackers took terabytes of private data, deleted the original copies from Sony computers, and left messages threatening to release the information if Sony did not comply with their demands. Someone claiming to be a former Sony employee posted a screenshot (not reproduced here) that allegedly shows the message that appeared on Sony employees' computer screens (Source: Hacked By #GOP).
News about the hack on Sony Pictures' infrastructure continues to unfold. The group calling itself the Guardians of Peace (GOP) has been circulating unreleased movies, emails (32,000 of them released publicly), password lists, and personal information of Sony Pictures staff, actors, and senior management. The data has been published via torrents, with gigabytes released by GOP almost every day so far this month. To date, almost 38 million files have reportedly been stolen and released on various file-sharing websites.
How did it happen?
Given the volume of information released, it is clear that the group gained access to a large portion of Sony Pictures' network. GOP reportedly first broke into a single, poorly protected server and then escalated from there to reach the rest of the network. Sony Pictures evidently did not follow a defense-in-depth approach: the network was not segmented well enough to keep a breach in one part from spreading to the others. In addition, "password" is obviously not an acceptable password, yet it was used to protect three certificates. GOP published these certificates, and they were subsequently used to digitally sign malware; a leaked code-signing certificate lets malware pass signature checks on any system that trusts it until the certificate is revoked. (Source: Lessons we can learn from Sony Pictures Hack)
A combination of factors contributed to the Sony breach: weak passwords; a lack of server hardening (one compromised server gave access to the entire network); alerts that were not responded to, or controls that were never in place to raise such alerts; inadequate logging and monitoring; and a lack of Security Education, Training and Awareness (SETA).
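Two of the failures above, inadequate monitoring and alerts that never fired, are concrete enough to show as detection logic. The following is an added example, not code from the original post or from Sony: it runs two simple detectors over constructed log lines (host names, paths and byte counts are all made up) and flags the two things the attackers did on the network, pushing a volume of data out that dwarfs the host's normal daily traffic, and deleting large numbers of files in a short window. The thresholds (10x the median daily baseline, 50 deletions in 10 minutes) are illustrative assumptions, not figures from the source.

```python
"""Flag bulk exfiltration and mass deletion from simple event logs.

Added example (not from the original post). Log format is an assumption:
  <ISO timestamp> <host> OUTBOUND <bytes>
  <ISO timestamp> <host> DELETE <path>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median


def build_sample_log():
    """Constructed log: three quiet days, then a ~1 TB spike and 120 deletions."""
    lines = []
    for day in (21, 22, 23):
        for hour in (2, 9, 14):
            lines.append(f"2014-11-{day}T{hour:02d}:00:00 fileserver01 OUTBOUND 5000000")
        lines.append(f"2014-11-{day}T10:00:00 workstation07 OUTBOUND 2000000")
    # Day 4: 8 x 125 GB out of fileserver01 in 40 minutes ...
    for i in range(8):
        lines.append(f"2014-11-24T22:{i * 5:02d}:00 fileserver01 OUTBOUND 125000000000")
    # ... followed by 120 deletions, one every 3 seconds.
    for i in range(120):
        m, s = divmod(i * 3, 60)
        lines.append(f"2014-11-24T23:{m:02d}:{s:02d} fileserver01 DELETE /share/finance/doc{i}.xlsx")
    # A normal workstation: routine traffic and a handful of deletions, no alert.
    lines.append("2014-11-24T10:00:00 workstation07 OUTBOUND 2100000")
    for i in range(5):
        lines.append(f"2014-11-24T11:0{i}:00 workstation07 DELETE /home/user/tmp{i}.txt")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into (timestamp, host, kind, value) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, value = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), host, kind, value))
    events.sort()
    return events


def exfil_alerts(events, multiplier=10, min_baseline_days=2):
    """Per host, compare each day's outbound bytes with the median of prior days.

    Returns a list of (host, date, bytes_today, baseline_bytes) for every day
    that exceeds multiplier x baseline once enough history exists.
    """
    daily = defaultdict(lambda: defaultdict(int))  # host -> date -> bytes
    for ts, host, kind, value in events:
        if kind == "OUTBOUND":
            daily[host][ts.date()] += int(value)
    alerts = []
    for host, per_day in daily.items():
        history = []
        for day in sorted(per_day):
            total = per_day[day]
            if len(history) >= min_baseline_days:
                baseline = median(history)
                if total > multiplier * baseline:
                    alerts.append((host, day, total, baseline))
            history.append(total)
    return alerts


def deletion_alerts(events, window=timedelta(minutes=10), threshold=50):
    """Sliding-window count of DELETE events per host.

    Returns {host: (time_of_alert, deletions_in_window)} for the first moment
    a host reaches the threshold inside the window.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, host, kind, _path in events:
        if kind != "DELETE":
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = (ts, len(q))
    return alerts


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    for host, day, total, base in exfil_alerts(evts):
        print(f"EXFIL  {host} {day}: {total} bytes out vs baseline {base}")
    for host, (when, n) in deletion_alerts(evts).items():
        print(f"DELETE {host} {when}: {n} deletions inside the window")
```

Both detectors are deliberately per-host and baseline-relative: a flat "alert above N bytes" rule either drowns in noise from busy file servers or misses a quiet workstation pushing out far more than it ever has. On the constructed log, the file server trips the exfiltration rule on November 24 (1 TB against a 15 MB median) and the deletion rule at the 50th delete, while the workstation stays silent.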
What was the motivation behind the attack?
Hackers hack for various reasons: some for intellectual property theft, some for money, and others to defame and destroy. These attackers were apparently out to defame Sony, most likely because of the soon-to-be-released movie "The Interview", which North Korea had condemned as an "act of war".
What did we learn?
This can happen to any organization, big or small. Attackers are skilled and well-funded. Organizations need a multi-layered, defense-in-depth approach that weaves together policies, people, regulations, and technology. This includes educating employees about security best practices (using strong passwords and changing them per company policy), segmenting the network and using technologies such as firewalls and VPNs, and performing periodic risk assessments to understand one's security posture, that is, which controls are effective and which are failing. Penetration testing shows where you are actually vulnerable. Continuously monitoring and responding to alerts keeps you ready to prevent, detect, and respond in a timely manner.
To conclude, the cost of recovering from a security incident is 10 to 100 times that of preventing it in the first place. Deploy a defense-in-depth approach: prevention, detection, and response are the key.