News Stay informed about the latest enterprise technology news and product updates.

How is the Sony hack different from other attacks?

The Sony data breach marks a new and scary frontier in corporate cyberwarfare. Also in Searchlight: Apple and IBM alliance bears fruit; the downfall of Pirate Bay.

The attack on Sony's computer system before Thanksgiving -- which leaked employee data, controversial emails among executives, internal company strategy information, and yet-to-be-released movies -- stands out from previous corporate cyberattacks in more ways than one, many security experts agree.

The first is how sophisticated the attack was. According to Joseph M. Demarest Jr., assistant director of the FBI's cyberdivision, the malware used by the Guardians of Peace, the hacking group that claimed responsibility for the attack, was so complex that it "would have slipped and gotten past 90% of the net defenses that are out there today in private industry and been a challenge to state governments."

Second, the Sony data breach is different because it used "wiper" malware, which in addition to stealing data also deletes documents and cripples computers, making data recovery much more challenging. Where wipers are common, though, is in state-sponsored attacks, the Financial Times points out, which is another reason why North Korea, on top of its apparent displeasure with Sony's upcoming release of The Interview, is suspected to be involved.

But what really makes this attack stick out from others is that it would appear the objective was not only to expose sensitive corporate information, but also to harm Sony employees. "People like to steal corporate information, but to attack employees indiscriminately and widely really opens up a new front in corporate cyberwarfare or espionage," Jules Polonetsky, executive director of the Future of Privacy Forum, told The Washington Post.

Making Sony's employees collateral damage, as The Post's Andrea Peterson put it, represents a new, frightening wrinkle in corporate cyberwarfare. Plus, unlike banks or retailers, which know they hold sensitive data that is likely to be the target of cyberattacks and have contingency plans to limit the damage (or should), companies like Sony are less equipped to handle the aftermath of this attack on its employees. 

Because of these differences, the Sony hack has spurred another round of advice from experts for the keepers of corporate security.

A first step is to provide identity theft protection. In a recent study on consumer sentiment by the Ponemon Institute, which surveyed 797 people, approximately 400 of whom say they were the victims of a data breach, most of the respondents felt that companies should be obligated to provide identity theft protection services (63%), followed closely by credit monitoring services.

Another is to use internal corporate communications to sell your company on the importance of a security culture, something we've covered before. According to The Post's Peterson, Sony didn't follow several security best practices, including encrypting clearly labeled files that contained passwords. One former employee even went so far as to call Sony's security team "a complete joke," recounting to the digital TV network Fusion the many times when security violations were reported to the department -- and were ignored. Leaked documents reveal that only 11 people were assigned to Sony's security team. 

Finally, face up to the fact that your company will be hacked -- now. According to Forrester Research's Heidi Shey, acknowledging that you could be breached and preparing for that likelihood plays a vital part in being able to mitigate your losses. "By assuming that information assets will be lost or compromised, data breach planning and cost analysis can help identify vulnerable assets, show the cost implications of a breach, help prioritize protection efforts and justify current and future security investments," she wrote on SearchSecurity. At the most basic level, she says, start with inventorying your data assets and assessing their value, and then evaluate what your organization's breach response plan should involve in terms of estimating the costs of cleaning up the aftermath of a breach.

So is the Sony hack the canary in the coalmine that companies will finally heed? Some security experts, like Kurt Baumgartner of Kaspersky Lab, aren't holding their breath. "I think it's going to require lawsuits and more financial losses before companies start to take this seriously," he told The Washington Post. But maybe now is the time to prove him wrong.

One last piece of advice for businesspeople? Take it from Sony's Amy Pascal and the producer Scott Rudin -- when you have something nasty to say, don't put it in an email. 

CIO news roundup for week of Dec. 8

And here is more technology news from the past week:

  • Apple and IBM are finally releasing the first products of the alliance they announced back in July. These initial 10 apps -- part of what would eventually be 100 apps in the IBM MobileFirst suite -- will focus on specialized tasks in specific fields that include retail, banking, airlines and law enforcement.
  • You can now buy that game of Grand Theft Auto you've been eyeing with bitcoins. That's right, Microsoft has now joined the likes of PayPal and Expedia in accepting the virtual currency to pay for various Microsoft services, including apps for Windows phones and Microsoft software.
  • Pirate Bay, we hardly knew ye. The Washington Post details the demise of the popular peer-to-peer file-sharing site, including the capture of its founders, the raiding of its offices in Sweden and more.
  • Rev. Jesse Jackson this week entreated the high-tech companies of Silicon Valley, including Google, Cisco Systems and Microsoft, to hire more African Americans, Latinos and women. "There is nothing we can't do," Jackson said in a 25-minute speech at the summit hosted by his Rainbow PUSH coalition.

Check out our previous Searchlight roundups on why Uber matters for CIOs and Facebook's enterprise play.

Next Steps

Take a look at SearchSecurity's coverage on the Sony data breach, including the wiper malware linked to the attack, as well as the extortion emails Sony executives received. Then, learn about how to craft a breach response plan on SearchCIO.

Dig Deeper on Enterprise data privacy management

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Do you have a policy on what employees should and should not say in emails?
My company has issued a new set of rules regarding email communications and content ever since the news broke regarding the Sony hack. There is now a company-wide policy that forbids any sensitive company data or decisions in emails. Email content may be used to set up phone conversations or to arrange for a transfer of the data and information, but from this point on, sensitive communications are to be done via phone.
thanks for the response, Carol! how has this new policy been going, in your experience? are employees fully on board?
There's been a mixed reaction. Since the Sony hack we worked on a series of new protocols that restricts what forms of data and information may be conveyed through email. Many employees fought it, calling the rules silly, while others simply accepted the changes and began the protocols very quickly. We have learned that employee misses and non-adherance is a big security threat, and now, any employee who breaks the new rules gets a reprimand and if the behavior continues, is dismissed. Security must come first.
This is a hack, but it's also blackmail. And because hollywood and entertainment thinks differently than regular businesses, they aren't using common sense in their response. As I said to an earlier post, they data is out there. It's stolen. It WILL be released. So don't bow down to the blackmailers. Release your movie, deal with the fallout from embarrassing emails, move on. 'Nuf said.
I also want to see the movie, so I hope it does get released somewhere. 
Sony was not a typical target for hackers. There was no financial gain for the hacker(s). It was to inflict financial losses. It goes to show that nobody is immune to attacks. You may think no one cares about your company data, after all what could happen?? They can steal anything that may cause you to lose customer contacts, preferred vendors, top secret projects in development, or as simple as company photos on an internal website could be used for blackmail... Everyone needs to step up their security before it's to late.
agreed, companies can no longer afford to just say, "here we go again, another for-profit hack" -- motivations are just more complex now, and blackmail's part of the list as you guys brought up. any ideas as to how exactly companies should step up security in 2015? in addition to greater transparency and stronger after-breach response plans, etc.? and do you agree with the washington post, that the sony breach wasn't enough to wake companies up and that it will take even more losses?