The attack on Sony's computer system before Thanksgiving -- which leaked employee data, controversial emails among executives, internal company strategy information, and yet-to-be-released movies -- stands out from previous corporate cyberattacks in more ways than one, many security experts agree.
The first is how sophisticated the attack was. According to Joseph M. Demarest Jr., assistant director of the FBI's Cyber Division, the malware used by the Guardians of Peace, the hacking group that claimed responsibility for the attack, was so complex that it "would have slipped and gotten past 90% of the net defenses that are out there today in private industry and been a challenge to state governments."
Second, the Sony data breach is different because it used "wiper" malware, which in addition to stealing data also deletes documents and cripples computers, making data recovery much more challenging. Wipers are far more common in state-sponsored attacks, though, as the Financial Times points out, which is another reason why North Korea, on top of its apparent displeasure with Sony's upcoming release of The Interview, is suspected of being involved.
But what really makes this attack stick out from others is that it would appear the objective was not only to expose sensitive corporate information, but also to harm Sony employees. "People like to steal corporate information, but to attack employees indiscriminately and widely really opens up a new front in corporate cyberwarfare or espionage," Jules Polonetsky, executive director of the Future of Privacy Forum, told The Washington Post.
Making Sony's employees collateral damage, as The Post's Andrea Peterson put it, represents a new, frightening wrinkle in corporate cyberwarfare. Plus, unlike banks or retailers, which know they hold sensitive data that is likely to be the target of cyberattacks and have contingency plans to limit the damage (or should), companies like Sony are less equipped to handle the aftermath of an attack like this one on their employees.
Because of these differences, the Sony hack has spurred another round of advice from experts for the keepers of corporate security.
A first step is to provide identity theft protection. In a recent study on consumer sentiment by the Ponemon Institute, which surveyed 797 people, approximately 400 of whom say they were the victims of a data breach, most of the respondents felt that companies should be obligated to provide identity theft protection services (63%), followed closely by credit monitoring services.
Another is to use internal corporate communications to sell your company on the importance of a security culture, something we've covered before. According to The Post's Peterson, Sony didn't follow several security best practices, including encrypting clearly labeled files that contained passwords. One former employee even went so far as to call Sony's security team "a complete joke," recounting to the digital TV network Fusion the many times when security violations were reported to the department -- and were ignored. Leaked documents reveal that only 11 people were assigned to Sony's security team.
Finally, face up to the fact that your company will be hacked -- now. According to Forrester Research's Heidi Shey, acknowledging that you could be breached and preparing for that likelihood plays a vital part in being able to mitigate your losses. "By assuming that information assets will be lost or compromised, data breach planning and cost analysis can help identify vulnerable assets, show the cost implications of a breach, help prioritize protection efforts and justify current and future security investments," she wrote on SearchSecurity. At the most basic level, she says, start by inventorying your data assets and assessing their value; then work out what your organization's breach response plan should involve, including an estimate of what cleaning up after a breach would cost.
So is the Sony hack the canary in the coal mine that companies will finally heed? Some security experts, like Kurt Baumgartner of Kaspersky Lab, aren't holding their breath. "I think it's going to require lawsuits and more financial losses before companies start to take this seriously," he told The Washington Post. But maybe now is the time to prove him wrong.
One last piece of advice for businesspeople? Take it from Sony's Amy Pascal and the producer Scott Rudin -- when you have something nasty to say, don't put it in an email.
CIO news roundup for week of Dec. 8
And here is more technology news from the past week:
- Apple and IBM are finally releasing the first products of the alliance they announced back in July. These initial 10 apps -- part of what would eventually be 100 apps in the IBM MobileFirst suite -- will focus on specialized tasks in specific fields that include retail, banking, airlines and law enforcement.
- You can now buy that game of Grand Theft Auto you've been eyeing with bitcoins. That's right, Microsoft has now joined the likes of PayPal and Expedia in accepting the virtual currency to pay for various Microsoft services, including apps for Windows phones and Microsoft software.
- Pirate Bay, we hardly knew ye. The Washington Post details the demise of the popular peer-to-peer file-sharing site, including the capture of its founders, the raiding of its offices in Sweden and more.
- Rev. Jesse Jackson this week entreated the high-tech companies of Silicon Valley, including Google, Cisco Systems and Microsoft, to hire more African Americans, Latinos and women. "There is nothing we can't do," Jackson said in a 25-minute speech at the summit hosted by his Rainbow PUSH coalition.
Take a look at SearchSecurity's coverage on the Sony data breach, including the wiper malware linked to the attack, as well as the extortion emails Sony executives received. Then, learn about how to craft a breach response plan on SearchCIO.