What to make of the Sony hack
- By H. Mark McGibbon, J.S. Hurley
- Mar 03, 2015
The intrusion suffered by Sony Pictures Entertainment late last year was a significant event for that company's reputation, finances and cybersecurity readiness. Regardless of who was behind the breach, Sony revealed to the world how vulnerable it was to a cyber intrusion, which raises the question: what other major organizations could suffer the same type of attack? According to CNN reports, 100 terabytes of data were stolen and much of it was shared with the world. A major breach, indeed!
From the start of the intrusion, Sony suspected North Korea as the culprit, because of a then-imminent film with North Korea as its subject. The FBI agreed and publicly confirmed Sony's suspicions about North Korea's guilt. North Korea, however, was adamant in declaring its innocence and demanded that the U.S. produce proof of its involvement, and numerous cyber forensic experts questioned the FBI's findings.
Sam Glines, head of the cybersecurity company Norse, suggested other actors who had "probable cause" to conduct the hack, such as the disgruntled former Sony employee known as Lena.
Taia Global, a U.S.-owned cybersecurity company, examined the incident from another perspective, analyzing the imperfect English in the threat messages sent to Sony. Based on the stylometry of 20 English-translation errors, Taia Global's computational linguists found nine (45 percent) consistent with a native Korean speaker and 15 (75 percent) consistent with a native Russian speaker, according to boingboing.net reports; the percentages add up to more than 100 because a single error can be consistent with more than one native language. "Korea is still a possibility," Taia Global's chief scientist concluded, "but it's much less likely."
Tracing an attacker's footsteps is difficult because of how easily a trail can be obscured in cyberspace. A hijacked computer can, for example, send an email carrying a malware payload from another person's machine, masking the true originator. An even simpler way to hide one's identity is to register a domain name under false details, which makes it hard for forensic experts to conclusively identify skilled attackers. Those seeking to mask their identity can also use an anonymizing service that hides their real IP address and encrypts their traffic. And thousands of hackers will provide their services for the right motivation (money, prestige, the challenge, etc.), and anyone in the world can hire them. Determining the true identity behind this hack is a highly difficult task even for cyber forensic experts.
And yet for other organizations, the identity of the Sony hackers is almost beside the point. Far more important are the lessons that can be learned about protecting themselves from similar attacks.
To help counter malicious cyber threats at Salesforce.com, for example, the chief trust officer (a role known at many other institutions as the chief information security officer) has institutionalized a security program that rewards employees for making security a daily part of their job. The Salesforce.com security team tests employees with general phishing campaigns, spear-phishing emails, and malicious-looking USB flash drives left in common areas. (When one of these drives is plugged in, it reports to the security team which employee plugged it in.)
All of this is to ensure that good security practices become routine. If an employee does not fall victim during these tests, the chief trust officer rewards the employee by notifying the employee's boss of the employee's good security posture, which is later reflected positively in the employee's end-of-year evaluation.
The main emphasis of the Salesforce.com security team is to change employee behavior so that it helps prevent malicious cyber activity. As employees are reminded during the firm's training program, "if it is too good to be true, then it's actually too good to be true!" The goal is to defeat the simple social engineering tricks that so often give an attacker a foothold in an organization's information systems or data.
These are common-sense steps that any organization can encourage so that employees don't compromise the security of its systems:
- Don't plug "found" thumb drives or any personal storage media into work computers.
- Visit only known websites, and do not click suspicious-looking links found in emails.
- Do not respond to "official-looking" emails that ask you to change your password or to provide personally identifiable information (PII).
- Use strong passwords that contain upper case letters, lower case letters, numbers and a special character, and that are at least 8 characters long (6 is too short to resist offline guessing); longer is better, since length does more to slow a guessing attack than character variety.
- Turn off the AutoRun/AutoPlay feature on all company computers.
- Use anti-virus and anti-spyware software.
- Scan all incoming emails and attachments.
- Keep firewalls and intrusion detection systems (IDS) updated.
- Password-protect and encrypt all files in storage.
- Encrypt all sensitive emails before sending.
- Overwrite deleted data with a program that truly erases what is placed in the computer's trash, such as CCleaner (Windows), Eraser (Windows) or Secure Empty Trash (Apple). Note that overwriting is unreliable on solid-state drives, which remap writes internally; full-disk encryption is the dependable control there.
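The advice about suspicious links in email can be checked mechanically, and that check is a useful thing to see in code. The following is an added example, not code from the original article or from Salesforce.com: a small Node.js script that scans a constructed HTML message for two common phishing tells, a link whose visible text names one host while its href leads to another, and an href that points at a bare IP address. The message, the hostnames and the function names are all assumptions made for illustration.

```javascript
// Added example, not from the original article: flag links in an HTML e-mail
// whose visible text names one host while the href leads somewhere else, or
// whose href is a bare IP address. Runs under Node.js with no dependencies.

// Constructed sample message; the hosts and paths are illustrative.
const SAMPLE_EMAIL_HTML = `
<p>Your account will be suspended. Please verify now:</p>
<a href="http://198.51.100.23/login">https://accounts.example-bank.com/verify</a>
<p>Or visit <a href="https://accounts.example-bank.com/help">our help page</a>.</p>
<p>Prize claim: <a href="http://example-bank.com.claim-prize.test/">example-bank.com</a></p>
`;

// Pull (href, visible text) pairs out of anchor tags. A regex is enough for
// this demonstration; a production mail filter would use a real HTML parser.
function extractLinks(html) {
  const links = [];
  const anchor = /<a\s+[^>]*href\s*=\s*"([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = anchor.exec(html)) !== null) {
    links.push({ href: m[1].trim(), text: m[2].replace(/<[^>]+>/g, '').trim() });
  }
  return links;
}

// Host named by a string: an absolute URL, or something that looks like a
// domain (optionally followed by a path). Plain words such as "our help page"
// give null so they are never compared against the href.
function hostOf(s) {
  const looksLikeUrl = /^[a-z][a-z0-9+.-]*:\/\//i.test(s);
  const looksLikeHost = /^(?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:\/\S*)?$/i.test(s);
  if (!looksLikeUrl && !looksLikeHost) return null;
  try {
    return new URL(looksLikeUrl ? s : `http://${s}`).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

const IPV4_LITERAL = /^\d{1,3}(?:\.\d{1,3}){3}$/;

// Return every link that should be treated as suspicious, with the reason.
function findSuspiciousLinks(html) {
  const findings = [];
  for (const link of extractLinks(html)) {
    const target = hostOf(link.href);
    if (target === null) continue; // relative or malformed href: out of scope here
    const shown = hostOf(link.text);
    if (IPV4_LITERAL.test(target)) {
      findings.push({ ...link, reason: 'href points at a bare IP address' });
    } else if (shown !== null && shown !== target) {
      findings.push({ ...link, reason: `text shows ${shown} but href goes to ${target}` });
    }
  }
  return findings;
}

for (const f of findSuspiciousLinks(SAMPLE_EMAIL_HTML)) {
  console.log(`SUSPICIOUS: "${f.text}" -> ${f.href} (${f.reason})`);
}
```

Run with `node` and the first and third links are reported; the second is not, because its text is ordinary prose. The comparison is on full hostnames, so `example.com` shown against `www.example.com` would also be flagged; a production filter would compare registrable domains instead, and would additionally look at the URL-encoded and Unicode lookalike tricks this example does not cover.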
Another major challenge is the lack of attention paid to securing applications and firmware. As organizations increasingly move to web-based applications for their convenience, easy access and availability, a number of easily exploited vulnerabilities are consistently ignored. Often a web browser is all an attacker needs, which makes the exploit inexpensive yet effective at gaining unwanted access to (and in some cases control of) applications. Cross-site scripting (XSS) has become popular because of its simplicity, and it is formidable for its ability to yield access to user accounts. Google and many others have had to repair cross-site scripting flaws that enabled unwanted access to and control of user accounts.
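To make the cross-site scripting point concrete, here is an added example that is not from the original article and is not Google's code: a reflected XSS bug in a search-results template next to the hardened version, with a constructed payload that breaks out of an attribute value. The template, the payload and the function names are illustrative assumptions; the check at the end only exists to show the difference between the two renderings.

```javascript
// Added example, not from the original article: a reflected cross-site
// scripting bug in a search-results template, next to the escaped version.
// Runs under Node.js; the payload and function names are illustrative.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Escape the five characters that can change meaning in HTML text or in a
// quoted attribute value. This is HTML-context escaping only: input placed
// inside a <script> block or a URL needs the escaping rules of that context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the query is concatenated into the page unchanged, so a value
// containing "> closes the attribute and starts a new element.
function renderVulnerable(query) {
  return `<input name="q" value="${query}"><p>Results for ${query}</p>`;
}

// Hardened: escape once; because the attribute is double-quoted and " is
// escaped, the same escaper is correct in both the attribute and the text.
function renderSafe(query) {
  const q = escapeHtml(query);
  return `<input name="q" value="${q}"><p>Results for ${q}</p>`;
}

// Names of the elements a browser would create from this markup. Escaped
// text such as &lt;img never starts an element, so it is not listed.
function tagNames(html) {
  const names = [];
  const open = /<([a-z][a-z0-9]*)\b/gi;
  let m;
  while ((m = open.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True when the rendered page contains an element the template did not write.
function hasInjectedElements(html, templateTags) {
  return tagNames(html).some((t) => !templateTags.includes(t));
}

const TEMPLATE_TAGS = ['input', 'p'];
// Constructed payload: closes value="..." and adds an element whose event
// handler runs attacker-chosen script in the victim's browser.
const PAYLOAD = '"><img src=x onerror="alert(document.cookie)">';

console.log('vulnerable:', renderVulnerable(PAYLOAD));
console.log('  injected element?', hasInjectedElements(renderVulnerable(PAYLOAD), TEMPLATE_TAGS));
console.log('hardened:  ', renderSafe(PAYLOAD));
console.log('  injected element?', hasInjectedElements(renderSafe(PAYLOAD), TEMPLATE_TAGS));
```

The fix is output encoding chosen for the context the data lands in, applied at the point of output rather than at input, since the same value may be rendered in several places. A Content-Security-Policy that blocks inline script is worth adding as a second layer, but it does not replace the escaping.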
In addition, the ability to subvert router firmware is especially troubling because it can give attackers total control of the device. This is particularly true of wireless routers running Linux-based firmware, and the problem is prevalent across the wide range of routers deployed in environments that still run legacy software and applications. The typical approach is to bypass the firmware's own protections and inject malware that at a minimum allows unauthorized access and at the extreme hands control of the router to the attacker.
Finally, organizations can inspect new and old laptops and workstations for original hardware components (e.g., integrated circuits) using an "Authentico USB flash drive," which inspects the machine and reports any deviation from the factory-produced product settings within seconds.
This is not a comprehensive list of cybersecurity practices to be institutionalized, of course. It is, however, a good start -- and a reminder that technology alone can't secure a large organization's systems.
Is your organization ready?
H. Mark McGibbon serves as the Lockheed Martin Visiting Chair at the National Defense University Information Resources Management College.
J.S. Hurley is currently a faculty member at the National Defense University Information Resources Management College.