Why the Sony hack should scare feds

The attack on Sony marks an escalation that damaged a network and destroyed data. Experts say feds need to be watchful for similar assaults.

Sony Pictures Plaza in Culver City, California (Photo: Wikimedia Commons)

Sony Pictures Entertainment was brought to a virtual standstill by the recent cyberattack and the damage it caused.

As the fallout from the unprecedented electronic attack on Sony Pictures Entertainment continues, cybersecurity experts said federal IT managers -- while likely facing no immediate threat from the group that attacked Sony -- should be paying close attention.

The Sony Pictures attack -- which has left tens of thousands of the company's employees without computers or network access and scattered terabytes of sensitive data in the wind -- marks a new milestone for cyber "bad actors," according to Greg Bell, U.S. leader for cyber services and information protection at KPMG.

The attack by a group that calls itself "Guardians of Peace" marks a shift by cyber attackers to a more destructive path, Bell told FCW. Traditionally, attackers have focused primarily on monetizing stolen credit card and personal information purloined from U.S. companies. Lower-profile but more concerning exfiltration of intellectual property data and competitive business information tied to corporate or national interests has also been part of past attackers' modi operandi.

The attack on Sony marks the first time in the U.S. when an attacker has so blatantly damaged a corporate network and targeted and destroyed data in that system, Bell said. The group didn't ask for money, but demanded Sony block the release of "The Interview," a comedy parodying a CIA assassination attempt on North Korean dictator Kim Jong-un. North Korea is a prime suspect and has praised the attack while denying direct responsibility.

Similar incidents, although rare, have cropped up overseas in the last two years. An attack on Middle East energy company Saudi Aramco in 2012 and cyberattacks in 2013 on South Korean television stations and a bank had similar destructive characteristics, Bell said.

Aramco is said to have replaced tens of thousands of PCs at its headquarters after the existing fleet of machines was rendered useless by the attackers' code. Then-Defense Secretary Leon Panetta remarked at the time that a similar attack on critical U.S. infrastructure, including water and electrical facilities, would cause unparalleled destruction and upheaval.

"This is a relatively new shift," said Bell. "It should be in the minds of federal agencies" that are increasingly amassing vast stores of critical data, as well as critical infrastructure providers who guard crucial assets like electric grids and water supplies. Given the high visibility of the attack on Sony Pictures, he said, "copycats are inevitable" in the coming months.

Rick Dakin, CEO, co-founder and chief security strategist for IT governance, risk and compliance firm Coalfire, said Sony got a cyber wake-up call in 2011 when its PlayStation network was crippled by hackers.

90 percent vulnerability

After that assault, Sony hired Phil Reitinger, a former deputy undersecretary for the National Protection and Programs Directorate at the Department of Homeland Security and director of the National Cyber Security Center, as its first chief information security officer.

Before his stint at DHS began in 2009, Reitinger was chief trustworthy infrastructure strategist at Microsoft and executive director of the Department of Defense Cyber Crime Center. He left Sony earlier this year to found his own consultancy, VisionSpear LLC. According to news reports, Sony just moved John Scimone, its former director of security engineering, into the chief information security officer position in September.

Reitinger helped Sony put in place substantial cyber defenses during his tenure, Dakin said, but given the quickly shifting nature of technology and online threats, security can be a fleeting thing. The tactics that breached Sony's IT facilities and data, he added, probably could have pierced a host of other companies' current IT operations.

FBI cybercrime experts have also said the malware in the Sony attack could menace federal agencies.

"The level of sophistication is extremely high, and it was organized and persistent," Joseph Demarest, the assistant director in charge of the FBI's cyber division, said at a Dec. 10 cybercrime hearing before the Senate Banking, Housing and Urban Affairs Committee. "It's a concern, because in speaking with Sony and their managed cybersecurity provider, the malware that was used would have probably gotten past about 90 percent of the defenses that are out there today both in industry and in government."

According to Dakin, mobile capabilities have been a particular catalyst for recent attacks, as the rapid introduction and evolution of mobile phones, tablets and other devices has meant a return to unpredictable security. "With mobile phones, tablets and mobile applications, it's back to the Wild West for security. ... The tech revolution has hit the reset button."

It's unclear if mobile devices were involved with the Sony attack, though. Dakin said the wiper malware used against Sony dives deep into a computer system's coding. It could be used to profoundly alter IT systems, allowing attackers to potentially insert their own communications or data and make it look official -- a capability that could give federal agencies fits. That kind of access can have significant impact on government and critical infrastructure networks, even if the attack is subtle.

"What if an email got sent out by an agency telling workers not to come to work or not to read their email?" asked Dakin. "How would an agency deal with 50 to 70 percent of their laptops being unavailable for 72 hours?" asked Bell. "Agencies have to think about that. Continuity-of-operations plans are critical."

Safety in the cloud?

Bell and Dakin both said, however, that federal IT managers should take some solace in the federal government's emphasis on cyber defenses and, in some instances, its push to the cloud.

Efforts like continuous diagnostics and mitigation and associated FedRAMP cloud-security efforts are a step ahead of many commercial cybersecurity efforts, said Dakin.

CDM and FedRAMP have led to a higher standard for security technology for a large pool of federal users, Dakin said. Such standardization among commercial entities is not as easily accomplished, though Bell said "it's hard to say if federal IT protections are ahead of the commercial side."

Not surprisingly, intelligence and defense agencies are among the best protected, but some civilian agencies might be more vulnerable, according to Bell.

Reports from the tech news site Re/code said Sony is using FedRAMP-certified cloud provider Amazon Web Services for cloud services. AWS is helping Sony carry out an electronic counterattack using denial-of-service techniques to block sites distributing stolen Sony data. Sony and other entertainment content providers have used DDoS attacks before to stop pirated content from being distributed.

Bell said cloud providers could offer a stronger defense against a Sony-type attack, by offering dedicated security teams and potentially more up-to-date platforms than some civilian agencies can manage on their own.

And if the attack marks an escalation in the cyber wars, it might also be the dawning of escalated defenses. According to Demarest, Sony is enthusiastically cooperating with federal agencies with its investigation. Such cooperation, Sen. Charles Schumer (D-N.Y.) said at the Banking Committee hearing, was not the norm even a few years ago.

"Industry didn't want to share information about breaches," said Schumer. "It was sort of like when Churchill asked people to turn off their lights during the Blitz. Some said they didn't want to. I think those days are over."
