In light of the recent Sony Pictures hack, it’s important to clarify the facts and examine how such an attack might have taken place, to serve as a learning experience for other companies.
News about the hack on Sony Pictures’ infrastructure continues to unfold, with the group calling itself the Guardians of Peace (GOP) circulating unreleased movies, emails, password lists and personal information on Sony Pictures staff, actors and senior management. The data has been published through torrents, with GOP releasing gigabytes of material almost every day this December. News agencies are struggling to identify the real motives behind the hack, possibly the largest of the year, with some pointing fingers at North Korea. GOP seem to enjoy leaving notes, making threats and scare-mongering, most recently with the promise of a ‘Christmas gift’. They’re like the Jack the Ripper of cyber criminals, boasting of their accomplishments.
Every hack leaves us thinking about how it could have been prevented, and what we can all learn from it. After analysing the information currently available about this hack, I am presenting some thoughts about how it could have been prevented and/or mitigated. Being the CSO for Sony Pictures is surely no simple feat. The number of servers and workstations that need to be protected must easily run into the tens of thousands. The leakage of .ost files (Outlook offline data files, which live on the user’s workstation rather than on the mail server) containing thousands of emails from top managers indicates that those workstations had been compromised at some point, not just the servers.
The first thing everyone learns in security is to use good passwords. The password “password” is obviously not good enough, yet it was used to protect three certificates. These certificates were published by GOP, and they were subsequently used to digitally sign malware. It turned out that this was a prank by a team of security researchers, but it goes to show the extent of the problems that can arise from weak passwords: a leaked certificate file is only as safe as the password on it. This was not the only instance of weak passwords. It seems that weak passwords were also used to protect critical internal and internet-facing servers. Read tips on choosing the right password.
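As an added illustration (not code from the original post, and not a tool Sony Pictures used), the check below encodes the password rules a practitioner would actually enforce: a minimum length, an entropy estimate, a repeated-character check, and a blocklist lookup that first undoes leet-speak substitutions so that “P@ssw0rd123” is still recognised as “password”. The blocklist is a constructed stand-in; a real deployment would check against a breached-password corpus instead (assumption).

```python
import math
import re

# Constructed blocklist of passwords any attacker tries first. A real
# deployment would use a breached-password corpus instead (assumption).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "changeme", "iloveyou", "sony", "sonypictures",
}

# Leet-speak substitutions undone before the blocklist lookup.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(password: str) -> str:
    """Lower-case, drop a trailing run of digits/symbols, undo leet-speak.

    This catches the trivial variants users reach for when a policy
    demands "complexity": Password1, P@ssw0rd!, password2014.
    """
    core = re.sub(r"[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def charset_size(password: str) -> int:
    """Size of the smallest character class set that covers the password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy, assuming random choice from the charset."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def assess_password(password: str, min_length: int = 12,
                    min_bits: float = 60.0) -> list:
    """Return the reasons a password is weak; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    candidates = {password.lower(), normalise(password)}
    if candidates & COMMON_PASSWORDS:
        problems.append("variant of a blocklisted password")
    if re.fullmatch(r"(.)\1*", password):
        problems.append("single repeated character")
    if entropy_bits(password) < min_bits:
        problems.append(f"estimated entropy below {min_bits:.0f} bits")
    return problems


if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd123", "aaaaaaaaaaaa",
               "correct horse battery staple"]:
        print(f"{pw!r}: {assess_password(pw) or 'OK'}")
```

Note that the entropy figure is an upper bound: it assumes characters were chosen at random, which is exactly what the blocklist check is there to disprove. A password that clears the entropy bar but fails the blocklist is still rejected, which is the behaviour a policy that only counts character classes gets wrong.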
Considering the stash of information released by GOP, it is clear that the group gained access to a large portion of Sony Pictures’ network. Many people are scratching their heads trying to figure out how the hack may have happened, but we can speculate that GOP initially broke into one server that was not so well protected, and then moved laterally from it to gain access to the rest of the network. That would indicate that Sony Pictures’ network was not segmented well enough to stop a breach in one part of the network from affecting the other parts. The same situation arises when senior management demand access to critical information within the organisation while also expecting their workstations to be easy to use; in other words, not protected very well.
While Sony did outsource various security assessments of their infrastructure, it is clear that, unfortunately, this was not enough. The assessments did not detect the use of weak passwords and did not prevent information being stolen from the network. Most organisations see security investment as an optional cost, and will only implement what is required to be compliant. Penetration tests should be done regularly, combining automated pen-testing tools with manual security checks, and the findings should actually be fixed. Companies should avoid taking the easy way out when it comes to security testing.
It is also clear that numerous alarms should have been triggered while the network was being compromised and data was being pilfered by the hackers. Those notifications would have allowed Sony Pictures to identify the attack early and limit the damage. Either the alarms were not in place, were not taken seriously (possibly because of a history of false alarms) or were completely ignored. Security training should ideally be done throughout the organisation, explaining what complex passwords are and why they matter, why anti-virus warnings should be reported rather than ignored, how to recognise attempts at social engineering, and why work resources should not be accessed from public Wi-Fi networks.
Actively monitoring logs, including event logs, syslogs, web server logs, firewall logs, anti-virus logs and the logs of the various other systems running in the organisation, is tedious, but it could well have allowed Sony Pictures to sound the alarm before it was too late. Various tools exist that automate log monitoring, and these usually include notification systems that alert the admin when a pattern matching a breach is detected. As it is, Sony Pictures have been left sifting through whatever logs the hackers left behind in order to identify the source and the real magnitude of the attack.
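To make the point concrete, here is an added example (my own, not code from the original post or from any product Sony Pictures ran) of the kind of rule a log-monitoring tool applies. It reads constructed sshd and firewall lines, so the log formats, hostnames and addresses are all assumptions, and raises three alerts of the sort discussed above: a burst of failed logins from one source, a successful login from that same source right after the burst (a guessed password), and an internal host sending an unusual volume of data to a single external address. A lone failed login followed by success is deliberately not alerted on, since flooding admins with that kind of false alarm is how real alerts come to be ignored.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real Sony data): sshd entries in syslog
# format plus firewall egress accounting lines in an assumed key=value layout.
SAMPLE_LOGS = """\
Dec 15 02:14:01 filesrv01 sshd[4121]: Failed password for root from 203.0.113.7 port 51012 ssh2
Dec 15 02:14:03 filesrv01 sshd[4121]: Failed password for root from 203.0.113.7 port 51014 ssh2
Dec 15 02:14:05 filesrv01 sshd[4121]: Failed password for admin from 203.0.113.7 port 51017 ssh2
Dec 15 02:14:06 filesrv01 sshd[4121]: Failed password for admin from 203.0.113.7 port 51019 ssh2
Dec 15 02:14:08 filesrv01 sshd[4121]: Failed password for backup from 203.0.113.7 port 51022 ssh2
Dec 15 02:14:11 filesrv01 sshd[4130]: Accepted password for backup from 203.0.113.7 port 51025 ssh2
Dec 15 02:20:44 fw01 kernel: OUT src=10.20.30.15 dst=203.0.113.7 proto=TCP dpt=443 bytes=734003200
Dec 15 02:35:10 fw01 kernel: OUT src=10.20.30.15 dst=203.0.113.7 proto=TCP dpt=443 bytes=918720000
Dec 15 02:36:00 fw01 kernel: OUT src=10.20.30.40 dst=198.51.100.9 proto=TCP dpt=443 bytes=120000
Dec 15 09:00:12 filesrv01 sshd[5200]: Failed password for alice from 10.20.30.55 port 40011 ssh2
Dec 15 09:00:30 filesrv01 sshd[5201]: Accepted password for alice from 10.20.30.55 port 40012 ssh2
"""

SSH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+")
FW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: OUT "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) .*?bytes=(?P<bytes>\d+)")


def parse_ts(text: str) -> datetime:
    # Syslog timestamps carry no year; only the differences matter here.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def analyse(log_text: str, fail_threshold: int = 5, guess_threshold: int = 3,
            window_seconds: int = 300,
            egress_threshold: int = 500 * 1024 * 1024) -> list:
    """Run the detection rules over raw log text and return a list of alerts."""
    alerts = []
    failures = defaultdict(list)   # source IP -> timestamps of recent failed logins
    egress = defaultdict(int)      # (internal src, external dst) -> bytes sent
    raised = set()                 # suppress repeated alerts for the same finding

    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            ts, src = parse_ts(m["ts"]), m["src"]
            # Sliding window: keep only failures within window_seconds of this event.
            recent = [t for t in failures[src]
                      if (ts - t).total_seconds() <= window_seconds]
            if m["result"] == "Failed":
                recent.append(ts)
                if len(recent) >= fail_threshold and ("brute", src) not in raised:
                    raised.add(("brute", src))
                    alerts.append({"kind": "brute_force", "src": src,
                                   "host": m["host"], "failures": len(recent)})
            elif len(recent) >= guess_threshold:
                # Success right after a burst of failures: a password was guessed.
                alerts.append({"kind": "guessed_password", "src": src,
                               "host": m["host"], "user": m["user"]})
            failures[src] = recent
            continue

        m = FW_RE.match(line)
        if m:
            key = (m["src"], m["dst"])
            egress[key] += int(m["bytes"])
            if egress[key] >= egress_threshold and ("egress", key) not in raised:
                raised.add(("egress", key))
                alerts.append({"kind": "egress", "src": key[0], "dst": key[1],
                               "bytes": egress[key]})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS):
        print(alert)
```

The thresholds are parameters on purpose: the brute-force and egress limits that fit a build server will not fit a mail gateway, and a rule that cannot be tuned per host is the one that gets switched off after a week of noise. Note also that the egress rule correlates with the brute-force rule through the shared address 203.0.113.7; a real monitoring pipeline would raise that correlation to a higher severity than either alert on its own.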
Finally, each and every organisation should have a plan for what to do when security fails. Sony Pictures acknowledged the breach days after the attack was first reported, and admitted that they were still struggling to identify “the full scope of information that the attackers have or might release”. Considering that this is not the first time Sony Pictures has been breached, more care could have been taken: planning ahead and documenting the steps to be taken when the next breach occurs. Given enough time, a sophisticated attacker can break into any system. While the network should be protected, the organisation should also have a plan for what happens once the system is compromised.
We would like to end by clarifying that Sony Pictures are not an Acunetix customer and therefore we are not aware of the measures they had in place.