Sony was on the receiving end of a cyberattack once again. Hackers managed to take the Sony Pictures website offline on Monday. This isn't Sony's first experience with such attacks, though: Sony has been repeatedly targeted by attackers, up to and including having its PlayStation Network knocked offline in August.
The motivations most likely vary from one attack to the next. The one thing that’s consistent is that Sony is a very large organization with as many enemies as fans, and it has tons of valuable data accessible over the Internet.
“Sony Pictures (and for that matter every other entertainment company) need to come to grips with the fact that they are now software companies having to take the defensive measures of any other software company,” stressed TK Keanini, CTO of Lancope. “This transformation happens to every business whose livelihood is based solely on intellectual properties and the controlled distribution of such a medium. The structure of this business is not easy to secure because the making of these properties involves a very complex supply chain of vendors, all of which could be a successful target for the attacker.”
The data compromised in the attack was diverse: financials, employee data, production files for entertainment products, and more. This suggests either that multiple systems were compromised or that a few compromised people had far more access to data than their jobs required.
What lessons can other organizations take away from Sony's experience? Keanini shared a couple of things organizations should consider:
1. It could happen to you
When you look at the data, you quickly realize that you too hold data like this, and this could be you. What measures are in place so that this does not happen to you? If it has already happened to you, how would you know? Use this as a wake-up call, because these events are here to stay in the information age.
2. Not all data is created (or protected) equally
When thinking about the countermeasures for this stolen or disclosed information, one has to look at its mutability: how easily the information can be changed so that it can no longer be used. Passwords are only effective if they work; change the password, or better yet employ two-factor authentication, and this information is useless. Information on people and physical property is much less mutable, and once disclosed it is less feasible to render it useless. When performing threat modeling, you need to ask yourself how mutable this data is and how feasible it is to change it en masse, for this is the ongoing process of securing data.
Your company may not have the sort of intellectual property that Sony does, and you might not have as many enemies looking to take you down, but that doesn’t mean you’re invulnerable. Make sure you take steps to guard against attacks like these so the next data breach headline doesn’t have your company’s name in it.