



Be scared: The Sony-style hack is no rare event

Dec 09, 2014 | 4 mins
Data and Information Security, Hacking, Security

Only the wanton destructiveness of the Sony attack made it an outlier; the scale was not uncommon. Maybe the bad publicity will be a wake-up call.

Last week the media was in full meltdown over the Sony hack, particularly the company’s loss of 100TB of data, including unreleased films. Worse, personal information was exposed, including Social Security numbers and addresses for thousands of current and past employees, as well as Hollywood stars.

Sony employees have received threatening emails from the perpetrators. The entire company is in a multiweek digital shutdown. It doesn’t get any worse than this.

Was North Korea the attacker, bent on revenge for Seth Rogen’s latest film, “The Interview,” which features a CIA plot to assassinate Kim Jong-Un? We’ll probably never know for sure.

But there’s no disputing — I speak from experience — how common this sort of hack is. A hack that exposes 100TB of data on the public Web may be unusual, but only in the above-average quantity of data and the intent to embarrass and financially damage a company, rather than quietly spirit away information that can be used to steal money and/or intellectual property.

In truth, hundreds of terabytes of data are stolen from companies all the time. I personally know of dozens of companies where hundreds of gigabytes of data are stolen every day, with an average of about eight months elapsing before a breach is discovered. This seems par for the course when I investigate an APT (advanced persistent threat). The only difference is that the stolen data is kept and used by the hacker instead of posted on the Web.

At least Sony knew what was stolen right away. Sony understood the damage and closed the holes — at least temporarily — by shutting down its network and computers. Most companies that discover they’ve been hit find hundreds of gigabytes of stolen data in a single day’s maliciously exported data file — then must figure out what else was stolen and when. In a way, Sony is lucky.

The sad truth is that almost any company could be Sony. No company connected to the Internet could have stopped an attack like this one. Most wouldn’t have a clue it occurred. The majority of companies are completely pwned by one or more hacking groups, and those that aren’t could easily be broken into in an hour or less. The overall state of computer security at most companies is pathetic.

By turning off its network for a few weeks, Sony is responding more aggressively than most companies would. Ultimately, I’m betting Sony will follow the same pattern set by other big companies hit over the last few years (Home Depot, Target, and so on): fire the old guard, hire new “experts,” and spend tens of millions of dollars on new security systems.

Those millions will barely move the needle. Any dedicated, decent hacker will be able to break back into Sony or any of these companies at will — the overall problem isn’t specific to one infrastructure and can’t be prevented by a security product. No amalgam of network and endpoint security defenses will prevent badness from breaking in.

Toward a real solution

To significantly reduce Internet crime, you have to fix the Internet and get global accountability. What do I mean by “fix”?

Well, we don’t have to invent new Internet protocols or rocket-science technologies. We have all the technology we need. As I’ve proposed for years, what we need is an open, global early-warning system — and to agree on a scheme that positively identifies Internet users with minimal violation of privacy. Sure, that’s a tall order. But if we get the right security leaders in one room to hammer out the details, it can be done.

We also need global enforcement. As long as the bad guys can get away with malicious actions and escape punishment, we’ll never stop Internet crime. Sadly, today, even if we have all the evidence in the world about who did what, when the perps sit on the other side of the right global boundaries, we can’t touch them. Until we make it painful for countries to ignore home-grown cyber terrorists, Internet crime will continue to pay.

Don’t get caught up in the hype that the Sony hack was huge, devastating, and unique. It wasn’t — it’s much worse. The real story is that nearly every company could be Sony. Many already are and don’t know it.

The public nature of the Sony hack was good because it pulled back the curtain on the woeful security landscape. The grandiose, punitive nature of the attack made it more dramatic — though it was likely accomplished by hackers with ordinary skills. Almost anyone can see we can’t carry on this way.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
