The Sony Pictures Hack and Learning Information Security Lessons the Hard Way

By Patrick McCulley | Other

Introduction

This column is intended for a business audience, and lacks technical details – it is the author’s intent to communicate sound security strategies to C-level personnel tasked with making decisions about them: CIOs haven’t been around for very long, and CISOs are newer still. Worse, security in the Age of Information is a nuanced art, requiring both passion and finesse to effectively pursue and execute. Unfortunately for many, the Information Technology and Information Security industries are filled with just as much bad advice as good, coupled with media sensationalism and misinformation. Hollywood almost always gets everything wrong about hacking… however, one trope stands out in its uncanny predictive power:

Nothing is unhackable.

It is only a matter of time before your business experiences some sort of compromise, and it’s up to you to limit how bad it will be.

Once More, Into A Breach

The recent compromise of Sony Pictures computer systems and subsequent theft and distribution of data by the purported hacker group Guardians of Peace is shocking in its scope and damage. Some reports have suggested that Sony’s internal systems may have been compromised for up to a year before the group executed its actions to render systems inoperable and state their demands.

The breadth and depth of the data released to the public is, simply put, stunning: Human Resources documents detailing sensitive employee information such as home addresses, 47,000 social security numbers, pay scales, performance reviews, healthcare information and more, are now freely available via BitTorrent to any interested party. Recruitment strategies, marketing information, policy documents, multiple pre-release and post-release films, scripts for films not-yet-in-production… the extent of the data is staggering: terabytes worth, much of which would be considered confidential or sensitive.

The scope of the data breach allows deductive reasoning to provide insight into the level of access which the ‘Guardians of Peace’ were able to obtain: pre-release films and scripts are doubtlessly stored in different folders, in different shares and (most likely) on different servers on Sony’s internal network. This is a strong indicator that multiple, independent systems and areas of Sony’s infrastructure were compromised. Lending further weight to this conclusion is the purported seeding of Sony breach data by compromised servers assigned to Sony’s Playstation Network. Sony previously stated that its networks were physically and logically separated.

Calculated Risks, Incalculable Losses

In 2007, CIO Online interviewed the then-executive director of information security at Sony Pictures Entertainment, Jason Spaltro. During the interview, Spaltro casually dismissed security concerns such as weak passwords, brushing off an auditor’s notation that they were a Sarbanes-Oxley Act violation. Spaltro went on to speak of weighing security concerns against risk, stating that Sony took “the protection of personal information very seriously and invests heavily in controls to protect it.”

Unfortunately for Mr. Spaltro, this statement appears to be directly at odds with data lifted from Sony Pictures Entertainment and shared via BitTorrent. An Excel spreadsheet containing social security numbers, and multiple plain-text files with credentials for Sony social media accounts, credit card accounts, or employee usernames and passwords, may be found among other documents of a sensitive or confidential nature. The fact that these documents appear in the leaked data is a clear indicator that Sony did not implement industry-recognised best practices or invest in the application of them.

In the 2007 interview, Spaltro went on to dismiss legal concerns of compliance with Sarbanes-Oxley, stating that the “risks” to an entertainment company from non-compliance with Sarbanes-Oxley are different than, say, to a bank. What Spaltro failed to realise is that the law is the law: selective interpretation of the rules by senior staff at a publicly held corporation is no less than voluntary malfeasance. Continuing that line of thought, Spaltro again dismissed regulatory compliance concerns in a dialog which sounds like something out of Fight Club:

The cost to harden the legacy database against a possible intrusion could come to $10 million, he says. The cost to notify customers in case of a breach might be $1 million. With those figures, says Spaltro, ‘it’s a valid business decision to accept the risk’ of a security breach. ‘I will not invest $10 million to avoid a possible $1 million loss,’ he suggests.

As you read the above, keep in mind that Spaltro is essentially the person most responsible for ensuring Sony Pictures Entertainment’s compliance with regulatory law, as well as for ensuring the due diligence of staff under his direction. His job description is to protect the company from just the kind of incident Sony has (once again) fallen victim to. To dismiss security concerns with the notion that it is less expensive to pay off victims than to do your job is the height of negligent hubris. Spaltro should have been fired after that interview, having displayed such an irresponsible attitude towards due diligence; instead, he is now the senior vice president of information security at Sony Pictures Entertainment.

According to the leaked documents, Sony Pictures Entertainment’s budget for Information Security is a paltry $1.5-2 million annually. For a corporation valued in the tens of billions, this amount is so small as to be ineffectual: even if Spaltro were the most motivated and competent professional in the security industry, he would find it impossible to devise an effective security strategy for a corporation the size of Sony Pictures Entertainment on so tiny a budget. To add to the bureaucratic problems, Sony (the parent organisation of Sony Pictures Entertainment) was in the midst of transitioning between Chief Information Security Officers during the latest breach.

The insider threat is always the most dangerous, whether it stems from employee negligence or malfeasance: the end result is the same. According to The Verge, an email purportedly originating from an address associated with the hacker group Guardians of Peace stated: “We worked with other staff with similar interests to get in.” The IT technician who doesn’t follow the security checklist is just as dangerous as the employee who clicks every link available to them, yet they both pale in comparison to the disgruntled employee who seeks to do you harm: a person with both the insider knowledge to be effective and the motivation to see it through.

Whether Guardians of Peace worked with insiders or not, the damage is done. Individually, the details are alarming, but together they paint a picture of systemic negligence by Sony Pictures Entertainment IT and Information Security staff.

When attempting to plan for the worst, examine every avenue available to you: utilise every security feature natively available on the equipment you already own, and make efforts to fill the gaps when they are discovered.

Due Diligence in Depth

When considering the risk to any organisation, the cost of security measures versus the likelihood that a resource may be compromised must always be weighed – however, there are some exceptions in which security risks should never be ignored: personally identifying information is a notable example. The recent breach has exposed the social security numbers of thousands of current and former Sony Pictures Entertainment employees, along with home addresses and even healthcare data. The damage, in this case, is to these employees, both current and former.

This is incalculable: their identities may be stolen, their credit may be ruined, their bank accounts may be compromised, their houses may be robbed; all these things are a direct result of the attitude displayed towards security by Sony Pictures Entertainment as a whole. Spaltro’s continued employment after the 2007 interview referenced above was no accident: it was allowed to continue by those above him, who either did not care or did not know better.

The head of Information Security at Sony Group is Nicole Seligman, whose laundry-list of a job description essentially excludes her from any impactful Information Security role: no reasonable person, no matter how strongly skilled and motivated, could possibly hope to provide a meaningful contribution to Information Security while tasked with the other roles listed. This is not Ms. Seligman’s fault; it is the fault of Sony’s leadership and their demonstrated lack of concern for Information Security.

Defence in depth is a strategy which involves designing your security plan around the concept of securing every operational area, and every interconnect between networks and systems, where possible. Such a strategy leads by proxy to due diligence in depth: a comprehensive and detailed picture of actions taken to ensure your organisation’s security by the staff responsible. Had Sony practiced this strategy and ensured the due diligence of its Information Security employees, there likely would have been no need to write this particular column.

No security strategy, no matter how robust, will be 100 percent perfect – however, adopting strategies like defence in depth contributes greatly to reducing the chance that your systems may be compromised. Every layer of security adds another roadblock in the way of baddies who intend your organisation harm.

Additionally, Blue Coat Lab’s analysis of the malware used to compromise Sony’s systems makes an excellent argument in favour of private VLANs – a networking feature which prevents workstations from talking directly to one another while still allowing them to reach servers. According to Blue Coat Lab’s analysis, this security feature would have impeded the malware’s spread. The equipment needed to implement this measure is not particularly costly, and many entry-level devices include the feature, but it requires both prior planning and hands-on engineering to perform its function properly. Furthermore, Blue Coat Lab’s analysis points to a possible point of entry: a phishing-style webpage.

Lead by Example

The case of Sony Pictures Entertainment paints a damning picture of the company’s leadership, and it’s not the first time Sony has faced a serious compromise of their network and systems infrastructure. The attitude towards security displayed by Spaltro is reflected in the way in which Sony IT staff stored critical infrastructure data.

The leaked data includes RSA SecurID tokens, security certificates, employee logins and passwords, as well as administrative access methods and connectivity guides for critical infrastructure. Each of these items alone would be considered extremely sensitive, and as a whole, they present the most serious risk imaginable to Sony’s IT infrastructure: complete compromise. Spaltro could not have been unaware that such a large amount of critical data was stored in plain text files, as opposed to properly secured password managers.

Any organisation’s security strategy is only as good as those responsible for implementing and verifying it. Lead by example, and your subordinates will follow. In the case of Sony Pictures Entertainment, Spaltro’s dismissive attitude towards security likely drowned out any concerns brought to his attention by subordinates, and in this author’s opinion, led directly to the situation in which Sony Pictures Entertainment finds itself today.

Sony follows in the footsteps of Home Depot and Target before it; according to reports, Home Depot middle management ignored warnings from their Information Security staff for years, while Target appointed someone with zero technical background as its Chief Information Officer. Furthermore, Target did not appoint a Chief Information Security Officer until after the 2013 breach. The leadership of any organisation is destined to make or break it – and in the Age of Information, the quickest way to go bust is a catastrophic data breach.

Lessons Learned

As with any security incident, the latest breach of Sony’s data provides a treasure trove of lessons to be learned by vigilant staff at other organisations.

DON’T dismiss failures of regulatory compliance as ‘acceptable risks’; remedy them. It’s not just a good idea that could save your business in the event of a breach, it’s also the law.

DON’T store usernames and passwords of administrative or user accounts in plain-text files anywhere on your local area network the way Sony did. Secure them in password managers, physically in a locked safe, or out-of-band encrypted storage.

DON’T store the personally-identifying information of employees or customers in unsecured formats on un-encrypted file-shares. Maintain them in a properly encrypted database, and take all measures to secure them in compliance with applicable regulatory law. Secure that database against unauthorised access with multi-factor authentication, not just a simple password.

DON’T allow your middle management to ignore warnings from subordinates about potential security vulnerabilities or concerns: ensure that there is a clear communications path to allow any employee to report an Information Security concern to your Chief Information Security Officer – directly.

DO ensure you hire qualified Information Security personnel who vigorously perform their duties and display attitudes in favour of personal responsibility towards the areas for which they are responsible: Information Security professionals in your organisation are the ‘data police’; their solemn duty is to ensure that sensitive data such as the personally identifying information of employees is as safe as possible from those who seek to obtain it.

DO hire outside auditors to examine your security posture and provide insights or alternative suggestions for difficult-to-secure areas. Your company has nothing to lose by doing so, other than a good night’s sleep after discovering a security concern through an external audit.

DO conduct penetration tests of your corporate network and systems to ensure that your security strategy protects as many known vulnerable areas as technically feasible. Penetration testers use the same techniques criminals use to break into your network – and if they can get inside, then the criminals are certainly just as able.

DO practice role-based access control, providing granular control over which departments have access to which resources. You don’t want artists accessing financial data on the accounting server, nor do you want your accountants to have access to pre-release scripts or post-production cuts of films.

DO practice defence in depth, applying granular filters and security measures at every level, in every area of operation. A security strategy which does not comprehensively cover every area is not a sound strategy: the ability to secure your organisation’s data is inversely proportional to how many aspects go overlooked or unattended to.

DO utilise the security features available to you which are already built into your network and systems infrastructure. Why not use a feature when you have the option to do so? Some might not be a good fit, but others may fill a critical gap. Speak with your engineers to see what can be done.

DO examine the attitudes of your Information Technology and Information Security staff towards their professions. Employees who voice dismissive positions towards security or their responsibilities should immediately ring alarm bells. These individuals contribute to the ‘insider threat’; an irresponsible employee is just as dangerous as a disgruntled employee.

The ultimate take-away from the latest and worst Sony data breach is that the company did not learn from its own prior mistakes – or the very public mistakes of Target and Home Depot before it.

DON’T be “that company”.

Note: This column is a guest article by Patrick McCulley, and the views and opinions expressed above are the author’s and do not necessarily represent those of Silicon Allee.