There's been a big story lately on a hack of Sony Pictures. Terabytes of sensitive data were exfiltrated and posted publicly. There are several theories about the motivations behind this, but I want to focus on the security practices. Let's be slow to throw rocks, because this could be you.
I'm a big proponent of leveraging size to reduce cost. Sony, Sony Pictures' parent company, had consolidated security management into its global organization. At first that seems like a good idea.
But the result was that the global organization could not, or did not, focus on local issues. The global team was failing to monitor 149 of the 869 Sony Pictures systems in its scope. That's 17% of the systems unmonitored.
And the global organization's IT management was aware of this gap and did not remedy it. Even with 17% of the systems unmonitored, almost 200 security incidents were reported to the global organization between September 2013 and June 2014.
It is not known whether the intrusion leveraged any of these unmonitored systems, but they certainly were vulnerable.
Lesson: Cost should not be a primary consideration in IT security decisions.
Several other issues emerged from the leaked data itself. In the data were hundreds of RSA SecurID tokens, Lotus Notes IDs, passwords, and certificates, many of them stored together with the passphrase required to use them. One of the certificates was a certificate Sony Pictures used to sign code. Its password was the filename.
Lesson: Lock up the family jewels.
One of the other firestorms has been the content of the leaked e-mails. Besides all the sensitive business discussions were some pretty damning exchanges concerning actors and actresses.
Lesson: Have a policy about what is allowed in e-mail, and recurring training on the necessity of this policy.
Finally, face up to the fact that your company will be hacked.
Articles that I used in this post: