The recent Sony Pictures hack has exposed the ever-growing threat landscape and the ability of hackers to break into corporate networks. The Sony hack is a little different from other hacks in that the motive of the hackers was to defame Sony Pictures Entertainment (SPE), the subsidiary of Sony Japan that runs its motion picture, television production and distribution units. The hackers, under the name #GOP, released damning information on the inner functioning of Sony Entertainment. Worse, some of the confidential data landed with the press, which then had a free ride on matters ranging from how Sony (SPE) treated celebrities to its value systems, which completely embarrassed the company and impacted its core operations.
The hack came to light when SPE employees discovered it on November 24, 2014 at their HQ in Culver City, US. What they saw on their computer screens was an image of a skull with a message stating: “We already warned you, and this is just a beginning. We continue till our request is met. We’ve obtained all of your internal data including your secrets and top secrets. If you don’t obey us, we’ll release the data shown below to the world.”
Indeed, a worst moment for any CIO or CISO. Let’s look at some key learnings from this hacking episode. Any security breach has key takeaways, and an instance like this has some major lessons to be learnt.
Need Strong Password and Authentication
According to security experts analyzing the leaked documents put up in the public domain, one of the worst practices Sony seems to have adopted is its management of passwords. Some of the confidential data in the system folders was unencrypted, and for the data that was encrypted, there was a folder titled ‘passwords’ containing the keys to those encrypted files. This is perplexing, like writing your ATM password on the back of your card. Given that Sony Pictures is a huge corporation, it is indeed surprising that it chose to have such weak password management policies. Furthermore, it is not clear why Sony did not use two-factor authentication.
Lack of Well Governed Email Policy and Digital Shredding
In the past, organizations relied heavily on paper shredders to destroy confidential documents. But as intra-office correspondence moved predominantly to email, the age of true privacy started eroding. The Sony hack is a classic case of how emails sent without any governing policy can create havoc. The exposed internal emails between key Sony executives, and their attitude towards celebrities like Angelina Jolie, shocked everyone. Even though the emails were meant for Sony's internal consumption, their very dim view of many celebrities created a very bad image, and some said it exposed the company's true colors. If only Sony Pictures had adopted a carefully drafted policy for secured email transactions, it would at least have not exposed some confidential emails.
Need a Tiered Access to Information
This is also surprising. According to reports, Sony seems not to have compartmentalized access to data, so mission-critical, classified and unclassified data were all treated in the same way. Classifying data by confidentiality might have given Sony a kind of digital perimeter that would at least have made it more difficult for hackers to break in.
Lack of a Coherent Security Policy
This is probably one of the biggest lessons for any enterprise looking at the Sony hack as an instance to learn from in safeguarding itself against such attacks. Sony is not new to hacks; it has a history, and some reports point out that some employees and security experts had flagged its weak defense systems in the past too. It is ironic that the top management at Sony did not do enough homework to secure its assets even after ample forewarnings. So ultimately they paid the price. Moreover, it will take a long time for Sony to rebuild the credibility it lost in this hack.
Invest in Right Technologies
This is also one of the critical elements for which Sony paid. Observers say that Sony was not able to create a seamless security backbone consisting of the right set of policies, technologies, security governance and access best practices. Some experts say it prioritized ease of access, at the cost of weak encryption and passwords. Passwords and encryption are just one level of security, and there is a whole lot more that makes up a security framework. The bottom line is that Sony's security ecosystem surely cannot be adjudged to be at a managed level, and it failed to create a proactive security system.
Plan and Allocate IT Spend on Network Security
According to a December 2014 Forrester report titled “Understand The State of Network Security: 2014 To 2015” by Heidi Shey and Kelley Mak, network security reigns as the largest part of the security technology budget. Network security has historically been the largest chunk of the security technology spending budget, and 2014 is no exception. The technologies, plus maintenance and value-added professional services, in addition to as-a-service offerings for network security, add up.
So clearly, there seems to have been an oversight at Sony when it comes to network security, and this is a valuable lesson for all other organizations to look closely at their own network security and create a proactive network security backbone.
Invest in People
Security and risk executives must continue to invest in people, not just technology and services. At the end of the day, it’s not just about technology; one needs to invest in people as well. According to Forrester Research, lack of staff and unavailability of security staff with the right skills (specifically, security operations and application security skills) is a major challenge today. As firms continue to compete for skilled staff, they must continue to invest in skills and career development for their current security team.
Leverage Security Analytics
Experts aver that big data analytics has a critical role to play in building a foolproof security regime. According to experts at Forrester Research, security analytics and network analysis and visibility (NAV) tools are key components of a Zero Trust network. Business executives demand data for decision-making, and security pros want situational awareness. Security Information Management (SIM) tools are seen as a solution to fulfill both needs, but currently SIM is not being used to its full potential.
Big data and NAV tools for security analytics will provide the necessary additional ingredients to overhaul SIM and move it from merely compliance reporting to providing situational awareness for both the business and security. Today, about 34% of network technology decision makers plan to invest in security analytics, either by expanding or upgrading a current implementation or by implementing a new solution in the next 12 months, and 33% say the same for NAV. Organizations are demonstrating a steady year-over-year increase in interest in such tools.