When Sony Pictures Entertainment was reportedly hacked last October, it became the most significant cyber-attack to receive nation-state attribution. Shortly after the company leadership announced the breach, anonymous US government sources whispered to major media sources from the shadows they believed hackers affiliated with the government of North Korea were responsible for the breach and subsequent extortion of Sony Pictures Entertainment executives. Straining credulity even further, these same sources said the motivation for the attack was the impending release of a predictably lame comedy movie about two bumbling journalists tasked with assassinating North Korean dictator Kim Jong-un.
As this crazy scenario played out during the final quarter of last year, numerous Sony executives were exposed for crass (and allegedly racist) email exchanges, and the pseudonyms of a bevy of movie stars were brought to light in the purloined information. Missing in all the words written by journalists, technology reporters, and security researchers was a detailed description of the exploited vulnerabilities, and an explanation of how the sheer volume of data exfiltrated happened without anyone on the Sony security team noticing.
While Hollywood executives were being exposed as nasty industry infighters, and movie stars as snobby narcissists, the breached financial data and strategy document ripped the covers off a treasure trove of sensitive corporate data. The repercussions of this breach aren’t reflected in the sheer numbers alone, nor the dodgy attribution. It should also be a wake-up call for all security practitioners as well.
First and foremost is understanding the specific vulnerabilities that were exploited in the Sony infrastructure. Remember, it’s not just the technical vulnerabilities, but the policy and human factors failures as well. In addition, one of the most glaring lessons of the Sony breach is to watch for unusually large amounts of data leaving your network for unknown destinations. Even though the Sony attack got lots of media attention, it didn’t even enter the Top Ten for the number of records breached in 2014. That dubious distinction belongs to eBay that exposed nearly 150 million records in 2014. When data leaves your organization at those levels, you need security oversight to ensure it’s authorized.
The other observation I want to cite in these high-visibility attacks is the seemingly newfound desire to run to the media with attribution. As one of my old-school colleagues likes to point out, attribution in cyberspace is hard. But even more significant, it is usually irrelevant. Sony can’t launch a kinetic counterattack against a nation-state like North Korea. Sony can’t even sue them. So let’s spend less time on attribution in jurisdictional-less cyberspace, and more time observing the first rule of security: protect thyself.