Last month’s data breach left mud on the faces of the leaders of Sony Pictures Entertainment with the release of thousands of files including financial documents, E-mails, and unreleased movies. The hackers stole and deleted much data from Sony’s servers, and journalists downloaded and released reams of sensitive data. Sony’s network was down for days as IT staff members attempted to repair the damage.
How did this attack occur? How could it have been prevented?
For well over 20 years, I have consulted for thousands of companies worldwide finding vulnerabilities, advising on how to avoid a breach, and offering suggestions after one has occurred. I’ve seen clear patterns in the decisions of and results for the companies I’ve worked with.
We can’t change what happened to Sony – nor to Target, Home Depot or any of the other companies that endured major breaches. But we can step back, learn from those tragedies, and work to ensure that similar events don’t happen to us.
Here are five lessons from this fiasco:
1. Think ahead — Assume attackers will try to breach your company, because they probably will. They are often unsuccessful – but that risk could be catastrophic. Strong leadership can make the difference by taking these matters seriously and spending what is necessary to secure their company. Given that a breach can cost millions – Sony may lose more than $100 million – the right spending can drastically minimize the risk both to the company and to its personal reputation. A company should do a simple risk analysis; how much can it lose if I breached? How much is it wiling to spend to guard against this?
2. Focus on the basics — Most companies don’t even do many of the preliminary steps that stop an attacker from gaining a foothold on a network, such as sufficient patching (fixing potential vulnerabilities) and setting strong passwords. A Sony-sized company is usually hard-pressed to keep track of all its systems. For some, a system inventory database can keep management informed about every system on its network – as well as its operating system, software, version levels, and more. As an ethical hacker, I can tell you that just one unsecured system can give intruders a foothold, which is very dangerous.
3. Follow the patterns — Although the FBI described the level of sophistication for the Sony breach as “extremely high” and the malware was sophisticated enough not to be picked up, as with all attacks, it followed a pattern. Hackers may probe a network, scan its ports for vulnerabilities, attempt to login using default or simple-to-guess passwords (causing failed login alerts), look for and reuse admin credentials, copy data, and more. No guarantees, but a company can pick up these patterns with proper monitoring systems. Although it may not detect stealthy attackers right way, it’s more likely to detect them he longer they are in its network. The hackers who breached Sony transferred terabytes out of the network – and weren’t even detected.
Every log should be collected from servers, firewalls, intrusion prevention systems, etc., and sent to a Security Information and Event Management (SIEM) tool. It should be monitored 24/7 by an organization with expertise in reading the alerts. If a company tries to do this independently, the system will either sit in the corner gathering dust or it will – as Target did – dismiss all alerts as false positives.
4. Protect the crown jewels — Obviously, if data is a company’s main business, it needs to do all it can to protect it, a process known as data loss prevention (DLP). How did Sony not know that such huge amounts of data were being sent out of its networks? Did they employ no DLP technology, or even monitor key systems to know when such things occurred?
Any company that wants to protect key data assets simply must have a strong DLP program. Some of these steps are easy: segmenting and placing sensitive data in its own network, protecting the data by using a firewall, only giving access through the firewall to those that need it, and setting strong outbound (egress) filtering on all firewalls to prevent data leaking out. Additionally, it might consider purchasing DLP software that stops data from being e-mailed, printed, or copied onto a thumb drive, and tying its logs into its managed SIEM systems. There. You’ll have another way to know if a breach is occurring.
5. Plan for the worst. Accept it — Companies get breached. But a company must be able to continue operating after an attack. The fact that that some Sony employees had to use whiteboards because they lost all access to sophisticated technology makes me wonder if they had a Business Continuity / Disaster Recovery (BCDR) plan in place. With a good BCDR and employees trained about what to do in event of an emergency, the company can continue to operate despite the attack. Historically, companies would only have emergency plans in case of fires, tornados, and earthquakes. Nowadays, companies also need written plans for the event of an attack, so they won’t be sent back to the 1800s if a major breach occurs.
These lessons aren’t a magic bullet for preventing or minimizing a breach. They do, however, offer good strategies to avoid Sony-style mistakes.
Alexander Jones is the chief information officer of Trojan Horse Security (TrojanHorseSecurity.com), a Washington-based security-consulting firm with headquarters. A recognized expert in cyber security, he has consulted for many of the world’s largest companies.