Sony

Published on Nov 19, 2015

PRESENTATION OUTLINE

WHAT HAVE WE LEARNED FROM THE SONY ATTACK?

JOE TOMASONE / VORMETRIC, INC.

It wasn't your average hack.

A watershed event in the information security world.

For the first time, we saw a highly public disclosure of breached material, coupled with an extortionist threat, coupled with international politics.

THE DAMAGE WASN'T JUST FINANCIAL

The attack was expected to cost Sony over $35 million in direct costs.

IT WASN'T JUST DISRUPTIVE

Essentially, the bulk of Sony's desktops were erased, forcing the staff to resort to smartphones, tablets, and even typewriters to conduct business.

IT WASN'T JUST TIME CONSUMING

It took Sony months to restore their IT infrastructure - and the damage was so bad that they had to ask regulators to allow them to delay reporting their third quarter earnings because the systems that stored and prepared the data had not yet been repaired.

IT WASN'T JUST EMBARRASSING

Dozens of embarrassing revelations included executives' thoughts on various actors and their relative worth, racial and other slights, and the fact that one of the executives was actively taking Ritalin. HR files revealed the names and circumstances of sexual harassment complaints.

IT DIDN'T JUST GENERATE LAWSUITS

Seven class action lawsuits were filed against the studio over the massive leak of personal information, such as Social Security numbers, and alleged inadequate cyber protection. The plaintiffs claim that the hacking has left them vulnerable to identity theft, tax fraud, and financial theft because their Social Security numbers and other information have been made “publicly available to anyone with an Internet connection.”

Among other things, the lawsuit points to reports that the breach exposed more than 47,000 Social Security numbers, including 15,200 from current and former employees. Some of the employees last worked at the studio as long ago as 1955, the suit claims, raising concerns about data retention policies.

It also points to reports that the initial leak included a spreadsheet that listed the names, birthdates and Social Security numbers of 3,803 employees. And it contends that hackers used the stolen data to threaten employees and their families with physical harm.

It was ALL OF THESE THINGS.

and more.
The intangible costs:

Loss of reputation due to damaging commentary in emails about actors, public figures, competitive companies, and partners.

Unwillingness of business partners (actors, contractors, suppliers) to work with Sony due to disclosure of emails, PII.

Difficulty of attracting employees due to failure to secure SS#s, other damaging information.

The lowlights:

  • Movies released
  • Systems wiped
  • Emails published
  • PII disclosed
      • 47,000 SS#s
      • Names, birthdates and Social Security numbers of 3,803 employees
      • Salary data
  • Proprietary data disclosed
      • Contractors used
      • Prices paid
      • Information on upcoming movies - plots, directors, actors, etc.
  • Employees threatened
      • Employees & their families threatened by GOP

The ramifications

  • 7 Class action lawsuits filed
  • 4+ months to get IT back online
  • Damage to reputation
  • Loss of revenue
  • Amy Pascal Quit/Fired

what we think we know

  • Current or former employee involvement
  • Privileged access
  • Malware introduction
  • Long term access without detection

What was released?

  • 33,880 files in 4,864 folders.
  • 47,426 unique Social Security Numbers
  • Internal emails
  • Plaintext passwords
  • Employee lists with names, DOB, SSN, employment details, etc.

What was released?

  • X.509 certificates for servers, users, and services
  • Credentials for social media accounts
  • 121 FTP plaintext credentials, including the main Sony Pictures FTP server.
  • Plaintext credentials for partner web sites and internal/external servers.

What was released?

  • Bank statements, account information including wire transfer info, reports, projections, budgets, and other financial data.
  • Licensing contracts.
  • Scans of driver's licenses, passports, etc., detailing full names, home addresses, dates of birth, Social Security numbers and more.

HOW COULD THIS HAPPEN?

the bad and the ugly

  • Inadequate access control
  • No encryption
  • No meaningful auditing or DLP
  • Failure to learn from past breach
  • Woefully atrocious credential management

BUT THE REAL FAILURE WAS MENTAL

“It’s a valid business decision to accept the risk (of a cyberattack), I will not invest $10 million to avoid a possible $1 million loss.”

- Jason Spaltro, then-Executive Director of Information Security at Sony Pictures Entertainment, speaking to CIO Magazine in 2007

SO HOW DO WE AVOID THIS?

There are two types of organizations: Those that have been breached, and those who haven't realized it yet.

defense strategies over time

  • Perimeter (Us vs. Them)
  • Network segmentation
  • 802.1x
  • Internal firewalls
  • Controls on data itself
Perimeter defense fosters an "us vs. the world" mindset, which only holds up if all of "us" are trustworthy and under control.

Network segmentation only goes as far as keeping non-privileged users away from resources they don't need to use (until they do), and it does nothing in the case of admins.

802.1x brings it down to the individual workstation, but doesn't stop malware.

Using internal firewalls recognizes that not all internal traffic is legitimate and harmless.

TODAY'S THREATS REQUIRE THOUGHT RE-ORIENTATION

the realities

How are organizations, by and large, addressing security today?

Regulatory & Compliance Concerns Are Too Often Driving Security Practices

A modern-day expression of the squeaky wheel getting the grease.

Hammering the nails.

Doing the minimum to pass audits.

These organizations do not contemplate the worst case scenario for the entire organization, just what happens when the PCI/PII/PHI gets compromised.

"Admins Cannot Be Controlled"

Admins need god-like powers to perform their jobs. Operating systems do nothing to curb this power.

In reality, admins do not need to have this power.

They don't need to be able to access everything.

They have no "need to know".

And when this power is used for evil rather than good, what happens?

Sony happens.

THE DATA IS WHAT MUST BE DEFENDED.

The perimeter defense must be brought down to its logical conclusion, and the data itself must be defended.

Yes, this means identifying it, protecting it, and detecting when it leaves the network, then understanding how and why.
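One way to do the "identifying it" step, as an added example that is not from the presentation or from Vormetric: a small Python scanner that inventories a file share for two of the data classes the leaked dump contained, Social Security numbers and plaintext credentials. The file contents, paths and credential lines below are constructed for the demo; the SSN plausibility check follows the Social Security Administration's issuance rules (no 000, 666 or 900-999 area, no 00 group, no 0000 serial) to keep dates and phone numbers out of the count.

```python
import re

# Constructed sample file share (path -> contents); none of this is real Sony data.
SAMPLE_FILES = {
    "hr/employees_2014.csv": (
        "name,dob,ssn,title\n"
        "A. Person,1961-04-02,219-09-9999,Analyst\n"
        "B. Person,1974-11-30,123-45-6789,Manager\n"
        "C. Person,1988-01-15,219-09-9999,Clerk\n"      # same SSN twice: counted once
    ),
    "it/ftp_servers.txt": (
        "host=ftp.example.invalid\n"
        "user=backup\n"
        "password=Summer2014!\n"                        # plaintext credential
        "password_policy: 12 chars minimum\n"            # policy text, not a credential
    ),
    "finance/notes.txt": "Ref 000-12-3456, 666-12-3456 and 987-65-4320 are not issuable SSNs.\n",
    "marketing/slogans.txt": "Big summer release. Call 555-0100.\n",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CRED_RE = re.compile(r"^\s*(?:password|passwd|pwd)\s*[=:]\s*\S+",
                     re.IGNORECASE | re.MULTILINE)


def is_plausible_ssn(area, group, serial):
    """Reject area/group/serial values the SSA never issues, to cut false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def scan_text(text):
    """Distinct plausible SSNs and the number of credential lines in one file."""
    ssns = {m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())}
    return {"ssn": ssns, "credential": len(CRED_RE.findall(text))}


def inventory(files):
    """Map each file with findings to counts, so an owner can decide: delete, encrypt or restrict."""
    found = {}
    for path, text in files.items():
        hit = scan_text(text)
        if hit["ssn"] or hit["credential"]:
            found[path] = {"ssn": len(hit["ssn"]), "credential": hit["credential"]}
    return found


def total_distinct_ssns(files):
    """Unique SSNs exposed across the whole share (the figure a breach notice would need)."""
    seen = set()
    for text in files.values():
        seen |= scan_text(text)["ssn"]
    return len(seen)


if __name__ == "__main__":
    for path, counts in sorted(inventory(SAMPLE_FILES).items()):
        print(f"{path}: {counts}")
    print("distinct SSNs across share:", total_distinct_ssns(SAMPLE_FILES))
```

Run against a real share the inventory becomes the input to the next two steps: files with SSNs are candidates for encryption and retention review (the suit's 1955 hires are a retention problem, not an encryption one), and files with credentials are an immediate rotation list.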

EXPECT TO BE BREACHED!

It's not if, it's when. Too many attack vectors, from malware to vulnerabilities in libraries to mobile devices to rogue employees to phishing attacks etc etc etc.

Do you have locks on your doors? Perimeter defense.

An alarm system? Motion detectors? Why? Because we know that if someone wants to get in, they can find a way to get in. We want to know that.

Do you have a safe? Why? THAT is defending your valuables - AKA your data.

PROACTIVE STEPS

  • Strong Encryption
  • Strong Access Control
  • Effective Auditing
  • Proactive Risk Mitigation
  • Data Loss Prevention
  • "Encrypt Everything"
Don't make the mistake of thinking that encryption alone will solve the problem. FDE (full-disk encryption) is a case in point.
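To make the "admins don't need to read everything" point and the FDE caveat concrete, here is an added example (not the presenter's or Vormetric's code). A record is encrypted under a per-file data key; that key is wrapped by a separate key service, which unwraps it only for principals on a need-to-know list and logs every decision. The storage admin can still copy the blob for backups, but gets ciphertext, which is exactly what FDE on a mounted, running system does not give you. The principals, key ids and policy are constructed, and the cipher is HMAC-SHA256 run in counter mode as a standard-library stand-in for AES-GCM: it provides confidentiality only, not integrity, so a real deployment would use an authenticated cipher from a vetted library.

```python
import hashlib
import hmac
import secrets


def keystream_xor(key, nonce, data):
    """XOR data with a keystream HMAC-SHA256(key, nonce||counter). Stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class KeyService:
    """Separate trust domain: holds the key-encrypting key and the need-to-know policy."""
    POLICY = {"hr_payroll": {"payroll_app"}}     # constructed: key id -> principals allowed to unwrap

    def __init__(self):
        self._kek = secrets.token_bytes(32)
        self.audit = []                          # (principal, key_id, decision), every call

    def wrap(self, data_key):
        nonce = secrets.token_bytes(16)
        return nonce + keystream_xor(self._kek, nonce, data_key)

    def unwrap(self, key_id, wrapped, principal):
        allowed = principal in self.POLICY.get(key_id, set())
        self.audit.append((principal, key_id, "ALLOW" if allowed else "DENY"))
        if not allowed:
            raise PermissionError(f"{principal} has no need-to-know for {key_id}")
        return keystream_xor(self._kek, wrapped[:16], wrapped[16:])


class EncryptedStore:
    """What the file server holds: ciphertext plus the wrapped data key. Root here gets no plaintext."""

    def __init__(self, key_service):
        self.ks = key_service
        self.blobs = {}

    def put(self, name, key_id, plaintext):
        data_key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        self.blobs[name] = (key_id, self.ks.wrap(data_key),
                            nonce + keystream_xor(data_key, nonce, plaintext))

    def raw(self, name):
        """Storage-admin path (backup, copy): ciphertext only, no key service involved."""
        return self.blobs[name][2]

    def read(self, name, principal):
        """Application path: plaintext only if the key service lets this principal unwrap."""
        key_id, wrapped, blob = self.blobs[name]
        data_key = self.ks.unwrap(key_id, wrapped, principal)
        return keystream_xor(data_key, blob[:16], blob[16:])


def demo():
    ks = KeyService()
    store = EncryptedStore(ks)
    record = b"name=A. Person,ssn=219-09-9999,salary=90000"   # constructed record
    store.put("payroll.csv", "hr_payroll", record)
    results = {
        "app_reads_plaintext": store.read("payroll.csv", "payroll_app") == record,
        "admin_copy_is_ciphertext": record not in store.raw("payroll.csv"),
    }
    try:
        store.read("payroll.csv", "storage_admin")
        results["admin_denied"] = False
    except PermissionError:
        results["admin_denied"] = True
    results["audit"] = [decision for _, _, decision in ks.audit]
    return results


if __name__ == "__main__":
    print(demo())
```

The audit trail is the second half of the control: the DENY entry for the storage admin is the event a SIEM rule should page on, because on a plain FDE or unencrypted file server that read would have succeeded silently.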

Auditing with SIEM is crucial.
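Added example of the auditing the deck calls for (not the presenter's or Vormetric's code): the kind of logic a SIEM rule set would express, run over constructed file-access audit records. It flags a privileged account reading shares outside its need-to-know entitlement, admin activity off hours, a rolling-hour bulk read of sensitive shares, and a copy to a destination outside the internal prefixes. Usernames, shares, roles, thresholds and the key=value log format are all assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records (key=value after a UTC timestamp); not real Sony logs.
SAMPLE_LOG = """\
2014-11-17T09:05:10Z user=hr_clerk role=hr action=read share=hr path=benefits/2014.xlsx bytes=204800
2014-11-17T09:40:00Z user=dba01 role=admin action=read share=sql_backups path=prod/full.bak bytes=52428800
2014-11-17T23:12:44Z user=dba01 role=admin action=read share=hr path=payroll/all_staff.csv bytes=8388608
2014-11-17T23:13:02Z user=dba01 role=admin action=read share=hr path=complaints/2013.docx bytes=1048576
2014-11-17T23:15:30Z user=dba01 role=admin action=read share=legal path=contracts/dist_2015.pdf bytes=4194304
2014-11-17T23:20:11Z user=dba01 role=admin action=copy share=finance path=wire/accounts.xlsx dest=ftp://203.0.113.9/up bytes=2097152
2014-11-18T10:02:00Z user=analyst7 role=finance action=read share=finance path=budget/q3.xlsx bytes=512000
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Need-to-know map (constructed): admins maintain systems; they do not read HR content.
ENTITLEMENTS = {
    "hr": {"hr"},
    "finance": {"finance"},
    "admin": {"sql_backups", "sys_images"},
}
SENSITIVE_SHARES = {"hr", "legal", "finance"}
BULK_THRESHOLD = 8 * 1024 * 1024          # bytes of sensitive data per user per rolling hour
INTERNAL_DEST_PREFIXES = ("smb://", "\\\\")
OFF_HOURS = (20, 7)                       # admin activity after 20:00 or before 07:00 UTC


def parse_line(line):
    ts_text, _, rest = line.partition(" ")
    rec = dict(FIELD_RE.findall(rest))
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    rec["bytes"] = int(rec.get("bytes", "0"))
    return rec


def detect(log_text):
    """Return (rule, user, timestamp, detail) alerts for the records in log_text."""
    records = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    alerts = []
    window = defaultdict(list)            # user -> [(ts, bytes)] sensitive reads in the last hour
    bulk_flagged = set()                  # one bulk alert per user, not one per record
    for r in records:
        user, role, share, ts = r["user"], r["role"], r["share"], r["ts"]
        if share not in ENTITLEMENTS.get(role, set()):
            alerts.append(("outside_entitlement", user, ts, share))
        if role == "admin" and (ts.hour >= OFF_HOURS[0] or ts.hour < OFF_HOURS[1]):
            alerts.append(("admin_off_hours", user, ts, share))
        if r.get("action") == "copy" and not r.get("dest", "").startswith(INTERNAL_DEST_PREFIXES):
            alerts.append(("outbound_copy", user, ts, r.get("dest", "?")))
        if share in SENSITIVE_SHARES:
            window[user].append((ts, r["bytes"]))
            window[user] = [(t, b) for t, b in window[user] if ts - t <= timedelta(hours=1)]
            total = sum(b for _, b in window[user])
            if total > BULK_THRESHOLD and user not in bulk_flagged:
                bulk_flagged.add(user)
                alerts.append(("bulk_sensitive_read", user, ts, total))
    return alerts


def rules_by_user(log_text):
    """Collapse alerts to {user: set_of_rules}, the view an analyst triages from."""
    out = defaultdict(set)
    for rule, user, _, _ in detect(log_text):
        out[user].add(rule)
    return dict(out)


if __name__ == "__main__":
    for rule, user, ts, detail in detect(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {rule:<22} {user:<10} {detail}")
    print(rules_by_user(SAMPLE_LOG))
```

Note what does not fire: the admin's 50 MB read of a SQL backup at 09:40 is within entitlement and in hours, so it is silent. The rules key on entitlement and data sensitivity rather than raw volume, which is what keeps "long term access without detection" from hiding inside normal admin noise.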

Be proactive! Address what you can before the breach - even if you don't prevent it, you can mitigate the results.

What kinds of security mistakes have you made? Did you learn from them and prevent them from happening again?

93% of organizations surveyed by Vormetric were concerned about insider threats.

"Defense in depth" has never been more important.

and Hey...

let's be careful out there!

ANY QUESTIONS?

JOE TOMASONE @JOETOMASONE JTOMASONE@VORMETRIC.COM