Sony Hack, Part 2 – How to protect your business network
In part 1 of our in-depth coverage of the Sony Hack saga we discussed the brutal attack on Sony Pictures that caused a massive breach of data and a leak of sensitive email messages, among other things. This followed an already shaky history of previous attacks on their PlayStation Network, credit card and data breaches, DDoS assaults and other devastating attacks, which led to class action lawsuits starting in 2011. But could Sony have prevented this? Let's dig a little deeper to find the answer.
Protect your business network
While the malware that took down computers at Sony Pictures in December was compiled just days before it was triggered, an earlier version of the code used to unleash the destructive attack may have been in use within Sony’s network much earlier. Malware with the same cryptographic signature and filename as the “Destover” malware was spotted by the security firm Packet Ninjas in July. Furthermore, details have emerged that suggest the attack may have begun much earlier in the year, or even before that, and that the attackers were able to collect significant intelligence on the network from Sony Pictures’ own IT department. It’s clear that those behind the attack were deep inside Sony’s network for a long time before they set off the malware that erased Sony hard drives.
None of this should have been a surprise to Sony, considering that in April 2011 their PlayStation Network was knocked offline for 23 days by a separate group of hackers. In that attack, personal details from approximately 77 million accounts were stolen, and users of PlayStation 3 and PlayStation Portable consoles were prevented from playing online through the service during the blackout. Between April of 2011 and November of 2014, Sony had over three years to strengthen the security on their networks and use best practices to protect their valuable intellectual property and coveted private business data.
Could it have been avoided?
On December 11th, 2014, Joseph Demarest, assistant director of the FBI’s cyber division, told Congress that the malware that thoroughly penetrated Sony Pictures Entertainment was “so sophisticated it likely would have worked against nine out of 10 security defenses available to companies”. However, new details have emerged about the actual malware that was used, and they contradict what the FBI said about the attack.
On December 17, 2014 analysts at Cisco announced that they researched a malware sample matching the MD5 hash signature of the “Destover” malware that was used in the attack on Sony Pictures. They revealed that the code was full of bugs and anything but sophisticated. It was the software equivalent of a crude pipe bomb. Compared to other state-sponsored malware that researchers have analyzed, “It’s a night and day difference in quality,” said Craig Williams, senior technical leader for Cisco’s Talos Security Intelligence and Research Group, in an interview with Ars. “The code is simplistic, not very complex, and not very obfuscated.”
So if the attack was actually simple, full of bugs, and not very sophisticated, how could the attackers have done so much damage? The answer comes in two parts. The first part is that the hackers most likely had help from a disgruntled employee on the inside, and the second is that Sony failed to use even the most basic security protections on their systems.
Network Security is all about best practices
The website BlackStratus provides an excellent list of 17 Best Practices for Maintaining Data Security in a Business Environment.
1. Follow ISO 27001 and ISO 27002:
Together, ISO 27001 and ISO 27002 represent the most comprehensive set of best practices for data security in a business environment. Implementing ISO 27001 or ISO 27002 controls is the easiest way to keep your corporate data safe on an ongoing basis. Many of the following tips are drawn directly from ISO guidelines.
2. Plan-Do-Check-Act:
The plan-do-check-act (PDCA) cycle is the cornerstone of the ISO 27001 standard. Working towards ISO 27001 certification is a worthy goal for any facility. Even if your organization doesn’t require certification, PDCA is an important litmus test for any data security policy. Make sure you have protocols in place to plan your security processes ahead of time, do the difficult work of integrating these processes, check that they are being followed and act quickly in cases of non-compliance.
3. Regular Auditing:
Regular auditing of your security practices will ensure business rules are being implemented properly by all team members. ISO 27001 and ISO 27002 mandate that a third party audit be carried out every 12 months. Regular internal auditing on a quarterly or monthly basis is also recommended — frequent or ongoing audits will ensure that both the letter and the spirit of your security policies are being fulfilled on a daily basis.
4. Identifying Assets:
Identifying your assets is the first step to developing an advanced security posture. Not coincidentally, it is also one of the first steps in an ISO 27001 or ISO 27002 security audit. Begin by making a list of all hardware, software, media, data and applications that contain sensitive data. Assign a location and ownership to each one, and ensure that each owner is aware of their responsibilities. To simplify things, assets can be graded according to their priority level.
5. Insider Threats:
Over half of all security breaches are caused by insiders rather than malware or web-based attacks. Either through negligence or deliberate sabotage, your employees are the greatest risk to your data. Policies should be in place to minimize the risk of data loss, both by properly screening applicants and by ensuring that appropriate responsibilities are set at the contractual level.
6. Data Backup:
Requirements for backing up data vary according to industry. Most IT security professionals recommend a daily backup of all files that have changed in the past 24 hours, followed by a complete backup on a weekly basis. Data should also be regularly archived for long-term storage.
7. Access Control:
Part of identifying and prioritizing your security assets involves assigning and maintaining access levels among staff. Creating a consolidated list of passwords and storing it in an encrypted location is an excellent way to begin this process.
8. Physical Security:
Physical security involves not only barrier protection limiting access to sensitive resources by unauthorized personnel, but it also involves keeping critical servers, workstations and cables protected from damage by floods, earthquakes, fires, theft, etc.
9. Encryption Policy:
The ISO 27002 standard dictates that a company-wide encryption policy be designed and implemented, covering standards and responsibilities for digital signatures, keys, certificates and any other encryption tools.
10. Real Time Monitoring:
Threats against your network are constantly evolving. The best way to maintain a vigilant security posture is by implementing SIEM tools that keep track of logged data and correlate information from different sources, identifying malicious behavior and giving your IT team the tools and data to respond to emerging threats.
11. Log Collection:
To simplify the auditing process, it is recommended that policies be put in place for the collection and long-term storage of log and report data. This will allow you to keep track of your security posture over time and can aid in future forensic investigations.
12. Scalable Solutions:
Scalable security solutions grow with your business, making it easy to add users, expand your security coverage or implement new procedures, protocols and business rules. When choosing SIEM software and other logging/data safety appliances, go with a product that will be easily expandable to meet your future needs.
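As an added example (not code from this article or from BlackStratus), the following script shows what the cross-source correlation that practices 10 and 11 describe looks like in practice: log lines from two sources are normalised into one schema, then a rule ties an off-hours VPN login to a burst of file-server reads by the same user within a short window. The log formats, hostnames, usernames and thresholds are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs in hypothetical formats for two sources: a VPN
# concentrator and a file server. These are not real Sony or vendor logs.
VPN_LOG = """\
2014-11-20T02:14:07 vpn01 login user=jdoe src=198.51.100.23 result=ok
2014-11-20T09:02:11 vpn01 login user=asmith src=203.0.113.8 result=ok
"""
FILESERVER_LOG = """\
2014-11-20T02:20:41 fs01 read user=jdoe path=/finance/q3.xlsx bytes=1048576
2014-11-20T02:21:03 fs01 read user=jdoe path=/legal/contracts.zip bytes=7340032
2014-11-20T02:21:45 fs01 read user=jdoe path=/hr/payroll.csv bytes=524288
2014-11-20T09:10:00 fs01 read user=asmith path=/eng/spec.docx bytes=65536
"""

LINE = re.compile(r"(\S+) (\S+) (\S+) (.*)")

def parse(text, source):
    """Normalise one source's lines into dicts that share a common schema."""
    events = []
    for line in text.splitlines():
        ts, host, action, rest = LINE.match(line).groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields.update(ts=datetime.fromisoformat(ts), host=host,
                      action=action, source=source)
        events.append(fields)
    return events

def correlate(events, window=timedelta(minutes=30), min_reads=3, off_hours=(0, 6)):
    """Rule: an off-hours successful VPN login followed by at least min_reads
    file-server reads by the same user inside the window raises one alert."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for login in events:
        if login["action"] != "login" or login.get("result") != "ok":
            continue
        if not off_hours[0] <= login["ts"].hour < off_hours[1]:
            continue
        reads = [e for e in events
                 if e["action"] == "read" and e["user"] == login["user"]
                 and login["ts"] <= e["ts"] <= login["ts"] + window]
        if len(reads) >= min_reads:
            alerts.append({"user": login["user"], "login": login["ts"].isoformat(),
                           "reads": len(reads),
                           "bytes": sum(int(r["bytes"]) for r in reads)})
    return alerts
```

Call `correlate(parse(VPN_LOG, "vpn") + parse(FILESERVER_LOG, "fileserver"))` to run the rule over both sources; neither source alone would fire it, which is the point of correlating them.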
13. Manage Removable Media Devices:
Flash drives and other removable media devices can easily lead to a breach of sensitive information, whether it’s by the accidental loss of an important device or by malicious users sneaking information out of your premises. If possible, implement company-wide policies that restrict or limit the use of removable media devices.
14. Manage Mobile Devices:
Mobile device management is an important area of concern as more and more organizations move to BYOD (bring your own device) policies. Implementing lost-phone policies, restricting the use of third party apps and enabling remote wiping of data are all important requirements for a secure BYOD workplace.
15. Remove Data Securely:
Remember that extremely sensitive data can still be recovered, even when deleted from a workstation. Investing in secure wiping utilities is useful, and make sure old equipment is thoroughly destroyed/de-magnetized to prevent data from being recovered.
16. Keep software up to date:
External threats against your network are constantly evolving. Keeping your IT resources updated, such as antivirus programs and other security software, will reduce the likelihood of breaches and better prepare your team to respond to threats.
17. Staff Training:
Investing in ongoing training for your team will likely deliver a better return than the latest security software ever will. Educating users greatly reduces the risk of vulnerabilities caused by operator error. Make sure all staff members have access to proper training, even on things that seem rudimentary to an IT professional — such as remembering to log on and off their workstation, and how to use email safely.
Keeping electronic assets safe in a business environment requires taking both a micro and a macro view of your security posture. ISO 27001 and ISO 27002 compliance provides a useful framework for implementing ongoing security best practices, but at BlackStratus we believe effective risk mitigation must go beyond that.