The stars in Sony Pictures’ latest drama are not actors. They’re heading up what the FBI and media have loosely referred to as Sony Pictures Entertainment’s IT security team. And instead of bringing in box office dollars, they’re very likely going to cost the studio a ton.
After an epic cyber attack on November 24, Sony has yet to address the problems that led to the attack, which is unsurprising since they’ve been repeatedly warned of these vulnerabilities for years and haven’t responded. Additionally, the most recent attack led to the leak of a security audit, which revealed 193 more security incidents within less than a year.
As your company grows, it’s important that the right hand knows what the left is up to.
Here’s what your IT service desk can learn from the Sony breach, so your team doesn’t end up co-starring with Sony’s IT department in the comedy, The Keystone Kops and the Really Mean Hacker Guys.
The IT Department Needs to be Consolidated
Apparently, Sony lacks a consolidated IT team to oversee the various aspects of each branch and department. In a multi-national company operating under a variety of regulations and security issues, this is unacceptable. Only with a consolidated IT service management team overseeing the entire IT infrastructure can your company ensure that all the cyber windows and doors are locked, so to speak.
Enterprise-Wide Asset Management is Crucial
Asset management tracks every hardware and software component, and a good asset management plan includes frequent backups of critical data. Out of 869 systems, Sony failed to track 149 of them, meaning 17 percent of their IT assets were unaccounted for and unmonitored. Without asset management, breaches can’t even be identified promptly, let alone resolved in a timely manner.
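The reconciliation an asset-management review boils down to is a set comparison: what is actually on the network versus what the register claims to own, plus a backup-freshness check on the assets it does know about. The script below is an added example, not Sony’s tooling or data; the host names, owners and backup dates are constructed, and the seven-day backup threshold is an assumed policy value.

```python
"""Reconcile what a network scan found against the asset register.

Added example; the host names, owners and dates below are constructed,
not data from the Sony audit."""
from datetime import date, timedelta

# Constructed: hosts a discovery scan actually observed on the network.
DISCOVERED_HOSTS = {
    "web-01", "web-02", "db-01", "db-02", "hr-share", "build-07", "camera-14",
}

# Constructed: the asset register, with the date of the last verified backup
# (None means the asset has never been backed up).
INVENTORY = {
    "web-01":     {"owner": "webops", "last_backup": date(2014, 12, 1)},
    "web-02":     {"owner": "webops", "last_backup": date(2014, 12, 1)},
    "db-01":      {"owner": "dba",    "last_backup": date(2014, 11, 30)},
    "db-02":      {"owner": "dba",    "last_backup": None},
    "hr-share":   {"owner": "hr",     "last_backup": date(2014, 9, 3)},
    "retired-03": {"owner": "webops", "last_backup": date(2014, 6, 1)},
}

REVIEW_DATE = date(2014, 12, 5)  # constructed "today" for the review


def reconcile(discovered, inventory, today, max_backup_age_days=7):
    """Return the gaps an asset-management review should surface.

    untracked     - live on the network but absent from the register
                    (nobody owns or monitors them)
    ghosts        - in the register but not seen on the network
                    (stale records, or assets that silently went missing)
    stale_backup  - tracked, live assets whose last backup is missing or
                    older than max_backup_age_days
    coverage_pct  - share of live hosts the register actually knows about
    """
    known = set(inventory)
    untracked = sorted(discovered - known)
    ghosts = sorted(known - discovered)
    cutoff = today - timedelta(days=max_backup_age_days)
    stale_backup = sorted(
        name for name, rec in inventory.items()
        if name in discovered
        and (rec["last_backup"] is None or rec["last_backup"] < cutoff)
    )
    coverage = 100.0 * (len(discovered) - len(untracked)) / len(discovered)
    return {
        "untracked": untracked,
        "ghosts": ghosts,
        "stale_backup": stale_backup,
        "coverage_pct": round(coverage, 1),
    }


if __name__ == "__main__":
    report = reconcile(DISCOVERED_HOSTS, INVENTORY, REVIEW_DATE)
    for finding, value in report.items():
        print(f"{finding}: {value}")
```

On the constructed data the register covers 71.4 percent of live hosts; the two untracked machines are the ones no one would notice being compromised, and the two stale-backup entries are the ones that could not be restored after destructive malware.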
Encryption Isn’t Optional
One of Sony’s branches in Europe held a contest where people went online and entered personally identifiable information, yet the form wasn’t even encrypted, leaving all those trusting folks at risk for identity theft and more. Audits revealed that much of Sony’s sensitive information was neither encrypted nor password protected. Additionally, passwords were stored in files blatantly named “Passwords.” This was like handing a map to the hackers with X marking the sweet spots for extortion.
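The “Passwords” file is the clearest case of a stored secret that should never exist in readable form. The example below, added here and not Sony’s code, puts the audited pattern (a cleartext `user:password` record) next to the hardened one: a per-record random salt, a deliberately slow PBKDF2-HMAC-SHA256 derivation, a self-describing record format so the iteration count can be raised later, and a constant-time comparison on verification. The usernames, passwords and the 200,000-iteration figure are constructed values.

```python
"""Storing credentials: the audited pattern versus a hardened one.

Added example, not Sony's code; the usernames and passwords are constructed."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # constructed baseline; raise it as hardware gets faster


def cleartext_record(username, password):
    """The pattern the audit describes: one line per account, secret in the clear.
    Whoever reads the file (a backup operator, a leaked archive, an intruder)
    owns every account in it. Shown only to contrast with the functions below."""
    return f"{username}:{password}"


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Derive a salted, slow hash and encode it with its parameters so the
    stored record is self-describing and the cost can be raised later."""
    if salt is None:
        salt = os.urandom(16)  # per-record random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the record's own salt and iteration count and
    compare in constant time. Any malformed record is simply rejected."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed password
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Passwords", record))                     # False
```

A leaked copy of the hashed file still has to be cracked one slow guess at a time per record, whereas a leaked copy of the cleartext file is already a complete credential list; that difference is the whole argument for never writing the second kind.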
Strict User Policies Must Be Developed, Implemented, and Enforced
A previous Sony breach was caused by an employee in Europe leaving a laptop in a cafe logged into Sony’s internal system. Other incidents involve repeated warnings that employee passwords were ridiculously easy to hack, to which Sony’s IT department countered that an easily breached password was more secure than employees writing hard-to-remember passwords on sticky notes and putting them on their monitors. These Sony bumbles are easily resolved with solid user policies that are strictly and consistently enforced. There are much better ways to help users develop and remember secure passwords. Two-factor authentication is another option to consider.
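Both remedies the paragraph names can be enforced in code rather than by memo. The example below is added here and is not Sony’s policy: a password-policy check that rejects short, common or single-class passwords, and a standard-library TOTP second factor per RFC 6238 (HMAC-SHA1 over the 30-second time step, with a one-step drift window). The common-password list is a constructed stub, and the base32 secret in the demo is the RFC 6238 test secret.

```python
"""Password policy check and a TOTP second factor (RFC 6238), standard library only.

Added example, not Sony's policy; the common-password list is a constructed stub."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed stub; a real deployment checks against a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "letmein"}


def check_password_policy(password, min_length=12, min_classes=3):
    """Return the policy rules a candidate password breaks (empty list = accepted).
    Length and the blocklist do most of the work; the class count mainly stops
    all-lowercase dictionary words."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    return problems


def totp(secret_b32, at_time, step=30, digits=6):
    """Time-based one-time code: HOTP over floor(time / step) with HMAC-SHA1."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(at_time // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_totp(secret_b32, submitted, at_time=None, step=30, window=1):
    """Accept the current code or one step either side to absorb clock drift,
    comparing in constant time so timing does not leak which digits matched."""
    now = time.time() if at_time is None else at_time
    return any(
        hmac.compare_digest(totp(secret_b32, now + k * step, step), submitted)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    print(check_password_policy("password"))
    print(check_password_policy("correct-horse-battery-9"))
    # RFC 6238 test secret: base32 of the ASCII string "12345678901234567890"
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(secret, at_time=59))                 # 287082
    print(verify_totp(secret, "287082", at_time=59))
```

The policy check favours length over composition rules, which is what makes passphrases both memorable and strong, and the second factor means a password written on a sticky note is no longer sufficient on its own.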
Risk Assessments Have to Serve a Useful Purpose
This one is simple. Sony paid for a risk assessment, which identified a number of vulnerabilities. Additionally, users repeatedly warned IT about vulnerabilities they discovered in the system. All of these warnings were ignored. Don’t worry, your IT service desk would never make this mistake.
Following a Security Breach, Communication is Essential
Hackers claim to have stolen “just under 100 terabytes” of data. The FBI believes most of this data is unrecoverable by traditional forensic techniques. Much of it has already been dumped on the Internet, informing the world of sensitive information like security certificates and signing keys, executives’ salaries, workers’ Social Security numbers, info on employees’ health, passwords, movie budgets, and more. Yet Sony hasn’t reached out to its former employees nor offered them the credit monitoring extended to their current staff. Additionally, Sony has not revoked those security certificates, leaving other systems that trust Sony’s certificates by default vulnerable as well. Don’t be these guys. If a security breach occurs (and in this age, it likely will), reach out to the affected people and companies. Try to make things as right as possible. It won’t erase the damage, but it sure builds goodwill, which can’t be bought at any price.
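The certificate point deserves a concrete illustration of why revocation has to happen at the verifier, not just in an announcement: a signature produced with a leaked signing key is still mathematically valid, so the only thing that stops downstream systems accepting it is a revocation check that runs before the cryptographic one. The following is an added example, not Sony’s infrastructure, and a deliberately simplified model: HMAC-SHA256 with a key id stands in for certificate signatures, an in-memory revocation set stands in for a published CRL, and the key ids, payload and revocation reason are constructed.

```python
"""Revoking a leaked signing key so downstream verifiers stop trusting it.

Added example, not Sony's infrastructure. Simplified model: HMAC-SHA256 with a
key id stands in for certificate signatures, and a shared revocation set stands
in for a published CRL. Key ids, payloads and reasons are constructed."""
import hashlib
import hmac
import os


class SigningKeyStore:
    """Signing keys by id, plus the revocation list every verifier must consult."""

    def __init__(self):
        self._keys = {}      # key_id -> secret key bytes
        self._revoked = {}   # key_id -> reason it was revoked

    def add_key(self, key_id, key=None):
        self._keys[key_id] = key if key is not None else os.urandom(32)
        return key_id

    def revoke(self, key_id, reason):
        """Revocation is a verifier-side fact: the key may live on in a leaked
        dump, but nothing signed with it is accepted from now on."""
        self._revoked[key_id] = reason

    def rotate(self, old_key_id, new_key_id, reason):
        """Issue the replacement before revoking, so legitimate signing continues."""
        self.add_key(new_key_id)
        self.revoke(old_key_id, reason)
        return new_key_id

    def sign(self, key_id, payload):
        if key_id in self._revoked:
            raise ValueError(f"refusing to sign with revoked key {key_id}")
        return hmac.new(self._keys[key_id], payload, hashlib.sha256).hexdigest()

    def verify(self, key_id, payload, signature):
        """Check revocation *before* the cryptographic check: a signature made
        with a stolen key is valid as mathematics, and that is exactly the case
        revocation exists to reject."""
        if key_id in self._revoked:
            return False, f"key {key_id} revoked: {self._revoked[key_id]}"
        key = self._keys.get(key_id)
        if key is None:
            return False, f"unknown key {key_id}"
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False, "signature does not match payload"
        return True, "ok"


def leaked_key_scenario():
    """Walk through the post-breach sequence and return each verification result."""
    store = SigningKeyStore()
    store.add_key("codesign-2014")            # constructed key id
    payload = b"software update bundle"       # constructed payload
    sig = store.sign("codesign-2014", payload)

    before = store.verify("codesign-2014", payload, sig)          # accepted
    store.rotate("codesign-2014", "codesign-2015",
                 "private key published in breach dump")           # constructed reason
    after = store.verify("codesign-2014", payload, sig)           # same bytes, now rejected
    fresh = store.sign("codesign-2015", payload)
    replacement = store.verify("codesign-2015", payload, fresh)   # accepted
    return before, after, replacement


if __name__ == "__main__":
    for step, result in zip(("before", "after revocation", "replacement key"),
                            leaked_key_scenario()):
        print(f"{step}: {result}")
```

The `after` result is the one that matters operationally: the bytes of the signature have not changed, only the verifier’s knowledge has, which is why the revocation list must actually be published and consumed rather than merely decided upon internally.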
At this point, it’s unclear whether extortion was the motive or if the hackers are demanding copyright reform. One theory holds that North Koreans targeted the company over a comedy film Sony made mocking Kim Jong-un. Another theory holds that it’s disgruntled employees within the company. Whatever their reasons, the issue is a PR nightmare for the entertainment giant, and likely will be for some time.