Security best practices
The recent Sony Pictures breach has again put the spotlight on basic IT security lapses and the need for organisations to constantly review their IT security strategies.
The hacktivist group calling itself “Guardians Of Peace” (GOP) continues to issue threatening statements toward Sony Pictures several weeks after it gained unfettered access to the firm’s email and database servers.
While the tactics used to carry out the data breach continue to be cloaked in mystery, pundits say the widespread access the group apparently had shows that Sony Pictures disregarded some basic security best practices.
Like Sony Pictures, organisations here in the Middle East need to thoroughly assess their backup and recovery processes, identify and protect their core intellectual property, and gain control and oversight of system privileges.
When ITP.Net first reported on the GOP’s latest attack, I was surprised by the amount of time it took Sony Pictures to get essential services back online. In my more than 15 years of covering the channel industry, I have attended numerous business continuity and DR presentations, and I was expecting that a company of Sony Pictures’ stature would be better prepared.
Best practices dictate that backups should be conducted weekly and include the OS, application software and data on each system. One way to reduce the potential for a threat on a backup system is to make one backup inaccessible from corporate endpoint systems, system experts say. The backup may be older, but it will ensure continuity of services until newer backups can be analysed for potential threats.
The destructive malware believed to have been used by the Sony Pictures attackers could have caused a delay in getting systems back online. It was designed to evade detection by standard antivirus software. Once it steals data on a PC, it completely erases system files and the master boot loader, the information on the hard drive used to boot up the OS.
Solution providers I have spoken to say the attackers could have gained access by stealing a system administrator’s password or phishing other employees and using their credentials to gain initial access. The GOP’s use of the custom malware, its multi-staged attack and unlimited access suggest the group was well funded and determined to gain access.
The Sony Pictures breach uncovered sensitive information stored in Microsoft Excel files lacking password protection, tokenisation or encryption. IT security experts say even if the files had been encrypted, the implementation could have been faulty or the attackers could have had access to the key to decrypt the information.
In addition to unreleased movies and movie scripts, the Sony Pictures hacktivists leaked email messages; corporate data, including personally identifiable information; salary data; social security numbers; and other sensitive information. Former Sony Pictures employees are suing the company over the security lapse. Sony Pictures is issuing cease and desist orders to media publishers and website owners who post or have posted links to the stolen data or used the stolen data in stories.
Rather than gagging media publishers, as Sony Pictures is doing, what this breach highlights, in my view, is the constant need for organisations to review their access control strategy and introduce the strategy of giving employees the fewest privileges necessary without hindering them from doing their jobs. In this era of BYOD, users should have the level of access they need to do their job and no more.
The theory is that if organisations get better control over user privileges, which can be expensive, complicated and time-consuming, attackers would be slowed down and might move to easier targets. At a minimum, organisations should be doing an access review and cleaning up unused accounts.
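One way to run the access review recommended above, as an added example that is not part of the original article: the script flags unused accounts, disabled accounts that still hold group memberships, and memberships beyond what a role needs. The account export, role baseline, group names and 90-day idle threshold are all assumptions constructed for illustration.

```python
from datetime import date

# Assumed baseline: the groups each job role needs and no more.
ROLE_BASELINE = {
    "finance": {"finance-share"},
    "editor": {"scripts-share"},
    "sysadmin": {"domain-admins", "backup-operators"},
}

# Constructed sample inventory, e.g. an export from a directory service.
ACCOUNTS = [
    {"user": "asmith", "role": "finance", "enabled": True,
     "groups": {"finance-share"}, "last_login": date(2014, 12, 15)},
    {"user": "bjones", "role": "editor", "enabled": True,
     "groups": {"scripts-share", "domain-admins"}, "last_login": date(2014, 12, 18)},
    {"user": "cwu", "role": "finance", "enabled": True,
     "groups": {"finance-share"}, "last_login": date(2014, 6, 1)},
    {"user": "svc-legacy", "role": "service", "enabled": True,
     "groups": {"backup-operators"}, "last_login": None},
    {"user": "dlee", "role": "sysadmin", "enabled": False,
     "groups": {"domain-admins"}, "last_login": date(2014, 3, 2)},
]


def review_access(accounts, baseline, today, max_idle_days=90):
    """Return sorted (user, finding, detail) tuples for an access review."""
    findings = []
    for acct in accounts:
        user, groups = acct["user"], acct["groups"]
        if not acct["enabled"]:
            # Disabled accounts should not keep group memberships around.
            if groups:
                findings.append((user, "disabled-has-groups", ",".join(sorted(groups))))
            continue
        last = acct["last_login"]
        if last is None:
            findings.append((user, "unused", "never logged in"))
        elif (today - last).days > max_idle_days:
            findings.append((user, "unused", f"idle {(today - last).days} days"))
        # Unknown role: baseline is empty, so every group is reported.
        excess = groups - baseline.get(acct["role"], set())
        if excess:
            findings.append((user, "excess-privilege", ",".join(sorted(excess))))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding, detail in review_access(ACCOUNTS, ROLE_BASELINE, date(2014, 12, 20)):
        print(f"{user:12} {finding:20} {detail}")
```

Accounts whose role has no baseline entry are reported in full, so new roles must be added to the baseline before their access is treated as expected.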
IT experts responsible for their company’s security need to be jacks-of-all-trades: they must not only try to fix things, but also have tools in their back pocket to keep up with the bad guys.