Impact of Sony Pictures hack on the future of security

hmmm · 17-12-2014 11:44pm #1

Despite all our technologies and policies and mailing lists and patches and protocols and encryption and whatever, most security people will tell you that the world is full of security holes, and the situation is only getting worse. Not only do security teams have problems inside their own networks, they also have to deal with the increasing proliferation of "cloud" services that are largely uncontrollable, most of which have absolutely terrible security.

We won't fix security the way we are going because most company management & Boards see security as something that's important but nothing too critical - I've long thought that it would take something major to make us change direction.

Is the Sony hack that "something major"? Sony Pictures is a multi billion dollar company and it will struggle to survive. This hack isn't an inconvenience or an embarrassment like all the others we've seen, it's a material event that has the potential to end the company.

I can't see the US standing by and letting their companies be wiped out by what is more than likely a cyber-war attack from a country they consider an adversary. I also can't see the US allowing companies to continue on the way they have been to date, with each company having a small group of well intentioned and dedicated security staff being overwhelmed by outsiders with greater resources. Something will have to change, and the change I foresee is an effective forced withdrawal inside a perimeter that is patrolled by resources provided by a government.

Mr. G · 18-12-2014 1:25am

hmmm wrote: »

Despite all our technologies and policies and mailing lists and patches and protocols and encryption and whatever, most security people will tell you that the world is full of security holes, and the situation is only getting worse. Not only do security teams have problems inside their own networks, they also have to deal with the increasing proliferation of "cloud" services that are largely uncontrollable, most of which have absolutely terrible security.

We won't fix security the way we are going because most company management & Boards see security as something that's important but nothing too critical - I've long thought that it would take something major to make us change direction.

Is the Sony hack that "something major"? Sony Pictures is a multi billion dollar company and it will struggle to survive. This hack isn't an inconvenience or an embarrassment like all the others we've seen, it's a material event that has the potential to end the company.

I can't see the US standing by and letting their companies be wiped out by what is more than likely a cyber-war attack from a country they consider an adversary. I also can't see the US allowing companies to continue on the way they have been to date, with each company having a small group of well intentioned and dedicated security staff being overwhelmed by outsiders with greater resources. Something will have to change, and the change I foresee is an effective forced withdrawal inside a perimeter that is patrolled by resources provided by a government.

Until it hits hard at home nobody will take it as "critical". Data Protection isn't taken seriously in the majority of cases.

The impact on Sony won't change the minds of management over here. "Why would anyone want our data anyway?" Is always the question asked. Simply put, a company could potentially hold very confidential info that ends up on pastebin. Or face blackmail and forced to pay up. Or computer systems disrupted business and loss of profits. It's very real, they just don't see it.

I'd hope not to see a perimeter walled by resources provided by a Government. They do that in China- It's called the great "firewall"of China and you can see how well that worked. There will never be a perfect solution, but people need to take responsibility and I wouldn't rely on the Govt to take care of it. They can barely keep roads in good condition, let alone protect our internet activity. There is also the issue of what happens our data when it's transmitted over the internet. What is done with it? It gives them more power for censorship etc.

Furthermore, the only way to do it would be through individual ISPs as there are several undersea cables connecting Ireland to the rest of the world and the Govt don't control the ISPs network. ISPs have so much data passing that they just can't sift through it all. It's very difficult also due to emerging technologies like Tor etc. and increasing encryption on data transmission to do this. You can of course see patterns, but they can only tell so much.

It's certainly a scary world out there and worse to come most definitely.

dalta5billion · 18-12-2014 1:40pm

Reaction to the Sony Hack Is 'Beyond the Realm of Stupid'
http://motherboard.vice.com/read/reaction-to-the-sony-hack-is-beyond-the-realm-of-stupid

syklops · 18-12-2014 1:46pm

One of the things I read was they had a flat unencrypted file with usernames and passwords. Future of security? A bit of common sense people!

We were talking about PCI in the offfice the other day.

The general concensus was PCI v1:
Do you have a firewall?
Yes.
Ok, your compliant.

PCI v2:
Do you have a firewall?
Yes.
Where is it?
In a box in the basement.
Ok, you need to take it out of the box, and plug it in. Then you will be compliant.

PCI v3
Do you have a firewall?
Yes.
Is it switched on?
Er.. no.
Ok, you need to switch it on.

It doesnt go as deep as "Do you have unencrypted passwords lying around somewhere", because most people would assume thats a stupid question. Seemingly not.

hmmm · 18-12-2014 5:42pm

dalta5billion wrote: »

Reaction to the Sony Hack Is 'Beyond the Realm of Stupid'
http://motherboard.vice.com/read/reaction-to-the-sony-hack-is-beyond-the-realm-of-stupid

This is more than "annoying". This could just as easily happen to a major bank, or to some essential piece of infrastructure. Whether Sony had encrypted passwords or not would not have protected them.

dalta5billion · 18-12-2014 6:12pm

hmmm wrote: »

This is more than "annoying". This could just as easily happen to a major bank, or to some essential piece of infrastructure. Whether Sony had encrypted passwords or not would not have protected them.

Sony are known for bad security practices.

The whole reaction to it (pulling the movie, accusing North Korea of "cyber terrorism") suits many interests both in Sony and the White House.

The whole thing stinks if you ask me.

Khannie · 18-12-2014 6:19pm

syklops wrote: »

It doesnt go as deep as "Do you have unencrypted passwords lying around somewhere", because most people would assume thats a stupid question. Seemingly not.

Not in the slightest. I would guess that most companies have unencrypted passwords (or some brand of "local default password") floating around all over the place. Sharing passwords securely becomes an issue, especially when people leave the company. IT guy leaves - do you then go about updating all the admin passwords that they had access to? No chance. "Be grand".

hmmm · 18-12-2014 8:46pm

Khannie wrote: »

I would guess that most companies have unencrypted passwords (or some brand of "local default password") floating around all over the place. Sharing passwords securely becomes an issue, especially when people leave the company. IT guy leaves - do you then go about updating all the admin passwords that they had access to? No chance. "Be grand".

Internet warriors & professors come up with prescriptions for perfect security, and what you've described is exactly the scenario that most security people encounter on a day to day basis. Sony might have had a few lax practices, but I bet you won't find a company out there that doesn't.

hmmm · 18-12-2014 9:06pm

Newt Gingrich ✔ @newtgingrich

No one should kid themselves. With the Sony collapse America has lost its first cyberwar. This is a very very dangerous precedent.
10:05 PM - 17 Dec 2014

dalta5billion · 19-12-2014 12:28am

hmmm wrote: »

Newt Gingrich ✔ @newtgingrich

No one should kid themselves. With the Sony collapse America has lost its first cyberwar. This is a very very dangerous precedent.
10:05 PM - 17 Dec 2014

Oh for Christ's sake

Manach · 19-12-2014 12:41am

Rather like the Estonia Cyberincidents of 2007 (as per book Cyber Operations and the Use of Force in International Law by Marco Roscini) perhaps this will in fact spur companies to take personal security and data protection as a key factor of a business instead of a nice to have. Then again, I've personally been trying to get across the importance of having protocols to deal with processing of data and to ensure that a firm gets ready for the new Data Protection direction coming down the line which mandates a reasonably level of security or else the fines will accumulate.

Impetus · 21-12-2014 5:01pm

Sony started the war by installing rootkits on the computers of customers that purchased CDs*.

Live by the sword, die by the sword.

http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal

Impact of Sony Pictures hack on the future of security

Comments