When a major organization suffers a security breach, it’s no surprise to see the victim’s computer systems in a state of total chaos: incident response teams freezing machines, day-to-day work grinding to a halt, and confusion as to the depth and breadth of the compromise. Many attacks will end with this havoc: stolen passwords, legal confusion as breached systems are used as “jump boxes” for further hacks, and bandwidth depleted for use in distributed denial of service attacks.
Unfortunately, despite the damage these antics can cause, many breaches have an even graver outcome.
According to research conducted by Brian Krebs, the personal information of thousands of current and former Sony employees has been compromised and leaked to the Internet. It’s currently being shared via BitTorrent sites – and the destruction may not even be finished yet. As the story continues to develop, more and more pieces of information appear to have been stolen – including healthcare information, compensation figures, internal audits conducted by PricewaterhouseCoopers, and more. It seems as if no area of the Sony corporate network has been left unscathed.
As Sony continues to perform incident response investigations, work with law enforcement, and gradually get their systems back online, the looming question remains: who is responsible for this attack? Although some sources point to a North Korean-backed advanced persistent threat (or state-sponsored attacker), it can be very difficult to accurately pinpoint a source for an attack such as this. As always, it’s important to remember that when systems are exposed to the Internet, they are also exposed to attack: turning a blind eye does not make them more secure. Although the details of exactly how this attack occurred have not yet been confirmed, it stands to reason that unless “zero day” exploits or social engineering tactics were used, then this attack may have been preventable.
Redspin recommends regular penetration testing, social engineering assessments, and web application security assessments to identify and neutralize vulnerabilities before they are exploited in the wild. While it is not clear what security posture Sony may have had, the incident does underscore that even large and well-funded organizations are vulnerable to attack.