What CEOs Can Learn From the Sony Cyberattack

Systems Safeguards

1. Weak cyber security:

• A hacking ‘industry’ exists, largely offshore, with smart hackers and sophisticated computers that continually “ping” thousands of networks, day and night, with random and “continuous-learning” codes to unearth security holes. These operations are called Advanced Persistent Threats (APT). Sometimes the loot is used directly by the scanning party, but often it’s sold to other parties with a malicious interest in the victim. The scanners could be individuals or maybe even a nation-state that can afford sophisticated “pinging” equipment and staff. One can reduce the risk of this type of penetration with superior network-monitoring tools and a skilled staff.

• Once planted, malware may go active immediately or sit dormant until activated. Sophisticated, up-to-date malware-detection software must be run constantly to sniff out the offending code and remove it. To the extent possible, applications should be discrete to contain damage, and well-thought-out procedures must be in place to limit the impact if and when malware goes active.

2. Vulnerable web and customer portals. Hackers exploit security holes in web and customer portals, thereby gaining access to company computers. Robust firewalls, sophisticated network security software, discrete applications and skilled staff are necessary.

3. Insecure mobile and teleworking access. Personnel must use secure Wi-Fi channels when communicating with company computers. Otherwise, hackers can sit nearby and piggyback on unsecured Wi-Fi channels to gain access to the logged-on devices and computers.

Often, successful penetrations are the results of not just one but two or more techniques. In addition, the actual data theft or disruption may take place days or weeks after the initial penetration and may continue undetected for some time. At Target, the data on 80 million credit cards was slowly copied over three weeks from production Target computers and staged in Target backup computers. It was subsequently transmitted undetected, in big batches at odd hours to offshore entities from Target’s backup computers.

At Sony, the hackers used Sony’s PlayStation servers to distribute their loot. The JPMorgan data theft occurred slowly over three to four months in order to avoid detection. Security breaches are now a way of life and are potentially very damaging. It’s not “if” you’ll get hit but “when” and “how badly.”