What CEOs Can Learn From the Sony Cyberattack

A closer look at what happened to Sony suggests that the nature of the recent cyber breach was more serious than first thought. As the story continues to unfold, we may find out that the North Koreans are not the true hackers. However, regardless of the origin of the perpetrators, it is clear that the incident should serve as a wake-up call for board members and CEOs.

In a recent attempt to survey 580 CEOs about security, we received a response rate of less than 1 percent. Today, thanks to the impact of Sony’s cyber attack, we believe that number would be much higher.

While Sony’s breach led to the public release of an embarrassing amount of sensitive data, it also shut down the company’s computers and put the company in limbo for several days. Sony tried to continue with manual systems but simply couldn’t keep up. Even worse, it was unable to pay actors, suppliers and employees. Sony had to suspend operations until the company could rebuild its computer systems and networks.

The malware used against Sony, known as “Destover,” is dangerous because it disrupts computer and company operations by first copying data and then erasing the “Master Boot Record,” which leaves the machine unable to boot from its storage. Similar disruptions occurred in 2012 at Saudi Aramco, where 30,000 terminals were shut down by the Shamoon virus, and in Iran in 2009, where the Stuxnet worm destroyed a thousand centrifuges.

To create further damage, the hackers posted online several unreleased films that undoubtedly cost millions in production expenses. Plus, they exposed thousands of sensitive and embarrassing emails, movie scripts, HR data, salaries, legal reports, passwords and the personal information of hundreds of employees and actors.

The Sony experience comes on the heels of a recent breach at JPMorgan. In June 2014, hackers stole an employee’s password and deposited malware on the company’s servers. Over several months, they eluded the company’s sophisticated alarms by extracting a huge amount of data very slowly.

While one cannot address all security risks, there are things CEOs can do to mitigate the risk of a breach. The answer lies in analyzing all areas of vulnerability and consciously deciding what to protect—and to what degree.

Cyberattacks come from hackers who breach company firewalls and security systems, stealing data and/or disabling the computers. Some believe that hackers are stopped by robust firewalls and sophisticated detection software, but that is only a part of the solution. Hackers gain easy access through three pathways—people, processes and systems.

People Problems
Most breaches (some say 80 percent) come through the “people route”: employees, subcontractors, suppliers and anyone else who has authorized access. It’s the easiest way. The “people route” includes:

1. Negligence. Many penetrations occur through simple negligence: misplaced or stolen laptops and cellphones, or passwords left in plain sight. A hacker may ask to borrow your phone for an “emergency call.” These are by far the easiest and quickest ways hackers penetrate security barriers and insert malware into company systems, creating hidden pathways for immediate or later access. It takes only seconds.

2. Disgruntled Employees. A disgruntled employee might simply hand over his passwords or lend the hacker his phone for a few minutes. Some believe the Sony hackers had inside help because they said, “Sony doesn’t lock their doors physically, so we worked with other staff with similar interests to get in.”

3. The “Candy Drop.” The hacker provides free CDs or thumb drives to conference attendees. Ostensibly loaded with conference information, they are also infected with malware that the conference attendee unknowingly loads onto his laptop and subsequently onto the company’s computers. Free CDs and thumb drives may also be passed out by third parties in company classrooms, social functions and even company gyms.

4. Phishing. The hacker sends enticing emails with a “click on this offer” invitation. Once the employee opens it, malware is installed on the computer without the employee’s knowledge.

5. Greed. A cash-strapped employee sells his access information to a hacker.

Employee and supplier awareness sessions and training are mandatory if people are to understand the risks, the methods, and their obligation and responsibility to protect company assets. They must be told the impact of failing to do so. Constant effort must be made to identify and resolve disgruntled-employee situations. Other people with access (contractors, suppliers, etc.) must be contractually bound to the company’s security requirements.

Process Issues
Weak company processes are another major area of vulnerability that hackers frequently exploit. These include:

1. Weak network access controls. While it is recognized that strong network security controls frustrate ease of use, weak security controls are easily penetrated and give hackers ready access. Restricted access, robust firewalls, segmented and secured networks and applications, and diligent network traffic monitoring are the minimum measures companies should have in place to reduce risk.

2. Insufficient physical access controls. Hackers and thieves with ready access to company offices can easily steal equipment containing access codes and passwords.

3. Poor third-party security:

• The cloud. There are many stories of private data and photographs downloaded from insecure public and private clouds. Also, unintentional “leakage” of data from one customer to another has been documented.

• Systems development, maintenance, testing and operations. Third-party contractors usually require access to company computers. Plus, sensitive data in the hands of third-party contractors is always a risk. Third-party security controls that are at least as strong as those for employees must be contractually established. A restricted-development environment, as well as additional monitoring, may also be necessary.

• Infrastructure. Outside infrastructure providers must be governed by strong security controls.

• Facilities. Third-party contractors who maintain your facilities (building personnel, cleaning people, etc.) must also be governed by strong security controls.

4. Insufficient business-partner access controls. In today’s integrated supply chain, business partners are connected electronically and pass forecast-to-order-to-cash data back and forth, over the wire, to company systems. Malware can easily be inserted in these transmissions. Companies must ensure that business partners maintain the same (or stronger) levels of security control and they must continually monitor data inputs.

5. Weak employee onboarding (vetting) and termination processes. Stopping the problem at the door is critical. Personnel with checkered backgrounds must not be allowed access to the computer systems. The access held by exiting employees must be revoked immediately, and the information they possess must be accounted for.

6. Poor personnel training and awareness. Employees, contractors and other personnel, especially new arrivals, must attend frequent awareness and training sessions so that they are constantly reminded of their risk-mitigation obligations. All must be advised of new hacking techniques as they emerge.

7. Poor equipment disposal processes. When disposed of, computers and mobile devices must be electronically “wiped clean” of all data, access credentials and security codes. This is especially challenging in BYOD (bring your own device) environments.

Systems Safeguards
1. Weak cyber security:

• A hacking “industry” exists, largely offshore, with skilled hackers and sophisticated computers that continually “ping” thousands of networks, day and night, with random and adaptive probes to unearth security holes. Such sustained campaigns are often called Advanced Persistent Threats (APTs). Sometimes the loot is used directly by the scanning party, but often it is sold to other parties with a malicious interest in the victim. The scanners could be individuals or even a nation-state that can afford sophisticated scanning equipment and staff. One can reduce the risk of this type of penetration with superior network-monitoring tools and a skilled staff.

• Once planted, malware may go active immediately or sit dormant until activated. Sophisticated, up-to-date malware-detection software must run constantly to sniff out the offending code and remove it. To the extent possible, applications should be kept separate from one another so that a compromise of one is contained, and well-thought-out procedures must be in place to limit damage if and when malware goes active.

2. Vulnerable web and customer portals. Hackers exploit security holes in web and customer portals, thereby gaining access to company computers. Robust firewalls, sophisticated network security software, applications kept separate from one another, and skilled staff are necessary.

3. Insecure mobile and teleworking access. Personnel must use secured Wi-Fi connections when communicating with company computers. Otherwise, hackers can sit nearby and piggyback on unsecured Wi-Fi to gain access to the logged-on devices and computers.

Often, successful penetrations are the result of not just one but two or more techniques. In addition, the actual data theft or disruption may take place days or weeks after the initial penetration and may continue undetected for some time. At Target, the data on 80 million credit cards was slowly copied over three weeks from production Target computers and staged on Target backup computers. It was subsequently transmitted undetected, in big batches at odd hours, to offshore entities from Target’s backup computers. At Sony, the hackers used Sony’s PlayStation servers to distribute their loot. The JPMorgan data theft occurred slowly over three to four months in order to avoid detection.

Security breaches are now a way of life and are potentially very damaging. It’s not “if” you’ll get hit but “when” and “how badly.”
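As an added illustration (not from the article), here is a small Python check for the two exfiltration patterns the paragraph above describes: single large outbound transfers at odd hours, and a low-volume trickle to one destination sustained over many days. The hosts, addresses, thresholds and transfer records are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound-transfer summaries: (timestamp, internal host, external
# destination, bytes sent). Hosts, addresses and sizes are invented for this
# example and are not data from the Sony, Target or JPMorgan cases.
_BASE = datetime(2014, 3, 1, 11, 0)
TRANSFERS = [
    ("2014-06-02 03:10", "backup-07", "203.0.113.9", 1_500_000_000),  # bulk at 03:10
    ("2014-06-02 14:30", "web-01", "198.51.100.4", 20_000_000),       # normal daytime
    ("2014-06-03 02:45", "backup-07", "203.0.113.9", 1_200_000_000),  # bulk at 02:45
] + [
    # a trickle: about 2 MB every day for 90 days, one workstation, one host
    ((_BASE + timedelta(days=d)).strftime("%Y-%m-%d %H:%M"),
     "ws-142", "192.0.2.77", 2_000_000)
    for d in range(90)
]

BUSINESS_HOURS = range(7, 20)   # assumption: 07:00-19:59 is normal activity
BULK_BYTES = 500_000_000        # assumption: one transfer this large is unusual
TRICKLE_MIN_DAYS = 30           # assumption: this many active days is suspicious


def off_hours_bulk(transfers, bulk_bytes=BULK_BYTES):
    """Flag single large outbound transfers made outside business hours
    (the 'big batches at odd hours' pattern)."""
    hits = []
    for ts, src, dst, nbytes in transfers:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if nbytes >= bulk_bytes and when.hour not in BUSINESS_HOURS:
            hits.append((src, dst, ts, nbytes))
    return hits


def low_and_slow(transfers, min_days=TRICKLE_MIN_DAYS, max_daily=BULK_BYTES):
    """Flag a source/destination pair that moves a little data on many distinct
    days (the 'slowly, to avoid alarms' pattern). Every day stays under the
    bulk threshold, so only the count of active days gives it away."""
    daily = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in transfers:
        daily[(src, dst)][ts[:10]] += nbytes   # ts[:10] is the date part
    hits = []
    for (src, dst), per_day in daily.items():
        if len(per_day) >= min_days and max(per_day.values()) < max_daily:
            hits.append((src, dst, len(per_day), sum(per_day.values())))
    return hits


if __name__ == "__main__":
    print("off-hours bulk:", off_hours_bulk(TRANSFERS))
    print("low-and-slow:", low_and_slow(TRANSFERS))
```

The thresholds are deliberately simple; in practice they would be tuned per host role, since a backup server sending a large batch overnight to a known replication target is routine, while the same batch to an unfamiliar external address is not.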

Thomas L. Pettibone: