December 19, 2014 Leave a comment
While the White House considers the devastating cyber-attack on Sony Pictures Entertainment “a serious national security matter,” and is still evaluating how best to respond, we in the security sector know all-too-well that Sony is just the latest example of how easy it is to penetrate the networks of our most critical private and public infrastructures – stealing valuable data, tampering with critical assets and crippling the operations of market-leading companies.
Sony, like most companies, doesn’t take security seriously until it’s too late. They failed to conduct routine maintenance on their systems, lacked encryption and had no mechanism to detect and respond properly to a breach. Now we have Sony execs and the government saying the breach is most likely the act of a sophisticated hacking network sanctioned by North Korea (Really? Duh!). While Sony attempts to deflect attention away from their own incompetency and slipshod defense, the fact remains – their security was an absolute joke, penetrable by a high-school student with rudimentary computer science skills.
In an article by the Associated Press, Sony Pictures Entertainment CFO David C. Hendler complained to CEO Michael Lynton that the company had experienced significant and repeated outages as a result of limited hard disk space, outdated software, poor system monitoring, and unskilled IT workers. The AP reported that hackers targeted executives to trick them into revealing passwords and that many employees used easy-to-guess passwords. Additionally, strategic plans and medical information about some employees were stored in unencrypted form.
Sadly, Sony’s sloppy security hygiene is commonplace. Most corporations and smaller businesses are no better at securing their data. Breaches like Sony will continue to happen because corporations, security vendors and hackers are complicit.
Companies don’t bother to properly fund IT security or properly secure their critical assets – this is evident by the volume of breaches that occur daily. It’s really easy to be hacked. Companies need to rethink their approach to security and recognize that attacks happen. They need security solutions that quickly detect and investigate anomalous activity and minimize the damage.
Security vendors fail to innovate. They push the same old products that don’t work and provide little more than a false sense of security.
Hackers seeking profit, protest, challenge or just enjoyment will continue to find and exploit weaknesses in computer systems and networks. Stop making it so easy for them.
It’s time for organizations to wake-up and activate change. Make security a top priority every day. Invest in next-generation security products that discover and remediate attacks that escape detection by sandbox tools. Your business and our national security depend on it.