What We Can Guess From the Sony Hack
Sony Corporation was under a withering attack by hackers and, at one point, every endpoint in the enterprise displayed a locked screen carrying the attackers' message.
The hackers made off with quite a bit of data from the network, including feature-length movies, spreadsheets of financial data and much, much more. From Variety:
In the attack on the studio’s corporate systems Nov. 24, an image of a skeleton appeared on company computers with a message that said, “Hacked by #GOP,” with the group behind it calling itself “Guardians of Peace.” The message threatened to release “secrets and top secrets” of the company. Currently being investigated is a connection between upcoming Sony movie “The Interview,” and North Korea.
So what does a hack of this magnitude tell us about Sony’s security apparatus? Quite a bit, actually.
First, they run a Windows domain with service accounts that every endpoint trusts, which would let an adversary own every endpoint. You can't change desktop images without the proper permissions. The likely story is a weak password, shared across every system, that was exploited to make that happen. Idiots.
Second, the Sony security staff can't identify or detect attacks against the network. And once an attack is under way and lateral movement across the network begins, Sony has no ability to detect that either.
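What "detecting movement across the network" looks like in practice is the kind of thing a SOC should already have running. The following is an added example, not code from the original post and not anything Sony runs: it takes constructed Windows-style logon events (the fields, hosts and the account name svc_backup are all made up for illustration) and flags any account that authenticates over the network to an unusual number of distinct hosts in a short window, which is what a compromised, widely trusted service account looks like when it fans out across endpoints.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon events for illustration only (not real Sony logs).
# Fields: timestamp, Windows event ID, logon type, account, source IP, target host.
# Event 4624 is a successful logon; logon type 3 is a network logon.
SAMPLE_EVENTS = """\
2014-11-24T02:58:10 4624 LogonType=3 Account=svc_backup Source=10.20.1.15 Target=FS01
2014-11-24T02:58:12 4624 LogonType=3 Account=svc_backup Source=10.20.1.15 Target=FS02
2014-11-24T02:58:15 4624 LogonType=3 Account=svc_backup Source=10.20.1.15 Target=WS0143
2014-11-24T02:58:17 4624 LogonType=3 Account=svc_backup Source=10.20.1.15 Target=WS0144
2014-11-24T02:58:20 4624 LogonType=3 Account=svc_backup Source=10.20.1.15 Target=WS0145
2014-11-24T02:58:21 4624 LogonType=3 Account=svc_backup Source=10.20.1.15 Target=WS0146
2014-11-24T03:05:00 4624 LogonType=2 Account=jsmith Source=10.20.4.7 Target=WS0211
2014-11-24T09:00:00 4624 LogonType=3 Account=jsmith Source=10.20.4.7 Target=FS01
2014-11-24T11:30:00 4624 LogonType=3 Account=svc_backup Source=10.20.1.15 Target=FS03
"""


def parse_events(text):
    """Parse the constructed 'timestamp id key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(fields["LogonType"]),
            "account": fields["Account"],
            "source": fields["Source"],
            "target": fields["Target"],
        })
    return events


def find_fan_out(events, max_targets=5, window=timedelta(minutes=10)):
    """Flag (account, source IP) pairs whose network logons reach more than
    max_targets distinct hosts inside any sliding window of the given length.
    Interactive logons (type 2) are ignored: a user at a console is not lateral movement."""
    by_actor = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            by_actor[(e["account"], e["source"])].append(e)

    findings = []
    for (account, source), evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            targets = {e["target"] for e in in_window}
            if len(targets) > max_targets:
                findings.append({
                    "account": account,
                    "source": source,
                    "first_seen": start["time"],
                    "targets": sorted(targets),
                })
                break  # one finding per actor is enough to page someone
    return findings


if __name__ == "__main__":
    for f in find_fan_out(parse_events(SAMPLE_EVENTS)):
        print(f"{f['account']} from {f['source']} hit {len(f['targets'])} hosts "
              f"starting {f['first_seen']}: {', '.join(f['targets'])}")
```

The threshold and window are deliberately crude; a real deployment would baseline each service account against the hosts it normally touches, but even this version separates svc_backup sweeping six hosts in eleven seconds from jsmith opening one file share at 9 a.m.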
Third, Sony can't detect abnormal network traffic, such as gigabytes of data leaving the network, possibly over FTP. Giant files being pushed to a remote host are usually what people would call a clue.
Fourth, Sony has shitty firewall rules and router blacklists. No data should leave the network for an untrusted destination without tripping an alarm, and if no alarm tripped it is because Sony was far too liberal about what it allowed in and out of the network, and the routers and firewalls are where that gets enforced.
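The third and fourth points are the same control seen from two sides: the firewall should restrict egress to known destinations, and flow monitoring should alarm when something bulky goes to a destination that is not on that list. The following is an added example, not from the original post and not a description of Sony's network: it runs over constructed NetFlow-style records (the addresses are RFC 5737 documentation ranges, the "approved" external range and the byte counts are invented for illustration) and raises an alert for any internal host that sends more than a threshold of bytes to an unapproved external address, plus an alert on any cleartext file-transfer port to the outside, whatever the volume.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records for illustration only (not real traffic).
# Fields: timestamp, source IP, destination IP, destination port, bytes sent.
SAMPLE_FLOWS = """\
2014-11-24T01:10:00,10.20.1.15,10.20.0.5,445,5242880
2014-11-24T01:12:00,10.20.1.15,203.0.113.77,21,734003200
2014-11-24T01:40:00,10.20.1.15,203.0.113.77,21,891289600
2014-11-24T02:00:00,10.20.4.7,198.51.100.20,443,20480
2014-11-24T02:05:00,10.20.4.7,192.0.2.9,443,1048576
2014-11-24T02:30:00,10.20.2.30,203.0.113.77,8080,1572864000
"""

# Internal space is spelled out explicitly rather than using ip.is_private, because
# Python's is_private also covers the documentation ranges used in the sample data.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed allowlist of external destinations the firewall is meant to permit
# (a hypothetical approved SaaS range, invented for this example).
ALLOWED_EXTERNAL = [ipaddress.ip_network("198.51.100.0/24")]

# Cleartext bulk file-transfer ports that should never be open to the outside.
CLEARTEXT_FILE_PORTS = {20, 21, 69}  # FTP data, FTP control, TFTP


def parse_flows(text):
    """Parse the constructed CSV flow lines into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({
            "time": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def in_any(ip, nets):
    return any(ip in net for net in nets)


def flag_egress(flows, byte_threshold=1 << 30):
    """Return alerts for (1) any flow to an unapproved external host on a cleartext
    file-transfer port and (2) any src->dst pair whose total bytes to an unapproved
    external host reach byte_threshold (default 1 GiB)."""
    totals = defaultdict(int)
    alerts = []
    for f in flows:
        if in_any(f["dst"], INTERNAL_NETS) or in_any(f["dst"], ALLOWED_EXTERNAL):
            continue  # internal traffic and approved destinations are not egress anomalies
        key = (str(f["src"]), str(f["dst"]))
        totals[key] += f["bytes"]
        if f["dport"] in CLEARTEXT_FILE_PORTS:
            alerts.append({"rule": "cleartext-file-transfer-external",
                           "src": key[0], "dst": key[1],
                           "port": f["dport"], "bytes": f["bytes"], "time": f["time"]})
    for (src, dst), total in totals.items():
        if total >= byte_threshold:
            alerts.append({"rule": "bulk-egress", "src": src, "dst": dst, "bytes": total})
    return alerts


if __name__ == "__main__":
    for a in flag_egress(parse_flows(SAMPLE_FLOWS)):
        print(a)
```

Note that the bulk-egress rule fires on the 8080 flow as well as the FTP ones: the point is the volume going to an address nobody approved, not the protocol. The right fix is still upstream, a default-deny egress policy so that most of these flows never complete, with the alert as the backstop for whatever the allowlist lets through.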
Fifth, Sony has a horrible information security policy, unless, of course, they didn't think the data that was stolen was actually of value.
Sixth, the Security Operations staff must have had their heads up their asses to miss all of the indicators of compromise that should have been glaringly obvious. I feel sorry for any of those bastards working in that SOC. I'm sure they will all get fired, and only a fool would put any of them back into a security monitoring job.
Finally, given that Sony once shipped rootkits on its music CDs, I gotta say this hack couldn't have happened to a nicer bunch of guys.