The SONY Hack

Node Man · December 2014

Hi Everybody,
I have nearly no involvement in network security but I am curious for informed opinions about what the SONY Hack means for the networking world. I didn't see any posts about it yet. So anyone have any opinions? Is this good or bad for networkers or security people?

Thanks!

tprice5 · December 2014

Node Man wrote: »

Is this good or bad for networkers or security people?

I would say good. Increased demand and job security.

JB3 · December 2014

For those following it, this is the best write-up I've seen so far: https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/

slinuxuzer · December 2014

So I made it about half way through the article posted by JB3, I am not 100% sure, but I have heard that their overall Infosec team was unbelievably small and the number of managers above said team out weighed it by several fold. That said I have seen that scenario many times in the past, management gets too comfortable and starts dolling out promotions like crazy to everyone they are fond of. Sadly some organizations have to learn the hard way that IT isn't something you should play around with.

To some degree this is good for the IT job market, specifically in security, it SHOULD be a wake up call to other companies.

tprice5 · December 2014

JB3 wrote: »

For those following it, this is the best write-up I've seen so far: https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/

Yeah I read the whole thing and it was A LOT of information. Seems as if malware titled, BKDR_WIPALL, along with some pretty poor security practices at Sony are responsible for the breach.

MTciscoguy · December 2014

slinuxuzer wrote: »

it SHOULD be a wake up call to other companies.

And there is the key, it SHOULD be, but will it, after all of the large hacks that have happened in the last year, it doesn't seem to be the wake up call they need or they are simply living in a Nirvana state, thinking it will never happen to them!

techfiend · December 2014

I think this one will be a wake up to other companies especially if it basically destroys a giant company. It's already taken a huge hit. The past hacks were mainly consumers taking the brunt of it, and most companies look at consumers as just another number. The consumer has a voice by no longer using the service but they've always recovered by taking a little loss to sell something much cheaper than other places to get the consumers back.

What looks really bad is security minded companies getting hacked, like avast. That must really change companies minds on spending money on security.

Edificer · December 2014

Damn. Sad times for Sony, they got whooped! It mention an 'unique malware' not seen before, and undetectable by antiviruses. The North Koreans?? Right, more like trained Chinese and Russian hackers.

tprice5 · December 2014

Edificer wrote: »

Damn. Sad times for Sony, they got whooped! It mention an 'unique malware' not seen before, and undetectable by antiviruses. The North Koreans?? Right, more like trained Chinese and Russian hackers.

Only a select few people in North Korea even have access to the internet. The idea that this originated from them is laughable. Chinese or Russian for sure.
And Sony CEO was calling it unique, the article stated that it was believed to have been used in several earlier attacks. The scary part is that this malware is probably sitting on some server harvesting data right now, or even scarier, malware that we don't even know about (looking at you, NSA).

I kind of wish the part about using sony's own servers to seed the torrent would have been true. That would have been brilliant.

the_Grinch · December 2014

They fell into the same trap that most companies fall into. You buy several products that tell you that you'll be able to do more with fewer people. You promote some people, never fill the positions, and then keep what's left to do the work. One of the big questions is if their response is the way to go. Allegedly, Sony has been counterhacking the websites that have posted the leaked information.

This mirrors exactly what happened with the Sands hack. They had a team of two people working on the security of their entire organization. It got so bad, like Sony, they took to unplugging PCs so that they didn't wipe themselves. Luckily, the attackers (at least at the moment), didn't appear to go after the core infrastructure. Now they either stopped or they set up a foothold that they'll utilize later.

No analysts leads to the above two cases. What they spent on license fees and consulting they could have built a team who utilized open source products to gain the same visibility, but actually have the ability to respond to the first incident that occurred.

Khaos1911 · December 2014

I feel for my company, only 8 of us on the security team and only 5 of us really know Security, supporting 100,000+ employees.

docrice · December 2014

I haven't taken any surveys, but I'd guess that the "too small of a security team" story is probably very common among most organizations. Technical security is almost always a complex endeavor that might seem like black magic to non-technical management and it's easy to be seduced by the idea that new tools/firewalls/endpoint agents/SIMs will reduce the need for additional headcount. I think most businesses don't have a strict level of consistency from device to device, machine to machine in order to make security management via a small team really practical.

For most business leaders the main concern is the bottom line and IT security is expensive, high-maintenance, typically business-impacting, and it makes the numbers on paper look bad. We're in an age where they're starting to feel the heat (although it's still relatively rare) and the accountability and spotlight is starting to shine brighter from shareholders and news media.

Senior management is there to take those risks. In a time where first-to-market and meet-quarterly-numbers is prioritized, I'm sure they're hoping to dodge the bullet by placing investments in areas which are easily sellable during earnings calls. Maybe for Sony this event might be a catalyst for change, or it may be bucketed as an acceptable short-term trade-off and written off as a temporary problem to weather through. It's pretty damning what's happening to their reputation right now. We'll have to see if there's a cultural change after all this.

In any case, I think the pace of technological evolution and the risks that come with it has increased the knowledge gap for many in management so they're not really able to estimate the impact from these attacks. Most people when under pressure would rather just throw money at the problem and hope it'll go away. There's a reason why all the security vendor literature is littered with fancy phrasings like ROI, threat-mitigation, and the like.

tpatt100 · December 2014

Small security team is one thing, management willing to listen to small security team is another.

Holy crap definitely saving the link JB3 posted......

MSP-IT · December 2014

Khaos1911 wrote: »

I feel for my company, only 8 of us on the security team and only 5 of us really know Security, supporting 100,000+ employees.

I don't even want to know.

the_Grinch · December 2014

One thing I tend to believe is that it is the age of management that is partially getting in the way. You have to figure most never dealt with the sort of technology or threats when they initially came up. Now they're in-charge of teams that they have no understanding of. When you lack understanding, as others have stated, you fall for the buzz words the vendors throw at you.

tkerber · December 2014

Khaos1911 wrote: »

I feel for my company, only 8 of us on the security team and only 5 of us really know Security, supporting 100,000+ employees.

You know having diverse experience myself and having worked for some fortune 500 companies I can say this doesn't surprise me in the smallest way. Companies just don't see security as a necessary expense until something actually happens. I'm also a motorcyclist and know a lot of riders who don't wear helmets because they're uncomfortable and clunky, etc... Well you sure will wish you were wearing a helmet if you crash and survive to be missing your face or part of your head.

I find even worse sometimes are small to medium sized businesses... I once did some work at a smaller law firm (10 - 20 people) when I was a Network Administrator Consultant for an MSP and I WILL NOT say their name. They were a completely new client to us and so I initially did sort of inspection of their infrastructure and talked to the main contact to get as much information as I could. After ten minutes of talking to him and looking around I was astonished at my findings.

- One small Netgear wireless consumer grade router with all default passwords and user names / default config and basic 'firewall'
- Their 'server' was an old IBM desktop with no backup or redundancy and probably 10+ years worth of files on it with an expired AV subscription
- Some of their PCs were still on XP -- including their server

Sad thing is that this was actually pretty common and any 10 year old kid could have logged into their wireless, connected to their file server and had their way with 10+ years of invaluable company information and documents. When we tried to sell these people an enterprise grade firewall and better storage solution they were appalled by the price and did not budge. It's crazy that people trust companies like this with their information. My home network is undoubtedly more secure than most of the networks I worked on.

the_Grinch · December 2014

tkerber man that reminds me of the MSP I worked at. Salesperson would go out, sell them on the service, and then we'd do our initial infrastructure check. They'd ask no questions (we really needed pre-sale engineers) so you never knew what you were walking into. The minute you told them what they needed to be up to spec and they'd simply say "we've done this well with what we have we'll just keep going." One client was sold VOIP to lessen their phone bill, but the salesperson never asked what their internet connection was like. It would drop constantly and of course they'd lose their phones. Let's just say they didn't stay a customer for long....

tpatt100 · December 2014

Last government contract I was on as the auditor, every person that was in an IT role that I called for documents referred me to "one" person. come to find out he "was" the only security/network person that knew IT.

techfiend · December 2014

I didn't realize getiing a network up that 'just works' was so common in SMB's. Just getting started in the field and that's the first thing I noticed at my current position, it isn't as insecure as I originally thought. Nothing like what tkerber mentions and you'd think a law firm would be very focused on security, maybe it wasn't in their budget.

MSP-IT and others in the twin cities how accessible is a security position around here? I saw very few when I was job hunting. Given the tiny IT staff at companies these days it's not surprising IT unemployment is high, it's a shame. Are MSP's partially to blame?

tkerber · December 2014

@ the_Grinch -- Haha "VOIP uses the internet? Like the same internet my Facebook uses?" Did we work for the same MSP?

@ techfiend -- I can't speak for security because I'm not really in that field. However, the IT market in the Twin Cities seems to be pretty hot if you have some decent experience and exposure. I get calls a lot and there seems to be a lot of Systems Administrator / general support type of roles. I know downtown has some smaller tech companies and a newer tech scene where as the suburbs is mostly established businesses.

One thing I will say about security is that I think it's mostly just a sign of the times. When the market crashed companies had to cut back and make decisions just to stay afloat. Although security is 100% necessary a lot of companies seem to be okay with just shrugging it off and getting away with the bare minimum which is only their fault. I worked at several companies that didn't address blatant security flaws solely because they didn't have the money to. A long with the beautiful story I posted above I was also remote support for over 1,000+ retail stores earlier on and one day noticed every store I was logging into was getting brute force attacked and it was taking their POS terminals and server down to their knees. I reported the logs to management and wrote up a big document with my findings. A long with this I told the customers (store owners) the issue and that I was working to resolve it.

After I sent the email to my manager he firmly warned me to never do that again and told me next time he WOULD write me up for telling the customer. Apparently upper management had known about these attacks and they were happening for years due to the company using an outdated version of Symantec pcAnywhere code. They didn't currently have time or money to address it and we had no security personnel of our own - just an internal Network Admin and us (the customer facing support). I'll just say I didn't work there for much longer and due to terrible security policies and implementation I will never shop or swipe my credit card anywhere near any of their stores.

--chris-- · December 2014

techfiend wrote: »

I didn't realize getiing a network up that 'just works' was so common in SMB's. Just getting started in the field and that's the first thing I noticed at my current position, it isn't as insecure as I originally thought. Nothing like what tkerber mentions and you'd think a law firm would be very focused on security, maybe it wasn't in their budget.

MSP-IT and others in the twin cities how accessible is a security position around here? I saw very few when I was job hunting. Given the tiny IT staff at companies these days it's not surprising IT unemployment is high, it's a shame. Are MSP's partially to blame?

That is very common at smbs. They pay for a business outcome that is either necessary to do business or enables them to make more money. They usually don't even consider security beyond the username and password needed to login to windows or an ERP.

Blanket statements are bad, so I will say there are a few smbs that actually request security and are willing to fund it. I've seen two. Out of a hundred lol.

MSP-IT · December 2014

techfiend wrote: »

MSP-IT and others in the twin cities how accessible is a security position around here? I saw very few when I was job hunting. Given the tiny IT staff at companies these days it's not surprising IT unemployment is high, it's a shame. Are MSP's partially to blame?

Having had a resume out for the past 3 months or so, I'd say the 60%+ of the security positions are in healthcare. You'll find a lot of openings for Mayo, HealthPartners, UnitedHealth, Univita, Prime Therapeutics, etc. Healthcare is something I'm actually actively trying to avoid, tbh. This is primarily one of the main reasons I'm attempting to relocate. If you are trying to find a job, I'd recommend working with TekSystems here in Bloomington.

--chris-- · December 2014

MSP-IT wrote: »

Having had a resume out for the past 3 months or so, I'd say the 60%+ of the security positions are in healthcare. You'll find a lot of openings for Mayo, HealthPartners, UnitedHealth, Univita, Prime Therapeutics, etc. Healthcare is something I'm actually actively trying to avoid, tbh. This is primarily one of the main reasons I'm attempting to relocate. If you are trying to find a job, I'd recommend working with TekSystems here in Bloomington.

Ive worked next to security roles in a larger hospital, they were always considered a "hassle" (obstruction to work) and viewed as an expense that was necessary because of compliance (much like the ERP mandate).

That does not sound like a fun environment.

MSP-IT · December 2014

--chris-- wrote: »

Ive worked next to security roles in a larger hospital, they were always considered a "hassle" (obstruction to work) and viewed as an expense that was necessary because of compliance (much like the ERP mandate).

That does not sound like a fun environment.

My thoughts exactly, and this is primarily the reason I want to avoid it.

techfiend · December 2014

I can understand avoiding healthcare and that and retail is what's big around here. I asked because I'm trying to decide between going with my current plan at wgu of security or switch to network admin to please my current employer.

I'm happy where I am now, a JOAT in training at an SMB. I worked with TekSystems for an opening at prime but they never got back to me, it was in the southern suburbs and I'm north. A 2 hour commute on a morning like today isn't unrealistic. I interviewed at UHG help desk but didn't get it, Medtronics is around here but their hours are terrible, I didn't even consider them. Did Target ever hire security after their breach? I don't remember seeing openings.

It seems almost everyone in security on TE is working in government. Given the lack of government agencies around here I think a relocation would be necessary to really get into security. I have a passion for linux but my heart isn't into locking systems down to the point of it being a hassle to use.

Things keep getting worse for Sony, now their employees are suing them, hopefully it wakes up other companies for the sake of people in or trying to get into the security field. This has to be the worst public display from a company dealing with a hack that I've ever seen. Trying to take down every leak in a very weird manner that hasn't and won't work. Now, weeks later, when leaks get more damaging they start giving in to the original demand of pulling 'the interview'. I never thought a few kids could make a large company look like such fools.

Shdwmage · December 2014

It is funny, I work for a records archive company and we have far more stringent security in place than what Sony did. Because we are an archive we fall under more than a dozen different security laws. We work towards the most strict standards HIPPA/PCI, and we even pay external auditors to try and penetrate our network. All of this just for a bunch of boxes, and Sony which has far more valuable data just stands there with its pants down bent over for the world to see. Pretty sad.

Params7 · December 2014

Just read that Amy Pascal (the person who pretty much turned Sony Pictures around) might be resigning over personal emails which were leaked. Also Sony has halted production of all its films at the moment. This hack is affecting them worse than those PSN hacks ever did. I wonder if Sony will learn after this and strengthen security in not just departments which are hacked but throughout the organization.

HorizonThief · December 2014

techfiend wrote: »

I never thought a few kids could make a large company look like such fools.

Weren't recent reports indicating a professional Chinese attack?

I hope it was a group of kids because that revelation, I'm sure, would be the icing on this disastrous cake...

techfiend · December 2014

Today it's North Korea... again, but I think the odds are on some freelance hacking group, who aren't necessarily young enough to be kids but they are doing childish things.

wes allen · December 2014

"These are armies, not introverted smart kids"
--Dual Core

US government fingers North Korea as the Sony hackers | Ars Technica

I think this is a good read as well:

Errata Security: All malware defeats 90% of defenses

--chris-- · December 2014

techfiend wrote: »

I can understand avoiding healthcare and that and retail is what's big around here. I asked because I'm trying to decide between going with my current plan at wgu of security or switch to network admin to please my current employer.

Its worth mentioning that the security folks at the hospital didn't really seem to care. They seem to know that the experience they were getting would help them later on in life and were content with that. They did their jobs, appreciated the people who wanted to help them and ignored almost everyone else.

The SONY Hack

Comments