The SONY Hack

Deathmage

You know this whole ordeal with SONY pulling out of "The Interview" is seriously going to undermine a number of things; 1) Freedom of Speech, 2) censorship, and 3) Hollywood as a whole.

I read a tweat online that all this will do is drive people to private the movie and move people father away from going to the theater.

The things that also puzzles me from a IT perspective is you would think Sony would have learned from these mistakes 2 years ago and beefed up their network security, heck even I know that a 3 stage juniper firewall with features like IPS would have stopped DDOS attacks and SQL injection attacks. it just really surprises me that a company like Sony would still have so many 'holes' in there networks...

"This only guarantees that this movie will be seen by more people on Earth than it would have before. Legally or illegally all will see it."

Iristheangel

This is definitely going to be a resume generating event from the executive level down to the IT team. I really feel bad though for anyone working in the security/IT team *if* they weren't given the tools or budget to fix the holes and they made recommendations that were ignore. That's an "if" but I've seen a lot of IT folks recommendations ignored by management because it cost money to make the changes. If anyone was working in any part of IT security at Sony and have to start looking for a job, they're better off taking Sony off their resume because at this point.

MTciscoguy

A good part of my time while in the Army after I was wounded was in electronic security, over 2 years working in the Pentagon working on these types of situations, only it was on the DOD computers and after talking with a few of my friends still working there, this was a targeted attack by some of the best in the world. It did originate in N. Korea but there were some very good Chinese hackers showing them how to do it. Many departments of the Federal government are taking this attack very seriously and alert levels have been raised because of it in certain sectors. It is a shame it happened, but hopefully it will wake some of these companies up to the fact the wars of the future are not going to be fought on the battlefield, but in cyberspace.

Deathmage

Iristheangel wrote: »

I've seen a lot of IT folks recommendations ignored by management because it cost money to make the changes.

Sadly this is 100% accurate nearly 80% of the time. Hence why things hardly ever get done, however it's funny when sh*t hits the fan management always blames it on IT even if they said they didn't want it...

MTciscoguy

Deathmage wrote: »

Sadly this is 100% accurate nearly 80% of the time. Hence why things hardly ever get done, however it's funny when sh*t hits the fan management always blames it on IT even if they said they didn't want it...

Didn't you read that part of the job description, we always take the blame, never get the glory and still have to pay for our own drinks, it was spelled out right there in little tiny letters wrote in lemon juice, you only need to heat the paper so you can read it for about 30 seconds before it fades into oblivion!

JoJoCal19

MTciscoguy wrote: »

It is a shame it happened, but hopefully it will wake some of these companies up to the fact the wars of the future are not going to be fought on the battlefield, but in cyberspace.

I agree with this. Yesterday I was reading a blurb about how the President has been hesitant to release our cyber warfare team to go on the offensive but now with not just the hacking itself but essentially the cyber-terrorism aspect, that may change.

tpatt100

JoJoCal19 wrote: »

I agree with this. Yesterday I was reading a blurb about how the President has been hesitant to release our cyber warfare team to go on the offensive but now with not just the hacking itself but essentially the cyber-terrorism aspect, that may change.

I doubt the US is just about to go on the offensive "now" lol. Well at least hopefully this will increase opportunities/job security for all of us.

the_Grinch

Goes to show that you need to document, document, document, and when you think you have enough document some more. When the music stops playing you don't want to be the only one at the table without a seat. Working in regulation my greatest tool is email. I can show what I said and asked so in the event I get called in or have to go to court I can say here is what I said/did.

Sony didn't learn the last time this happened and it shows that by not penalizing companies heavily for their failures they will continue with business as usual.

JoJoCal19

tpatt100 wrote: »

I doubt the US is just about to go on the offensive "now" lol. Well at least hopefully this will increase opportunities/job security for all of us.

Oh I'm sure it's not like they've been sitting around doing nothing But I do think opportunities and job security in the InfoSec realm will definitely increase.

Deathmage

the_Grinch wrote: »

Goes to show that you need to document, document, document, and when you think you have enough document some more. When the music stops playing you don't want to be the only one at the table without a seat. Working in regulation my greatest tool is email. I can show what I said and asked so in the event I get called in or have to go to court I can say here is what I said/did.

Sony didn't learn the last time this happened and it shows that by not penalizing companies heavily for their failures they will continue with business as usual.

document everything but encrypt that excel document and then password protect it with a 20 digit code with special characters...

that's what I did at my last job before I left, I made one document with only the subnet information but the other document that everything in it was a 650 tab excel spreadsheet (350 MB's in size, if anyone knows a excel document you know that's one beefy and taxing file), to this day my former boss calls me from time to time because he forgets the passcode. I found out from a former colleague that the current MSP tried for a week to crack the excel document before calling me, so I think that's pretty impressive..

but needless to say I was looking forward to this movie but things like this make me push harder toward my goals. I want to be fluent in security but VMware is what's 'hot' in my area so that's my focus but Network Security is so much in demand it's not even funny because working for a MSP you get to see how naive companies are to security of any form it's astonishing...

but baby steps, need to get infrastructure down 1st but Networking + Virtualization + Security could be interesting, leave Windows to a Microsoft nerd (I know enough to get Windows working and stable but not MCSE stuff, but hey that's what google is for)

JoJoCal19

Deathmage wrote: »

I want to be fluent in security but VMware is what's 'hot' in my area so that's my focus but Network Security is so much in demand it's not even funny because working for a MSP you get to see how naive companies are to security of any form it's astonishing...

but baby steps, need to get infrastructure down 1st but Networking + Virtualization + Security could be interesting, leave Windows to a Microsoft nerd (I know enough to get Windows working and stable but not MCSE stuff, but hey that's what google is for)

That's funny, I've been working in InfoSec for 8 years, but would love to move over to Virtualization, but I am not in a position to start over at the bottom of the Virtualization ladder paywise.

YFZblu

From a defender's perspective, it must be a really gut-wrenching feeling to see virtually everything get taken. Generally, security people have this macabre fascination with seeing technology abused in novel ways; I do at least. But nobody wants to experience it at this level. In terms of this being a resume' producing event, that might matter for some people - the fringe security folks who got lucky and entered an expanding field. But for dedicated professionals, they won't have issues getting a job in California where (as least some of) the team is based.

I haven't gotten very deep at all into the technical aspect of what happened at Sony, besides hearing what was taken/released. That being said I am not very many degrees separated from actual information about their infrastructure. What I can say, is that Sony's network was not defensible to begin with. One could be quick to blame the security team for that; however today's security ecosystem is often comprised of several security teams that do not communicate. The Operations/IR guys may simply be firefighters who arrive on the scene to clean up, and not people that are empowered to elicit real change in the environment. Meanwhile the risk/policy/standards people may have a completely separate leadership structure and goals. Often times both just punt to each other without any real meaning. I'm not saying that last part is exactly what happened at Sony, but it does happen at a lot of places.

.02

Edit: Today I noticed a tweet that Newt Gingrich posted. He stated that the Sony incident marks the United States losing its first 'cyber war'. It's really concerning that people at his level are so uninformed about cyber and its history.

colemic

Does anyone know if cyber insurance policies have a act of war clause? I don't think NK is behind this, but if Sony's policy had one, given that the US gov. has effectively blamed DPRK for the attack, if I were an insurer, that would be good enough for me to deny a policy payout... just thinking out loud here.

Deathmage

ROFL, I made a post on there facebook page and just a second ago I had a attempt to gain access to my home network with the IDS on my Sonicwall triggered and then my ASA 5505 right behind the Sonicwall with IPS blocked it, needless to say just changed the Sonciwall to IPS, thought that was cute.... gotta love gateway firewall protection...

Cyberscum

You will never be able to completely defend against a determined criminal(s). They had a target and exploited it. Even if Sony had a more hardened posture it still would have happened. Security is an illusion.

Chivalry1

My problem with this are the public individuals/Sony senior executives thinking the government should step in an fix/correct/investigate this incident. These are the same individuals that complain about "big" government. Excuse me.....I am a tax paying citizen and I don't want a single dime of my tax dollars going to Sony's Information Security negligence. Are we going to do this each time there is an attack on a American company. The irony of it all is they get caught sending racist emails about the President; then turn around and ask the government for help. (GTFO)

Like most corporations....I guarantee 99.9% that Sony's Information Security team had been informing senior management about potential threats but they ignored. This is normally the case for most companies but Senior Executives are too worried about the profit margin. I went to the movies the other day and payed $8.25 for a ticket. Sony makes billions a year, let them fit the bill and respond to there attackers. Sorry Sony hire appropriate Information Security Staff/CISO/Auditors or suffer the consequences instead of crying to the government like a wussy!!!

--chris--

Chivalry1 wrote: »

My problem with this are the public individuals/Sony senior executives thinking the government should step in an fix/correct/investigate this incident. These are the same individuals that complain about "big" government. Excuse me.....I am a tax paying citizen and I don't want a single dime of my tax dollars going to Sony's Information Security negligence. Are we going to do this each time there is an attack on a American company. The irony of it all is they get caught sending racist emails about the President; then turn around and ask the government for help. (GTFO)

Like most corporations....I guarantee 99.9% that Sony's Information Security team had been informing senior management about potential threats but they ignored. This is normally the case for most companies but Senior Executives are too worried about the profit margin. I went to the movies the other day and payed $8.25 for a ticket. Sony makes billions a year, let them fit the bill and respond to there attackers. Sorry Sony hire appropriate Information Security Staff/CISO/Auditors or suffer the consequences instead of crying to the government like a wussy!!!

I agree 100%, but I will play the devils advocate.

The US gov already works to protect, investigate and secure US corporate interest world wide in a physical/strategic sense. Why wouldn't they step in when an attack occurs on US soil? Anyone remember the Maersk Alabama?

UnixGuy

Cyberscum wrote: »

... Even if Sony had a more hardened posture it still would have happened. Security is an illusion.

I don't have enough knowledge in the security field but this is alarming. So you think if there is a criminal group that wants to target a bank for example, would they be able to do damage to financial records/transactions etc etc EVEN if there are PROPER security measurements? If there is proper security/forensic readiness, wouldn't there be a guarantee to consumers?

E Double U

Cyberscum wrote: »

You will never be able to completely defend against a determined criminal(s). They had a target and exploited it. Even if Sony had a more hardened posture it still would have happened. Security is an illusion.

My old SOC manager said that same exact thing during my interview. He said we make the customer feel secure, but if someone really wants to get you, they will.

docrice

Security efforts and readiness come down to knowing your environment in-depth, having the data to identify potential issues, actively monitoring across these data points with the ability to validate events correctly, having the resources to respond in a timely manner, and most importantly having the existing policy groundwork laid out to be able to get it done. Infosec I feel tends to be brushed aside by management at most organizations (except for lip service) because it tends to be high-maintenance, resource-intensive, business disrupting, and only superficially understood. It's mostly about compliance and passing the audit first, and then cleaning up the mess later. Remember, those quarterly numbers have to please shareholders and if you can roll the dice and hope it doesn't happen to you...

cyberguypr

+1 on what docrice said.

If you talk to any real Infosec pro they will all tell you the same: NOTHING is completely secure. Richard Bejtlich touched on this topic the other day. You need to understand the the good guys just can't keep up with with the bad guys. They are always ahead of the game. So how do you play ball? Assume you'll be compromised at some point and just focus on early detection and containment. Understand your assets, your vulnerabilities, monitor egress, restrict lateral communication, continuously monitor your systems, use DLP, and a zillion other things. And the point where a lot of companies fail: have talented people doing analytics on all that stuff being monitored. Otherwise, it just a bunch of fancy flashing lights.

tprice5

cyberguypr wrote: »

And the point where a lot of companies fail: have talented people doing analytics on all that stuff being monitored. Otherwise, it just a bunch of fancy flashing lights.

If a network monitor triggers an alert and no one is around to read it, did it really happen?

.... or something like that. lol

JeanM

Very good points guy! Good read, I feel for the guys who got affected by this

Cyberscum

UnixGuy wrote: »

I don't have enough knowledge in the security field but this is alarming. So you think if there is a criminal group that wants to target a bank for example, would they be able to do damage to financial records/transactions etc etc EVEN if there are PROPER security measurements? If there is proper security/forensic readiness, wouldn't there be a guarantee to consumers?

Of course they could get in if they wanted, that is why the whole defense in depth concept is practiced.

The goal is to make it so difficult or unattractive that A:the target becomes less desirable compared to other low hanging fruit or B:The hacker takes so much time penetrating through layers they get noticed.

Think about it this way. A security guy has no idea when, how, or what someone is going to attack at any given time. A hacker has the advantage in any given situation because they have the element of surprise.

And there are no proper security measures that you speak of.

To enable businesses to utilize technologies you introduce security vulnerabilities alongside those technologies. For every service we provide to our customers I can list 3-4 vulnerabilities these services have with no patches or no possible way to mediate the vulnerability aside from no longer using the service…

Its all comes down to how much risk a CEO or executive is willing operate with…..But no, you cannot secure everything.

tpatt100

Lol in the near future bike couriers will become "cyber runners".

Madonna turns to the sneakernet after album leak
After her next album gets leaked, Madonna's team gets serious about security.

Sony Pictures isn’t the only entertainment giant dealing with a massive breach.

Music icon Madonna quickly released six tracks from her latest album last week after someone stole 13 prereleased recordings—reportedly the entire album—and leaked them to the Internet. The Material Girl is now keeping all of her production material off the networks, requiring her production crew to avoid wireless and deliver files by hand-carrying hard drives, according to an interview with Billboard magazine published on December 21.

“We don’t put things up on servers anymore,” she said. “Everything we work on, if we work on computers, we’re not on WiFi, we’re not on the Internet, we don’t work in a way where anybody can access the information.”

It’s uncertain when the attack happened. A single track from the album, "Rebel Heart," appeared online in November, leading the musician and her manager, Guy Oseary, to castigate the perpetrators. While the stolen music could have been leaked by an insider, the additional release of unpublished pictures of Madonna suggests that online attackers somehow gained access to her personal systems.

“I would be grateful to any @madonna fans that can assist us in finding those responsible for the leak,” Oseary tweeted on November 28. “We appreciate your help.”

UnixGuy

Cyberscum wrote: »

...

B:The hacker takes so much time penetrating through layers they get noticed.

...But no, you cannot secure everything.

See, I think what you described in point B is how you actually secure something. If it makes the hacker noticed and stopped, then this is one way of securing something or maybe it's one way of giving some kind of a guarantee?

Cyberscum

UnixGuy wrote: »

See, I think what you described in point B is how you actually secure something. If it makes the hacker noticed and stopped, then this is one way of securing something or maybe it's one way of giving some kind of a guarantee?

I see what you are saying, but this is a generalization I was making. Without writing a page worth of details…

To achieve the true defense in depth posture you are speaking of would be impossible by most measures because of lack of funding, lack of trained personnel, lack of certified devices, lack of trusted partners, lack of attention, lack of concern, lack of legal pressure etc...

This is all negating the fact that most government sponsored missions bypass these defense devices with little to no problems.

But yes, companies out there use the defense in depth architecture to make money off companies that feel "kinda guaranteed security." Although I do not know of one company that offers a guarantee, if they do it is because they are making so much money they can afford the lawsuits.

JustFred

I personally love this. I could look at it all day.

Norse - IPViking Live

Verities

Interesting read...Norse thinks the Sony hack started internally and then expanded to hacktivists: Norse – Norse Investigation Focusing on a Small Group, Including Sony Ex-Employees

Cyberscum

Verities wrote: »

Interesting read...Norse thinks the Sony hack started internally and then expanded to hacktivists: Norse – Norse Investigation Focusing on a Small Group, Including Sony Ex-Employees

These companies like Norse and Fire eye are doing their own investigations of the crime from a million miles away.

From what I understand, when an attack is suspected to be from another country involving a foreign government the case is handed over to the government to investigate the crime and the severity of the incident. I highly doubt that Norse and Fire Eye are working with relevant evidence or with the same evidence the FBI has obtained. The FBI has made it known that there is information that they cannot disclose for investigative purposes so I think that these private security companies are trying to get some free publicity.

http://www.politico.com/story/2014/12/fbi-rejects-alternate-sony-hack-theory-113893.html