One aspect of information security that many managers, administrators and CISOs haven't thought about is what they would do if everything just stopped. What would happen if the network was effectively disabled? If files and emails disappeared? If sensitive information got exposed?
That's exactly what Sony Pictures Entertainment had to deal with in its recent network breach. In the wake of the Sony Pictures hack, several outlets have revealed the company had major holes in its network security, including a lack of monitoring, incomplete inventory of corporate devices, and minimal backup and failover capabilities.
In hindsight, there are a number of enterprise network security lessons that can be learned by investigating what Sony could have done better or differently. Considering what's known about the breach and its environment beforehand, here are five things that may have helped Sony avoid its data breach fate.
Get the right executives on board
Every business has its own priorities. Still, too many times executives are not truly on board with what's taking place. Interestingly, the first head to roll after the Sony attack was not an executive responsible for security, but rather a co-chair of the company who made derogatory remarks about the president of the United States. This speaks volumes. It hasn't happened yet, but at some point, we'll reach a tipping point where business leaders will see information security as a core business function rather than a mere task the IT team is handling. Security professionals must find the ear of someone at the top and then develop that relationship and work on better communicating the need -- and value -- of security to those in charge.
Fix the network security intelligence problem
A majority of enterprise security analysts and managers don't have a true picture of what's really taking place on the network. There are too many moving parts and not enough technology to provide the visibility needed to gather the proper information and make good decisions, which makes network security intelligence a difficult task. Or perhaps those that have the technology are not using it properly at the endpoints, in the cloud and everywhere in between. Be it a training problem or a timing problem, security "intelligence" may exist in spirit, but there's often no substance. The solution? Enterprises could outsource network monitoring and alerting to someone who has the tools and expertise to do it well -- it's really that simple.
Treat advanced persistent threats seriously -- and do malware protection the right way
As much as they're overhyped by vendors and the media, advanced persistent threats (APTs) are real. There's no telling how long Sony's network was compromised before the attack; a recent report even claimed that it's still infiltrated. On the same note, organizations should stop relying on traditional antimalware software. Many high-profile breaches were executed even though the enterprise's computers were protected with name-brand antimalware software. Relying on such a weak control as a last line of defense for enterprise security is a dead end. Instead, enterprises should use technologies that look for odd network protocols and DNS queries, and implement whitelists that only allow specific executables to run; these strategies are far more effective.
Update the software that's being exploited
As each year passes, it becomes more shocking how many people ignore the reality that unpatched software facilitates network breaches. "It will break stuff" is no excuse not to upgrade. Find a way. Organizations can do this by fixing their existing patch management program. Move beyond Microsoft's SCCM if needed and invest in a third-party tool that will help manage all patches across the board, third-party patches included. Unless and until enterprises get a handle on patching the buggy software that criminal hackers are seeking to manipulate, practically all other network security measures are moot.
Change the approach to passwords
Apparently Sony was known for its weak approach to passwords. It's becoming tiresome to keep revisiting the password problem in 2015, several decades after what it takes to resolve the issue became well known. Still, it's a problem that's not being addressed -- mostly for political/cultural reasons. Again, that's no excuse. Enterprises likely already have a password policy. What most organizations need is a technical means for enforcing policies across all enterprise systems, even those that executives use. This goes back to my earlier point: Management has to be on board with security if it's going to work.
Could these five actions have prevented the Sony Pictures hack from occurring? While there's no way to know for sure, research has shown time and again that most security breaches are the result of people ignoring proven security basics. At this point, it's water under the bridge; the circumstances cannot be changed. Sony must now learn from its security shortcomings and tweak its philosophy and tactics to minimize the risk of a breach happening again.
In the end, every organization's security is lacking in one area or more; Sony Pictures just got called out on it and made the headlines because of its name recognition and the political slant to the breach.
Whether or not an organization plays at this level is irrelevant; it can still be a target. The Sony Pictures hack cost that organization and movie theaters dearly. Private businesses cannot fight sovereign nations such as North Korea, which many believe is behind the Sony attack. As clearly indicated by the Sony breach, the government is not going to be there to provide protection. Even less visible or non-politically motivated attacks can cripple the most seemingly resilient of enterprises.
While organizations can have all the "cybersecurity" the government wants to bestow upon them, it won't matter if the enterprise itself is still part of the problem and facilitating threats by having lax security measures.
Starting today, organizations must do what they can to pull their own security weight. Learn from the mistakes of Sony Pictures and others, but be sure to do what's best for the organization's specific business needs -- not what the researchers, analysts or vendors claim is best.
One thing is certain: If an enterprise doesn't follow the core security approach of knowing what it already has, understanding how it's at risk and then taking the proper steps to do something about it, a security breach is inevitable.
About the author:
Kevin Beaver is an information security consultant, writer, professional speaker and expert witness with Atlanta-based Principle Logic LLC. With over 26 years of experience in the industry, Kevin specializes in performing independent security vulnerability assessments and penetration tests of network systems, as well as Web and mobile applications. He has authored/co-authored 12 books on information security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website and follow him on Twitter at @kevinbeaver.