The cyber attack on Sony Corp. was stunning not just in the breadth of the hackers' reach into Sony's assets, but also in Sony's wide-open vulnerabilities. Given Sony's blatant security holes, it's not surprising the company is now facing lawsuits from some of those who were damaged by the attack.
The hacking revealed that Sony failed to protect itself in two very basic areas of confidentiality and security: one that is stupidly simple, and another only slightly more complicated. The first lesson is basic email discretion; the other is internal asset protection. In an upcoming article we talk with security experts about the finer points of the attack. For now, let's consider some of the surprising weaknesses in Sony's IT world.
Watch what you say in emails
The embarrassing emails from Sony executives, staff, and affiliates boggle the mind. Didn't we all learn this lesson 15 years ago? Email is a document that goes public as soon as you click "send." The people who receive your emails can share them with whomever they want. In most cases they are not legally restrained from forwarding the emails they receive. And believe me, they often do. Sony Pictures Entertainment co-chairman Amy Pascal and producer Scott Rudin embarrassed themselves in emails that spewed nasty slights on their collaborative business partners. Just like teenagers.
You can certainly understand the need to talk honestly about team members when projects go off-kilter. That's when you pick up the phone -- and not to send a text, which is also a document out in the world. It's astounding that corporate leaders of such a major enterprise would allow their immature gripes, attacks, and outright smears to go public. Even if the corporation had not been hacked, there's a decent chance those emails would have been circulated if one of the executives receiving them had a falling out with those who sent them.
Take the casino approach to internal security
The casino approach to IT network security is becoming widely accepted, since it includes the concept of protecting individual internal assets. At a casino, the security team realizes it can't keep all the bad guys out of the building without also barring customers. So the strategy is to protect each individual asset within the casino. Corporate and network security is beginning to take the same approach. Let's assume the bad guys will breach the perimeter. Now let's protect our assets.
In the Sony attack, it looks like the hackers had carte blanche once they entered the company's IT gates. A stolen administrator's password seems to have given the hackers access to all of Sony's corporate jewels. This included payroll records (salaries, medical records, Social Security numbers, home contact info, everything). It also included emails and diverse digital files such as unreleased movies.
If the individual assets had sufficient protection, the hackers would not have been able to crack those jewels before the perimeter breach was detected. Welcome to the brave new world of embedded security. Sony could have used some.