Writing with a strong opinion on current events, with frustration still red hot in the veins, is risky.
First, by the time your words are in the wind, events may have changed, and in hindsight your supposed facts may be erroneous and your passion misguided. Second, it's too easy to turn emotion into finger-pointing and sweeping generalization (dicto simpliciter) against hard-working network admins toiling in the middle of an unprecedented, epic fail. "I of course would not have made that rookie mistake." Harrumph. But the biggest danger is that you're likely to go way out on a limb with speculative statements.
So, consider yourself warned. Because I think it's possible that the Sony hack is an ineluctable tipping point, one that could mean nothing short of the end of enterprise Internet connections, and perhaps even of some enterprises, as we know them.
Alternative to cowardice
What got me boiling was not Sony's capitulation when it initially canceled The Interview release. It's easy to proudly protest the hackers by attending a screening at a suburban megaplex, but I might have been less eager in Times Square on Christmas Day. Sony was probably more worried about something random like Aurora, Colo., than the Democratic People's Republic of Korea. We can't blame them for that, especially while trying to make decisions with crippled infrastructure. I do, however, have some choice words for another studio that pulled Team America: World Police from a replacement protest showing. Even as an unhacked, unrelated company, they're so scared that they pulled a years-old film.
Sony is bailing water and defending itself as best it can. The other studio publicly cowering in fear, however, merely emboldens future attackers by demonstrating the enormous effectiveness of network terrorism. Will MGM pull the Red Dawn reboot from Netflix or Die Another Day from iTunes? Across the United States, admins, especially security and compliance engineers, are being called to executive offices and asked the same question: "How do we prevent this from happening here?" And again, executives don't like that we have the same answer as five years ago, because it involves cost.
Taking the "E" out of e-commerce
With the Sony hack, the grim reality, teased by hundreds of security failure anecdotes, is laid bare. No one is safe. We're not talking about a Target-level "oops, we lost $400M, we'll recover" compromise. This is the first exposure of a new invisible hand with the power to circumvent the most basic tenet of the corporation: self-determination. Moreover, with the right influence, entire industries or even nations will be vulnerable to unprecedented coercion.
Consider the recent JPMorgan hack. In Sony's case we're talking about an entertainment company. We expect they'll bemoan Adam Sandler movies in email like the rest of us. But what could an attacker do after secretly compromising JPMorgan? What do its emails contain about US financial policy, international markets, major corporations, or the Federal Reserve? Imagine a Sony-level compromise of an institution with real global influence -- but by smarter hackers who reveal potential embarrassment to select corporate officers. What could the attackers do then? Alternatively, what acquiescence could an attacker achieve with control of an energy company, generating stations, or distribution grids?
Do we really believe that this time, after all these years, we'll finally get serious on a national scale about security, or will we rush headlong into even more self-configuring and increasingly unattended interconnections? Conservative admins would simply pull back, even disconnect a bit, until they could be sure better control was achieved. But in IT, we conservative admins don't usually get to make that choice. Poor security isn't generally the fault of IT; it's simply a reflection of top-level corporate disregard, or at least ignorance of the real risks and costs of failure. You can bet that at Sony, more than once someone revealed the network was too flat and needed compartmentalization and segmentation. You can also bet that a sharp systems administrator at least once ran a scan and reported pandemic password-strength and stewardship weaknesses. It's not IT failure when, after discovery, remediation goes unfunded.
If we honestly assess the situation and our history related to security, we might admit that we'll never achieve the necessary technology, oversight, and training to support highly connected networks. With no real alternative, the correct action might be to unplug, or at least physically isolate previously inconceivable portions of our internal networks from the WAN. Yes, people will scream when, after some deep packet inspection, we elect to remove Internet access for a subnet showing too much risky traffic in reports, or discontinue many BYOD services. But if the alternative is to become a hostage with the possibility of a multibillion-dollar brand's destruction at stake, or worse -- physical infrastructure damage -- we must finally stop talking and do something about it. We must promote network security to a top priority and meaningfully invest not just now, but every year hereafter to protect our shareholders and our nation, however initially painful.
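The decision described above, cutting WAN egress for a subnet whose traffic reports look too risky, is easy to state and hard to make defensibly without a repeatable rule. The following is an added example written for this column, not code from the original piece or from any product: it assumes a constructed per-flow DPI summary (one line per flow: source, destination, protocol:port, identified application, risk label), a handful of internal subnets, and illustrative thresholds, scores each subnet by the weighted share of risky flows, and emits the nftables drop rule for any subnet that crosses the line. The log format, subnet list, weights and thresholds are all assumptions; the `nft` rule text is the one real-world artifact, and it is only generated, not applied.

```python
"""Decide which internal subnets lose Internet egress, from a DPI-style report.

Added example, not code from the column. All inputs below are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed DPI summary lines (assumed format): src dst proto:port app risk
SAMPLE_REPORT = """\
# src           dst            service   app         risk
10.10.1.23      203.0.113.9    tcp:443   https       low
10.10.1.23      198.51.100.4   tcp:6667  irc         high
10.10.1.40      203.0.113.9    tcp:443   https       low
10.10.1.40      198.51.100.77  tcp:4444  unknown     high
10.10.1.41      192.0.2.5      udp:53    dns-tunnel  high
10.10.2.7       203.0.113.9    tcp:443   https       low
10.10.2.7       203.0.113.20   tcp:80    http        medium
10.10.2.9       203.0.113.9    tcp:443   https       low
10.10.3.5       192.0.2.5      tcp:22    ssh         medium
"""

# Assumed internal segmentation; a flat network would be one big subnet here.
SUBNETS = [ipaddress.ip_network(s) for s in ("10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24")]
RISK_WEIGHT = {"low": 0.0, "medium": 0.5, "high": 1.0}   # assumed weights
RISK_THRESHOLD = 0.5   # mean weighted risk above which egress is cut (assumed)
MIN_FLOWS = 3          # never judge a subnet on one or two flows (assumed)


def parse_report(text):
    """Parse five-field summary lines; malformed lines are skipped, not fatal."""
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5 or parts[4] not in RISK_WEIGHT:
            continue
        src, dst, service, app, risk = parts
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        flows.append({"src": src_ip, "dst": dst, "service": service, "app": app, "risk": risk})
    return flows


def subnet_of(ip):
    """Return the configured subnet (as a string) containing ip, or None."""
    for net in SUBNETS:
        if ip in net:
            return str(net)
    return None


def score_subnets(flows):
    """Map subnet -> (flow count, mean weighted risk) over flows sourced from it."""
    counts = defaultdict(int)
    weight = defaultdict(float)
    for f in flows:
        net = subnet_of(f["src"])
        if net is None:
            continue
        counts[net] += 1
        weight[net] += RISK_WEIGHT[f["risk"]]
    return {net: (counts[net], weight[net] / counts[net]) for net in counts}


def egress_decisions(flows):
    """Map subnet -> 'block', 'allow' or 'insufficient-data'."""
    decisions = {}
    for net, (n, score) in score_subnets(flows).items():
        if n < MIN_FLOWS:
            decisions[net] = "insufficient-data"
        elif score > RISK_THRESHOLD:
            decisions[net] = "block"
        else:
            decisions[net] = "allow"
    return decisions


def nft_rules(decisions, wan_iface="eth0"):
    """Render one nftables forward-chain drop rule per blocked subnet (not applied)."""
    return [f'nft add rule inet filter forward ip saddr {net} oifname "{wan_iface}" drop'
            for net, verdict in sorted(decisions.items()) if verdict == "block"]


if __name__ == "__main__":
    flows = parse_report(SAMPLE_REPORT)
    for net, (n, score) in sorted(score_subnets(flows).items()):
        print(f"{net}: {n} flows, mean weighted risk {score:.2f}")
    for rule in nft_rules(egress_decisions(flows)):
        print(rule)
```

On the sample data only 10.10.1.0/24 is cut off (three high-risk flows out of five); 10.10.2.0/24 stays up, and 10.10.3.0/24 is flagged as having too little data to judge rather than silently passed. The minimum-flow floor is the caveat worth keeping: a threshold on a ratio is meaningless for a subnet that produced one flow, and the block list should be reviewed before the rules are loaded, since the report is only as good as the DPI classification behind it.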
Watch everyone forget, again
Do not forget this moment. Pop culture will move on, and in the short term a midmarket film will get a larger audience than expected, and due to the Streisand Effect, millions more people will see the cut-out, extra-gory clip of Kim Jong Un's death on YouTube. But we admins should not move on. And most of all, senior executives who direct IT security investment must not move on.
Security executives, ask yourselves these questions: What is hiding in your emails, or even on forgotten tape backups, that could give faceless organizations leverage over you? What would your shareholders think if what's happening now to Sony happened to your company? How many questions would be asked about missed security opportunities?
If any of those questions give you a shiver, it's time to get serious. Now they know they can hurt us. The genie is out of the bottle.