Sony Fallout: The Terrorists Win Our Networks - InformationWeek


Commentary
12/29/2014
09:20 AM
Patrick Hubbard

Sony Fallout: The Terrorists Win Our Networks

It's time to get serious. Sony hack may mark the end of enterprise networks as we know them.


Writing with a strong opinion on current events, with frustration still red hot in the veins, is risky.

First, by the time your words are in the wind, events may have changed, and in hindsight your supposed facts may be erroneous and your passion misguided. Second, it's too easy to turn emotion into finger pointing and dicto simpliciter against hard-working network admins toiling in the middle of an unprecedented, epic fail. "I of course would not have made that rookie mistake." Harrumph. But the biggest danger is that you're likely to go way out on a limb with speculative statements.

So, consider yourself warned. Because I think it's possible that the Sony hack is an ineluctable tipping point, and nothing short of the end of enterprise Internet connections and perhaps even some enterprises as we know them.

Alternative to cowardice
What got me boiling was not Sony's capitulation when it initially canceled The Interview release. It's easy to proudly protest the hackers by attending a screening at a suburban megaplex, but I might have been less eager in Times Square on Christmas Day. Sony was probably more worried about something random like Aurora, Colo., than the Democratic People's Republic of Korea. We can't blame them for that, especially while trying to make decisions with crippled infrastructure. I do, however, have some choice words for another studio that pulled Team America: World Police from a replacement protest showing. Even as an unhacked, unrelated company, they're so scared that they pulled a years-old film.


Sony is bailing water and defending itself as best it can. The other studio publicly cowering in fear, however, merely emboldens future attackers by demonstrating the enormous effectiveness of network terrorism. Will MGM pull the Red Dawn reboot from Netflix or Die Another Day from iTunes? Across the United States, admins, especially security and compliance engineers, are being called to executive offices and asked the same question: "How do we prevent this from happening here?" And again, executives don't like that we have the same answer as five years ago, because it involves cost.

Taking the "E" out of e-commerce
With the Sony hack, the grim reality, teased by hundreds of security failure anecdotes, is laid bare. No one is safe. We're not talking about a Target-level "oops, we lost $400M, we'll recover" compromise. This is the first exposure of a new invisible hand with the power to circumvent the most basic tenet of the corporation: self-determination. Moreover, with the right influence, entire industries or even nations will be vulnerable to unprecedented coercion.

(Source: GR8DAN)

Consider the recent JPMorgan hack. In Sony's case we're talking about an entertainment company. We expect they'll bemoan Adam Sandler movies in email like the rest of us. But what could an attacker do after secretly compromising JPMorgan? What do its emails contain about US financial policy, international markets, major corporations, or the Federal Reserve? Imagine a Sony-level compromise of an institution with real global influence -- but by smarter hackers who reveal potential embarrassment to select corporate officers. What could the attackers do then? Alternatively, what acquiescence could an attacker achieve with control of an energy company, generating stations, or distribution grids?

Do we really believe that this time, after all these years, we'll finally get serious on a national scale about security, or will we rush headlong into even more self-configuring and increasingly unattended interconnections? Conservative admins would simply pull back, even disconnect a bit, until they could be sure better control was achieved. But in IT, we conservative admins don't usually get to make that choice. Poor security isn't generally the fault of IT; it's simply a reflection of top-level corporate disregard, or at least ignorance of the real risks and costs of failure. You can bet that at Sony, more than once someone revealed the network was too flat and needed compartmentalization and segmentation. You can also bet that a sharp systems administrator at least once ran a scan and reported pandemic password-strength and stewardship weaknesses. It's not IT failure when, after discovery, remediation goes unfunded.

If we honestly assess the situation and our history related to security, we might admit that we'll never achieve the necessary technology, oversight, and training to support highly connected networks. With no real alternative, the correct action might be to unplug, or at least physically isolate previously inconceivable portions of our internal networks from the WAN. Yes, people will scream when, after some deep packet inspection, we elect to remove Internet access for a subnet showing too much risky traffic in reports, or discontinue many BYOD services. But if the alternative is to become a hostage with the possibility of a multibillion-dollar brand's destruction at stake, or worse -- physical infrastructure damage -- we must finally stop talking and do something about it. We must promote network security to a top priority and meaningfully invest not just now, but every year hereafter to protect our shareholders and our nation, however initially painful.

Watch everyone forget, again
Do not forget this moment. Pop culture will move on, and in the short term a midmarket film will get a larger audience than expected, and due to the Streisand Effect, millions more people will see the cut-out, extra-gory clip of Kim Jong Un's death on YouTube. But we admins should not move on. And most of all, senior executives who direct IT security investment must not move on.

For security executives, ask yourself these questions: What is hiding in your emails, or even on forgotten tape backups that could give faceless organizations leverage over you? What would your shareholders think if what's happening now to Sony happened to your company? How many questions will be asked about missed security opportunities?

If any of those questions give you a shiver, it's time to get serious. Now they know they can hurt us. The genie is out of the bottle.


Patrick Hubbard is a head geek and director of technical product marketing at SolarWinds, an IT management software provider based in Austin, Texas. Hubbard, who joined SolarWinds in 2007, has more than 20 years of experience in product management and strategy, technical ...
Comments
batye
User Rank: Ninja
1/4/2015 | 10:24:20 PM
Re: theaters fear North Korea, or their own patrons?
yes, thank you, but other countries shall not get involved in this process... it should be free choice... How I see it...
Broadway0474
User Rank: Ninja
1/3/2015 | 11:04:30 PM
Re: theaters fear North Korea, or their own patrons?
Batye, you do have the right to watch any movie you want. And you could have here --- this movie was offered on streaming long before theaters picked it back up. But theater owners have the right to carry whatever movie they want.
batye
User Rank: Ninja
1/2/2015 | 2:21:26 PM
Re: theaters fear North Korea, or their own patrons?
@progman2000 interesting observation... it's like saying our taxes at work... but if we gonna see results... but what if...
batye
User Rank: Ninja
1/2/2015 | 2:19:09 PM
Re: theaters fear North Korea, or their own patrons?
@SaneIT, yes and no... to each his own

I trust we are free in USA/Canada and have right to free expression...

I trust we have a right if we decide to see the Movie freely... without any threats or... for me communism is same like a racism and in my books racism is a disability (like mental defect) I do not judge people with mental problems...
but in my opinion NK leaders need to be helped by mental health professionals...

Myself from what I read about movie, I think I would not like it much... but it should be my right to have a choice to see it or not...
SaneIT
User Rank: Ninja
1/2/2015 | 7:26:10 AM
Re: theaters fear North Korea, or their own patrons?
@Broadway, I think part of the reason the theaters were OK pulling the movie is that they knew this wasn't an Oscar winner in the first place.  They knew it would be a so-so movie and while it would get some bodies in the door it wasn't a movie that people were clamoring for.  The theaters were not going to put themselves at risk for a goofy buddy comedy.
Ashu001
User Rank: Ninja
1/1/2015 | 6:33:10 AM
Re: theaters fear North Korea, or their own patrons?
Progman,

You sure have more faith than I do in the Government (and various Government Agencies).

I am really fortunate and lucky to have some experience in this space so I know that the best talent in this space rarely if ever sticks with the Government (rather migrates to the Private Sector where they are compensated very well & usually have the creative freedom to pursue the kind of projects they are most fascinated with).

As far as the NSA is concerned; Everyone knows it's just into Blanket Surveillance.

They can't do much else effectively enough [See how few threats they have prevented or trends they have predicted accurately enough for reference].
Ashu001
User Rank: Ninja
1/1/2015 | 6:11:01 AM
Re: theaters fear North Korea, or their own patrons?
Broadway,

It's good to see that you are at least open to the possibility that this may be the case [As Usual the Government has goofed up].

Companies need to spruce up their insider policies aggressively today. I still can't figure out why they give so much leeway to Insiders (especially someone who is not a part of the Permanent Staff).

Sure you need to take care (as well as give them the Tools to do their Job well) but don't give them blanket access to everything!

Also, have active Logs in place to monitor - Who does what and where.
Broadway0474
User Rank: Ninja
12/31/2014 | 10:35:42 PM
Re: theaters fear North Korea, or their own patrons?
It certainly could be an insider hack. Companies ought to focus most of their cyber security efforts internally --- to prevent this type of malicious behavior, as well as to prevent idiotic behavior (like employees who reply to phishing scams).
progman2000
User Rank: Ninja
12/31/2014 | 10:01:48 AM
Re: theaters fear North Korea, or their own patrons?
This is indeed an intriguing story.  I would have to give the government a little more credit than saying that the "bafoons in the FBI" are snooping this one out.  I would believe at this point our cyber intelligence would be pretty sharp.  Besides, isn't it the NSA that would be looking into this also?