Why Sony needs to share responsibility with its hackers
Tue 13 Jan 2015
by Richard Morrell
[Opinion] Unless you’ve been entirely off grid for the last few weeks you’ll have read about what the press and spectators are calling the biggest cybercrime of the century: the infamous Sony hack that the FBI and US administration have described in terms of a nation state attack.
Whilst not a ‘cloud security’ incursion, the Sony affair does pertain to bricks-and-mortar security, and its handling demonstrates a huge imbalance on the part of the US Government. The cornerstone of the story is a critical failure of a company to have process control, security segregation, alerting procedures or any kind of handle on baseline security and governance.
In an interview this week, Michael Lynton, CEO of Sony Entertainment Inc., went on the record regarding the weight of the attack that the company’s network platforms were under; reading it I caught myself thinking that this was like putting a Band-Aid on a gaping wound after the event.
Having spent fifteen years writing firewall technology, a portion of it as a UK Government CLAS consultant certified by the intelligence services, and being the author of security standards and a qualified certified auditor, I get a nervous twitch when I’m being fed just enough to tick the ‘security qualification’ box. Everything about the Sony hack bespeaks a massive failure of corporate and network security architecture design and implementation, and a reliance on proprietary technologies married to a laissez faire attitude to risk.
This “it will never happen” stance is all too common to many organisations across the globe; once inside a network perimeter, the security authentication and trusted routing gives the casual intruder so many places to look that they hardly know where to begin.
There are three key points to consider regarding what occurred after the attackers gained access to the network, and how Sony responded:
Firstly an amplified Denial of Service (DoS) attack took place against specific hosts and services – a core action in a multi-faceted attack on a public-facing entity. Secondly an attack occurred against corporate platforms supposedly surrounded by governance; platforms which, holding public data, had to meet auditable security standards. Finally Sony failed to file any publicly available records on the incident – a strong indicator that corporate failure is at the core of this ‘hack’.
Sony’s own publicly-available code-of-conduct [PDF] for corporate governance and internal risks framework [PDF] hail from the era of the Daisy-wheel typewriter, and offer very little for the company’s management to hide behind.
In the interests of due diligence, I read the Sarbanes Oxley filings and the auditor reports that form the SEC reporting that Sony, like any other trading organisation, makes annually. All of them combined present a single prognosis: Sony, like many other corporations comprising a multi-cultural, multi-territory framework of organisations and sibling companies, was ripe for attack. Sony instituted no monitoring of disparate network interfaces and hardware, and demonstrated insufficient or non-existent understanding of traffic management and hardening of platforms. It was not a question of ‘if’ but ‘when’. No organisation of that size can afford to point fingers and say anything other than ‘there but for the grace of God…’.
The Sony attack profile does not conform to a purely external DDoS, but rather that of a multi-faceted incursion which had prior access to an inside resource, to provide mapping and routing details. The FBI and the U.S. administration contend that this was a nation state attack which revealed a great deal about the resources of the attackers; instead it reveals far more about the fragility of Sony’s system of governance, and its negligent submission of audits in order to accommodate SEC filings.
The subsequent revelation of out-dated practices, codes of conduct and accounting and process controls in a major public-facing platform put Sony’s directors and personnel in a far more accountable position than they are currently admitting to. Without a realistic level of accountability, the east-facing reaction of U.S. authorities makes a mockery of the notion of security governance and filings.
The views expressed on this blog are Richard’s personal views and do not reflect or represent the views of his employer, Red Hat.