To me, the Sony breach is noteworthy not just because of its magnitude, but because it doesn’t appear to be driven by profit, unlike the other big breaches in recent memory. Instead, it’s a return of vigilante hacktivism, and entertainment companies are particularly vulnerable because, the Washington Post argues, all movies have an element of politics in them.
That’s a problem for U.S. companies in an interconnected world, because much of the world doesn’t value free speech as the United States does. The plot of the movie “Red Dawn” was changed–China, not North Korea, was the original aggressor–to avoid offending the Chinese government, for example. Search Google for “movies that offended foreign governments” sometime. It’s amazing how many you’ll find.
The case for North Korea being behind the Sony pwnage is largely circumstantial–presumably there’s other data that hasn’t been made public yet–but if it’s correct, it’s also scary. As Adam Boileau and Patrick Gray said a couple of weeks back in Risky Business #348, countries like the United States have laws and chains of command that enforce rules of engagement explicitly prohibiting this type of behavior, but in certain countries, there’s not much that stops a very talented but very junior hacker from obliterating a target merely because the opportunity presents itself. And, in North Korea’s case, it really had nothing to lose by acting without restraint.
And that leads to an interesting twist: In 2012, offending North Korea was a safer bet than offending China. From November 2014 onward, offending China is likely to be the safer bet, because China does have trade relationships it can’t afford to lose. China doesn’t like the United States very much, but we do buy more of their stuff than anyone else does and they’re better off for the foreseeable future if it stays that way.
But I’ll argue that it’s not just entertainment companies that need to be concerned. Perhaps in 2014 it took a nation-state to bring Sony to its knees, but in the technology field, things move fast. Within a few years, non-state actors, such as the Anonymous collective, will be able to match those capabilities. And that ought to be a frightening proposition, because every for-profit company has enemies for one reason or another.
It’s one thing when a consumer group gets its hands on an e-mail address or phone number that goes directly to a company’s CEO and publishes it; it’s entirely another if a consumer group gets into the mail server, exfiltrates the CEO’s mail store, and posts it on a torrent site.
So I definitely would warn against a company looking at the Sony attack and saying it can’t happen to them, because that only happens in the entertainment industry. At best, the rest of industry has a few years before it starts seeing similar attacks.
So it’s best to start now. Where to start? That’s pretty easy. Everywhere I’ve worked for about a decade has had a cache of servers somewhere they wouldn’t want me to know about, for whatever reason. Either they knew those servers weren’t secure, or they didn’t think I would agree with them on how secure they were. If you’re uncomfortable with the idea of someone like me knowing about those servers unless you’re in a position to fire me and sue me if I misuse them, then that’s where you need to start.
And if I don’t scare you, keep in mind that while I have the word “senior” in my title, there’s one more pay grade above mine before you start getting into upper management, so think about what you wouldn’t want those “super senior” guys to know about. Because your future attackers will have guys at least as good as them too.