As with everything, there are lessons that are to be learned from the security breach.
Lessons that even small businesses can learn from Sony’s mistakes…
In IT security, there are 2 types of attacks: opportunistic and targeted.
There are 2 ways to assess hackers: skill and focus.
Using this assessment, there are 3 levels of hackers:
- Hackers using point-and-click hacking tools are low-skill and low-focus. They grab what they can if the low-hanging fruit (ie the no IT security) is available.
- Hackers that have high-skill, but low-focus are the causes of the high-profile attacks we read about in the newspaper regularly (Target, Home Depot, JP Morgan Chase, and now Staples).
- Sony is a good example of high-skilled and high-focus hackers. A large hacking team from (allegedly) the Democratic People’s Republic of (North) Korea (DPRK) hacked into Sony and, for all intensive purposes, shut them down. Sony didn’t make the hackers’ job too hard, by using third-rate security.
Assuming it wasn’t an inside-job, there are 3 ways the Sony hackers could have gotten in: Mis-configured servers that allowed unauthorized access; Software vulnerabilities, either known holes or unknown zero-days; or Social engineering untrained employees that simply allow the hackers in by clicking on a spear-phishing link.
What are the lessons that can be learned, and used, by other businesses?
1. If you are the target of a high-skilled, high-focus attack, you can count on them getting inside. Your focus should be on defending the most important of your data, and make sure it does not get exfiltrated (stolen). The fact that Sony did not notice terabytes of data leaving their network is an example of third-rate security.
Lesson: Use ecryption and breach detection tools.
2. If you handle a lot of credit cards, Russian cybercriminals has you in their cross-hairs, but with a million other businesses. This type of hacker is in it for the cash, and their time is money – if they encounter proper security, they will move to a weaker target. If Home Depot would have upgraded their POS system in time from XP to Windows 7, their systems would not have had the security holes, and they wouldn’t have been hacked. Good security, and up-to-date software, makes the hackers’ jobs a lot harder, more expensive, and more risky for them.
Lesson: Create enough IT security budget to give your IT security team (or person) the time and tools to implement security best practices. Make sure the software you are using is up-to-date, and security patches that are released regularly by the software company, are being installed.
3. As evidenced by the high-profile cases of Home Depot, etc., a lot of businesses do not look at their IT security until after they have been hacked. The time to start thinking of IT security is BEFORE the attack, and be prepared. IT security is really 3 things: Protection, Detection, and Response.
Lesson: “You need prevention to defend against low-focus attacks, and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security, and manage fallout.”
Think your business is too small to worry about security?
The fact is, it’s not very hard to hack into a computer system that has little or no security.
Think about the fallout if your computer system got hacked. What information would you lose: pictures, personal information, banking information, financial information…and now the REALLY scary stuff…customers’ personal information, customers’ financial information, customers’ credit card information.
Not to mention the difficulty in retrieving that information, and putting your computer system back together, think about the legal ramifications and business lost.