Sony & North Korean Sanctions: Is the finger-pointing relevant to us?

Super User

On 25 November 2014, Sony was forced to shut down its entire network following a cyber-attack by a group of hacktivists who identified themselves as #GOP, or Guardians of Peace. Data released following the attack demonstrated the wide range of data that was retrieved, and included detailed employee records, passport and visa information about actors and unreleased films. The Guardians of Peace criticised Sony’s poor security, posting some of the stolen data to Pastebin.

The U.S. administration believed that the attack was backed by North Korea, and imposed sanctions on the already heavily sanctioned country. The White House said the sanctions were in response to the cyber-attack, which came in the wake of Sony's film The Interview, which concerns a plot to assassinate North Korean leader Kim Jong Un. However, no evidence has been offered to the public to substantiate the claim.

In a response, a North Korean foreign ministry spokesman denied any role in the cyber-attack and accused the US of stirring up hostility towards Pyongyang.

Industry insiders are not so sure about where the accusing finger should be pointed.  It is notoriously difficult and often impossible to accurately determine the source of an attack, and even though an attack may be routed through a particular state, that does not necessarily implicate that state in an act of cyber-terrorism.  You might have a reasonable suspicion, but evidence is likely to be circumstantial.

In the end, it may not really matter to us. The cold fact is that the attackers, be they a rogue state, individual, hacktivist group, or criminal gang, inflicted huge damage on a global company.

So perhaps the real question for us is: Why is it that a company as large as Sony cannot protect its data assets?  Maybe a breach is inevitable in the face of a concerted and well-coordinated attack, but once that breach has occurred, why was the data not in a state where it would be useless to the attackers?

It does look like sensitive Sony assets were unencrypted and unprotected. This is no longer an acceptable approach. Plenty of damage might have been done anyway, even if best practice had been followed, but the exposure would have been minimised, and the eventual costs would have been less awful.

So, lessons learnt? I suppose the key lesson, yet again, is that encryption must be used more widely to safeguard our data. By using encryption, properly done, we can reduce our exposure and protect our customers and businesses.

Also, as usual, it seems the original line of attack was to phish and load Trojans to discover passwords, and they went on from there. Using a Two-Factor Authentication (2FA) solution could have saved the day. Have a look at our partner’s blog post about this – what 2FA does and why you should have it. As he says, “Two-Factor Authentication is now in use by Google, Microsoft, Yahoo, and all major banks. There's no longer a credible security strategy that omits it.”

The solution works for IBM i (iSeries), but many of the points made are generally applicable.

IBM i 2FA Solution