In late November, on a day like most any other, Sony employees arrived at their offices and powered up their computers only to be greeted by a sight unlike most any other. The first sign of a hack occurred early that morning when the image of a menacing, red skeleton simultaneously appeared on every employee’s screen. This was accompanied by an ominous warning, along with a number of threats.
This initial event was only the beginning of a painful and drawn-out saga that continues to plague Sony. As the events continue to unfold, the public watches with bated breath, wondering just how much more information the hackers will be able to obtain. Because of this hack, the public’s overriding sentiment is now one of fear and uncertainty. People are worried that if a powerful and well-protected company like Sony is this vulnerable, it must mean their own business and personal information is at risk, as well. The truth is, they are right. As, our businesses and lives become increasingly reliant on technology it is essential to have protection.
By studying the Sony hack, we can gain insight into current data security vulnerabilities and prevent these disasters from happening in the future.
Goal of Hackers: Cause Financial Ruin
During the holidays, the hackers leaked a number of Sony’s films online including the Brad Pitt, WWII movie “Fury,” the musical “Annie” and the Oscar-nominated film, “Still Alice.” Within it’s first week of being leaked, “Fury” had already been downloaded 1.2 million times.
These illegal downloads of “Fury” simply illustrate a much larger issue, that is the economic damage that hackers can inflict. In fact, Hollywood isn’t the only industry reeling from cyberattacks. The global economy loses as much as $575 billion annually due to data theft, according to a study published in June by McAfee and the center for Strategic and International Studies.
Solution: Encrypt Data
Data encryption is critical. If Sony had encrypted its film files using a ‘Zero-Knowledge’ privacy system, hackers would have found it impossible to steal and disseminate “Fury” along with all of the other stolen movies.
Key encryption is also an important component of intellectual property protection. Even if a company’s data is encrypted during transit or storage, many data security companies store the company’s encryption keys along with its data. This means that anyone with access to the location of the company’s data, will also have access to the keys, and therefore complete access to the data that is thought to be secure.
Goal Of Hackers: Paralyze The Company
Once hackers infiltrated Sony’s system, all global operations came to an electronic standstill. As Sony tried to deal with the massive security breach, employees were forced to find other means of communication in order to keep the company functioning. In what could be a scene straight out of the 1980s, employees communicated using fax machines and hand-delivered letters, all in an effort to avoid logging on to the internet in case the hackers would deliver another threat.
To add insult to injury, hackers released a folder called “Password.” The name of the folder is exactly what it is, the company’s most sensitive passwords. This file contained thousands of the company’s private passwords, all stored in plaintext, all lacking protection of any kind. Some of the passwords were personal, while some were tied to financial accounts such as American Express.
In the midst of the chaos, finger pointing began as Sony tried to unravel the mysterious identity of the hackers. At first the media focused on a comment made by an anonymous source that North Korea was behind the attack in retaliation for the movie “The Interview.” Recently, the FBI backed this allegation up, stating that there is evidence showing the hackers utilized IP addresses that were exclusively used by the North Koreans. Meanwhile, private security firms say this hack looks like it could be the work of a disgruntled former employee.
Two months later, as Sony is still trying to unravel this web, they continue to grapple with computer systems that do not work. In fact, Sony has been forced to delay its third quarter earnings report as the company struggles to repair the damage done to its systems.
Solution: A Strong Identity Management System
On top of data encryption, it is also critical for a company to know who has access to what files. In the case of Sony, the topic of Identity Management is now taking center stage. The question is still very much open as to the identity of the hackers.
By utilizing a secure Identity Management system, a company has full knowledge of the identity of any user attempting to access any file. In the case of Sony, it is not clear if the attack was caused by an outside hacker or an internal threat. With a sound identity management system, companies have the ability to grant and revoke access to files or see if certain users attempt to access files more often than approved. If there are signs of malicious intent, it is important for a company to be notified quickly, before damage occurs. By utilizing a robust Identity Management system, companies have the power to protect themselves from people, both outside and inside the company, who wish to do harm.
In addition to controlling user access, it is also important to protect the way in which users sign-on. In the case of Sony, which stored thousands of passwords in a folder called “Password,” security was lacking. By utilizing multi-factor biometric identification, a company can ensure that the person looking at the company’s data is who they say they are, even if their username and password are stolen.
Goal Of Hackers: Ruin Reputations
In addition to losing valuable intellectual property and dealing with a paralyzed computer system, Sony also had to deal with a humiliating public relations crisis as the hackers released private emails. The contents of these emails ranged from personal insults to confidential information concerning pay disparities and business practices.
The backlash from the release of these emails has been intense as the company now faces potential lawsuits and shunning from powerful players within the entertainment industry. The release of these emails has most certainly ruined reputations.
Solution: Encrypted Email
It is absolutely crucial that a company protects its email communications. In the case of Sony, stolen emails have caused a great deal of harm to the company’s reputation. In addition, any intellectual property or confidential information is also at risk when sending insecure emails.
By using a secure and encrypted email system, a company can ensure its emails are fully encrypted on the company computers and during transit. In order to open an encrypted email, a recipient must present the correct authentication.
To take it a step further, for an additional layer of protection, companies should utilize a revocable email system. By using this system, a company has the power to always revoke emails even after they have been read, no matter where they have been sent and even years after sending. For example, if an employee of a company sends out an email, that employee can also set permissions to prevent forwarding, printing or downloading of the email. In addition to that, the employee will also be provided with a full audit trail showing every time their email was accessed and read.