Taking a trip down memory lane, does anyone remember “The Interview”, a comedy about two journalists who are recruited by the CIA to assassinate North Korean leader Kim Jong Un. Funny movie, tragic outcome – to say the least. As a result of its release, the Pyongyang government condemned the movie, accusing it of backing terrorism. Many people see this incident as the precipice for the hacking of Sony Pictures Entertainment in 2014.
The Sony Pictures electronic intrusion took a massive toll on the company. It was executed effortlessly by a North Korean spy, Park Jin Hyok, also known as Pak Jin Hek. He worked for North Korean military intelligence agency Reconnaissance General Bureau (RGB) according to the U.S. Department of Justice. Hyok’s exploit landed him large amounts of sensitive data, such as upcoming movie scripts, celebrity phone numbers, confidential employee data, and the high-grade versions of 5 then-unreleased films.
The virus obliterated all the data on half of Sony’s personal computers and servers. There were reports of Sony tech staff having to run to Best Buy and purchase computers and minor networking equipment just to maintain a corporate presence. And, remember the exposed emails? Well, many were later circulated on Wikileaks. Yikes!
The Justice Department just announced charges Thursday against Hyok. U.S. authorities have accused him of being behind the massive hack of Sony in 2014 and the Wannacry ransomware attack last year. The full criminal complaint can be found here.
As a nation, we need a program or practice to support a major corporation that is actively under assault. What if it was GM or Exxon who was under attack? Most companies would have been out of business under the same circumstances. Most corporations lack the financial prowess to replace their entire IT infrastructure. Experts concede that corporate and government attacks will increase in frequency. And, nation-state level attacks are also likely to become more common.
Could Sony have received assistance prior to seeing the worst possible consequences from the assault. Could the Sony hack have been prevented? Maybe not, but it didn’t have to escalate to such heights. Sony did not encrypt its corporate data. They didn’t even have third party audits, and most importantly, Sony never created a culture of cybersecurity.
Developing a culture of cybersecurity requires that companies invest in the cyber education of their employees. In some cases, the expectation should also extend to companies that might contribute to their supply chain. Businesses must teach employees that major damage to the company is a direct assault on the company’s ability to compensate and grow them as team members. Cybersecurity should be lived and breathed as demonstrated in the consistent use of best security practices.
Even when employees want to do the right thing many are confused about activities. For example, when is it appropriate to use public WiFi and how abandoned laptops can be used to access company files. It is company’s duty to make employees a part of the security posture for the entity. This is done best with programs leading to the culture of cybersecurity, not IT compliance drills administered to claiming true awareness of threats.
Meanwhile, IT professionals need to step to another level. The IT professional that looks at a problem and only views it as an access issue could be a part of the problem. They have to be curious and want to know what has occurred to deny the access or the endpoint to not function correctly. If the IT professional in the company doesn’t want to be a cybersecurity professional, you should find some new staff.
Cybersecurity requirements and the exploits launched to access networks are continuously changing. Unfortunately, there will be more Sony like incidents over the next few years. At some point, more Black Hats will form the teams working against companies. Those companies who take the risk will deserve what the consequences that are delivered. There is a reason jewelry stores lock up their most precious jewels in a vault at night. There is a reason many other companies invest in physical security. Everyone knows that if you have something of value someone will come for it sooner than later.
SC Magazine said that “one of Sony’s biggest problems wasn’t being hacked; it was failing to detect the hack until it became public. By then, it was too late.”