Unlike previous high-profile security breaches we’ve reported here, the attack on Sony Pictures appears to be more than a “smash-and-grab” attack to steal customer information. In this particular case, the attackers have apparently acquired many sensitive internal documents, including lists of passwords and financial records, and are threatening to release those documents unless their undisclosed demands are met. Known as “doxxing” in the security industry, the threat began to appear on computers throughout the company on November 24, and effectively shut down normal operations. According to internal reports, the hackers gained access to a single internal server within the company, and spread from there.
What this means for you:
The details of how the attackers penetrated Sony security haven’t been released, but I’m willing to bet it was because an employee opened an attachment or clicked a link they shouldn’t have. No matter how competently implemented your security perimeter is, all it takes is a single human error to bring the whole thing tumbling down. In this particular instance, the error was made immeasurably worse by the hackers gaining access to unencrypted documents containing passwords to other internal systems. This lapse in judgement has paralyzed the company and will undoubtedly cost them millions to remediate.
The lesson to be learned from this: sensitive information, especially passwords, should never be stored in the clear on an unsecured spreadsheet or word processing document. At minimum, store those documents in an encrypted partition, or utilize a password manager with two-factor authentication. The other important lesson: don’t assume that just because you have a well-documented security policy that your employees are trained well enough to implement or follow it, even the internal IT staff.