Accusations of the Democratic People’s Republic of Korea’s (DPRK) involvement in the Sony Pictures leak are falling upon receptive ears despite a lack of solid evidence. After all, the attacks do bear some resemblance to those previously used to attack South Korea, and who else but the DPRK would get so upset about a film which is little more than a typical Seth Rogen/James Franco comedy?
Evidence like this sways public opinion, but experts are admitting it might never be possible to catch the hackers involved, much less formally charge the DPRK with wrongdoing. The reasons for this are why the case should be a wake-up call for all businesses with an online presence.
Hacking is no longer limited to the realm of the young or disgruntled. Petty vandalism has given way to organised collectives lacking any formal affiliation with a state or company and selling a variety of services to anybody able to pay. Governments are free to pursue their agendas in cyberspace while at the same time being able to deny involvement when acting irresponsibly, since any investigation will lead back to a group with which they have no formal affiliation.
Sometimes a tenuous link can be found, for example an alleged hacker going to school on a state scholarship, but finding actionable legal evidence to prove wrongdoing can be next to impossible in an age of escrow services and crypto-currencies.
Security loopholes are low cost and easy to exploit
Acting anonymously with a low risk of being caught is attractive to everybody and, unfortunately, the ability to conduct a sophisticated cyber-attack is easily within the average individual’s budget. Just how easily can we exploit this vulnerability? In the past I have been able to source the hacking of my own social media accounts for as low as US$30. Some providers have offered to take a particular business offline for a day at a price of less than US$100. Up-and-coming security enthusiasts can receive detailed reports on the efficacy of their malware against modern security software or appliances for just fifty cents.
These groups are rightfully nervous about being caught in a sting, so first-time buyers may face difficulty in finding a contractor. The groups are also suspicious because security companies are known for buying attacks to gain intelligence on exploits, which is then used to ‘harden’ their own applications. A dedicated buyer will eventually discover a contractor, and as such relationships prove successful in the long term, the communities will compete heavily for new business, making reputation one of the key differentiators amongst contractors. Unfortunately, these communities can thrive, in spite of the business activity they engage in, as there is always honour among thieves.
Governments, rival corporations, activists, or even disgruntled employees now have the ability to wage asymmetric cyber warfare and businesses must seriously re-think their security strategies in order to adapt. It is no longer possible for businesses to pay lip service to policy while implementing the bare minimum of controls needed to satisfy an international standard. Sony, along with every other high-profile company breached in the past two years, had various industry certifications and what seemed to be a proper security policy in place, yet basic mistakes on the part of employees were not caught by the management system. The keys to Sony’s entire social media presence (amongst other accounts) were found unencrypted in a well-ordered directory labelled “Passwords”. Any money spent on their security policies could have been better spent educating their employees and providing staff with an enterprise-grade user-credentials management system.
The sophistication with which these groups conduct attacks brings home the reality that every business is at risk of being compromised, or already has been. Management’s role is to craft a security plan that limits the amount of data which a single compromised account can leak. Defence has to be taken to new depths where even the usage patterns of previously secure applications need to be reviewed. Media reports have found a treasure trove of controversy in the emails released by the Sony hackers. Corporate email has moved beyond simply being a communications tool. It has become a file repository for workers around the world, with banal conversations sitting next to corporate R&D documents in a single repository just waiting to be mined.
How can we mitigate our own disasters?
What can businesses do? Now that our previous assumption of email access being secure has been proven false, we must leverage existing technologies to change user patterns.
The days when appointing a “security guy” was enough to ensure an organisation’s security are long behind us. Hackers come from a broad set of backgrounds, which requires a broad spectrum of security professionals as a counterbalance. Hacking groups maintain specialists for different tasks, so it is reasonable to expect companies to do the same. Different industries have different technologies and data which require specialised skills to properly secure them.
Third-party consultancies prove invaluable here since they allow small organisations to leverage the expertise of professionals with global knowledge of a particular domain, without struggling to keep the resources on the payroll. Larger companies can benefit by hiring experts to attempt network incursions for real-life feedback on their security posture.
Regardless, the importance of properly empowering a security group with resources and manpower can no longer be questioned in today’s environment. Savings realised by cutting corners when implementing security will be immediately wiped out following a single incident. No amount of money can buy back credibility lost after customers get even the slightest impression that proper due diligence was not carried out.
The new generation of hackers poses a challenge to the traditional ways of doing business and the companies that remain successful will be the ones which go back to basics by building agile and well-regulated management systems that can catch the advanced threats of the modern Internet.
John Lloyd, Consultant, Logicalis