In response to the news that Sony has officially cancelled the December 25 launch of The Interview, security experts from Proofpoint and Bromium have the following comments around the consequences of the attack and what this could mean for cyber attacks of the future:
Kevin Epstein, VP of Advanced Security and Governance at Proofpoint, says:
“The Sony attack clearly shows how dangerous cybercriminals can be when they successfully compromise an organization's cybersecurity. The extortion tactics applied to Sony are yet another public example of the new level of threat posed by targeted attacks -- for which the crucial business tools of email and social media still lead as delivery vectors. Attacks like this have a direct impact on company revenue, raising security to a boardroom level of visibility.
It’s important to remember that U.S. and global companies are targeted by nation-states and cybercriminal groups every day. We anticipate this class of breaches will only increase in 2015, driven by email and social media hacks. Layered targeted attack protection that goes beyond anti-spam is a necessity in today’s defense against such attackers.”
Ian Pratt, co-founder of Bromium, writes:
“Corporate networks get compromised by hackers every day, but the public rarely get to hear about it. The motives of the attackers are usually to steal intellectual property (product designs or business intelligence) or personal information (credit card numbers or health records). These attacks are performed stealthily, frequently without detection by the corporate security team, at least until much later.
Increasingly, some hacking groups are attempting to extort money from businesses through threats of service outages or destruction of data. Although the business will clearly be aware of such attacks, they rarely become public knowledge.
The Sony Pictures attack is unusual in that the whole aim of the attackers has been to maximize the publicity from the attack and to scare Sony and other businesses into complying with their wishes. To that end, they seem to have been very successful. The attack has been a sobering reminder of how critical the information on our computer systems is. The attackers are reported to have stolen a terabyte of data -- a quantity that would easily fit on just a single hard disk -- but the haul has contained pre-release movie files, sensitive business information, health records, salaries and other employee information, and many private email exchanges that have now been laid bare causing much embarrassment. It will take Sony a considerable time and massive expense to recover from the full effects of the attack, even once they have their computer systems up and running again.
The attack has clearly been more sophisticated than the average hacktivist attack, but the current state of software security is such that it would not have been particularly difficult or expensive to execute, and at very little risk to the attackers. It's not that the security team at Sony Pictures did a bad job; it's that security teams at all corporations currently face a nigh impossible challenge of keeping hackers out. Antivirus software and other security tools are all too easy for hackers to evade, so these traditional approaches of trying to retrofit security by detecting attacks are failing. We need to demand that software and hardware vendors do a better job of security by design, making systems that are less vulnerable and more resistant to attack. This means reducing the "attack surface", the amount of critical computer code that is exposed to an attacker. Only then will we be able to change the economics and make the cost of such attacks prohibitive, putting the advantage back in the hands of the security teams that defend our networks.”