Sony Pictures hack: what can we learn from all the furore?

Blog by Andy | Posted on Thursday December 18 2014

So, another hacking story has reared its head across the global media, as Sony’s November security nightmare hits the headlines again. In case you hadn’t heard, in November Sony Pictures was the victim of a security breach by a bunch of hackers referring to themselves as ‘GOP’ or ‘Guardians of Peace’, and rumours developed that there was some involvement of North Korea, angry at the planned release of The Interview, a comedy lampooning the country’s regime and cheese-dependent leader. North Korea has denied this speculation, but said it admired the sentiment.

Why is this an international news story? Well, politics aside, it’s the size:

Sony’s size
Sony Pictures is a global entertainment giant with $8bn revenue (Mar 2014) and thousands of employees (Sony Corporation’s total employees worldwide number over 140,000).

The size of the data loss
About 100TB of sensitive data about said employees, including financial information, Human Resources data and user passwords. All of it was stored insecurely in a variety of formats (e.g. spreadsheets and Word documents) that the least sophisticated of computer users could open and read.

The size of the subject on Social Media
Trending on Twitter, all over sharing site Reddit (indeed, Reddit has started banning users sharing Sony hack documents) and the subject of many a news article.

Added to the size aspect, it’s the relevance of the hack to all of us learning about it. Sure, the rumoured ‘reason’ for the hack (Sony’s attempts to distribute a movie critical of the North Korean regime) is specific to them, but the nature and extent of it relates to us all.

There are data protection and compliance laws in place in most countries now, but few of them are truly enforced until after a data loss occurs. Certain sectors have had regulatory bodies set up to monitor compliance (we’re looking at you, Bankers), but the rest of us are left to self-regulate.

But do we self-regulate?
If you work in a corporation, take a look at your business culture and the practices you employ to share information. Could they be compromised? Better still, think about how you manage any information you store on your computer or send to anyone whether at work or at home. How secure is that information? Even companies using an intranet as a means of information distribution should take steps to secure the data held, but too often rely on the isolation from the wider internet as a substitute for security.

Ok, so how do we self-regulate?
Start with the files themselves. If you protect them as you create them by encrypting them and limiting access, they will be useless even if they fall into the wrong hands. If Sony’s documents had been access-controlled, the files would have been worthless to the hackers into whose hands they fell. Software such as Watchful RightsWatch is ideal for this. WatchDox, software aimed at protecting the sharing of documents between users, is also a good way of protecting your documents as you distribute them (and of relinquishing access later).

You can further protect your documents by securing the hardware on which they are stored. Multi-factor authentication including biometric methods is becoming more affordable and widespread, and is now a realistic solution to a data protection strategy. Use fingerprint authentication as part of your access control (alongside passwords – more on that in a moment) when logging into your computer. If you take your data with you in a USB stick or external hard drive, encrypt it and limit access to it. Imation’s brilliant Ironkey portable storage solutions come with encryption already enabled, and the Ironkey F200 USB stick and H200 External Hard Drive come with fingerprint authentication built in.

And then there are simple good practices and common sense. If a company adopts and enforces a strategy of good security and clear expectations with its employees, it can limit the risk of exposing data to potential threats:

  • Don’t store passwords in plain text anywhere. If passwords must be stored, encrypt them and limit access.
  • Change passwords regularly, and make sure they are strong. They don’t have to be gobbledegook to be difficult to crack – two random words of at least 5 characters, capitalised and separated by at least two numerals and two punctuation marks, is a good pattern, e.g. ‘Toasted46$!Mantra’ – just make sure it’s all random. In theory, it would take a standard PC 931 trillion years to crack that example. And if you use it most days, you’ll find it easy to remember.
  • Follow regulations and guidelines about the storage of personal and financial information of individuals, and never store them in an unencrypted file.
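The two password points above (a pattern for strong, memorable passwords, and never keeping passwords in plain text) can both be shown in a few lines. The following is an added example written for this post, not code from the original or from any product mentioned here. It generates a password in the pattern described, checks that a candidate follows it, estimates the size of the search space an attacker would have to cover for a given dictionary size, and stores a password as a salted, slow hash (PBKDF2, from the Python standard library), which is the usual way to keep a credential out of plain text when all you need to do is verify a login. The word list and the punctuation set are constructed for the example; a real deployment would draw words from a large dictionary.

```python
import hashlib
import hmac
import math
import os
import re
import secrets
import string

# Constructed word list standing in for a real dictionary. Only words of at
# least five letters qualify, as the pattern in the post requires.
WORDS = ["toasted", "mantra", "planet", "silver", "garden", "window",
         "copper", "rocket", "summer", "island", "violet", "anchor"]

DIGITS = string.digits
PUNCT = "!$%&*?@#"   # constructed set of punctuation marks allowed in the separator

# Word + two numerals + two punctuation marks + Word, each word capitalised and
# at least five letters long, e.g. 'Toasted46$!Mantra'.
PATTERN = re.compile(
    r"^[A-Z][a-z]{4,}[0-9]{2}[" + re.escape(PUNCT) + r"]{2}[A-Z][a-z]{4,}$"
)


def generate_password(words=WORDS):
    """Build a password in the post's pattern using a cryptographic RNG."""
    pool = [w for w in words if len(w) >= 5]
    first = secrets.choice(pool).capitalize()
    second = secrets.choice(pool).capitalize()
    separator = ("".join(secrets.choice(DIGITS) for _ in range(2))
                 + "".join(secrets.choice(PUNCT) for _ in range(2)))
    return first + separator + second


def matches_pattern(password):
    """True if the password has the Word-digits-punctuation-Word shape."""
    return PATTERN.fullmatch(password) is not None


def search_space_bits(dictionary_size, punct_count=len(PUNCT)):
    """Bits of entropy an attacker who knows the pattern must search:
    dictionary^2 word choices, 10^2 digit pairs and punct^2 separators."""
    combinations = (dictionary_size ** 2) * (10 ** 2) * (punct_count ** 2)
    return math.log2(combinations)


def hash_password(password, salt=None, iterations=200_000):
    """Store a password as a salted PBKDF2-HMAC-SHA256 hash, never in plain text.
    The record holds only the parameters, the salt and the digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash from the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw, "follows pattern:", matches_pattern(pw))
    print("search space with a 10,000-word dictionary: %.1f bits"
          % search_space_bits(10_000))
    record = hash_password(pw)
    print("stored record:", record)
    print("verify correct:", verify_password(pw, record),
          "verify wrong:", verify_password(pw.lower(), record))
```

The entropy figure is the honest measure of the pattern: with the tiny constructed word list it is under 20 bits, and even with a 10,000-word dictionary it is about 39 bits, so the strength of this scheme depends on picking the words from a large vocabulary and at random, exactly as the post stresses. The stored record never contains the password, only a salt and a digest, so a leaked spreadsheet of records does not yield the credentials directly.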

Because you’re worth it
I guess my point is that Sony Pictures was not vulnerable to attack simply because hackers may have had an agenda. They were vulnerable because their staff were complacent about their security and didn’t take the steps necessary to mitigate threats. And you are just as vulnerable if you don’t do the same.

The sad truth is that we all have to assume that all our devices, especially those that connect to the internet, are potential targets for the unscrupulous users of the web. But if we all join the culture shift, then – just like the habit of securing our homes and cars or protecting our PIN numbers for credit cards – we will make life that bit more difficult for those who seek to wreck our work or just ruin our fun.