Security Technology Executive

MAY-JUN 2015

Issue link: https://securitytechnologyexecutive.epubxp.com/i/530736

Contents of this Issue

Navigation

Page 37 of 67

38 SECURITY TECHNOLOGY EXECUTIVE • May/June 2015 www.SecurityInfoWatch.com COOL AS MCCUMBER B y J o hn M c Cu m b er W John McCumber is a security and risk professional, and author of "Assessing and Managing Security Risk in IT Systems: A Structured Methodology," from Auerbach Publications. If you have a comment or question for him, e-mail Cool_as_McCumber@ cygnusb2b.com. hen Sony Pictures Entertainment was reportedly hacked last October, it became the most significant cyber-attack to receive nation-state attribution. Shortly after the company leadership announced the breach, anonymous US government sources whis- pered to major media sources from the shadows they believed hackers affiliated with the govern- ment of North Korea were responsible for the breach and subsequent extortion of Sony Pictures Entertainment executives. Straining credulity even further, these same sources said the motivation for the attack was the impending release of a predictably lame comedy movie about two bumbling journal- ists tasked with assassinating North Korean dictator Kim Jong-un. As this crazy scenario played out dur- ing the final quarter of last year, numer- ous Sony executives were exposed for crass (and allegedly racist) email exchanges, and the pseudonyms of a bevy of movie stars were brought to light in the purloined infor- mation. Missing in all the words written by journalists, technology reporters, and security researchers was a detailed descrip- tion of the exploited vulnerabilities, and an explanation of how the sheer volume of data exfiltrated happened without anyone on the Sony security team noticing. While Hollywood executives were being exposed as nasty industry infighters, and movie stars as snobby narcissists, the breached financial data and strategy document ripped the covers off a treasure trove of sen- sitive corporate data. The repercussions of this breach aren't reflected in the sheer numbers alone, nor the dodgy attribution. It should also be a wake-up call for all security practitioners as well. First and foremost is understanding the specific vulnerabilities that were exploited in the Sony infrastructure. Remember, it's not just the technical vulnerabilities, but the policy and human factors failures as well. In addition, one of the most glaring lessons of the Sony breach is to watch for unusually large amounts of data leaving your network for unknown destinations. Even though the Sony attack got lots of media attention, it didn't even enter the Top Ten for the number of records breached in 2014. That dubious distinction belongs to eBay that exposed nearly 150 million records in 2014. When data leaves your organization at those levels, you need security oversight to ensure it's authorized. The other observation I want to cite in these high-visibility attacks is the seemingly newfound desire to run to the media with attribution. As one of my old-school colleagues likes to point out, attribution in cyber- space is hard. But even more significant, it is usually irrelevant. Sony can't launch a kinetic counterattack against a nation-state like North Korea. Sony can't even sue them. So let's spend less time on attribution in jurisdictional-less cyberspace, and more time observing the first rule of security: protect thyself. ■ It's All Their Fault! EDITORIAL Group Publisher ....................................... Nancy Levenson-Brokamp 800.547.7377 ext. 2702 • nancy.brokamp@cygnus.com Editorial Director/Editor-in-Chief .....................................Steve Lasky 800.547.7377 ext. 2221 • steve.lasky@cygnus.com CONTRIBUTING EDITORS David G. Aggleton, CPP Kevin Beaver, CISSP Ray Bernard, PSP, CHS-III Ray Coulombe Robert Lang, CPP John R. McCumber Robert Pearson, CPP George Campbell EDITORIAL ADVISORY BOARD Christopher B. Berry, CPP, VP Global Security & Safety, Henry Schein Inc. George Campbell, Emeritus Faculty Advisor, Security Executive Council Eric W. Cowperthwaite, CSO, Providence Health & Services Elizabeth Lancaster Carver, Member Services and Projects Manager, Security Executive Council Richard L. Duncan, CPP, Dir. Security, Hartsfield-Jackson Atlanta Int'l Airport John B. Leavey, Director of Corporate Security, AIG Karl Perman, Director of Security, North American Transmission Forum Art Director .....................................................................Bruce Zedler Production Manager ..................................................Jane Pothlanski 800-547-7377 ext. 6296 • jane.pothlanski@cygnus.com Audience Development Manager. ................................... Sue Hanson 800-547-7377 ext. 1448 • sue.hanson@cygnus.com SUBSCRIPTIONS CUSTOMER SERVICE Toll-Free (877) 382-9187; Local (847) 559-7598 Email: Circ.SecTechExec@omeda.com SALES CONTACTS Midwest Sales Brian Lowy 800.547.7377 ext. 2724 brian.lowy@cygnus.com West Coast Sales Bobbie Ferraro 310.545.1811 bobbie.ferraro@cygnus.com East Coast Sales Janice Welch 800.547.7377 ext. 6288 janice.welch@cygnus.com Display Sales Kristy Dziukala 800.547.7377 ext. 1324 kristyd@cygnus.com LIST RENTAL Elizabeth Jackson 847-492-1350 x18 • ejackson@meritdirect.com CYGNUS REPRINT SERVICES To purchase article reprints please contact Brett Petillo, Sales Manager at Wright's Media 1-877-652-5295 x118 or e-mail: bpetillo@wrightsmedia.com SECURITYINFOWATCH.COM Group Publisher ....................................... Nancy Levenson-Brokamp 800.547.7377 ext. 2702 • nancy.brokamp@cygnus.com Managing Editor ................................................................Joel Griffin 800.547.7377 ext. 2228 • joel.griffin@cygnus.com CYGNUS BUSINESS MEDIA CEO, Paul Bonaiuto CFO, Ed Tearman President, Chris Ferrell EVP Public Safety & Security, Scott Bieda VP Events- Public Safety & Security, Ed Nichols VP Production Operations, Curt Pordes VP Technology, Eric Kammerzelt VP Human Resources, Ed Wood Published by Cygnus Business Media, Inc. www.SecurityInfoWatch.com

Articles in this issue

Links on this page

Archives of this issue

view archives of Security Technology Executive - MAY-JUN 2015