Sony Pictures hack serves as a stark warning for corporate cybersecurity

Sony Pictures Entertainment may be the victim of the worst corporate hack in history. Everything from key business intellectual property and information to the private personal data of its employees was ransacked and then spread across the open Web. Worse, at least according to the experts brought in to respond, there may have been nothing Sony could have done to prevent it.

In a memo to staff from Sony Pictures Entertainment Inc. chief executive Michael Lynton – obtained by Silicon Valley tech news site Re/Code – Kevin Mandia of Mandiant, the security firm hired to clean up the mess, said “this attack is unprecedented in nature. The malware was undetectable by industry standard antivirus software.”

It’s just the latest so-called “epic” hack in a year that saw hundreds of thousands of records exposed at companies including Home Depot Inc., eBay Inc. and JPMorgan Chase & Co. A new security forecast from McAfee Labs says it recorded 307 new threats every minute in the third quarter. Malware attacks surged by 76 per cent from the previous year.

McAfee’s report calls 2014 “the year of shaken trust,” thanks to high-profile discoveries of weaknesses in software widely used by critical Internet systems. Examples include Unix’s Bash exploit and OpenSSL’s Heartbleed error. The U.S. Department of Homeland Security maintains a National Vulnerability Database that attempts to round up all reported cases of exploitable software flaws. In 2013 there were barely 5,000 examples, but this year the count passed 5,200 on Sept. 30 and is on pace to break through 6,500, as it did in 2006, the highest year on record.

With so many vectors for attack, experts say security preparedness should be a top priority for most businesses. But another report released on Tuesday, by cloud security provider Trustwave, found that more than 40 per cent of businesses don’t know what to do in the event of a data breach. “Twenty per cent of businesses do not have a process that enables the reporting of security incidents,” the report states. Another 20 per cent said they had no plans at all.

The survey of 476 information technology and security specialists spread across 50 countries found that 80 per cent of the companies contacted store sensitive data, and 47 per cent manage payment card data (a popular target for hackers). Despite that, more than half the companies either don’t encrypt key data (20 per cent) or encrypt only some of it (31 per cent).

Trustwave found that most businesses do only annual or quarterly internal audits, and 19 per cent don’t have any tracking systems at all. McAfee’s team of 400 researchers reports that while hacker syndicates still perform smash-and-grab payment data heists, they are increasingly switching to advanced persistent threat (APT) tactics “in which they collect intelligence that they can either sell or use at a later date. In this way, criminals are beginning to look and act more like sophisticated nation-state cyberespionage actors.”

Patient probing can defeat even the most advanced firewalls, which is why Intel Security’s Doug Cooke, director of sales engineering, believes that in 2015 businesses need to build systems that better automate information sharing and threat detection.

“If I see an alert in an e-mail that caught a piece of spam, associated with that spam is a bad IP address,” Mr. Cooke said. “I should tell every device in my environment immediately that that’s a bad IP, so that every user device no longer surfs there, every intrusion prevention device is watching for that IP going forward.”

Until those systems improve, Mr. Mandia’s conclusion about Sony’s hack serves as a stark warning: “The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.”