Sony Network Breach Teaches Lessons for All Enterprises

NEWS ANALYSIS: It's a natural assumption that Sony Pictures was hit by a revenge cyber-attack from North Korea, but the fact is all enterprises are just as vulnerable as Sony.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

Sony Hack B

The idea that the government of North Korea is behind the recent attack on Sony Pictures almost reads like an effort to promote the upcoming movie, "The Interview." In the movie, the Central Intelligence Agency sends two bumbling journalists on a mission to assassinate the North Korea dictator Kim Jong Il, a plot that has apparently annoyed that ruler.

Sony Pictures, the studio behind that movie, apparently is saying that North Korea is indeed behind the cyber-attack in November that took down company's computer systems during the Thanksgiving holiday period.

However, there are competing claims from a group that calls itself the "Guardians of Peace." In any case, the attack on the company not only took Sony Pictures offline, the attackers also erased data and leaked Sony movies, some of them unreleased, on the Internet.

However, nobody really knows for sure whether North Korea was behind the Sony Pictures attack. Nobody knows whether Guardians of Peace had anything to do with the actual breach, is a North Korean front organization or whether it's simply a bunch of wanna-be hackers claiming credit for something they didn't do. Complicating matters, nobody knows exactly how the attackers gained access, although there are a few theories.

As I found out when I interviewed Frank Abagnale, this is a situation in which someone clearly did something they weren't supposed to do. The identity of that person may never be known, but the fact is that Sony Pictures has a long list of employees and contractors, any one of which could have made a fundamental security mistake or who may have failed to beef up their security enough. Or as Abagnale has suggested, perhaps Sony Pictures simply didn't provide enough of the right training.

In addition there may not be a single point of failure here. For example, a disgruntled employee with administrative access could have compromised the security on Sony's network, perhaps in an attempt to pass out some free movies. Breaching what was probably strong security that protected the unreleased movies was probably enough to gain access to the recesses of the network where the company stored its more sensitive data.

But even with access to the servers containing the movies, how was it that the attackers also got access to everything from the human resources department to payroll and the email server? Of course it's possible that Sony may have had really bad internal security, but considering that the company has just recovered from an earlier serious breach to it gaming, one might hope that wasn't the case.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...