I'm the Information Security Manager at Janet and through this blog I'll be sharing some of my experiences, ideas and thoughts on information security topics.

What can we learn from the Sony breach?

Friday, December 19, 2014 - 14:11

There's been a huge amount of press coverage of the attack and subsequent data breach at Sony, and the few facts that are public knowledge have been swamped by hearsay and conjecture. What can we learn so far? Here are a few thoughts to end the year on.

  1. Anti-virus software alone isn't enough to protect you from malware. No one is really interested in the 99.9% of malware that your AV software stops; it's what gets through that hurts. And the malware that gets through needn't be all that sophisticated either - just new, unseen or slightly different. This can and will happen to any organisation. You need a deeper array of technical and human controls to reduce this risk to your organisation.
  2. Do you think you'd notice 10-100TB of data leaving your network? At a continuous 1Gb/s stream that would take almost a day; I hope you'd notice. Even so, at a rate of 1Mb/s you could still lose a substantial volume of highly critical data in just a few minutes. Would you notice that? When the controls in 1) inevitably fail, how long will it take you to notice?
  3. Attribution is useless. At this point everyone is being very quick to accuse North Korea based on (at the point of writing) tenuous and circumstantial evidence. Even if true, what good does it do Sony? Does it help their incident response? Does this knowledge help them change their future behaviour? At the moment it seems to do little apart from turn the event into the plot of a Bond film.
  4. Most of the attention surrounds inside information about celebrities and the workings of Hollywood. This will damage the trust and competitive advantage that Sony may have held, but once the press coverage dies down the serious fallout is likely to surround the personal data entrusted to them as an employer. Does your risk management take this into account?
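
Point 2 contrasts a 1Gb/s bulk transfer with a 1Mb/s trickle. The Python below is an added example, not part of the original post: it shows that a steady 1Mb/s leak never trips a peak-rate alarm, while a per-host daily volume baseline flags it. The flow records, host addresses, function names and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

DAY = 86_400  # seconds

def hours_to_move(terabytes, gbps):
    """Hours needed to move a volume at a sustained line rate (decimal units)."""
    return terabytes * 8e12 / (gbps * 1e9) / 3600

def peak_mbps(flows, host):
    """Highest one-minute outbound rate seen for a host, in Mb/s."""
    per_minute = defaultdict(int)
    for ts, h, nbytes in flows:
        if h == host:
            per_minute[ts // 60] += nbytes
    return max(per_minute.values()) * 8 / 60 / 1e6

def volume_alerts(flows, factor=5, floor=100_000_000, min_history=3):
    """Flag (host, day) whose egress exceeds factor x the median of that
    host's earlier days, and an absolute floor in bytes."""
    daily = defaultdict(lambda: defaultdict(int))
    for ts, host, nbytes in flows:
        daily[host][ts // DAY] += nbytes
    alerts = []
    for host, days in sorted(daily.items()):
        for day in sorted(days):
            prior = [v for d, v in days.items() if d < day]
            if len(prior) < min_history:
                continue  # too little baseline to judge this day
            if days[day] > max(factor * median(prior), floor):
                alerts.append((host, day, days[day]))
    return alerts

def sample_flows():
    """Constructed data: (epoch_seconds, internal_host, outbound_bytes)."""
    flows = []
    for day in range(6):
        for minute in range(0, 1440, 10):
            ts = day * DAY + minute * 60
            flows.append((ts, "10.0.0.5", 1_500_000))    # ~216 MB/day
            flows.append((ts, "10.0.0.9", 15_000_000))   # ~2.16 GB/day
    for minute in range(1440):  # day 5: steady 1 Mb/s leak from 10.0.0.5
        flows.append((5 * DAY + minute * 60, "10.0.0.5", 125_000 * 60))
    return flows

if __name__ == "__main__":
    flows = sample_flows()
    print(f"10 TB at 1 Gb/s: {hours_to_move(10, 1):.1f} h")
    print(f"peak rate 10.0.0.5: {peak_mbps(flows, '10.0.0.5'):.1f} Mb/s")
    print(volume_alerts(flows))
```

On the constructed data the leaking host peaks at about 1.2Mb/s, below the 2Mb/s peak of the busier but unremarkable host, yet its daily total is roughly fifty times its own baseline.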