The Sony Hack Won’t Change a Thing in Security

I’ve read a lot of commentary on the Sony hack and even penned a bit of my own on it. Ironically, what I ended up releasing was just fluff, given the wild speculation at the time. I had actually written a piece decrying the fact that private companies are being forced into a position where they are fighting political and military-level battles against nation-state armies, while the U.S. government sits by spouting worthless commentary about threat and information sharing (as it has for years). Maybe I’ll share that post some day…

All of this commentary aside, I was really inspired by Anup Ghosh’s piece, Game Change: Three Reasons Why #SonyHack Will Change Security. Having been at the forefront of the evolution over the years, specifically in the IR space, where I’ve seen more than my fair share, I disagree with his high-level statement. Let me explain why.


Things Haven’t Changed

Anup mentions that the landscape started to shift with the RSA hack in 2011 and the follow-up report on APT1 in 2013. Publicly, that may be true, but it was actually changing well before this, and I’m sure before I was even brought into the fold. I was brought into the fold around 2008/9, as the C-suites across some of the largest defense contractors and Fortune 500 companies were being handed security clearances to be briefed on what was actually going on with regard to Chinese hackers (i.e. the real APT) siphoning off their intellectual property. That said, I believe I entered this arena as one of the first 26 companies invited. Interestingly enough, only roughly half of the companies showed up at the recurring meetings we held to address the problem together. This is after the C-suite had been explicitly told what was happening to their data and networks. Put another way, only half cared.

So did anything really change in 2011-2013, other than more publicity for the topic? Nothing dramatic: the companies who invested continued to invest, and those that didn’t kept doing more of the same or invested incrementally. As an example, this year I asked one of the largest defense contractors (one that was invited to those meetings in ’09) how they had dealt with APT1 in their network, as I had intel stating the group had been in there recently. They had blank looks on their faces. Incidentally, I came to find out months later that they were now writing a $1M check for Incident Response. Five years later, they were still bleeding IP and had not built out a true capability to properly deal with the issue. The reality is that we’ve been dealing with nation-state attackers for years, and relatively few companies have identified it as a true business imperative and properly invested to deal with them; most others continue to struggle.

On the criminal side of the house, the 2007 TJ Maxx hack did little to influence change across the broader landscape. Fast-forward to 2011, and the Information Security community thought the $170M+ tab for the Sony PSN hack would finally change the game. Jump ahead to 2013, and the Information Security community thought that the Target breach would finally change the game as well. Considering the CEO was let go, InfoSec was now a board-level issue! There are indications that it did become a larger issue, as retailers invested more in security in 2014, though they seemingly moved at a snail’s pace, thinking business as usual, “this won’t happen to us”, and “we sell hammers”. We can see the results as Home Depot, Staples, Bebe, Dairy Queen, Jimmy John’s, and more continued to fall victim. Speaking of Anup’s post, I think he hit the nail on the head on this side of the house.

Two Other Key Considerations

1. The Board generally has more important things to worry about. For example, in the U.S., we are motivated by short-term returns.

While security may be an important topic, it may only get 5-15 minutes (1-3%) of an all-day Board meeting, with other risk areas seeing more time, let alone the content that actually drives the business. As an aside, it astounds me how many InfoSec pros openly question why a company continues to do business in China even though it is continually hacked by Chinese APT. It’s a business: US business leaders would generally rather make $1 than $0, and try to find an answer to that problem later.

2. The vast majority of CISO candidates are ill-prepared for the job.

I once said that CISOs should be required to have a background in Incident Response, and I still believe that to be true today. My favorite CISO quote of the year was, “I have no need for Incident Response; if I get hacked, I’ll deal with it then.” Simply put, if you are a CISO in today’s world, you are on point to fight foreign military units and organized criminal enterprises. You probably didn’t see that coming while you were working on your IT and/or MBA degrees.

While there is a growing community of #IDR (Intel-Detect-Respond) folks, it is still rather niche considering the number of years it has been around, and Prevention continues to be “the answer” chosen most often, many times due to lack of headcount. While I think great leaders can grow into a CISO role and will understand they need to overweight in the #IDR space, I believe the pool of folks who understand this, and of knowledgeable people that CISOs can reach out to and hire, is rather limited.

Final Comments

So why do we think the Sony hack of 2014 will change anything? Due to the destructive nature of the attack? Due to bad press? Due to the convergence of attack types and fallout? I don’t buy it. Factually speaking:
1. Sony’s stock is just off a 52-week high; it has not crashed during or due to this attack.
2. “Annie”, which was leaked and had less than stellar reviews, opened to a bigger weekend than anticipated.
3. Sony is still in business.
4. Other companies notice this.

Will Sony take a financial hit? Absolutely. Perhaps nearing $500M-1B when it is all said and done. I also believe they will swing the security pendulum completely the other way, similar to Target, to show everyone they take information security seriously. I doubt other companies will follow suit in swinging that pendulum very far, though. Simply put, relatively few invested quickly and properly to combat nation-state APT and cyber criminals, so why would they factor the even more remote possibility of a country destroying their network into their company risk equation?

I’d love to hear feedback on Twitter, so please reach out to @SeanAMason.

2 thoughts on “The Sony Hack Won’t Change a Thing in Security”

  1. Sean, you are probably right, unfortunately. As an information security specialist for many years, I unfortunately see the same recurring theme with businesses time and time again, and that’s the failure to implement comprehensive security policies, procedures, processes, and other fundamental initiatives. With so many free and cost-effective solutions available online, there are really no excuses as to why businesses don’t take the necessary steps for ensuring the safety and security of their entire network infrastructure. What’s also frustrating is not seeing comprehensive security awareness training and other basic, fundamental programs, like annual risk assessments, that should be in place for further helping protect organizational assets. There are literally hundreds of sites offering free employee training material. It’s time companies got serious about security and not just profits, because data breaches are continuing to grow at such an alarming rate. Think about it: what business do you even have if a significant data breach occurs? Kiss your profits goodbye and say hello to the onslaught of lawsuits sure to arrive.

  2. I don’t think that the percentage of an IT budget dedicated to security is that important in determining an organization’s overall level of security. Typically that figure is along the lines of 5-10%, but what matters much more is the amount of internal company resources and organizational capital that is dedicated to security. This broadened concept of spending is what we are trying to measure in the referenced in the previous comment. I have felt for a while that companies are spending too much money on security and too little internal resources. For most organizations, building a secure product is ultimately more expensive, which is one reason ROI/ROSI calculations aren’t a good tool for the boardroom. The real reason to build appropriate security into products is the market and regulatory expectation that an organization have an overall security narrative. In this way security is not different than other narratives a company is expected to have: fair labor practices, community involvement, consumer protection, etc. If the security narrative is critical enough to the company, they will hire a CISO (although I think that this function ). So while I agree with the title of your post from a few weeks back (Cheap IT is ultimately expensive), I think that cheap security is often just that: cheaper. Of course this depends a lot on the industry and the product, but often security flaws are not exploited in a way that reflects back on the victimized company. Or in other words, companies don’t necessarily get called out on bad security. As a result there is no money either saved or earned by slowing down a release and locking down an environment to make sure everything is secure. The lack of ROI doesn’t imply that companies should build insecure products. There are some things that companies do not because they save or earn money but because they are a cost of doing business. In many industries security is precisely such a tax.
