Great Sony PR as “sad little” North Korea’s “tinpot dictator” takes offence
- 15 December, 2014 03:30
“Getting attacked by the North Koreans for making a movie that spoofs their sad little country and its tinpot dictator makes Sony the most sympathy worthy attack victim of the millennium.”
That’s the damning view of Gartner analyst Jay Heiser, who believes following the attack, Sony has “suddenly become the globe’s cyber-security poster child.”
According to Heiser, it’s “morbidly fascinating” to see a continuing series of news articles related to the material stolen from Sony.
“Anyone with any background in Infosec is itching to learn more details about what level of protection effort was in place, and what form of attack managed to so thoroughly compromise such large chunks of their digital enterprise,” he adds.
However, Heiser believes it is too early to have a definitive opinion on the relative degree to which Sony may or may not have followed best security practices.
“It is uncertain how many additional negative consequences will accrue as embarrassing internal memos leak,” he adds.
“It is premature for any other organisation to use the example of Sony as a significant part of their business case for security program improvements.”
Echoing Heiser’s comments, fellow Gartner analyst Paul Proctor believes it’s easy to pick on the security of a company that has just been hacked, believing that the criticism levelled towards the tech company “has not been fair, accurate or defensible.”
“Make no mistake,” he adds, “there are companies with terrible security practices who have been hacked and likely deserve derision, but I have trouble believing that Sony Pictures is one of them.”
According to what is known publicly, several files allegedly taken from Sony’s internal networks were dumped on the internet, and many of these are said to contain passwords.
While the actual source of the attack remains to be seen, given the glee expressed by officials from Asia’s answer to Grand Fenwick, the industry is for the time being treating this as a surprising act of technical competence from a place that is generally considered a digital trailer.
“‘How can this be so?!’ cry the ambulance-chasing security pontificators, ‘Sony has terrible security practices!’,” Proctor adds.
What is known publicly about Sony is that it is a for-profit company dealing in a digital medium, where unauthorised access to its products has an obvious and devastating impact.
“They have every motivation to pour a lot of resource into protecting their lifeblood,” adds Proctor, before questioning: “But what about their administrators’ behaviour?
“Dumping sensitive data into unprotected text files is a practice as old as time and I have seen it at many companies.
“This is typically the result of administrators who have a job to do. If you need access to 50,000 passwords, this is a convenient way to get it.
“Sure it is against policy. Sure it is risky. But what’s the probability of a pervasive and comprehensive attack that will compromise such a file?”
Proctor believes risk and security programs have a lot of priorities and employees ignoring policy has not been at the top of the list.
As a result, he bucks the trend in claiming that Sony security should not be lambasted for “doing exactly what they should have been doing”, which is, according to Proctor, “focusing limited resources on the most important assets in the company.”
“If you want to cast the first stone, you better consider your own glass house,” he adds. “Basically, every enterprise has this problem with people and behaviour.
“Everyone reading this has unencrypted files in their company with sensitive data.”
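Proctor’s point about administrators dumping passwords into unprotected text files, and his claim that every enterprise has unencrypted files with sensitive data, describe a risk that a defender can at least measure. The following Python script is an added example, not code from the article or from Gartner: it walks a directory tree, skips binary files, and counts lines that look like written-down credentials, reporting only file paths and counts so the report itself does not become another copy of the secrets. The regular expressions are illustrative heuristics chosen for this example, and the sample files it builds in a temporary directory are constructed here for demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Heuristic markers for a credential written into a plain-text file.
# Illustrative only (an assumption of this example), not an exhaustive list.
CREDENTIAL_PATTERNS = [
    ("password assignment",
     re.compile(r"(?i)\b(pass(word|wd|phrase)?|pwd|secret)\s*[:=]\s*\S+")),
    ("api key or token",
     re.compile(r"(?i)\b(api[_-]?key|token)\s*[:=]\s*[A-Za-z0-9_\-]{8,}")),
]


def looks_like_text(data: bytes) -> bool:
    """Crude binary check: text files very rarely contain NUL bytes."""
    return b"\x00" not in data[:4096]


def scan_file(path: Path, max_bytes: int = 1_000_000) -> list[tuple[int, str]]:
    """Return (line_number, pattern_name) hits for one file.

    Only the position and the kind of match are recorded, never the matched
    text, so the scan output does not itself leak the credential.
    """
    data = path.read_bytes()[:max_bytes]
    if not looks_like_text(data):
        return []
    hits = []
    lines = data.decode("utf-8", errors="replace").splitlines()
    for lineno, line in enumerate(lines, 1):
        for name, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(line):
                hits.append((lineno, name))
                break  # one finding per line is enough for a count
    return hits


def scan_tree(root: Path, min_hits: int = 1) -> dict[str, int]:
    """Map each file (relative to root) to its number of credential-looking lines."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            path = Path(dirpath) / filename
            count = len(scan_file(path))
            if count >= min_hits:
                report[path.relative_to(root).as_posix()] = count
    return report


def build_sample_tree() -> Path:
    """Create a constructed sample directory: one password dump, one clean note, one binary."""
    root = Path(tempfile.mkdtemp(prefix="plaintext-scan-"))
    (root / "it").mkdir()
    # Constructed sample data; the values are not real credentials.
    (root / "it" / "passwords.txt").write_text(
        "server\tuser\tpassword\n"
        "fileshare01\tsvc_backup\tpassword=Winter2014!\n"
        "db02\tdba\tpwd: hunter2hunter\n"
        "jump01\tadmin\tapi_key=AKIA0000EXAMPLE0000\n"
    )
    (root / "notes.txt").write_text("Lunch at noon. Review budget for DLP project.\n")
    (root / "blob.bin").write_bytes(b"\x00\x01password=notscanned\x00")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    # Largest dumps first: a file with thousands of hits is the one to fix today.
    for rel_path, count in sorted(scan_tree(sample_root).items(), key=lambda kv: -kv[1]):
        print(f"{count:5d} credential-looking line(s): {rel_path}")
```

Run against a file share or an administrator’s home directory, the counts give a ranked list of the “convenient” password files Proctor describes, which is a more useful input to a risk programme than a poster saying security is important. Because the scanner never echoes the matched value, its output can be shared with asset owners without widening the exposure.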
However, the Sony hack changes the game. If North Korea is involved, a nation-state attacking an enterprise with malice creates a very different security problem, one rooted in user behaviour that will not be solved by technology.
“Security programs and user education need a boost with special attention on these risky practices for convenience,” Proctor says.
“Simple behaviour changes will do more to protect your enterprise than spending millions on complicated technology that will make users miserable.
“Users will immediately seek to bypass poorly conceived technical solutions and put even more data at risk. Avoid this outcome.”
Proctor says Gartner’s research in people-centric security recognises the criticality of user behaviour as a control and seeks a better answer than posters and mouse-pads that say security is important.
In other words, it is the integration of security and social science designed to motivate users to want to do the right thing.
“Never waste a crisis,” he adds. “Sony is not the first serious, game changing hack and it won’t be the last.
“Use the visibility this creates with executives to institutionalise better practices that will survive the times when they go back to sleep over security.
“You could do that… or you could use this opportunity to push through the budget for that DLP system you’ve been trying to get for 3 years. Your choice.
“And stop picking on Sony.”
Moving away from the mechanics of the hacking, Heiser speculates that, while some important lessons will come out of the analysis of this incident, it does not represent a new normal in the degree and prevalence of digital compromise; only time can establish norms.
“No shopper is comfortable with the idea that a merchant might have leaked their credit card, but nobody is going to boycott a movie maker because they leaked Sylvester Stallone’s social security number,” he adds.
“What I know for certain is that after all this buildup, I’m deadly curious about a flick that otherwise would have been pretty far down my list.”
So much so that news of this dramatic hack is going to encourage huge attendance for a movie that otherwise doesn’t seem to have the ingredients typical of a cinematic masterpiece, Heiser adds.
“They couldn’t have invented better PR than this,” he says. “I’m going to the theatre, and I’m going to cheer for the good guys.”