Sony CEO: “They came in the house, stole everything, then burned down the house. They destroyed servers, computers, wiped them clean of all the data and took all the data. We were so taken by surprise by the events…that we didn’t have a playbook or a plan at that moment to go forward.”
Remember the Sony Pictures hack in late 2014? A hacker group calling itself the “Guardians of Peace” leaked personal information about Sony employees and their families, and they dumped copies of unreleased new films. Then they held the company’s information assets as a kind of ransom, demanding that Sony not release a film called “The Interview.” What happened when the Guardians were ignored made headlines worldwide.
Investigators believed that hackers spent at least two months copying corporate files. According to Wired Magazine, hackers may have had access for at least a year before the leaks and demands became headline news.
IDEA
At COLLABORATE 17, Quest is hosting a special presentation by a US FBI Special Agent on the latest trends they are seeing in cyberattacks on businesses. Staying informed is part of staying secure. That’s another great reason to bring your team to COLLABORATE!
INSIGHTS
Last year Quest hosted a special presentation at our Executive Forum by Mark Weatherford on the Best Practices in Securing Enterprise ERP & HR Data. Mark was the first US Deputy Under Secretary for Cybersecurity, part of the Obama administration’s Department of Homeland Security. He has also held similar-caliber positions with the State of California and the State of Colorado. Now he is the Chief Cybersecurity Strategist for vArmour, a cloud services provider. Here are a few brief excerpts from the detailed presentation that Mark shared at COLLABORATE 16’s Executive Forum, with a few added observations of my own.
“It was a very sophisticated attack.” “I didn’t think we were big enough, important enough, or valuable enough to be concerned about hackers.” Those are common excuses. However, today’s cyberattacks all are very sophisticated – whether from nation states, global criminals, or malicious insiders.
While people commonly get the risks from outsiders, corporate leaders tend to under-estimate the threats to their information assets from inside the organization. Where are the real risks? In the 2015 Vormetric Insider Threat Report, more than half of the respondents said that Privileged Users posed the biggest threat. Other insider threats came from contractors, service providers, and privileged business partners.
URGENCY
The median time for an organization to detect a cyber intrusion is 146 days. That’s seven months of someone you don’t know prowling around your network – watching, reading, copying, or stealing, according to the FireEye M-Trends 2016. In the case of Sony Pictures Entertainment, it could have been a full year.
Only 47 percent of organizations breached discovered the trouble on their own. More organizations–53%–had their breaches discovered by external entities, such as law enforcement, 3rd parties or customers, according to FireEye. In many cases, those breaches turned into damaging publicity.
RECENT TRENDS
In 2015 and on into 2016, two major trends were the explosion of Advanced Persistent Threats and Ransomware.
Advanced Persistent Attacks (APT), when discovered, leave victims with two major choices. Do you shut down the network door? Or, do you leave it open temporarily to determine the extent of damage? That damage could be wide spread, given the median detection time of 146 days and only 47% self-detection.
Ransomware attacks often are an outgrowth of spear-phishing emails, social engineering attacks, and infected legitimate web sites. They have shut down hospital patient care and billing systems, such as at Hollywood Presbyterian Medical Center. Other victims include school districts, governments and law enforcement agencies, and businesses of all sizes.
FBI Cyber Division Assistant Director James Trainor recommends that organizations focus on two main areas: Prevention and Recovery. Prevention efforts include training employees for awareness and implementing strong technical controls. Recovery is about business continuity planning and execution, including data backup/recovery and system failover preparation.
PRIORITIES FOR ERP & HR DATA
Among several aspects of enterprise data protection that Mark shared, three priorities stood out in my mind. First, conduct a risk assessment – and revisit it regularly. This should include “red team” hacking. For example, are software administration accounts set to easily-guessed credentials? Do system users with administrative access have only the access needed for their current daily duties? Are some administrative privileges needlessly elevated?
Second, Mark advises to encrypt your data, particularly for sensitive personnel and customer information. That means encrypting what is stored on hard drives so that a security breach will yield useless or low-value data. I wonder what enterprise IT leaders think about also encrypting corporate data storage on loss and theft-prone mobile devices, too? Furthermore, data should be encrypted whenever transmitted. Mark says, “Dance like no one is watching. Encrypt like everyone is.”
Finally, have a security strategy. Understand the technology and data relationships between business units, align business risks with appropriate controls (not every data transaction deserves a user retina scan), and be aware of applicable regulatory requirements.
Understand your organization’s information assets. Where are the organization’s “crown jewels”? What would put your organization in jeopardy of going out of business tomorrow if you lost it?
And, make sure your employees understand the value of applying and regularly refining your organization’s security strategy. Without buy-in and diligence, organizations may lurch from breach to breach.