The FBI today named the North Korean government as responsible for the cyber attack against Sony Pictures last month, saying its technical analysis points to the isolated, Communist country.
But now what?
“This could embolden future attackers,” Johannes Ullrich, dean of research for the SANS Technology Institute and the head of SANS’s Internet Storm Center security arm, said of Sony’s withdrawal of its comedy, The Interview, earlier this week after threats were posted online by the alleged hackers. “Just like with real-world threats, a successful highly-publicized attack like this will draw out copy cats to conduct similar attacks against other companies.”
The attacks, which were disclosed in late November, made off with gigabyte upon gigabyte of internal Sony documents and files, including embarrassing emails, financial information, passwords, and current and former employees’ personal information.
Speculation that North Korea was behind the attack has been circulating for weeks, primarily because of The Interview, a movie whose plot centers around an assassination attempt against the country’s dictator, Kim Jung-Un.
But fingering North Korea is a waste of time, said John Pescatore, director of emerging security trends at the SANS Institute.
“There’s been so much focus on the cyber warfare aspect of this, as in ‘Oh, my God, this was North Korea,'” said Pescatore in an interview today. “The focus has been on the actors, not on the [weak security] that enabled the actors.”
More important than arguing who was responsible, said Pescatore, will be what companies do in response to the massive leaks from Sony.
“We’ve been scared of trying out stronger authentication, but maybe we’ll try that now,” hoped Pescatore, talking about two-factor authentication for accounts, including email and network access, that relies on more than a username and password. Two-factor authentication also requires another piece of information, typically a multi-digit code generated by a specialized hardware token or more commonly, by a service provider or enterprise IT department, that’s sent to a user’s smartphone.
Without that code, hackers who manage to dupe victims into disclosing their passwords — typically via a phishing attack, which many experts believe was at the root of the Sony attack if it wasn’t an inside job — are not able to access hijacked accounts.
“Maybe this is the one more straw on the camel’s back,” said Pescatore.
Sony’s example should also convince companies to encrypt all of their data, or at least more of it. “Encryption is not easy to do when you want to collaborate, but the hope now is that the attacks cause enough management attention for companies to say, ‘We are going to do this hard thing,'” Pescatore said.
The decision to yank The Interview — triggered by U.S. theater chains’ announcements that they would not show the movie for fear that the hackers’ threats of physical attacks would be carried out — was blasted by many security experts this week.
Today, President Barack Obama weighed in, too, saying, “I think they made a mistake,” of Sony and the theater chains.
“This will encourage others, certainly,” said Tom Chapman, director of cyber operations at Edgewave, a San Diego-based security firm, and a former U.S. Navy cyber-warfare commander who also worked with the FBI and the Navy’s criminal investigative service, or NCIS. “What’s going to happen if there’s a movie that a Muslim terrorist doesn’t like? What will happen if some group says, ‘Don’t sell this product’ or ‘Don’t support this cause?'”
Ullrich agreed. “With the wave of DDoS [distributed denial-of-service] attacks over the last years, they found a lot of ‘followers’ [when] they where successful,” he said in an email reply to questions.
For Chapman, implementing stricter security measures — something Sony in hindsight certainly should have done, as none of the documents leaked by the hackers was even password protected, much less encrypted — is well and good. But he urged companies to do more than that.
“An IT department must know what’s normal [on their network] and what’s not normal,” Chapman argued. “They have to watch what’s going on on their network. There’s no way someone should be able to remove gigabytes of data and not be noticed.”
In its statement today, the FBI said it would “identify, pursue, and impose costs and consequences on individuals, groups, or nation states who use cyber means to threaten the United States or U.S. interests,” a hint that the reports of possible retaliation against North Korea were accurate.
Good luck with that, said Chapman.
“There’s not much we can do to get back at them,” Chapman said, pointing out the sanctions already imposed on North Korea and its almost non-existent digital infrastructure. “We have to find a different method.”