Sony hacked AGAIN - time to turn out the lights?

{% raw %}
Ouch, Sony. Hot on the heels of the last 4 hacks have come another two in a row. Sony BMG Greece was hacked on Monday, and now Sony BMG Japan.

Though I stand by my comments from my earlier post (see: What the Sony hacks tell us about their Sysadmins and Management), there is another important dimension to this story. That's the dimension of a feeding frenzy.


It's a popular saying that "dogs can smell fear." There are similar stories about sharks with blood - actually, even chickens respond to blood with a pecking frenzy of their own. Anecdotally we all know people who react the same way. Maybe it's something in our animal nature, but this is definitely a similar issue.

People love to jump on the big guy when he's down. After the first big attack on Sony, hackers around the world had their interest piqued. It was a pretty big security lapse, after all! Then we found out that it was actually TWO hacks. By the time the third attack hit, there was definitely blood in the water.

No question, there are serious lapses in judgment that have left Sony's many arms exposed in so many ways. But at the same time, we should recognize that very few organizations could withstand a true hacker feeding frenzy like what Sony is going through. In the network security world, it is commonly acknowledged that a determined enough opponent will always find a way in. That's why we use honeypots, traffic monitors, and intrusion detection systems, after all. That's why it's so important to encrypt sensitive data even when it's on a privileged server. And here we have schadenfreude acting as a focusing lens for the power of thousands of hackers of various levels. It's not a single super-determined hacker - it's worse. It's a thousand dilettantes who know just enough to be dangerous.

This is difficult for non-technical people to understand, but in my mind I think of it like wrestling. Andre the Giant could wrestle almost any man alive. But try to pit him against 50 eight-year-olds, and see what happens. Likewise, one script kiddie is not a big deal, but a thousand of them is a different question. The worst part is knowing that in amongst the thousands of idle script runners there are probably some decent blackhats working the more complicated angles. As the security expert trying to coordinate defense, this is a "worst nightmare" scenario.

Sony faces threats from all comers at the moment, and there really isn't a good response. They are already hemorrhaging money into their security problem, and it's only going to get worse. Maybe the best possible response is just to turn out the lights.

If I were Sony, I would seriously consider putting all internet-connected services into non-interactive modes and "going dark" for a week. Lock everything down as much as possible to let the shark pool calm down a bit. You can still offer your websites as flat HTML, but I would host them externally and give zero access to privileged information. Meanwhile, I would have my security team work their asses off to get the house in order. Change every password and private key, and even change your internal network topology just enough to make anyone's prior information invalid. Check every service and every port, and monitor everything you can think of. It's important to make all of these changes in a hermetically sealed, zero-open-services environment.

After the feeding frenzy has had a week of no targets, bring services back up one at a time, under close scrutiny. In just a week without even a system to work on, the sharks will start to drift away. Focus the efforts of what remains of the frenzy on one or two carefully guarded systems at a time. Give yourself the best possible chance to fend off attacks and respond quickly. Within a month the sharks will have moved on, and you will be back to full service again in a better state than when you started.

This is an expensive tactic to take. But I would at least want to consider the cost-benefit comparison between a degradation of service for 2-3 weeks, and more security breaches. How much will it cost the company in reputation, market share, and legal fees, to lose another hundred million credit card numbers? How much will they have to spend to earn back people's trust? And how much investment will it take before "Sony customer" no longer means "identity theft victim" in the popular consciousness?
{% endraw %}