Sony's Catastrophic Security Problem - The End Game

Thursday, May 26, 2011

Rafal Los


This post isn't breaking news -if you don't know what's going on over at Sony with regards to security issues go Google it.  

This post also isn't going to pile onto the problems that Sony has... I find no joy in exacerbating others' pain.

What this post does address is the long-term impact, and the burning question of "just what is going on over there?" So let me address this from my point of view. Take this post for what it is, an opinion, with no insider knowledge what-so-ever.

Brief Background

Just in case you've been living in a cave, Sony has been the target of an on-going attack stream which started with the PlayStation Network (PSN) being compromised and taken down.

The communicated loss of revenue, as far as I can tell, was approximately $MM USD... which is a catastrophic loss for many organizations not Sony's size.

 Even if Sony can swallow up the cost, a few things have been exposed including the fact that information security obviously wasn't taken seriously... as is indicative that just now the organization is hiring an information security manager.  

This is all stuff you can read elsewhere, so I'll move on...

Just What Is Going On?

So at last count, I believe we're at 10 separate breaches (and counting!) at Sony assets since this whole thing started. The PSN has come back to life reportedly more secure than before, but it appears as though there is a pile-on effect going on now with the breaches at Sony.

Asset after asset has been breached, pillaged, and made public - recently on PasteBin.

All manner of defects and exploits have been used in the intrusions, and I'm sure many of the attack vectors we'll never really get much insight into. What's happened recently is that the attack vector has surfaced at the web application level, via SQL Injection... so that means that websites and applications across Sony's assets are being targeted.

From the perspective of someone reading the blogs and following the media, the outlook appears bleak as one incident after another pops up at least once a day now... the security community is starting to wonder if Sony can stop the bleeding.

What's the End Game?

I've been watching the issues unfold, had a few interesting conversations, and finally came up with some insight. What I think is really happening now is a giant game of "capture the flag".  

Perhaps what's more disturbing than the 'capture the flag' swarm mentality is that the attack targets may be escalating. I'm just speculating here, as I've said before without any inside information, but I think this game being played by the hacker community at Sony's expense is going to end at some point... but very badly.

I think that someone will "win" the capture the flag exercise, by obtaining something from Sony's super-secret vault, or some ultra-business-critical intellectual property that's going to hurt the business in the long term.

Hacking incidents, as we've seen, tend to have a short-term impact on a business and rarely impact the long-term viability of a large organization. What I suspect may happen here is an event or exfiltration of data so catastrophic that it may actually impact Sony's long-term viability and bottom line.  

I sincerely hope this does not happen... however I would not be terribly surprised if or when it happens.

So What Now?

If I had 1 minute with the Sony chiefs that are running point on this security calamity - I would offer the following pieces of advice... and these really apply to most organizations that face a large-scale, multi-pronged and ongoing intrusion:

  • Stop panicking
  • Create a tactical team to evaluate the 'worst-case scenario' I've described above
  • Create a short-term strategy to protect the most critical Sony IP
  • Disconnect or disable any non-essential connected systems
  • Start at the inner-most critical network segments that they can define, and work your way to the 'borders' (easier said than done, but must be done)
  • Risk-rank, schedule, and execute security evaluations on applications and systems
  • Create a long-term strategy to protect Sony assets, applications, and systems

I know this isn't easy... and it will take more resources they (or you?) currently have - but I strongly feel that the result of not doing the above, in that order, will be the eventual compromise and exfiltration of IP or information that may cause real, tangible, and long-term business damage to the organization.

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Information Security
SQl Injection Enterprise Security Attacks Sony hackers breach
Post Rating I Like this!
Franc Schiphorst You would expect that they would be at re-risk rank as they would have a complete asset inventory already.

What you are not taking into account is that there is no Sony. There is a web of comapnies spread arround the world that form part of the Sony-web. But i would suspect most ties are in the financial / %owned area.
I doubt they have one UBER-IT backbone/plan.
So the start of the list is probably
PANIC at the HQ
Run down to HQ governance/security
Scream and shout.
Scramble by HQ govsec to find out where all the govsec are in all the seperate sub sony branded companies.
Try to do the rest of your list whilst finding out that there is a record company in germany that also has sony in the name that is getting hacked
Repeat the last step either by finding out via sony chanels or via infosec news that yet an other sony branded website got hacked in ("What? We have a comany in where is that???" ;)
Rafal Los @Franc - excellent point about the fact that there is no Sony, per se. I didn't think about that when I wrote this... but maybe I should have taken that into account?
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.