"[I]n the 17 years I've been doing incident-detection response, I've never seen anything like [the Sony breach]."
Chief Security Strategist, FireEye
2014 has been dubbed the Year of the Breach. The year began with the Target breach and finished with Sony. However, the Sony data breach stands out as a game-changer. Beyond the advice in the headlines, what can companies take away from 2014? How has Sony impacted thinking in 2015 and beyond?
In a Wall Street Journal article titled "How the Sony Breach Changes Cybersecurity," cyber security experts, including Richard Bejtlich, who was inside Sony after the data breach, offer their perspectives.
Shuman Ghosemajumder, Vice President of Product Management for Shape Security, explains,
"The problem is that it's extremely easy for anyone to become an attacker. And they can attack from anywhere in the world. They can compromise machines from any other part of the world in order to be able to make it appear as though the attack is coming from someone else."
Even more troubling is the fact that there could be thousands of individuals who could pull off a similar data breach. Cyber security expert Jon Miller, VP of Strategy at Cylance and self-proclaimed former hacker, explains that there is no shortage of technically proficient people who'd be willing to pull off this type of attack.
Miller points out that the exposure of so much sensitive, personal information could also fuel future attacks. He mentioned that the tools to conduct an attack like the one on Sony could be purchased from Russian hackers for $30k.
"It truly, truly is the Wild West right now," Miller said. "What we're seeing are people getting pulled out onto the street and shot and it's like 'Where's the Sheriff?' There's no sheriff."
The problem is that the advantages are currently on the attackers' side. A recent poll revealed that 69% of CISOs (Chief Information Security Officers) believe the sophistication and pace of attackers will increase more quickly than their own countermeasures.
The world has plunged headfirst into the Internet revolution without taking into account the technological repercussions. Businesses looking to change course and improve cyber security face an uphill and expensive climb. There is a lot of technical debt out there.
RSA CEO Amit Yoran pointed out in his RSA keynote that while experts agree that the old security paradigm is no longer relevant, it's clear that few are doing anything differently.
It may need to come from outside cyber security, but changes are needed. What executives can take away from the Sony data breach is that data breaches impact everyone. There isn't an executive in the world who should feel comfortable now. Their private emails could be leaked at any time and circulated around the Internet, or their personal information could be who knows where.
Executives and board members need to ensure their organizations have dynamic cyber security leaders who can build and lead successful cyber security organizations capable of addressing modern cyber threats. The executive suite and the board should advocate that CISOs bring new ideas, methodologies and technologies to their organization that will improve cyber security and lower risk.
Employees, partners and vendors need to support their organizations' cyber security by adhering to good cyber security practices. Change is needed to achieve all this, and hopefully the Sony data breach will become that catalyst.