Schneier Explains How To Protect Yourself From Sony-Style Attacks

phantomfive writes: Bruce Schneier has an opinion piece discussing the Sony attack. He says, "Your reaction to the massive hacking of such a prominent company will depend on whether you're fluent in information-technology security. If you're not, you're probably wondering how in the world this could happen. If you are, you're aware that this could happen to any company." He continues, "The worst invasion of privacy from the Sony hack didn’t happen to the executives or the stars; it happened to the blameless random employees who were just using their company’s email system. Because of that, they’ve had their most personal conversations—gossip, medical conditions, love lives—exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now. This could be any of us." Related: the FBI has officially concluded that the North Korean government is behind the attack.

Re:Sony security: strong or weak?

[MightyMartian]

I'd be interested in knowing the details of the attack. Was it a "social engineering" attack of some kind (ie. a virus-laden email that someone with high privileges opened)? Was it a vulnerability in their networks? I've heard someone with high level admin privileges had their account hacked, but in what way was it done?

The organization I work for is a contractor for the government of a North American jurisdiction, and yesterday morning I started getting reports that some sort of virus-laden emails were flowing out of this government's networks. Sure enough, within a half an hour, I got emails from a contact I have within this particularly agency, with an attached ZIP file with an SCR file inside. That has to be one of the oldest ways that malware has been transmitted in Windows system, I saw my first virus-laden SCR file somewhere around 1997-1998.

Apparently this critter is so new that by the time we checked, only a few AV companies had caught on to it. Even worse in some ways is that it appears that it made its debut on the very government servers in question, making me think this was a targeted attack. So you have a combination of a brand new virus of some kind that won't get caught by the scanners, lax email rules that allow the opening and execution of executable file types (not that blocking EXE variants doesn't mean some bastard won't be firing off a compromised PDF at an unpatched system), and users who through a combination of laziness and ignorance happily take the final step.

With this particular attack, there would have been no problem if Outlook had been configured not to open these kinds of attachments, and in an Active Directory environment, that's pretty trivial, so some of the blame has to go to this government agency's IT team. But still, even with the best safeguards, where users just happily click on any old attachment, it doesn't exactly take a rare alignment of the stars to have malware planted in a network. Sure, it won't have root privileges and won't be able to propagate itself via more sophisticated means, but it appears in this case it didn't need to.

So I do agree to some point that there are finite limits to what any person or organization can do to secure itself against a determined and directed attack. But there are ways to make such attacks much more difficult, and more quickly captured before they wreak too much harm.

Re:Sure...

[khasim]

And one of the aspects where I disagree with him:

Low-focus attacks are easier to defend against: If Home Depot's systems had been better protected, the hackers would have just moved on to an easier target.

He is phrasing it incorrectly. The attacks are scripted and BLIND. They don't attack X and skip Y if X is vulnerable. Or attack Y if X is not vulnerable. They attack A - Z regardless of the success or failure of any single attack.

And 100% agreement with your air gap recommendation.

With attackers who are highly skilled and highly focused, however, what matters is whether a targeted company's security is superior to the attacker's skills, not just to the security measures of other companies.

He's got it right there. Once you are online you can be attacked by anyone anywhere. The only advantage you have is that you control the wire in your organization. Wireless is more of a pain. But you can see every packet moving on the wire.

It is hard to put a dollar value on security that is strong enough to assure you that your embarrassing emails and personnel information won't end up posted online somewhere, but Sony clearly failed here.

In my experience, the problem is not money. The problem is EGO. Someone is always convinced that what they are doing is more important than following what the IT nerds say and they have the political clout within the company to force exceptions be made.

It is the exceptions that damage your security.

It is the exceptions that allow the easy-to-prevent attacks to get a foothold on your network. THEN the more advanced attacks are unleashed.