Read Time: 4 Minutes
Ever since news of the now infamous “Sony hack” broke at the end of 2014, some experts have been skeptical that the government of Kim Jong Un was directly behind what appears to be the “worst hack any company has ever publicly suffered.” Too easily a connection was made between the government of North Korea and a satirical look at its government with comedy film about an interview with the North Korean leader.
Before the hackers dumped emails designed to humiliate the company then posted a note on Pastebin threatening the release of the “The Interview” with the ominous line “Remember the 11th of September”, our Security Advisor Sean Sullivan posted a theory. He suggested that “the attack was an attempted shakedown and extortion scheme.”
Few companies are as vulnerable to public acts of humiliation — thus as vulnerable to extortion — as a global media company like Sony Pictures. But nearly every company risks potential massive financial damage from the exposure of confidential data. So what does that mean for you and your business?
Here are five simple takeaways that may seem obvious to you but may not have seemed so clear to Sony. Keeping those key points in mind when you and your business structure security in house will save a lot of trouble and potentially money:
1. If your business’ network is going to be breached, it’s probably going to start with an employee clicking on an email attachment.
“It’s interesting that, while the array of tools is diverse, the basic methods of gaining access to a victim’s environment are not,” Verizon noted in its most recent Data Breach Investigations Report.
“The most prolific is the old faithful: spear phishing. We (and others) have covered this ad nauseam in prior reports, but for both of you who have somehow missed it, here goes: A well-crafted and personally/professionally-relevant email is sent to a targeted user(s), prompting them to open an attachment or click a link within the message. Inevitably, they take the bait, at which point malware installs on the system, a backdoor or command channel opens, and the attacker begins a chain of actions moving toward their objective.”
With the wealth of information available about executives online, targeting an infected email attachment to a specific user remains the most reliable method of penetrating a network. Most of us have been using email long enough to know that a message with a file included that reeks of unprofessionalism may be dangerous. But if the email seems crafted and personal, we still may be fooled.
Security education will never cure the plague human error, which is why your IT department is working overtime to break the “delivery-installation-exploitation chain”.
Still the basic caveat applies: Never open an attachment you weren’t expecting. And if sensible information is concerned, don’t be hesitant to call respective employees to verify information.
2. Don’t store your passwords in a folder called “Passwords”.
Seems obvious. But it appears Sony may have done just that. Verizon reports that credentials are the number one hacker target. With 62 percent hacks not discovered until months after a network has been hacked, the intruders will have plenty of time to poke around. Don’t make it easy.
3. Plug the holes.
Keep all of your system, application and security software patched and protected — especially browsers. Don’t use Java plugins.
Or get protection like F-Secure Software Updater that keeps you patched seamlessly.
4. Links in email can be as dangerous as attachments.
It turns out that years of indoctrination have has some effect. Users are more skeptical of attachments than of links in emails that can lead to “drive-by” web attacks and/or phishing scams — but not skeptical enough.
About 8 percent will click on an email attachment while “18 percent of users will visit a link in a phishing email. Users unfamiliar with drive-by malware might think that simply visiting a link won’t result in a compromise.”
5. Remember that email is forever.
Dance like no one is watching; email like it may one day be read aloud in a deposition.
— Olivia Nuzzi (@Olivianuzzi) December 13, 2014