This post isn't breaking news -if you don't know what's going on over at Sony with regards to security issues go Google it.
This post also isn't going to pile onto the problems that Sony has... I find no joy in exacerbating others' pain.
What this post does address is the long-term impact, and the burning question of "just what is going on over there?" So let me address this from my point of view. Take this post for what it is, an opinion, with no insider knowledge what-so-ever.
Just in case you've been living in a cave, Sony has been the target of an on-going attack stream which started with the PlayStation Network (PSN) being compromised and taken down.
The communicated loss of revenue, as far as I can tell, was approximately $MM USD... which is a catastrophic loss for many organizations not Sony's size.
Even if Sony can swallow up the cost, a few things have been exposed including the fact that information security obviously wasn't taken seriously... as is indicative that just now the organization is hiring an information security manager.
This is all stuff you can read elsewhere, so I'll move on...
Just What Is Going On?
So at last count, I believe we're at 10 separate breaches (and counting!) at Sony assets since this whole thing started. The PSN has come back to life reportedly more secure than before, but it appears as though there is a pile-on effect going on now with the breaches at Sony.
Asset after asset has been breached, pillaged, and made public - recently on PasteBin.
All manner of defects and exploits have been used in the intrusions, and I'm sure many of the attack vectors we'll never really get much insight into. What's happened recently is that the attack vector has surfaced at the web application level, via SQL Injection... so that means that websites and applications across Sony's assets are being targeted.
From the perspective of someone reading the blogs and following the media, the outlook appears bleak as one incident after another pops up at least once a day now... the security community is starting to wonder if Sony can stop the bleeding.
What's the End Game?
I've been watching the issues unfold, had a few interesting conversations, and finally came up with some insight. What I think is really happening now is a giant game of "capture the flag".
Perhaps what's more disturbing than the 'capture the flag' swarm mentality is that the attack targets may be escalating. I'm just speculating here, as I've said before without any inside information, but I think this game being played by the hacker community at Sony's expense is going to end at some point... but very badly.
I think that someone will "win" the capture the flag exercise, by obtaining something from Sony's super-secret vault, or some ultra-business-critical intellectual property that's going to hurt the business in the long term.
Hacking incidents, as we've seen, tend to have a short-term impact on a business and rarely impact the long-term viability of a large organization. What I suspect may happen here is an event or exfiltration of data so catastrophic that it may actually impact Sony's long-term viability and bottom line.
I sincerely hope this does not happen... however I would not be terribly surprised if or when it happens.
So What Now?
If I had 1 minute with the Sony chiefs that are running point on this security calamity - I would offer the following pieces of advice... and these really apply to most organizations that face a large-scale, multi-pronged and ongoing intrusion:
- Stop panicking
- Create a tactical team to evaluate the 'worst-case scenario' I've described above
- Create a short-term strategy to protect the most critical Sony IP
- Disconnect or disable any non-essential connected systems
- Start at the inner-most critical network segments that they can define, and work your way to the 'borders' (easier said than done, but must be done)
- Risk-rank, schedule, and execute security evaluations on applications and systems
- Create a long-term strategy to protect Sony assets, applications, and systems
I know this isn't easy... and it will take more resources they (or you?) currently have - but I strongly feel that the result of not doing the above, in that order, will be the eventual compromise and exfiltration of IP or information that may cause real, tangible, and long-term business damage to the organization.
Cross-posted from Following the White Rabbit