With the majority of the Sony breach of November and December 2014 now behind us, it’s a good time to reflect upon the nature of the attack and what we as a community of technologists can learn from it.
Security starts and ends with people
The technical underpinnings of securing (digital) data–controlled access and encryption–are strong. Air gaps, vertical integration (in the extreme for preventing TAO and similar attacks), and the venerable algorithms of RSA, AES, and so forth have been proven time and again. Especially with the vast amount of expert knowledge available relating to implementing these technologies, building a secure system is not a great challenge. There is little mystery (I’m tempted to say “no mystery”) in these systems.
However, there is a lot of mystery in people. The users of a system are almost always its biggest attack surface; this is why phishing attacks have been and continue to be so prevelant & successful. The users of the system–from their bank account to their company’s intranet–are far more vulnerable that the systems they use. In advanced cases the technical systems systems can even be formally verified, and in the common cases they can still be extensively tested and audited.
This is not so with people. You cannot audit and verify the entire scope of a user’s behavior; creativity and spontaneity and so on are a beautiful part of being human.
Learning from Sony & other’s misfortune
What we can take away from the Sony breach is that training, policy, and other user education are critical to effective security. The reports stemming from the Sony incident investigators indicate at least some form of insider knowledge/participation; this was also the case with civically-minded individuals supplying Wikileaks and other corporate leaks. Some of these people were working with highly secure systems, and yet despite this security they were able to achieve significant levels of access. No matter your field, hiring and training good personnel will always be key.
Beyond just the threat of “inside jobs” is the necessity of proper training and culture of security. This is something Sony apparently lacked; reports point to a slipshod approach to system security and incredibly lax attitude towards maintenance, patching, and vulnerability response. Proper infrastructure defense demands diligence and dedication. As the Sony breach has demonstrated, an interal culture and staff without this cannot adequately maintain the security of their systems.
In technology–as in most things–users are both the greatest strength and the greatest weakness. Impromperly maintained systems are a disaster waiting to happen. If your organization has sensitive information–and it probably does–then the Sony incident should serve as a wake-up call to ensure you have adequate resources and training dedicated to securing that information. Failing to do so is inviting calamity.