The hacking of Sony Pictures' network has highlighted how vulnerable companies are to attack, and hammered home the need for strong data security measures.
When Sony Pictures' network was hacked in November 2014, the incident set new precedents for the impact of such attacks. The ramifications have not only damaged the target, Sony Pictures, and its employees but also third parties including high profile celebrities, suppliers and customers.
According to news sources, the first indications that Sony Pictures' network had been compromised came on 24 Nov 2014 when images appeared on users' screens bearing a threat to publish stolen data. In an attempt to stifle the attack, the network was shut down and the company remained offline for several days - leaving employees without access to their data or email accounts.
It later became apparent that around 100 TB of data had been stolen during what was in fact a sustained breach of the network, following which:
- Five feature films were uploaded to file sharing websites and the script of the James Bond film 'Spectre' exposed during production
- Masses of confidential company and personnel data, including social security numbers, financial and health details, were made public
- Company emails discussing public figures and celebrities were also released causing embarrassment to Sony executives
How was Sony hacked?
Full details of how the hack was executed are, understandably, being protected while investigations are carried out. It is understood however that hackers 'stole' the login credentials of a system administrator to gain entry to the network.
Once initial access had been gained, the hackers used a Server Message Block (SMB) Worm Tool to propagate the attack. This worm was able to use brute force authentication attacks to spread within the network, enabled the hackers to harvest sensitive data and had the power to wipe hard disks and leave them in an unrecoverable state.
What the hack means to the rest of us
While Sony Pictures was the victim of a large scale, targeted attack, against which it may be impossible to defend, the fact remains that password security was a predominant factor in both its initiation and propagation.
And weak password security is one threat to which many organisations are equally vulnerable. It's also true that brute force authentication attacks aimed at cloud servers and websites are extremely common, happening every day, as are confidence attempts to obtain login credentials from individuals. Therefore, the news about the Sony hack should highlight the need for all businesses to review their data security, starting with password strength.
Make passwords your first line of defence against hackers
Tackling password security within an organisation may seem a daunting task, but complacency on this issue is equal to negligence when you consider how critical it is to security. Fortunately, making passwords more secure isn't actually that hard and it is only misconceptions that prevent people from doing it naturally.
As we wrote in our post on weak password vulnerability:
- Secure passwords don’t need to be complex or difficult to remember
- Password length is actually a better measure of password security
- A 'pass-phrase' consisting of several easy to remember words is actually stronger than eight or ten impossible to remember characters and symbols
- Two-factor authentication, requiring the use of a physical possession such as a smartphone, is even more secure again
- By providing and encouraging use of a password manager, employers can make it easy for employees to use unique, strong passwords for every login
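To put numbers on the length-versus-complexity point above, the following added example (not from the original post) compares randomly generated pass-phrases with random character passwords and works out how many words are needed to match them. The 94-symbol character set, the 7,776-word list size and the short demo word list are assumptions made for illustration.

```python
import math
import secrets

# Assumptions (not from the article): "impossible to remember" passwords are
# drawn uniformly from the 94 printable ASCII symbols, and pass-phrase words
# are drawn uniformly from a 7,776-word Diceware-style list.
CHARSET_SIZE = 94
WORDLIST_SIZE = 7776

# Constructed demo list; a real deployment would load the full word list.
DEMO_WORDS = ["anchor", "biscuit", "candle", "dolphin", "ember", "falcon",
              "garden", "harbour", "island", "jigsaw", "kettle", "lantern"]


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform selections from `choices` options."""
    return picks * math.log2(choices)


def words_to_match(char_count: int) -> int:
    """Fewest random words at least as strong as `char_count` random characters."""
    target = entropy_bits(CHARSET_SIZE, char_count)
    return math.ceil(target / math.log2(WORDLIST_SIZE))


def make_passphrase(wordlist: list[str], n_words: int, sep: str = "-") -> str:
    """Pick words with the OS CSPRNG. The entropy figures only hold for random
    picks; a phrase a person makes up (a quote, a lyric) is far easier to guess."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for chars in (8, 10):
        print(f"{chars} random characters: {entropy_bits(CHARSET_SIZE, chars):.1f} bits")
    for words in (4, 5, 6):
        print(f"{words} random words:      {entropy_bits(WORDLIST_SIZE, words):.1f} bits")
    for chars in (8, 10):
        print(f"words needed to match {chars} characters: {words_to_match(chars)}")
    print("sample (demo list, low entropy):", make_passphrase(DEMO_WORDS, 6))
```

Under these assumptions four random words fall just short of eight random characters, so "several" should mean five or six words chosen at random.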
Though it will always be difficult to fully protect your business from such highly skilled and focussed hacking attempts as that which crippled Sony Pictures, most are unlikely to attract that sort of attack. All businesses however are exposed to opportunistic attempts to compromise login details and wreak havoc. In these cases, strong passwords are an effective first line of defence.