It has been more than a month since the data leak suffered by Sony Pictures Entertainment (SPE). There is no doubt that this is one of the most devastating attacks of recent times. The Federal Bureau of Investigation (FBI) formally stated that it has connected the North Korean government to the cyber-attack. It is speculated that the trigger could have been the production of the film “The Interview”, about a plot to assassinate North Korean leader Kim Jong-Un, although some experts have expressed doubts about this.
A hacker group going by the moniker “Guardians of Peace” (GOP) was responsible for the shutdown of SPE’s computer network. The group announced that it held confidential information from SPE that would be published if the company didn’t cooperate. According to a Reddit thread and Wikipedia, the stolen information (the attackers claimed to have more than 100 TB) includes personally identifiable information about employees, e-mails between employees, information about executive salaries at the company, copies of unreleased Sony films, passwords, financial documentation, employee performance reports, etc.
Several published articles give details of the stolen data:
- Excel spreadsheets with the latest layoffs in 2014 including their reasons.
- Performance reports of hundreds of employees.
- Information about salaries and comparisons with those of competitors.
- Excel spreadsheets with names and social security numbers.
- Scripts of films, such as the latest James Bond 007 film.
Other lists shown in the Reddit post include several Word documents, Excel spreadsheets, and PDFs whose file names refer to usernames and passwords (e.g. FTP passwords malaysia.xls, Login and Passwords.xls, etc.). There are also files with names that refer to confidentiality agreements, information about films, etc.
Separately, the recently discovered Regin malware has been spying on private companies, governments, research institutes and individuals in 10 countries since 2008. 28% of the targets are related to telecommunication companies, with other victims among energy companies, airlines and research institutions.
Although the goal of more traditional APTs (Advanced Persistent Threats) is usually to obtain specific information (e.g. intellectual property), Regin goes further: it gathers data and continuously monitors its targets for a long time while remaining unnoticed.
Again, one of the main purposes of these attacks has been to obtain sensitive information from the corporate sector. Protection tools against APTs, perimeter protection solutions, anti-malware, etc. try to detect threats as they attempt to break into the corporate network. But now, more than ever, it is critical to have layered protection in corporate systems, with security measures that protect not only the network and the hosts or devices, but also the information itself.
Some of the measures that we can consider to try to protect our business against such attacks are:
- Make backups so that the information is protected against possible deletion or overwriting, to ensure business continuity.
- Isolate the critical information, the “crown jewels”, keeping it protected, encrypted and under control.
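A starting point for the second measure, as an added example that is not part of the original article: a Python audit that walks a file share, flags documents whose names suggest the kinds of content listed above, and reports whether each one appears to be encrypted at rest. The name patterns, the category labels and the sample files are assumptions constructed for illustration, and the encryption check is a heuristic based on file signatures.

```python
import re
import tempfile
from pathlib import Path

CATEGORIES = {  # name patterns are assumptions modelled on the article's file lists
    "credentials": re.compile(r"passw(or)?d|login|credential", re.I),
    "hr": re.compile(r"salar|layoff|performance|\bssn\b|social.security", re.I),
    "legal": re.compile(r"confidential|\bnda\b|agreement", re.I),
}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file
ZIP_MAGIC = b"PK\x03\x04"                         # plain OOXML (ZIP) container

def encryption_state(path):
    """Heuristic: 'encrypted', 'plaintext' or 'unknown' for one document."""
    data = path.read_bytes()
    ext = path.suffix.lower()
    if ext in {".xlsx", ".docx", ".pptx"}:
        # Password-protected OOXML is wrapped in an OLE2 container, not a ZIP.
        if data.startswith(ZIP_MAGIC):
            return "plaintext"
        return "encrypted" if data.startswith(OLE_MAGIC) else "unknown"
    if ext == ".pdf":  # encrypted PDFs carry an /Encrypt entry in the trailer
        return "encrypted" if b"/Encrypt" in data else "plaintext"
    return "unknown"  # legacy .xls/.doc are always OLE2; the signature cannot tell

def audit(root):
    """Return sorted (relative path, category, state) for sensitive-looking names."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        for category, pattern in CATEGORIES.items():
            if pattern.search(path.name):
                rel = path.relative_to(root).as_posix()
                findings.append((rel, category, encryption_state(path)))
                break  # first matching category wins
    return sorted(findings)

def demo():
    """Build a constructed sample share (fake file bodies) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "FTP passwords.xls").write_bytes(OLE_MAGIC + b"constructed")
        (root / "Login and Passwords.xlsx").write_bytes(ZIP_MAGIC + b"constructed")
        (root / "Salaries 2014.xlsx").write_bytes(OLE_MAGIC + b"constructed")
        (root / "NDA agreement.pdf").write_bytes(b"%PDF-1.4\nconstructed\n")
        (root / "lunch menu.docx").write_bytes(ZIP_MAGIC + b"constructed")
        return audit(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Files reported as `plaintext` or `unknown` under the credentials category are the first candidates for removal, encryption or relocation to a controlled store.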
Would it have been possible to minimize these confidential information leaks in any way? Could the Excel documents, Word documents or PDFs with sensitive information have been made inaccessible once stolen? Imagine that this information had travelled with a protection shell that goes with the data wherever it is, with embedded access control that can decide in real time who can and cannot access it. This type of protection, information rights management, could have prevented certain information from being accessible once outside the company network. Given the nature of these attacks, it may be difficult to prevent the information from being extracted from the system, but if the protection travels with the document, we certainly make things much more difficult for the attacker.
Moreover, such attacks demonstrate the economic impact of a severe data breach. Downtime or idle time on computers has economic consequences for the company, but nothing comparable to those arising from the publication of extremely confidential information, which can lead to internal incidents (salaries, internal communications, performance evaluations, etc.) or external losses (data leaked prematurely, financial information, breaking of agreements with third parties, competitive information, etc.).