Bruce Schneier reminded me of an old but very relevant concept in IT security. There are two types of attacks: opportunistic and targeted. And then you can characterize attackers on two axes: skill and focus.
For example, script kiddies using point-and-click hacking tools are low-skill and low-focus. They grab what they can get if the low-hanging fruit is available. On the other side of the spectrum are highly skilled nation-state hackers with a single focus, and Sony is a good example. A large North Korean hacking team went in and shut down Sony Pictures, their job made easy by Sony's third-rate security. As NK specializes in unconventional (asymmetric) warfare, this type of attack may have been a great practice run for them.
In the middle between these two sit the opportunistic high-skill, low-focus attacks that we read about in the paper regularly: Target, Home Depot, JP Morgan Chase and now Staples lost a million cards. I'm getting breach fatigue; how about you?
So, what are the lessons learned?
1) If you are the target of a high-skill, high-focus attack, you can count on them getting inside. You need to focus on defending the crown jewels and make sure they do not get exfiltrated. The fact that Sony did not notice terabytes of data leaving the network is an epic fail. Lesson learned: use encryption and breach-detection tools.
2) If you handle a lot of credit cards, Russian cybercrime has you in their crosshairs, but so are a million others. If Home Depot had upgraded their POS systems in time from XP to Win7, they would not have been hacked. Good security makes the attackers' job a lot harder, more expensive and more risky. This type of bad guy is in it for the cash and their time is money: they will move on to a weaker target. Lesson learned: create enough IT security budget to give the InfoSec team the time and tools to implement best practices.
3) The time to start is before the attack: be prepared. Get a professional pentester and see how they penetrate your network; the good ones always get in. Remember that IT security is really three things: protection, detection and response. Lesson learned, and I'm quoting Schneier here: "You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout."
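The detection lesson above, as an added example that is not from the original post: a small Python script that sums outbound bytes per internal host from constructed flow records and flags hosts sending far more than their baseline, the kind of check that would notice terabytes leaving the network. The internal address ranges, the flow record layout and the baseline values are assumptions.

```python
# Added example (not from the original post): a minimal exfiltration-volume
# detector over constructed flow records, illustrating the "detection" leg of
# protection/detection/response. Field layout, internal ranges and baseline
# values are assumptions, not data from any real incident.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows: (timestamp, src_ip, dst_ip, bytes_sent)
SAMPLE_FLOWS = [
    ("2014-11-24T01:00:00", "10.0.5.12", "10.0.9.3", 4_000_000),       # internal to internal: ignored
    ("2014-11-24T01:05:00", "10.0.5.12", "203.0.113.7", 120_000_000),  # internal to external
    ("2014-11-24T01:15:00", "10.0.5.12", "203.0.113.7", 900_000_000),
    ("2014-11-24T01:20:00", "10.0.7.40", "198.51.100.9", 2_000_000),
    ("2014-11-24T01:45:00", "10.0.5.12", "203.0.113.8", 1_100_000_000),
]

# Assumed per-host "normal" outbound volume for the same window, e.g. learned
# from historical flow data. Hosts missing here fall back to the median.
BASELINE_BYTES = {"10.0.5.12": 50_000_000, "10.0.7.40": 30_000_000}

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_bytes_per_host(flows):
    """Sum bytes sent from internal hosts to external destinations only."""
    totals = defaultdict(int)
    for _ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_exfil_candidates(flows, baseline_bytes, multiplier=10):
    """Return (host, total_out, baseline) for hosts exceeding multiplier * baseline."""
    totals = outbound_bytes_per_host(flows)
    known = sorted(baseline_bytes.values()) or [0]
    default = known[len(known) // 2]  # median baseline for hosts never seen before
    alerts = []
    for host, total in sorted(totals.items()):
        base = baseline_bytes.get(host, default)
        if total > multiplier * max(base, 1):
            alerts.append((host, total, base))
    return alerts


if __name__ == "__main__":
    for host, total, base in flag_exfil_candidates(SAMPLE_FLOWS, BASELINE_BYTES):
        print(f"ALERT {host}: {total / 1e9:.2f} GB out vs baseline {base / 1e6:.0f} MB")
```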
As the Sony attackers came from across the planet, there are only three ways they could have gotten in:
- Mis-configured servers that allowed unauthorized access.
- Software vulnerabilities, either known or unknown zero-days.
- Social engineering of untrained employees who simply let the bad guys in by clicking on a spear-phishing link.
At least you can do something about number 3 right away: you need new-school security awareness training.