
Sony Pictures has an operating income (revenue minus expenses) of $501 million per year. They can afford to pay creatives, but they can't afford to pay for a few more security engineers?

Look, I get the creative field costs a lot of money. But Sony Pictures was paying $454,224,070 in total salaries as of May (http://fusion.net/story/30850/).

Even hiring 5 more security engineers would have gone a long way. That's $1 million if we assume a $200k salary for good security engineers. A drop in the bucket for Sony Pictures.

I personally could do a lot with 5 security engineers.

Exactly. Let's not engage in this faux polemic about art-v-practicality. Sony are not mumblecore aesthetes from Bushwick. They are a megalith that should have their security locked down hard. Sorry you got owned, but seriously get with consensual reality: hackerfolk tend to hate owners of Big Content like you. Should have seen this coming ...


> They can afford to pay creatives, but they can't afford to pay for a few more security engineers?

So how do you measure their risk and the probability of being damaged? Serious security experts are STILL trying to figure out how to calculate these things. Insurance companies still have trouble "properly" pricing cyber insurance. The insurance companies are doing it, but they are way behind their ability to price for other forms of disasters.

So how much should they spend towards cyber security? How far off are they from that amount? We don't know. (well maybe we'll know from the leaked documents).


You do that through a Security Risk Assessment. There are plenty of models (e.g. OCTAVE) out there to help a security engineer conduct a Risk Assessment on an organization's infrastructure. Moreover, a Security Risk Assessment is very strongly suggested by any Security Compliance Program that deals with sensitive information.

This dump clearly shows personally identifiable information, something that would be easily classified as sensitive (e.g. SSNs). I'm very sure Sony Pictures classified their leaked movies as sensitive, since it would cause massive financial loss (which happened) if they were stolen.

If anybody was doing a Risk Assessment, protecting this critical part of the infrastructure would have been number 1 on the list.

Hackers are even claiming that a physical door with access to the sensitive environment was left unlocked. That's security 101!


Sony has a culture problem: if it is not a Japanese initiative, it doesn't happen. Unfortunately, the Japanese web executives are at least 10 years behind Silicon Valley in knowledge and vision. For as long as there isn't a Japanese security expert, born in Japan and groomed at Sony, Sony will continue taking these types of blows.


You are talking about human problems. People clicking links. People typing their passwords into foreign web forms.

Software engineers won't magically fix executives handing over credentials to hackers.

If you were designing a network and interface to access your files, maybe you could design it without resorting to passwords, but that wasn't practical in Sony's case.

Maybe they could have designed their network to notice the data leaving, but again, the hackers could always find a way to win. (Physical infiltration of the company and a Verizon hotspot?)
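As an added example (not from anyone in this thread), here is the "notice the data leaving" idea as detection logic over constructed flow records: each host's external egress per day is compared with its own trailing median, and a host is flagged only when it exceeds both an absolute floor and a multiple of that baseline. The record format, host names and thresholds are all assumptions for illustration.

```python
"""Egress-volume anomaly check over constructed flow records.

Each record is (day, host, dst_is_external, bytes). A host is flagged
for a day when its external egress exceeds both `floor_bytes` and
`factor` times the median of its earlier days.
"""
from collections import defaultdict
from statistics import median

GB = 10**9

# Constructed sample: two hosts quiet for four days, then one of them
# pushes ~2 TB to external destinations on day 5.
FLOWS = (
    [(d, "render-01", True, 40 * GB) for d in range(1, 5)]
    + [(d, "hr-fileshare", True, 2 * GB) for d in range(1, 5)]
    + [
        (5, "render-01", True, 45 * GB),
        (5, "hr-fileshare", True, 2000 * GB),  # the outlier
        (5, "hr-fileshare", False, 500 * GB),  # internal traffic, ignored
    ]
)


def daily_egress(flows):
    """Sum external-bound bytes per host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, external, nbytes in flows:
        if external:
            totals[host][day] += nbytes
    return totals


def flag_egress(flows, factor=5.0, floor_bytes=100 * GB):
    """Return {(host, day): bytes} for days where a host's external
    egress is above `floor_bytes` AND above `factor` * its trailing
    median. The floor stops normally quiet hosts tripping on noise."""
    flagged = {}
    for host, per_day in daily_egress(flows).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if not history:
                continue  # no baseline yet for this host
            value = per_day[day]
            if value > floor_bytes and value > factor * median(history):
                flagged[(host, day)] = value
    return flagged
```

Running `flag_egress(FLOWS)` flags only `hr-fileshare` on day 5; `render-01`'s day-5 bump stays below the floor and within its baseline.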


> Software engineers won't magically fix executives handing over credentials to hackers

and all those important files were just lying around

You can't project a film without a dedicated digital link to Sony's servers in London authorising it. For some movies they send personnel to your cinema to record the audience with IR cameras. For some movies you are not allowed to let the staff watch the film for free.


> and all those important files were just lying around

That's it. Whether a designer was compromised through a phishing attack or a physical door with access to the sensitive environment was left unlocked, there were clearly no controls in place to manage all the files just lying around like money under a mattress.


How much of that is really security vs. exercising power and control over a market?


If they can find the money and staff to implement securing third party cinemas to prevent copyright infringement by members of the public, perhaps they should spend a few dollars to secure their own premises.


People in cinemas with cameras are physically detectable.

Network attacks on infrastructure and/or exfiltration by rogue (or rouge) elements within your own workforce are vastly more difficult to detect. Not impossible, but they involve both violations of trust and allegiance, and plausible cover under other activities.

Though, once you're aware of / suspect such exfiltration, there are generally a limited number of places to look for suspects / points of access.


I should have made more of the fact that to screen the movie on your own projector you have to have a dedicated ISDN line to Sony in London which authenticates your machine with an online DRM system.

You also have to give them a share of your ticket sales, provide sales figures and you cannot offer discounted tickets for concessions or special offers.


I understand.

Much of that is effectively exercising control over the market venue though. The studio gets to specify which facilities do or don't meet the standards required to show their content. To that extent, the technical restrictions are less about keeping the content from being pirated (there are plenty of other leak channels, typically pre-release review copies, which have their own copy controls, yes), and far more about keeping cinemas beholden to the studio vassal lords.


Security is multiple layers. A phishing attack (as you described) should only get you 1 layer deep; it shouldn't give you access to everything. You still need to bypass the rest of the controls to get the delicious sensitive data. With a leak like this (100 TB of sensitive SSNs, salaries, and movies leaked), there clearly weren't very many controls, if any.

I think you're thinking too much about UX, passwords, and phishing links, and forgetting all the other layers that a usable security environment can provide without the need for passwords (e.g. authorization control, segmented file servers for each department). A security engineer can definitely create a very safe and secure environment WITHOUT negatively impacting the usability, experience, or workflow of the creatives working on their designs and art.
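As an added example (not from anyone in this thread), the "1 layer deep" argument can be made concrete with a small department-segmented authorization model: a phished designer credential reaches only the design share, and sensitive shares (SSNs, finished masters) need an explicit grant on top of department membership. The share names, departments and policy rules are constructed for illustration.

```python
"""Department-segmented authorization: how far does one phished
credential get an attacker? Shares carry an owning department and a
sensitivity flag; reads are allowed only inside the caller's own
department, and sensitive shares additionally need an explicit grant.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Share:
    name: str
    department: str
    sensitive: bool = False


@dataclass
class Principal:
    user: str
    department: str
    explicit_grants: set = field(default_factory=set)


# Constructed shares modelled on the data categories named in the thread.
SHARES = {
    "design-wip": Share("design-wip", "design"),
    "hr-payroll": Share("hr-payroll", "hr", sensitive=True),
    "final-masters": Share("final-masters", "post", sensitive=True),
}


def can_read(p: Principal, share: Share) -> bool:
    """Layer 1: department segmentation. Layer 2: explicit grant for
    anything marked sensitive. Both must pass."""
    if share.department != p.department:
        return False
    if share.sensitive and share.name not in p.explicit_grants:
        return False
    return True


def blast_radius(p: Principal, shares=SHARES) -> list:
    """Shares a compromised principal `p` could read, sorted by name."""
    return sorted(name for name, s in shares.items() if can_read(p, s))


def flat_model_blast_radius(shares=SHARES) -> list:
    """Contrast case: one flat file server where any valid login reads all."""
    return sorted(shares)
```

With this policy a phished designer account exposes only `design-wip`, while the flat model exposes every share to the same single credential.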


Let me rephrase the question here: we could either spend $1m on some gobbledegook that those fast-talking nerds say we need, or we could get bigger bonuses. We worked hard and bonuses would be tangible; when asked how we will know if a $1m expenditure a year is working, fast-talking nerds talk even quicker about something that amounts to 'nothing bad will happen'.

We are arguing here from a position of knowledge that the guys who make these decisions likely do not have. Should they have it? Probably not, but they definitely should listen to someone who knows and who can present a solid risk/cost/benefit analysis that they can understand.


Explaining 'how it happened: because human' is not the same as 'shouldn't have to care about security'.

In fact, I'd argue that those big bonuses would imply that they're professionals worth the money, and should be making more robust decisions.


I completely agree with you that they should know what they are doing and make robust decisions. But when you are at the top, and you tell the board what is going on, and you define what it means to be a professional, the line blurs. It is very easy to omit certain tail risks by simply not knowing and not taking the time to know about them.


Why can't they be like Sony Music, and not pay creatives at all?


Security is also incredibly, incredibly hard. Google were hacked quite hard as well, remember?


The most recent Google hack [1] wasn't actually a Google hack. It was just a combined list of various email/password dumps from various hacked web services over the years that all ended in @gmail.com.

My account was included yet my password was 18 months out of date.

[1] http://bgr.com/2014/09/10/gmail-hack-how-to-find-out/


Google was hacked quite as hard? You mean, where all their employee SSNs were posted online, along with their technology roadmap? No, sorry, I don't remember that.

Or was that sarcasm?
