Call of Duty – Transparent Disclosure

April 28, 2011

I wrote about the need for transparency at the start of the month, so you might expect me to be gunning for Sony right now.  You’d be wrong.

We’re seven days from the announcement that its PlayStation Network and Qriocity streaming service had been breached, and Sony is only just advising subscribers that their credit card data may have been accessed. Compared with breaches like RSA and Comodo we know significantly more after a week than we have come to expect – it could be argued that the brand and its consumer, rather than trade, audience may have kept this incident in the spotlight. But, while it has taken seven days for Sony to officially advise subscribers to cancel the credit cards they used, the details released and actions taken by Sony on day one will mean many subscribers won’t have waited for today’s announcement to take action.

From what Sony has already divulged, the attack has all of the hallmarks of a modern advanced persistent threat – for all we know, it may still be an ongoing breach. The nature of the Sony attack – now being billed as one of the top 5 in information security history – means that the company’s security professionals may still not know the full extent of the breach. Without a way to quickly correlate the millions of pieces of security data on its network, figuring out the how, the why and what the target was may take weeks or months.

It is also possible Sony will never know the full extent of the breach!

UPDATE:

This morning Sony acknowledged that another network breach, related to the first one, has been identified.  This time it involves Sony Online Entertainment (SOE).

From what we know so far it isn’t a separate attack, but a second breach that occurred during the first attack. While details are still vague it’s reported that it involves 12,700 credit card numbers – Sony has not confirmed this. That takes the total user records compromised by the attack on the SOE, PSN and Qriocity networks to around 100 million.

The question most journalists, analysts and commentators will be asking is how did this happen?  Any CISO or Enterprise Security Analyst in charge of a large distributed network will understand how it could have taken 15 days for this second breach to come to light. Unless Sony has a platform that enables it to capture, correlate and analyze the millions of data security records on its network, in all formats via a single console, the process of identifying the source, target and scale of the attack will involve multiple systems and reports and require days of grueling manual analysis by Sony’s security analysts.

There are those who question Sony’s transparency – personally I see an imperfect process. After all, having spent yesterday apologizing to customers it’s unlikely the company would want to lose any more face unless it absolutely had to.

UPDATE II

News that Sony has called in two forensic IT investigation firms to help it figure out how its PlayStation and Online Entertainment networks were breached suggests that the company still has no real idea how its network was breached. Sony has described the attack as, ‘very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes.’ Sounds like one of those Advanced Persistent Threats [APTs] again, doesn’t it?

I predicted at the start of the year that Stuxnet would be commercialized; I wonder…

It also transpires that Sony has admitted that it waited two days to contact the FBI – and a further five before it met with the Bureau.  The admission came in a letter sent to a US House of Representatives subcommittee in response to questions over how Sony was protecting consumer information – seven days is a long time in cyberspace, where reputations are built – and destroyed.

The bottom line is that until the experts have figured out what happened – as best they can – Sony cannot be sure it has done everything possible to secure its networks against further attack. Had it been able to capture, correlate and report on the security data in its network in real time, including while the attack was still taking place, it may have been able to identify the source, modus operandi and target of the breach, and take action to stop it and limit the damage done to both its network and its reputation.

Is there anybody that still thinks that the threat posed by cyber attackers is overhyped?

Update III

Sony’s claim at the end of last week that a security breach that resulted in the theft of more than 100m users’ data occurred while it was fighting a DDoS attack by the Anonymous activist group illustrates a fundamental flaw in traditional Enterprise security systems and processes. In an era of Advanced Persistent Threats [APTs] the truth is that this type of distraction theft is also likely to become increasingly prevalent – while security analysts are focused on repelling an attack in one part of a large distributed network, another attack sneaks into another part and steals data or causes harm behind their backs.

Over the last few months we’ve talked about Unified Situational Awareness and how we believe it can plug a fundamental gap in existing Enterprise and Federal Information Security activities – the Sony attack suggests that we have a point.  Unified Situational Awareness enables security analysts to see their entire security position via a single console.  It allows them to correlate every piece of security data on their network [often millions of records] in seconds to show them any relationships between anomalies and answer questions like:

▪   Is there an unusually high number of failed logins, beyond simple fat-fingering, on any user accounts?

▪   Do any of these accounts have privileged access to critical systems or information?

▪   Have any unauthorized configuration changes been implemented by accounts that have experienced an unusually high number of failed logons?

▪   Are the unauthorized changes on systems that contain sensitive company/customer data?

▪   Is the net flow unusually high for any of the major Enterprise systems? Are they accessed by any of the accounts with an unusually high number of failed logons?

Answering these questions, in real-time, while attacks are occurring can be the difference between taking action at that time to repel and limit damage, or the situation that Sony finds itself in nearly two weeks after the start of an attack: hiring forensic IT experts to, I suspect, comb multiple reports to figure out EXACTLY how somebody was able to gain access to up to 100 million user records.

We call that difference Unified Situational Awareness.
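The correlation questions listed above amount to a join across authentication, configuration-change and network-flow records, keyed on account and host. The following Python is an added example, not code from the original post or from any product it describes; the record layouts, thresholds, inventories, account names, host names and ticket id are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records standing in for three separate log sources.
AUTH = ([("svc_backup", "db01", "fail")] * 14 + [("svc_backup", "db01", "ok")]
        + [("intern7", "web02", "fail")] * 11
        + [("jsmith", "web02", "fail"), ("jsmith", "web02", "ok")])  # (account, host, outcome)
CONFIG = [("svc_backup", "db01", "firewall rule added", None),      # (account, host, change, ticket)
          ("jsmith", "web02", "package upgrade", "CHG-1001")]
FLOW = [("db01", 9_400_000_000, 600_000_000),                       # (host, bytes_out, baseline)
        ("web02", 1_100_000_000, 1_000_000_000)]
PRIVILEGED = {"svc_backup"}  # assumed inventory of privileged accounts
SENSITIVE = {"db01"}         # assumed inventory of hosts holding customer data
FAIL_THRESHOLD = 10          # assumed cut-off above ordinary mistyping
FLOW_RATIO = 5.0             # assumed multiple of baseline treated as unusual

def correlate(auth, config, flow):
    """Join the three sources on account and host; one finding per suspect account."""
    fails = Counter(acct for acct, _, outcome in auth if outcome == "fail")
    reached = defaultdict(set)  # hosts each account logged in to successfully
    for acct, host, outcome in auth:
        if outcome == "ok":
            reached[acct].add(host)
    hot_hosts = {host for host, out, base in flow if out > FLOW_RATIO * base}
    findings = []
    for acct, count in fails.items():
        if count <= FAIL_THRESHOLD:
            continue  # within the range of ordinary typing mistakes
        # A change with no approval ticket is treated as unauthorized (assumption).
        changes = [(h, c) for a, h, c, ticket in config if a == acct and ticket is None]
        finding = {
            "account": acct,
            "failed_logins": count,
            "privileged": acct in PRIVILEGED,
            "unauthorized_changes": changes,
            "changes_on_sensitive": sorted({h for h, _ in changes} & SENSITIVE),
            "high_flow_hosts_accessed": sorted(reached[acct] & hot_hosts),
        }
        # Score: how many follow-up questions are answered "yes" for this account.
        finding["score"] = sum(bool(v) for k, v in finding.items()
                               if k not in ("account", "failed_logins"))
        findings.append(finding)
    return sorted(findings, key=lambda f: f["score"], reverse=True)

if __name__ == "__main__":
    for f in correlate(AUTH, CONFIG, FLOW):
        print(f)
```

Both accounts exceed the failed-login threshold, but only the privileged one with an unticketed change on a sensitive, high-flow host rises to the top; a failed-login alert viewed on its own would rank the two alike.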

Update IV

[Operation: Stringer’s Bad New World]

As I prepared to post a final installment in our Call of Duty series of posts (cautioning against the return to service of Sony’s PlayStation and Online Entertainment networks, on the basis that it remains unclear whether the company fully understands how its networks were breached), two new stories broke. The reality is that Sony HAD to get the networks back online as soon as possible: it had subscribers to its own networks as well as a number of third party applications/services to placate, and there is no such thing as absolute network security.

The latest reports suggest we were correct in our original analysis. The fact that it appears the password-reset page has been attacked (it has subsequently been taken down) suggests that there remained a real risk of further damage. Of course, every security professional knows that, as Sony’s chief Howard Stringer admitted, no organization can honestly claim its network is 100% secure; but there are risks and then there are RISKS. APTs like the Sony attack demonstrate that the ‘bad guys’ will stop at nothing to cause commercial and reputational damage, and until there is enough intelligence to understand the risks, it doesn’t make sense to put services back live.

The only real protection against an advanced persistent threat is early detection. Identifying the vector of an attack, the target and the modus operandi of the virus or worm, for example, enables security analysts to understand the risk to their infrastructure and to the data that belongs to both their organization and their customers, to take proactive steps to limit the scope of the attack and protect mission critical systems and data, and to issue appropriate warnings. It also makes the likelihood of ongoing problems much easier to evaluate.

Achieving this requires:

▪   Continuous monitoring of ALL security data – events alone aren’t enough to get the job done

▪   The ability to correlate every piece of security data on a network, regardless of its location or format, in real time

▪   The intelligence to take immediate action, often while an attack is still occurring, to limit the damage done

Sony’s Stringer describes the new cyber security landscape as the ‘bad new world’ that both commercial organizations and federal agencies face.  You certainly can’t fault his honesty.

We, and an increasing number of information security professionals around the world, are saying the best weapon for protecting large distributed networks from advanced persistent threats [APTs] is called Unified Situational Awareness.

Why not put it in your security armory?
