A Tale of Two Breaches: Part I

June 2, 2011

As anyone who is addicted to Call of Duty: Black Ops multiplayer can tell you (along with anyone who hasn’t been planted under a rock for the past month), Sony experienced a massive network attack several weeks ago that compromised customer cardholder data, and resulted in Sony voluntarily bringing down their Playstation Network service for over eight days.  Coincidentally (perhaps?), federal systems integration firm Lockheed Martin also experienced a massive externally-oriented attack last week.  While specific details associated with both attacks are somewhat sketchy, we do know that both were broad-based, likely originated outside the organization, and posed a massive threat to each organization and its customers.

As we’ve said many times here in The Situational Room, attacks will happen.  Any organization that believes it is 100% immune from attacks (or any vendor who tells them such nonsense) is fooling itself.  There are countless ways to attack a complex network, and over time, many of these methods will be used on almost every single network.  However, the biggest difference between the Sony and Lockheed Martin attacks was not in the attack vector, the payload, or even whether data was compromised.  No, the big story here is the stunning difference in how these organizations handled the attack.

In Sony’s case, disclosure was slow: the company was mum on the specifics, and Sony’s story behind the breadth, scope and cause of the breach changed over time.  The Playstation Network itself (the service from which customer cardholder data was stolen) went down almost immediately, with little explanation.  Customers (including yours truly) were issued cryptic, apologetic e-mails, with offers for free credit monitoring.  Overall, the tone of this attack, and its results on Sony’s customer base, was ominous.  Questions still remain: exactly how many credit cards were compromised?  What attack vector(s) were used?  What controls is Sony implementing to ensure that this kind of problem doesn’t occur again?  And perhaps most importantly, why didn’t they see this kind of attack coming in the first place?

In the case of Lockheed, the story is quite different.  Not only did the company disclose almost immediately that an attack was attempted, but that it was in fact thwarted: in their online press release, the exact quote was, “no customer, program or employee personal data has been compromised.”  Now that is the sign of an effective information security program!

So what does Lockheed Martin have that Sony didn’t?  What made the difference in how these two global, household names were able to deal with a roughly similar problem in such incredibly divergent ways?

In Part II of this post, we’ll take a look at some of the inner workings of these attacks, including the (alleged) susceptibility of RSA SecurID tokens as part of the Lockheed Martin attack.  Later, in Part III, we’ll talk about how organizations can minimize the threat of these attacks, and see what technologies can, and cannot, be used to detect and mitigate these advanced persistent threats.
