The Moral of Sony: Ignoring Cyber Risk Can Be Fatal

The moral of the hack of Sony Pictures Entertainment is that companies can't ignore cyber risk any longer.

Mark Anderson over at IEEE Spectrum has a nice article today on “How Not To Be Sony Pictures.” His argument: corporations can no longer afford to be cavalier about cyber security, and accordingly they need to do much more than simply spot threats.

“Any organization that thinks cybersecurity is as simple as installing and regularly updating their anti-virus software risks similar nightmare scenarios as what Sony Pictures now stares down.”  – Mark Anderson, IEEE Spectrum.

Anderson points to a blog post by Fengmin Gong, the chief strategy officer and co-founder of Cyphort Security. Gong argues that the sheer scale and complexity of connected devices require a new attitude towards protecting critical data and assets.

“The new approach today that people have shifts away from prevention — which everyone knows is not achievable — to a focus on attack sequence and consequence,” Gong writes.

What does that mean? Gong and Anderson are really talking about letting go of the notion of a “hard shell” network that keeps sensitive data in and deflects external attacks. Instead, Gong argues for accepting a more porous network, one with “some leaks,” because it is impossible to anticipate all the ways that users and devices will connect. But it is also a network in which constant monitoring for threats and abnormal behavior ensures that sensitive and critical data never flow across that border.

Anderson also notes the importance of finding the equivalent of cyber “broken windows” – small compromises that might be building blocks to larger ones. In the case of Sony, he notes (as we have) that the malware used to steal data and wipe infected systems was already hard-coded with Sony credentials, indicating that attackers had a foothold on Sony’s network long before their coup de grâce – the wiping of infected systems that occurred on November 24.
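To make the two points above concrete (watching for abnormal data flows across the border, and catching the small “broken windows” such as one credential quietly being reused across many hosts), here is an added example that is not code from this post, from the IEEE Spectrum article, or from Cyphort. It runs two simple detections over constructed telemetry: a per-host egress-volume baseline check and a “one account, many hosts” check. All host names, account names, byte counts and timestamps are constructed for illustration and are not Sony data; the thresholds are assumptions a team would tune for its own environment.

```python
"""Two small detections over constructed telemetry (added example; not
code from the post or the article it summarises).

1. egress_anomalies: flag a host whose egress today is far above its own
   history (a crude stand-in for "sensitive data flowing across the border").
2. credential_fanout: flag an account that authenticates to many distinct
   hosts inside a short window (a crude stand-in for a hard-coded or stolen
   credential being used to spread before the destructive final step).

All data below is constructed; thresholds are assumptions to be tuned.
"""

from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily egress totals in bytes, one list per host, oldest day
# first; the last value in each list is "today".
EGRESS_BYTES = {
    "fileserver-01": [4_100_000_000, 3_900_000_000, 4_300_000_000,
                      4_000_000_000, 4_200_000_000, 4_050_000_000,
                      39_000_000_000],          # ~10x the usual daily volume
    "workstation-17": [120_000_000, 95_000_000, 130_000_000,
                       110_000_000, 105_000_000, 125_000_000,
                       118_000_000],            # ordinary day
    "mail-relay": [900_000_000, 950_000_000, 910_000_000],  # too little history
}

# Constructed authentication events: (seconds since midnight, account, host).
AUTH_EVENTS = [
    (0, "svc_backup", "host-01"), (120, "svc_backup", "host-02"),
    (240, "svc_backup", "host-03"), (360, "svc_backup", "host-04"),
    (480, "svc_backup", "host-05"), (600, "svc_backup", "host-06"),
    (720, "svc_backup", "host-07"), (840, "svc_backup", "host-08"),
    (0, "jdoe", "workstation-17"), (3000, "jdoe", "workstation-17"),
    (7200, "jdoe", "workstation-17"), (9000, "jdoe", "printer-03"),
]


def egress_anomalies(history, k=3.0, min_days=5):
    """Return {host: (today_bytes, threshold)} for hosts whose egress today
    exceeds mean + k * stdev of their prior days.  Hosts with fewer than
    min_days of history are skipped rather than judged on noise."""
    flagged = {}
    for host, series in history.items():
        if len(series) <= min_days:
            continue
        *past, today = series
        threshold = mean(past) + k * pstdev(past)
        if today > threshold:
            flagged[host] = (today, threshold)
    return flagged


def credential_fanout(events, window_s=3600, max_hosts=5):
    """Return {account: peak_distinct_hosts} for accounts that reach
    max_hosts or more distinct hosts within any window_s-second window.
    Uses a sliding window over each account's time-sorted events."""
    by_account = defaultdict(list)
    for ts, account, host in events:
        by_account[account].append((ts, host))

    flagged = {}
    for account, evs in by_account.items():
        evs.sort()
        in_window = defaultdict(int)   # host -> count of events in window
        left, peak = 0, 0
        for ts, host in evs:
            in_window[host] += 1
            # Drop events that fell out of the window.
            while ts - evs[left][0] > window_s:
                old_host = evs[left][1]
                in_window[old_host] -= 1
                if in_window[old_host] == 0:
                    del in_window[old_host]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= max_hosts:
            flagged[account] = peak
    return flagged


if __name__ == "__main__":
    for host, (today, limit) in egress_anomalies(EGRESS_BYTES).items():
        print(f"egress anomaly: {host} sent {today:,} bytes (limit {limit:,.0f})")
    for account, hosts in credential_fanout(AUTH_EVENTS).items():
        print(f"credential fan-out: {account} reached {hosts} hosts in one hour")
```

Neither check is sophisticated, and that is the point of the passage: the expensive part of “attack sequence and consequence” monitoring is not the arithmetic but deciding which hosts hold critical data, collecting the history to baseline them, and actually acting when a service account starts touching eight machines in fifteen minutes.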

Read more via How Not to Be Sony Pictures – IEEE Spectrum.