Sony Attack: an Australian Perspective

The cyber-attack on Sony Pictures Entertainment in late November is not the first time that the Sony Corporation has been a target for cyber-criminals and if anything can be learned from the attacks, it is that corporations are not taking cyber-security seriously.

Sony, which appears to be the current target of a major cyber-attack by forces the FBI claims are operating on behalf of the North Koreans, has had its corporate and game networks attacked several times over the past decade. The 2011 attack on the Sony game network resulted in more than 77 million users’ personal information being stolen and released on the Internet and in the most recent attack on 8 December the game network was taken down for about three hours.

Between 10 August and 16 September the US retailer Staples Inc. was subject to a broad cyber-attack that infected machines at 113 stores across the US resulting personal information from more than 1.16 million payment cards being stolen. What is a concern here is not just that so many customers were compromised, but that the cyber-attack went on for so long before it was identified.

Other US retail chains that have been subjected to successful cyber-attacks include Home Depot Inc. (56 million card accounts) and Target Corporation (40 million card accounts) which were attacked with variants of the same malware.

Consequences for data breaches locally have been almost non-existent and governments have taken a step back from forcing business to meet minimum privacy and security standards when operating electronic systems connected to the Internet.

But there are signs that the times are changing because earlier this year Target Corporation removed chairman and CEO Greg Steinhafel in a move aimed to restore consumer confidence that had fallen as a result of the Target data breach, and Sony has now found itself subjected to a number of class action lawsuits barely months after finalising a $15 million settlement of a class action brought against Sony over the 2011 Sony PlayStation network data breach.

In a similar context, it appears that only through the courts will Australians be able to force business to take privacy and security seriously. Successive Australian governments have put mandatory data breach reporting—by business that have been subjected to a cyber-attack—on the back burner and it is only a matter of time before the courts are inundated with class actions if current practice is not over-turned.

Telstra’s Cyber Security Report 2014 found that a major security incident has been experienced in the past three years by 41 per cent of local organisations surveyed. Forty five per cent of the security incidents were the result of staff accidentally clicking on links to malware or opening mail attachments that contained links to malware. Of the organisations surveyed 43 per cent indicated they were prepared for cyber-incidents and less than 30 per cent plan to increase cyber-security spending in 2015.

The Office of the Australian Information Commissioner (OAIC) has published an updated guide for handling personal information security breaches, and a guide to information security but without any legislated powers to act against business the toothless Australian Privacy Commissioner has been given a poison chalice of responsibility by the government.

Business looking at the limited ability of the OAIC to take action against companies that fail to secure personal information and report data breaches, may be tempted to put information privacy and security into the too hard basket and carry on as normal, but this would be tempting fate just a little.

And it is not just US companies that are being attacked by cyber-criminals. As the world looks to connect everything to the network it is timely to look back at how US security firm Cylance attacked and gained entry to the Internet connected building management system for Google Australia’s office in Sydney.

In 2015 Australian business will need to take information privacy and security seriously, the rate of cyber-crime is continuing to increase and the sophistication of the attacks and malware used to breach company defences has increased faster than the defensive systems.

Add to this the trend towards the Internet of Things and mobile device growth and we have an environment that will provide cyber-criminals with new targets offering easy pickings unless business takes the threat seriously. Kaspersky Lab Global Research and Analysis Team recently published its predictions for advance persistent threats (APT) in 2015 that include:

Read more: Risks in Retail: New POS Vulnerabilities and Malware

  • The merger of cyber-crime and APT
  • Fragmentation of bigger APT groups that will increase the attack base
  • Evolving malware techniques
  • New methods of data exfiltration
  • New APTs from unusual places as more countries join the cyber arms race
  • Use of false flags in attacks to mislead about the attackers origin
  • Threat actors add mobile attacks to their arsenal
  • APT+Botnet: precise attack+mass surveillance
  • Targeting of hotel networks
  • Commercialisation of APT and the private sector – legal spyware

Consumers have been coming to terms with the fact that every device they own irrespective of the brand is subject to cyber-attack. The malware used to attack the iPhone 6 when the phone is connected to an Apple Mac demonstrates clearly that cyber-criminals are evolving their methods of attacking consumer devices.

Australian business needs to move beyond using a passive defence to cyber-attack and start to look at systems that proactively target possible sources of malware and data breaches. It is only by actively seeking anything unusual on corporate networks and devices that business will be able to fight the increasing sophistication of cyber-crime.

Intelligent systems that seek device malware and intrusions into corporate networks have been in development for more than ten years and it is time that Australian business develops a best practice guide on how to implement cyber-security systems.

It is also a time when Australian business should consider proactive defensive measures including the capability to defend against cyber-attack by targeting and counter-attacking the source of an attack against the company’s devices, systems or network.

Cost has long been an issue when fighting against cyber-crime and to minimise cost, Australian business should consider utilising common secure infrastructure and gateways when connecting to the Internet. Whilst some companies offer security systems of this kind, there is still scope for more development of common or industry wide defences.

Sony’s travails and the long list of major corporations subjected to major cyber-attacks over the past couple of years provide a warning signal that must not be underestimated by Australian boardrooms.

Read more: The Active International Response to Cyber Crime


Join CSO for the day@#csoperspectives and hear from @kimzetter @frankheidt @simplenomad Register today

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Join the CSO newsletter!

Error: Please check your email address.

Tags Home Depot Inc.Australian PerspectiveFBI claimsSony Pictures Entertainmentcyber-attackcyber-criminalsGreg SteinhafelmalwareOAICkaspersky labCyber Security Report 2014data breachesAustralian businesssony corporationnorth korea

More about AppleAPTCSOEnex TestLabFBIGoogleHome DepotInc.KasperskySonyStaples

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Mark Gregory, RMIT

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts