Awareness lessons from the Sony hack

As more information is disclosed from the Sony hack, it demonstrates that awareness concerns go well beyond phishing.

The now infamous Sony hack was the culmination of a variety of technical and non-technical vulnerabilities. While the attention tends to focus on the fact North Korea was the attacker, and that is important, from a practitioner's perspective, it is more important to understand what let the attacks to be successful. I previously did that on a comprehensive scale.

However, as an awareness practitioner, the recent identification of spearphishing messages as the first step in the attack actually demonstrates many awareness-related failings that need to be addressed. It is all too easy to say that the attack exploited phishing, so people need phishing training. That is true, but that doesn't help with the other exploited human failings, and frequently doesn't help with many phishing attacks.

When you look at the description of the attack, clearly there were issues related to phishing involved in the attack. However, upon further analysis, there were also vulnerabilities related to oversharing on social networks, as well as password reuse. Those are issues that go beyond phishing, and most can be addressed by any competent awareness program.

First, it is appears that the North Korean attackers first scoured LinkedIn and other social networks for employees who might have administrator privileges. Even people with low-level privileges are targets as they at least provide a foothold inside the organization. While you cannot tell people not to post on LinkedIn, they do at least need to be aware that their social network exposure represents the fact that they can be a target.

The article describes how phishing messages targeted Apple account passwords. That implies that people with personal iPhones and other Apple products need to understand that they are potential targets, as Apple products are becoming more common. There is a belief that Apple products are immune from security concerns. That is clearly false, and people need to understand that any technology can be targeted, directly or indirectly.

Another aspect of the phishing attacks is that you have to assume that some users detected the phishing messages, but didn't report them. If they did report the offending messages, then there was an issue in reacting properly. While it is important to detect messages, it is as important to ensure that employees report potential phishing messages, which is also an aspect of a good security awareness program.

Password reuse was also a vulnerability targeted by the North Korean hackers. In a good security awareness program, password reuse would be addressed as part of a Password Security Awareness campaign. The attackers exploited the likelihood of password reuse by not just the average users, but by administrators as well. And if an administrator reuses passwords between his personal and corporate administrative accounts, there are likely other accounts that are similarly vulnerable. So in this case it is clear that you cannot just classify the phishing messages as being due to "stupid users."

The last issue is actually pretty critical as I see many awareness programs ignore the technical staff, since they assume the technical staff is somehow already aware of the behavior related issues, like password security. All employees need to be targeted in awareness campaigns.

When I ask security audiences how many people have clicked on a phishing message in the last two years, I generally get less than a 2% response rate. I believe that rate to reasonably accurate, as security professionals are generally aware of how to detect phishing messages. However, they rarely receive a phishing simulation message or formal training, when I ask the follow up question. The reason is that they are generally aware of most security-related issues, and as the expression goes, a high tide raises all boats. People who are aware of physical security generally become aware of phishing concerns as well, because they are aware to be suspicious.

I use the analogy of driving. You cannot prepare everyone for every possible road hazard. However with general driver safety, drivers become aware of how to react to most hazards, even if they have never been trained for that specific hazard. Similarly, awareness programs should be as comprehensive as possible, so that employees will actually become aware of even more issues than they are exposed to.

The Sony hack can be put to good use to many organizations. However to make the best use of the attack as a learning tool, and to generally improve security programs, awareness professionals, CISOs, and everyone involved in creating and maintaining security programs have to look beyond the obvious attack vectors. As you can see, even the phishing attack has more implications than phishing. This is why awareness programs need to be as comprehensive as possible.

Join the CSO newsletter!

Error: Please check your email address.

Tags securitydata breachsony

More about AppleSony

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ira Winkler

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts