Sony Execs Duped by Hackers
A report on the Associated Press website - "N Korea-linked Sony Attack may be costliest ever" outlines some of the financial costs of the attack. Further down in the article, they state that "Hackers targeted executives to trick them into revealing their online credentials".
Well, we know that most people reading this would think something along the lines of "those execs must be living in the dark ages to have been duped into giving out their credentials - we all know about these phishing scams, social engineering etc" (most probably you're thinking something less polite).
Well, our experience is different and we completely understand how easy it would have been for those execs to have been duped into giving out their account credentials. The fact that it happened is not an excuse - however, they are probably like most organisations out there. Execs know about security issues - superficially - but either think it's none of their business (it's an IT issue) or assume it will not happen to them.
In our Incident Response and Readiness Service, one of the service components is focused on simulating an attack - we spend time getting to know the organisation from afar, understanding who is who in the business, what their online profiles are, sometimes going as far as finding out where they live and other aspects of their personal lives - be assured attackers have no boundaries when it comes to respecting your personal space! This information forms the basis of a simulated attack on the business to see how far we can get. In most cases, we easily compromise C-Level execs - in some cases even the Security Officer. Once we've carried out this attack, we use it to demonstrate the importance of understanding the threats to the business and of educating the business team.
So, when we hear that hackers targeted executives to trick them into revealing their online credentials - it doesn't surprise us that they were successful. After all, how many businesses actually go so far as carrying out detailed tests of their defences and their team's knowledge? Our impression is that not many do it well enough and we'll bet that this is something that Sony wished they had put more thought into.
If all of this is getting you thinking about your business and your capability to defend against and respond to such an attack, you may want to take a look at our Incident Response Planning Guide - it's FREE and you can download it here: