Friday, December 5, 2014

Varonis Perspective on the Sony Breach


This is an amazing story. It's all about not paying attention in Security 101. In the following unattributed analysis, Varonis adds detail and insight on this breach. 

FROM VARONIS:

While we have few details on the Sony Pictures attack itself, this very public breach (or pwning, in hacker slang) has shown the extent of the actual exposure—it is massive. The always informative Krebs knows, at this point, as much as the rest of us: a possible North Korean connection and perhaps the use of destructive erase-all malware. That’s not to say this incident hasn’t revealed significant insights about our collective data security practices: don’t think the Sony incident doesn’t apply to you!

Krebs provides a link to the sprawling Sony directory hierarchy. This should definitively settle any doubt about the scope of this thing.

There are a few points to make. 

Unlike the big-box retailer incidents, this breach is not, for the most part, about personally identifiable information or PII. Certainly, there are employee social security numbers, email addresses, passwords, and health identifiers that are now out there for the world to see. But the Sony breach does not involve millions of consumer records and the subsequent issuing of new credit card numbers along with subscriptions to credit monitoring services.
This incident, though, is centered on sensitive data, perhaps even valuable IP, which was found in the 25 gigabytes of file data scooped up by the hackers. The leaked information should look all too familiar to any worker in a larger organization: readable files and emails, or, as we like to refer to it, unstructured, human-generated data.  So we’re talking employee salaries, financial data, internal presentations, company information under NDA, legal memos, the CEO’s private notes, and on and on. 

We should add that plain-text user passwords were found in files named, um, passwords. They certainly violated the "prime directive" on credentials.

From a broader perspective, we expect this is just one very public instance of a problem that can be found in enterprises globally. The amount of human-readable information is growing exponentially. These documents live in file shares, intranets and in email as attachments, where far too many people have far more access than they really need, and usage is rarely monitored or analyzed for abuse.

No one should be casting any stones: we have all been or are Sony.

As we’ve seen in other breaches, the compromise of one employee email account can expose troves of sensitive data. It’s likely the hacker harvested credentials (not necessarily those of privileged admins or power users) through pass-the-hash (PtH) and other techniques. With their group memberships and access rights, combined with a loosely permissioned file system, they had a panoramic view of the Sony data landscape.

How did the situation get to be so dire?  Consider these two very common business-as-usual scenarios:

Scenario 1: A folder containing sensitive data becomes accessible to a large group of people
A folder on your network share is used by your HR department—it might even be someone’s "home drive." At some point, someone makes the folder accessible to a broad group of people (this happens a lot), and it’s forgotten. Usage information about this folder (who is opening, creating, deleting, changing, moving files) isn’t tracked or analyzed (this is the norm).

Over time, sensitive files—say salaries, financial data, etc.—accumulate in these broadly shared folders. No one really thinks about it, but everyone knows that a certain presentation or spreadsheet is just there, so there's no need to formally request the data from the relevant owner. It's a data exposure incident waiting to happen, requiring only that a hacker gain access to an average user's credentials; a simple phishing mail often will do.

Scenario 2: Company email becomes web-browser enabled and gets hacked
You’ve enabled web browser access to your email system (try mail.yourcompany.com or owa.yourcompany.com if you're wondering), so anyone can log into their email from anywhere with only their password. Usage information about your email system is not tracked or analyzed (you can’t see who is sending or reading email, or reading messages and marking them as unread, etc.; this is also the norm). The hacker gains the password of the email account, maybe by just guessing it. Now the attacker can log in and read all the executive’s email (including the attachments) without leaving his home, and no one will know. Again, very valuable information (merger talks, new customers) in readable formats.

Another Teachable Moment
Sony’s hackers gained access to far more than passwords: movie budgets, salaries, social security numbers, health care information and so much more. The Sony breach thus provides us with yet another teachable moment. It reminds us all of the importance of proper access controls and of identifying sensitive data: who has access to it, who is using it, where it’s overexposed to the Everyone group and who it belongs to, as well as implementing real-time alerts.
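As a defender's check for Scenario 1 and the access-control points above, here is an added PowerShell example (not from Varonis or the original post) that walks a file share, reports folders with explicit grants to broad principals such as Everyone or Domain Users, and counts files whose names hint at sensitive content; the share root path and the list of sensitive-name patterns are assumptions.

```powershell
# Added example, not part of the Varonis analysis. Run on the file server (or against a UNC
# path) with an account that can read ACLs. Paths and patterns below are assumed placeholders.
param(
    [Parameter(Mandatory)] [string] $Root,   # e.g. \\fileserver\hr  (assumed)
    # Principals whose presence in an ACL means "broad group of people" (Scenario 1).
    [string[]] $BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users'),
    # File-name fragments that suggest sensitive content (e.g. a file literally named "passwords").
    [string[]] $SensitivePatterns = @('password', 'salary', 'salaries', 'ssn', 'budget')
)

$nameRegex = ($SensitivePatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

$findings = foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue) {
    try { $acl = Get-Acl -LiteralPath $dir.FullName } catch { continue }

    # Only explicit (non-inherited) Allow entries: that is where someone "opened up" this folder.
    # IdentityReference looks like "Everyone", "BUILTIN\Users" or "CONTOSO\Domain Users",
    # so strip any domain prefix before comparing against the broad-principal list.
    $broad = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited -and
        ($BroadPrincipals -contains ($_.IdentityReference.Value -replace '^.*\\', ''))
    }
    if (-not $broad) { continue }

    # How many files in this over-shared folder have names suggesting sensitive data?
    $sensitive = @(Get-ChildItem -LiteralPath $dir.FullName -File -ErrorAction SilentlyContinue |
                   Where-Object { $_.Name -match $nameRegex })

    foreach ($ace in $broad) {
        [pscustomobject]@{
            Folder         = $dir.FullName
            Principal      = $ace.IdentityReference.Value
            Rights         = $ace.FileSystemRights
            SensitiveFiles = $sensitive.Count
            Owner          = $acl.Owner      # who to ask "should this really be shared?"
        }
    }
}

# Worst offenders first: broadly shared folders holding the most sensitively named files.
$findings | Sort-Object SensitiveFiles -Descending | Format-Table -AutoSize
```

The Owner column gives the data owner to confirm whether the grant is intended; folders with a non-zero SensitiveFiles count and an Everyone or Domain Users entry are the ones to remediate first.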