News of the recent hacking of Sony Pictures brought questions about security, and about how to protect our data and intellectual property, to the forefront of our concerns. Obviously, there are lessons to be learned by everyone from this incident.
Here are some of our recommendations:
- Remember that everything on the Internet is public and permanent
Nowadays almost any kind of online activity is traceable and is collected by large tech and non-tech companies such as Facebook, Yahoo, Google, Microsoft, AT&T and others. Just try doing a white pages search on yourself. It’s shocking to see how much information about you is already readily accessible with little or no effort on your part.
So when you surf, please remember that someone is watching you: what you search for, what you buy, what you look at, how old you are, your gender, and all the other demographic and psychographic information about you. They plant cookies on your computer and gather information even when you are not using the computer. Be careful with your texts and email, and with what you open and click on.
- Don’t use email for sensitive communications
Just to be clear: email is not a secure channel of communication. By default, email travels in plain text, readable to anyone snooping on the many connections and servers through which it travels. And emails that you send to someone are only as secure as that recipient and their computer. Sharing sensitive files in unencrypted email attachments is an accident waiting to happen.
A good rule to live by is this: Never put anything in a digital communication that you wouldn’t want your mother (or enemies) to see. At this point in time, and for the foreseeable future, nobody can guarantee that those digital communications will never be hacked, leaked, subpoenaed, or otherwise made public. This applies to text messages, comments on web pages, messages on forums, and picture-sharing as well as email. In other words, this is really basic cyber-hygiene that has been common knowledge for decades, a fact that makes Sony Pictures’ apparent ignorance of digital realities all the more shocking.
- Don’t give everybody access to everything
Classify your documents and segment your networks. Sony Pictures could have saved itself a lot of grief if it had been enforcing a classification system that branded documents like contracts with actors and directors as Top Secret, and a policy that forbade storing Top Secret documents in an Internet-accessible database. Too many organizations have grown their networks with maximum convenience in mind, effectively giving everyone access to everything. Unfortunately, that means access for outsiders as well if there is even a small chink in your cyber-defenses.
Networks need to be segmented, with access controls between them to limit who can see what. Target learned this lesson the hard way last year, when hackers found it was possible to get from a supplier portal that the retailer had created, all the way to the card payment terminals in its stores. Now would be a good time to audit your networks for inappropriate connections and unfiltered access.
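One way to turn "audit your networks for inappropriate connections" into a repeatable check, as an added example that is not from the original post or any vendor's tool: model the segments and the rules that allow traffic between them, then ask which sensitive segments an untrusted entry point can reach by hopping, the way the Target intruders went from a supplier portal to the payment terminals. Segment names, rules and sensitivity labels below are constructed for illustration, not any real network.

```python
from collections import deque

# Constructed sample policy: (source segment, destination segment, allowed ports).
# "*" means every port is allowed, i.e. the link is completely unfiltered.
RULES = [
    ("internet",      "vendor_portal", {443}),
    ("vendor_portal", "corp_it",       {"*"}),      # "convenience" rule
    ("corp_it",       "store_pos",     {22, 3389}), # remote admin of registers
    ("corp_it",       "file_server",   {445}),
    ("store_pos",     "payment_proc",  {443}),
]

# Constructed classification of each segment (the "branding" the post calls for).
SENSITIVITY = {
    "internet": "Untrusted", "vendor_portal": "Public", "corp_it": "Internal",
    "file_server": "Confidential", "store_pos": "Top Secret",
    "payment_proc": "Top Secret", "vendor_db": "Confidential",
}

# Hardened variant: the vendor portal only talks to its own database segment,
# so the supplier path no longer leads into the corporate core.
HARDENED_RULES = [r for r in RULES if r[:2] != ("vendor_portal", "corp_it")]
HARDENED_RULES.append(("vendor_portal", "vendor_db", {5432}))


def unfiltered_rules(rules):
    """Segment pairs that allow every port: no access control at all between them."""
    return [(src, dst) for src, dst, ports in rules if "*" in ports]


def reachable_paths(rules, source):
    """Breadth-first walk over the rules, following the direction a connection
    may be opened. Returns {segment: hop-by-hop path} for every reachable segment."""
    paths = {source: [source]}
    queue = deque([source])
    while queue:
        cur = queue.popleft()
        for src, dst, _ports in rules:
            if src == cur and dst not in paths:
                paths[dst] = paths[cur] + [dst]
                queue.append(dst)
    return paths


def exposed_segments(rules, sensitivity, entry, protected_level="Top Secret"):
    """Segments at `protected_level` that a host in `entry` can reach, with the path."""
    return {seg: path for seg, path in reachable_paths(rules, entry).items()
            if sensitivity.get(seg) == protected_level}


if __name__ == "__main__":
    print("unfiltered links:", unfiltered_rules(RULES))
    for seg, path in exposed_segments(RULES, SENSITIVITY, "internet").items():
        print(f"{seg} reachable from the Internet via {' -> '.join(path)}")
    print("after hardening:", exposed_segments(HARDENED_RULES, SENSITIVITY, "internet"))
```

Any path printed is a segmentation failure to fix before an attacker finds it; the hardened rule set produces none.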
- Don’t store passwords in a file called “passwords”
This lesson is as head-slappingly obvious as “Don’t write down your workstation password on a Post-it note and stick it to your monitor.” Yes, passwords are a pain, but there are secure methods of managing them. The failure of Sony Pictures to enforce a policy against storing passwords in plain, easy-to-read text will be one of the biggest strikes against them in court when employees whose privacy was violated in this attack bring suits claiming negligence. Do not use the same password for everything. Make sure passwords are changed every 6 months; timing the change to coincide with the Daylight Saving Time switches makes the schedule easy to remember.
- Don’t ignore warning signs and risks
If something seems wrong, don’t ignore it. Take a screenshot, write down the error message, call support, run an antivirus scan. Sometimes it turns out to be nothing, or even a new feature you didn’t know about. Other times it means you are under attack.
Various parts of the Sony Empire have been under attack for years now and many attacks have succeeded. That should have told Sony executives that IT security was a priority, even before Sony Pictures decided to proceed with a movie that was 100% guaranteed to upset at least one nuclear-armed nation already suspected of carrying out cyber-attacks.
Sony was initially hacked in June of 2011 and its databases were compromised. Since then Sony’s online properties have been hacked numerous times. Three years later, in June of 2014, Sony Pictures released a teaser trailer for The Interview, and the talk and threats of hacking became more serious and frequent. In other words, Sony was forewarned, but not forearmed. We see a past history of weak security combined with a failure to batten down the hatches, a combination that was bound to lead to a serious infiltration.
- Don’t go another day without an incident response plan
When news of the Sony Pictures breach started to leak, the company’s response demonstrated a lack of planning. Actions taken were sometimes contradictory or inflammatory. In short, the company clearly lacked an appropriate incident response plan. Why this should be is hard to fathom. One of the most consistent themes in IT security publications over the past few years has been: it’s not if you get hacked but when. In other words, any responsible organization will put in place a plan for responding to a breach, and stick to it when a breach occurs.
- The obvious
Many small businesses think that “it will not happen to them”. It is highly recommended to change that mindset and follow some basic rules:
A- Have a good router firewall.
B- Have a good antivirus program and keep it updated.
C- Apply patch management.
D- Have a good password policy.
E- Have encryption software for your sensitive emails and files.
F- Be aware of your disgruntled employees.
G- Get your network system audited.
CEO offers a free network audit to discover all the vulnerabilities of your network. Please call us at 818-501-2281 to set up an appointment.