On top of trying to get employees back to work, battling with hackers leaking films online and gigabytes of data being released to the internet, some shocking news has emerged about internal security at Sony Pictures.
According to Gizmodo, the data includes a file directory named “password” which includes 139 Word documents, Excel spreadsheets, zip files, and PDFs containing thousands of passwords to Sony Pictures internal computers, social media accounts, and web services accounts.
The kicker: “Most of the files are plainly labelled with titles like ‘password list.xls’ or ‘YouTube login passwords.xlsx.’” Because when hackers go looking for sensitive information like login credentials, they would never think to search for the word “password”.
Is this common, or just a terrible action? We asked some of security’s finest minds for their views:

David Gibson, VP at Varonis Systems:
“In order to do security well, you need to have a good imagination. Unfortunately, their imagination seems to have disappeared about the time they cancelled their AOL accounts.
“How could they not ask themselves: What would happen if one of the administrator’s accounts was compromised and the attacker started poking around? If you were an attacker, would it occur to you to search for anything containing the word ‘password’? Maybe we should call the folder something a little less obvious, like ‘laundry list’? Maybe we should encrypt those files, or use one of the many password manager products out there?
“If they used any of the passwords to access the systems the passwords unlock, and oh, defaced our website or started tweeting from the company account, would that be an issue? It’s difficult to understand how someone working in IT today could let this situation continue. I’d like to say they did one thing wrong, but they did everything wrong.”
Mark Sparshott, EMEA director at Proofpoint:
“Whenever a breach like this becomes public it is easy to stand on the outside dumbfounded by what appears to be a lack of security common sense. So where is the security gap this time? Well, Sony might not be in this situation if they had been using security tools which may have prevented the breach in the first instance or at least helped expedite the detection and remediation prior to data exfiltration.
“Breaches will occur despite everyone’s best efforts to secure the perimeter, so ensuring that sensitive information is correctly classified and appropriately secured at rest and in transit is vital, but often overlooked by organisations. You can be sure that Sony have sensible security policies specifying the storage of passwords, perhaps the IT/Security function were simply unaware that these folders and files now leaked on the internet even existed – this would be ‘shadow IT’ in action.
“So a key lesson here for everyone standing on the outside dumbfounded is to ask yourself when was the last time you audited all of your corporate file systems/shares/laptops or analysed your outbound email/web traffic for sensitive or regulated data. Could your organisation be the next Sony?”

Roy Duckles, EMEA channel director at Lieberman Software Corporation:
“Putting all your passwords in a folder marked ‘passwords’ is a very obvious mistake; the hackers must have thought it was Christmas when they found that file.
“The key point that we keep stating is, unless you have all admin passwords under management with very strong randomisation and encryption, across your entire IT infrastructure, the hackers will find a way in and effect a breach.
“A breach can only be effected through escalation of privilege, and if a company ignores the management of privileged or admin accounts, then they are being negligent in that area of their IT security. Everyone knows where the Crown Jewels are kept but they don’t get stolen because of the security that is effected daily and consistently; companies should take the same view with respect to passwords and privileged accounts.”
Mark James, security specialist at ESET:
“It’s just inconceivable that someone these days would store sensitive data in a folder named ‘Password’ and certainly not an organisation that should have a very clear IT policy on good practice and safe storage of data.
“I appreciate that the internal network is perceived to be safe, but in light of the massive breaches reported in the press these days you would think IT teams would think twice before storing passwords in this manner. If you are going to store this information on a computer all in the same directory, then at the very least you should be creative in the folder description. Sony have taken a few bad blows in security over the last month, but this without question is up there with the biggest of them.”
TK Keanini, CTO of Lancope:
“The fact that Sony had thousands of passwords in a folder called ‘Password’ is not the problem; the problem is that they were not properly encrypted!
“Think about it for a second. It is a good practice to use a password manager, and that is essentially keeping everything in a folder called password with one major difference – it is properly encrypted so that even if the adversary had it in their possession, they cannot read it without proper credentials.
“There were many major mistakes made at Sony, but the question everyone should be asking is why does it take a major incident to find these mistakes, why didn’t anyone catch these incredibly obvious insecurities prior to the incident and fix them?”
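Two of the points above, Sparshott’s call to audit corporate file shares for sensitive data and Keanini’s distinction between a plaintext list and an encrypted vault, combined into one added Python example (written for this page, not code from the article or from any of the vendors quoted). It walks a share, flags files whose names or contents look like credential lists, and uses byte entropy to separate plaintext hits from what is probably an encrypted password-manager vault; the keyword list, content pattern and entropy threshold are assumptions to tune for your own estate, and the sample share it builds is constructed.

```python
import math
import os
import re
import tempfile
from pathlib import Path

# Name keywords modelled on the leaked titles ('password list.xls', 'YouTube login passwords.xlsx')
NAME_KEYWORDS = re.compile(r"(?i)password|passwd|pwd|credential|login")
# Key/value shapes typical of a plaintext credential list; assumed pattern, extend for your environment
CONTENT_PATTERN = re.compile(rb"(?i)(password|passwd|pwd)\s*[:=]\s*\S+")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits near 8.0, English text around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(bytes([b])) for b in set(data)))


def audit_share(root: str, max_bytes: int = 1_000_000) -> list[tuple[str, str, list[str]]]:
    """Walk `root`; return (relative path, severity, reasons) for files that look like credential stores."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if NAME_KEYWORDS.search(path.name):
            reasons.append("file name suggests credentials")
        data = path.read_bytes()[:max_bytes]
        if CONTENT_PATTERN.search(data):
            reasons.append("plaintext credential pattern in content")
        if not reasons:
            continue
        # High-entropy bytes under a suggestive name are probably an encrypted vault (Keanini's point):
        # still worth a look, but the plaintext hits are what would hand an intruder working logins.
        severity = "low" if shannon_entropy(data) > 7.0 else "high"
        findings.append((path.relative_to(root).as_posix(), severity, reasons))
    return findings


def demo() -> dict[str, str]:
    """Constructed sample share: plaintext list, 'disguised' list, encrypted vault, benign file."""
    root = tempfile.mkdtemp()
    Path(root, "password").mkdir()
    Path(root, "password", "password list.txt").write_text("twitter password: hunter2\nftp pwd = s3cret\n")
    Path(root, "laundry list.txt").write_text("Password=changeme123\n")   # renaming the folder does not help
    Path(root, "passwords.kdbx").write_bytes(os.urandom(4096))           # stand-in for an encrypted vault
    Path(root, "notes.txt").write_text("Q3 marketing plan\n")
    return {rel: severity for rel, severity, _ in audit_share(root)}
```

Run `audit_share()` against a real share root on a schedule and route the "high" findings to whoever owns the data; the "low" findings are the encrypted stores you actually want people to be using.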