There hasn't been an official report detailing everything that's known about the breach, but there has been a fair amount reported unofficially:
- Attackers allegedly stole as much as 100TB of information from Sony systems. This included email messages, confidential agreements, health care information, unreleased movies, computer source code, security audit reports, and more.
- Information leaked on the Internet by the attackers included celebrity phone numbers, scans of celebrity passports, and information about employees of other companies that worked with Sony. The leaked information could easily be used for identity theft and other crimes.
- The breach may have been in place as long as a year before it was discovered, which explains how the hackers got so much information.
- There are indications that insiders helped the attackers. Someone claiming to be with the Guardians of Peace group was quoted as saying "we worked with other staff with similar interests to get in", and one article mentions that "the attackers knew the internal network from Sony since the malware samples contain hard-coded names of servers inside Sony's network and even credentials/usernames and passwords."
- The malware spread across their LAN via Windows Management Instrumentation and other system administration features.
- Systems within Sony were reportedly down for several days, and some may still not be back up.
- Indications are that the malware that wiped the computers didn't "phone home" to its creators until it had already wiped the systems.
- Some have hinted that the North Koreans may have been behind the attack or assisted with it, though the North Koreans have denied this.
There are lessons here for any company that thinks its security is "good enough". One article I read quoted a Sony security chief as saying it wasn't worth spending $10 million on security to prevent a $1 million loss. I don't think anyone would advocate over-spending on security solutions - but what Sony has lost here is far more than $1 million. They've lost goodwill with their employees and suppliers. They've damaged relationships with celebrity talent. They've exposed their employees to potential identity theft. And they've lost revenue on as-yet-unreleased movies. You can't put a monetary value on all of this, but even the parts you can put a value on would be significant.
Since the exact details of how the Sony breach was carried out are unknown, it's only possible at this point to speculate what might have occurred and what security controls could have prevented such problems. It seems that at least these controls must have been missing in the Sony environment, or perhaps were bypassed by the insiders who helped the Guardians of Peace group:
- Privilege Management Software: This software allows you to reduce the number of administrator accounts in your environment, audits how those accounts are used, and can downgrade a potentially harmful process from "elevated to administrator" to "restricted user". It's possible that Sony gave all its employees administrator rights on their systems. If so, this would have made it much easier to infect a system and spread to other machines.
- Application Control Software: This software intercepts an attempt to launch an application (or malware program) and compares the software to "known good" or "trusted" applications. If there's no match, the software is prevented from running. If the insiders allegedly assisting in the attack did so by bringing in software from the attackers and running it on their PCs, application control software would have flagged this software as unauthorized or unrecognized and prevented it from running - stopping the infection.
- Data Loss Prevention (DLP): Most companies have confidential information that would be damaging to have leaked on the Internet, whether that's price lists, contract details, customer credit card numbers, etc. DLP software provides a way to identify potentially sensitive data flowing out through the network or being copied to removable media. If Sony had DLP software in place, this might have prevented the terabytes of data from escaping.
- Password Management: Several articles suggest that the leaked Sony files include passwords stored in unencrypted files with names like "password". The use of password management software might have prevented the leakage of these passwords by storing them in encrypted and secured locations. Other articles suggest that staff were allowed to set blank passwords, or passwords that matched the account name (an account "fred" with the password "fred"). Better management of passwords might have helped here.
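As an illustration of the DLP point above, here is an added example (not code from the original article or from any DLP product) of the two checks such software typically applies to outbound traffic: content inspection for customer card numbers, with a Luhn check to cut false positives, and a cumulative egress-volume limit. The payloads and the byte limit are constructed for the example.

```python
import re

# Constructed sample of outbound message bodies (not real data).
SAMPLE_OUTBOUND = [
    "invoice for card 4417 1234 5678 9113 attached, thanks",  # Luhn-valid card number
    "ref 1234567890123456 is an internal order id",            # 16 digits, fails Luhn
    "quarterly price list attached",                           # nothing sensitive
]

# 13-19 digits, optionally separated by spaces or dashes.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first 6 and last 4 digits for the alert record."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_numbers(text: str) -> list[str]:
    """Return masked card numbers found in text (Luhn-valid candidates only)."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def classify_outbound(payloads: list[str], byte_limit: int) -> list[tuple[str, str]]:
    """Decide 'block' or 'allow' per payload: block on card data or once the
    running byte total for this sender exceeds byte_limit."""
    decisions, sent = [], 0
    for body in payloads:
        sent += len(body.encode())
        cards = find_card_numbers(body)
        if cards:
            decisions.append(("block", "card numbers: " + ", ".join(cards)))
        elif sent > byte_limit:
            decisions.append(("block", f"egress volume {sent} bytes exceeds limit"))
        else:
            decisions.append(("allow", ""))
    return decisions
```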
Even if Sony did have all of these in place, they might have been negated by a sufficiently knowledgeable and empowered employee working with the hackers. However, bypassing systems like these might have tipped Sony IT Security staff off to a problem before it spread very far.
If someday an official report on what happened at Sony is published, it will be interesting to see how the attackers accomplished what they did, who helped them, and what that help entailed. There will likely be lessons for all of us in there.