Lessons from the Sony Breach

IB 0314_LessonsLearnedSony_770By now you know that hackers calling themselves “Guardians of Peace” went through Sony Pictures Entertainment like a hot knife through butter. They collected everything–high-quality copies of unreleased films, employee passwords, emails, salary numbers, movie scripts, contracts, medical records, celebrity aliases, and Brad Pitt’s phone number–and released it all to the public.

There were more than 10 terabytes of data stolen–enough to fill the shelves of the Library of Congress 10 times over. The total cost of the attack is estimated to be more than $100 million. Plus, Sony is already the target of three class-action lawsuits.

How did all this cyber-chaos happen?

It reportedly started with someone clicking on an attachment in a phishing email. That installed malware designed to spread itself to other computers and to report back everything it finds.

The Sony breach underscored something that community bank IT security professionals have known all along–when we think about security, we think about perimeter defenses. Today, the perimeter is everywhere.

One thing that data breaches have demonstrated over and over again is that the bad guys will get through the perimeter. They’ll find an unpatched line of code, they’ll try clever social engineering on employees, and they’ll use zero-day exploits that no anti-virus can guard against.

It might be time to give up on trying to keep the bad stuff out. Instead, focus on only allowing the good stuff in–and nothing else. “Application whitelisting has had great success in controlled environments,” says Trey Ford, a security strategist at Boston-based Rapid7. “So that would work very well in banks.”

Two common ways to do this is to either have a computer where employees are not allowed to download or install anything not on an approved list, and another where all computers are rolled back to a “golden image” every night.

Work-related documents and data would be stored in central systems, under tight lock and key, with well-monitored access controls. Plus, it makes it easier for an IT help desk to solve problems, and reduce costs.

A community bank should know what equipment it owns, what applications it needs to run, what each employee needs to do his or her job. As any organization grows, this gets more and more difficult to do.

Read full article at Independent Banker.