There are lots of rumors about the Sony Pictures GOP hack right now, but only two things we can say for sure: there was a ton of badly protected unstructured data taken and they used privileged accounts to pull it off. There were documents emerging from as far back as 2000. What were these documents doing in the open? Are there even Sony employees who need access to that stuff on a day to day basis? Before this starts to sound like Sony bashing, I should point out that they are just the unfortunate ones who are being made an example of. You can point to their history and say maybe there’s a persistent security issue. In truth, though, much of what’s happening to Sony could happen to anyone not taking care of their unstructured data, which is most organizations I run into.
There will always be a need for contracts to contain sensitive data, but there is never a need for those contracts to sit out on networks without adequate protection. It is also a best practice to age data out to more controlled, locked-down storage when it is not needed on a day-to-day basis. The problem is that most organizations, including Sony, just don’t see their unstructured data as a risk. If you ask someone “do you need to protect your biggest client’s social security number?” of course they will say yes. But if you ask them “do you look at who can access every Word document that is a contract?” they are going to say “I don’t know.” These are the same question asked two different ways.
A lot of attention has been given to the documents containing passwords. It’s funny to me that people are criticizing documents filled with passwords on social media, when it’s just as likely they logged into that social media site using a password they got from a similar document filled with passwords. Again, Sony is paying the price for all of us who have made these basic security errors. Of course no one should do this, but too many still do. Worse, they put those documents onto the same file systems that aren’t built to protect the other sensitive data they are managing with those passwords. People assume all the firewalls and other measures make the shared drives and collaboration portals secure. They don’t. People in security say all the time that the perimeter is disappearing, but it takes a Sony to make it clear that unstructured data in files is on the inside of the fallen outer walls.
The goal of every piece of malware is to get itself embedded on the inside and use the access an account has to do its dirty work. The best access to get is privileged access. The most obvious kind of privileged access is the IT administrators’ accounts. But you can do a lot of damage with the right end user account. How much access does the CEO’s administrative assistant have to sensitive data that can embarrass – or turn to profit? The bad guys also know we’re doing the wrong things with access to unstructured data. An IT administrator should have no business reading contracts with social security numbers of celebrities, but we all know they can. So if the bad guy gets an administrative account, it’s game over. With the sheer amount of data exposed at Sony, it’s a near certainty that they got their hands on a lot of administrative access. The real question we should all ask ourselves is “why do our IT admins have rights to see the sensitive business data?” It’s a classic “who’s watching the watchers?” problem. Just as we don’t want the COO to have the password that can reboot the big website server, the IT admin should not have the rights to read corporate secrets. It’s basic separation of duties, which is something that security folks should know all about.
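The two practical questions raised above, “do you look at who can access every contract?” and “is old data still sitting on the live share?”, both reduce to walking the file share and reporting what you find. The script below is an added example (not code from the original post or from Sony) that does exactly that on a POSIX file system: it flags files older than a stale-data cutoff, which are candidates for moving to locked-down storage, and files whose mode bits grant read access beyond the owner, which are candidates for an access review. The directory layout and file names it builds are constructed sample data, and the `stale_days` threshold is an assumption to be tuned per organization. Real shares use ACLs rather than plain mode bits, so treat the permission check as the shape of the audit, not a complete one.

```python
import os
import stat
import tempfile
import time
from dataclasses import dataclass

SECONDS_PER_DAY = 86400


@dataclass(frozen=True)
class Finding:
    path: str       # absolute path of the file
    issue: str      # "stale" (past the cutoff) or "broad-read" (readable beyond the owner)
    age_days: int   # days since last modification


def audit_share(root, stale_days, now=None):
    """Walk a file share and report files that should not be sitting there.

    A file is "stale" when it has not been modified in more than `stale_days`
    days; a file is "broad-read" when its mode grants read to group or others.
    Both are the cues the post describes: age old data out, and look at who can
    read each document.
    """
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            age_days = int((now - st.st_mtime) // SECONDS_PER_DAY)
            if age_days > stale_days:
                findings.append(Finding(path, "stale", age_days))
            if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append(Finding(path, "broad-read", age_days))
    return findings


def summarize(findings, root):
    """Reduce findings to (relative path, issue) pairs for reporting."""
    return {(os.path.relpath(f.path, root), f.issue) for f in findings}


def build_sample_share(now=None):
    """Construct a throwaway share with sample files (constructed, not real data).

    Each entry is (relative path, age in days, POSIX mode). The mtimes are set
    relative to `now` so the audit is deterministic.
    """
    now = time.time() if now is None else now
    root = tempfile.mkdtemp(prefix="share_")
    samples = [
        ("contracts/talent-2000.docx", 14 * 365, 0o644),  # old and group/world readable
        ("contracts/current-deal.docx", 10, 0o600),       # recent, owner-only
        ("it/passwords.xlsx", 30, 0o644),                 # recent but readable by everyone
    ]
    for rel, age_days, mode in samples:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
        mtime = now - age_days * SECONDS_PER_DAY
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    share = build_sample_share()
    # Assumed policy: anything untouched for three years belongs in cold storage.
    for rel, issue in sorted(summarize(audit_share(share, stale_days=3 * 365), share)):
        print(f"{issue:10s} {rel}")
```

Run against a real share, the output is a worklist: every “stale” line is a file to move off the live network, and every “broad-read” line is a file whose readers, administrators included, should be justified or removed.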