Security against hackers is similar to that agsint car theives


Lessons from the Sony Hack
[Via Schneier on Security]

Earlier this month, a mysterious group that calls itself Guardians of Peace hacked into Sony Pictures Entertainment’s computer systems and began revealing many of the Hollywood studio’s best-kept secrets, from details about unreleased movies to embarrassing emails (notably some racist notes from Sony bigwigs about President Barack Obama’s presumed movie-watching preferences) to the personnel data of employees, including salaries and performance reviews. The Federal Bureau of Investigation now says it has evidence that North Korea was behind the attack, and Sony Pictures pulled its planned release of “The Interview,” a satire targeting that country’s dictator, after the hackers made some ridiculous threats about terrorist violence.

Your reaction to the massive hacking of such a prominent company will depend on whether you’re fluent in information-technology security. If you’re not, you’re probably wondering how in the world this could happen. If you are, you’re aware that this could happen to any company (though it is still amazing that Sony made it so easy).

To understand any given episode of hacking, you need to understand who your adversary is. I’ve spent decades dealing with Internet hackers (as I do now at my current firm), and I’ve learned to separate opportunistic attacks from targeted ones.

You can characterize attackers along two axes: skill and focus. Most attacks are low-skill and low-focus — people using common hacking tools against thousands of networks world-wide. These low-end attacks include sending spam out to millions of email addresses, hoping that someone will fall for it and click on a poisoned link. I think of them as the background radiation of the Internet.


You can easily stop your car from being stolen from opportunistic thieves – don;t leave the engine running or the keys in the ignition, lock the doors, etc. You can add horns and alarms systems. You simply make it too much trouble to get into the car.

Similar crooks on the web require similar easy defenses. The hacks into Target, et al. show that they had the equivalent of running engines for their security. Just doing some rudimentary security would have passed those theoves onto an easier foe.

But we all know that a determined thief who really wants our specific car, can pretty much get it. We can slow them down but never really stop them.

If they are focussed on our specific property and are not just opportunistic.

Something similar can happen on the Internet. Focussed hackers are very hard to defeat. It takes a lot of effort on focus from those being attacked. 

But you have to be prepared. If you have to sleep in your car to prevent it frfromo being stolen, then you sleep in your car. Having adaptable, vigilant policies in hand are a must for any company today.

Sony seems to have done a poor job here, allowing focussed attackers entry that even opportunistic ones would have gotten. Hope they fix that.