The Sony Breach; Is it Really so Different?

Target, Home Depot, P.F. Chang's, many others, now Sony. Yet somehow the reaction from the normally reserved security community over the Sony breach is more strident, even a bit frantic. Is Sony really so different?

Unfortunately, yes, it is. I have been involved with software technology for over 30 years, on the engineering side and the marketing side. One thing I always have to remember: when you are deeply involved with a technology, there are some things that you hold to be fundamental, obvious truths that everyone gets, and you are usually wrong. That's where the communication breaks down, and I think it is happening this time. So I'll try to explain the "obvious truth" in the context of this break-in, so we can all understand what we have in front of us together.

The truth is, the layered defense I described in my last post (sorry, I probably should use the correct term, "defense in depth") really wasn't built to "stop" a really determined threat (OK, an "Advanced Persistent Threat," or APT). These systems were basically built to inhibit, delay and harass. If a hacker persevered and got past one layer, the next one held him up in a different way, and the next in a different way, and so on. The point is, if the hacker is really good, and hangs in there, he will ultimately get in. So, this kind of defensive strategy is built on the premise that this level of hacker is a professional, in it strictly for the money, and one who firmly believes that there are plenty of vulnerable systems out there waiting to be hacked. If you have built your defenses well, and you have monitoring systems in place that will detect him if he hangs around long enough, he'll eventually decide that the possible payoff is not worth the grief, and go pick on someone else. Security professionals are fully aware that defense-in-depth systems are not invulnerable; it's the rest of us who believe that all is well.

So here is the problem with Sony. The hackers got an awful lot of valuable stuff, and they appear to be giving it away in such a way as to do as much damage to Sony as possible. So our "in it for the money" premise goes out the window. One logical conclusion is that someone with an axe to grind paid a hacker group to do it. I know there has been a lot of speculation about certain foreign powers, but the fact is we don't know, and might never know. What we do need to understand is that the business proposition has changed. Very likely the contract is written so that if the hackers don't succeed in creating the breach, they don't get paid. So instead of giving up and leaving a losing proposition, they are motivated to keep trying until they get in. Defense in depth as we define it today is not going to stop that by itself.

The good news is, there are plenty of people much smarter in this area than I am who know that this is a real problem. We'll have new solutions, but I think that eventually we will have to resort to diplomatic relations to stop these people where they live, not meet them at the gates of our city.

Steve Glass is Chief Marketing Technologist for Oinkodomeo, a company that specializes in aligning B2B Marketing, Sales and Information Technology.
