Hacking Sony: How It Happened

The first question is "Who?" We could speculate that it's someone who doesn't like Seth Rogen. Or maybe someone who doesn't like a Sony executive. North Korean hackers? That's a real stretch.

The next question is "How?" Sony may never reveal the real answer themselves because it will be too embarrassing. Why? It was so easy it's embarrassing. So how did North Korea, or the Guardians of Peace, or the Illuminati secure the Sony system administrator's password, effectively giving them "keys to the entire building"?

There are a few things about networks - and how they're breached - that you need to know.

"Hacking," a word that is only slightly less overused than the phrase "reach out," isn't necessarily what you think. Technology used to guard government and corporate networks has become so sophisticated, criminal hackers have turned to the dumber part of the network that is much more easily manipulated: people.

Many, but not all, of the breaches that happen today are a result of an individual who has clicked a link or opened a file that installs malware - software that is intended to damage, disable, disrupt, or gain access to sensitive information - onto a computer or the entire network. There are a number of ways this happens.

Phishing

The easiest way for a hacker to gain access to a network - called phishing - is to entice an individual to open a file or click a link that launches malware. This breach is often used by the criminal hacker to access sensitive data or network credentials that will enable them to dig deeper into an organization.

You might understand that an email from a strange person asking you to open an attachment is a bad plan. Unfortunately, the savvy people aren't who they're targeting...it's the gullible who have no concept of why opening an attachment from an unknown individual is a bad idea.

Security software that detects the installation of malware is the first line of defense against stupid decisions, but obviously not everyone is as concerned with breaches as you may (or may not) be.

Spear Phishing

As the name suggests, spear phishing is a more highly targeted and skillful use of phishing. Sony very well could have been a victim of spear phishing - a targeted focus on specific individuals within an organization by using personalized emails or by impersonating others so the emails are more compelling to open.

Spear phishing attackers use social media sites such as LinkedIn or Facebook to gather personal information to help cloak their attack, making it more believable to the target. Ultimately the attacker desires an organization's secrets - confidential, internal email, intellectual property, or other data of value...such as Sony's entire library of digital movies.

Yeah, I get it, you're not Sony. But it's not always the big corporation that will get attacked. The first step in the Target breach was stolen credentials of an HVAC contractor. According to an article on csoonline.com I referenced two years ago:

Hackers are shifting resources toward small companies because they often partner with large businesses in fulfilling major contracts. Because smaller companies can be the weakest link in the chain, cybercriminals use them to gain information they can use to penetrate the defenses of their larger partners.

A Word on Password Security

Your dumb password is another way attackers can gain access to a network. Yes, I'm talking to you. When someone gains access to your email, network login, social media account, bank account, or other username and password secured assets, you're making an attack on the rest of us a real possibility. Imagine a hacker sending an email to all 1,000 people in your contacts list with a virus attached. That could really happen if someone were to gain access to your email account.

What's frustrating is that I have this conversation with people every day. In our business, we need to gain legitimate access to accounts protected by username and password. I use 'protected' loosely with regard to some of the passwords I'm given. Let me assure you: if you can read a password to me, it's bad. Really bad. Especially if you're using that same password for everything.

So if you made it this far...congrats. Now go read my "Are Your Passwords Secure?" post from July 2012 because it is still the truth. The only differences between July 2012 and today are that I'm now using LastPass for password security and the breaches are only getting more common.