"This is punishment," says Josh Corman, a security analyst for the 451 Group, about the monthlong string of attacks against Sony websites. "Ideologically motivated adversaries show how tenacious and lengthy an attack can be. They will take it further than anyone would expect and do it longer. This is a bludgeoning."
That is very different from how a typical attackers motivated by profit would work. Once financially motivated attacks are detected, they can be shut down and vulnerabilities can be repaired and the attack will likely be finished, he says.
BACKGROUND: PlayStation Network hack timeline
But when the goal is punishment for perceived wrongs, attackers keep on trying with whatever tools they have available, Corman says -- an entirely different beast that calls for new thinking. "I can almost guarantee that as part of their threat model, most organizations lack a plan for dealing with an ideologically motivated adversary," he says.
Businesses need to ask whether they could fall victim of such punishment attacks, he says. "If the answer is yes, run scenarios and adjust your countermeasures."
Actions such as shutting down websites -- something Sony has resorted to -- might not have been on the list before, but may belong there now, he says.
If businesses use cloud services or Web hosts, they should insist on contract language that guarantees an emergency hotline that can shut down the services immediately. Delays shutting down a Gmail account led to the theft of 70,000 emails from HBGary Federal.
Business should also have a plan for running servers in a way that is less functional but also less attackable, he says. Customers may not be able to do everything they could before, but at least business can proceed.
If a business has angered adversaries to spark such attacks, the technical defensive arsenal should be expanded to include social methods. Find out what set them off and take steps to defuse the motivation, Corman says. The initial Sony attack has been linked to what some say was a heavy-handed Sony legal response to a gamer jailbreaking PlayStation 3 and posting a how-to on the Internet.
The most important lesson to learn from Sony's problem is that it could happen to virtually any business. "I suspect if you had a concerted attack by relatively sophisticated hackers on any institution there would be some success," says Mark Rausch, director of cybersecurity and privacy at business consultancy CSC.
Any global enterprise with a well-known brand name is at risk, says David Barton, a principal in UHY Advisors business consultants who specializes in technology assurance and advisory services. "It could happen to any big company that hasn't kept up with the most recent attacks and most recent threats," he says.
Companies' reputations are at stake. The constant drumbeat that Sony has again been compromised has been wearing away at the credibility of the company's security.
While the best thing is to have good defenses in place before being targeted, there are steps that should be followed afterward, starting with not panicking, which can lead to bad decisions about remedies. Other steps Rasch recommends:
* Perform penetration tests.
* Determine the scope of the breach and mitigate it. For example, assign new user IDs and passwords and migrate to new servers.
* Actively monitor logs, and lower thresholds for alarms.
* Lock down systems that would otherwise be left open.
* Know your affiliates and subsidiaries and where they are.
* Develop for the future a comprehensive security program that is part of the infrastructure architecture so security isn't bolted on.
Businesses can fall victim even if they have been diligent in carrying out these recommendations, Rasch says.
Sony may have been doing a good job based on what it thought its risks were, Barton says. "I think it's reasonable not to suspect that something like this would happen," he says, but when it did, everything changed. "The threat level went way up when somebody decided to make them a target," he says.
But the repeated attacks have forced Sony to take drastic actions such as taking its affected servers offline and rebuilding its infrastructure. These steps are disruptive and publicly embarrassing, but necessary. "They're only going to hurt themselves even more by not taking the drastic action," Barton says.
Whether Sony has responded sufficiently to its increased risk level is hard to say, according to Barton. It may be taking appropriate steps, but those steps may be complex and not completed yet. "It's difficult to do the kinds of things that are necessary quickly," he says.
Rasch says all companies have to make accurate risk assessments and carry out their responsibilities to protect personal information they store. "They have to realize they are fiduciaries of customer data and have a moral and legal obligation to protect that data. They need to do everything reasonable," he says. "The cost of repairing after the fact is 10 to 100 times higher than preventing it in the first place."
Sony has said it will cost at least $171 million to deal with its breaches, but the number was calculated before the latest ones.