Sony hack lessons – protect the data, but also software and secret credentials
We do not know yet who did it and how they did it. There is suspicion that known malware was used. Software integrity was likely compromised. Attackers might have gotten their hands on some secret credentials to get in.
Being practitioners of data security for large enterprises, though, we often find that even savvy customers sweep very important security issues under the rug, hoping that nobody will notice. That is, until disaster strikes.
It is now obvious to many people that data needs to be encrypted. They therefore deploy solutions that encrypt their databases, data volumes and storage arrays. Is that enough?
As it turns out, it wasn’t for Sony, as witnessed by the vast array of files leaked through file-sharing networks. If only those files had been secured with persistent strong encryption using a solution like CloudLink SecureFILE!
But the problem runs deeper than a simple lack of security for sensitive files. Despite Sony’s apparent lapses in data security, it is hard to imagine that an organization its size didn’t employ any sort of cryptographic protection for its structured and unstructured data. The trouble is that such protection is only as strong as the management of the keys used to perform data encryption.
Let’s consider the case of database encryption. The key used to encrypt the data needs to be placed where only legitimate users can access it. The best place to hide it would be a key manager or some kind of Hardware Security Module (HSM) using strong cryptographic authentication. But wait, before one can even use a key manager or HSM, how does one authenticate to it? Use SSL, you say? But where would one hide the private keys to be used for SSL – before connecting to the key manager/HSM? A surprising number of organizations just stick them on local volumes, in cleartext!
There is a multitude of enterprise VMs that use private keys, secret credentials and other valuable bits of data that hackers covet. Think of private keys for SSL acceleration virtual appliances – they are often protected by secret credentials stored right there on the system volume, in the clear. What about firewall virtual appliance rules, IDS configuration files, event logs, message queues, etc.? Even if encrypted, they are still vulnerable if the keys are not fully protected. And this is where the attackers have an opportunity.
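One way to find the cleartext private keys described in the two paragraphs above is to sweep a volume and classify every PEM key file by whether it is passphrase-protected. The following is an added example, not code from the original post or from CloudLink; the function names are this example's own and the sample files are constructed placeholders, not real key material.

```python
import base64, pathlib, re, struct, tempfile

PEM = re.compile(rb"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.S)
MAGIC = b"openssh-key-v1\0"

def classify(data):
    """Return 'cleartext', 'encrypted', or None when no PEM private key is present."""
    m = PEM.search(data)
    if not m:
        return None
    label, body = m.groups()
    if label == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body:
        return "encrypted"  # PKCS#8 or legacy PEM passphrase wrap
    if label != b"OPENSSH PRIVATE KEY":
        return "cleartext"  # bare PKCS#1 / PKCS#8 / SEC1 key
    try:  # OpenSSH stores the cipher name as a length-prefixed field after the magic
        raw = base64.b64decode(b"".join(body.split()))
        (n,) = struct.unpack(">I", raw[len(MAGIC):len(MAGIC) + 4])
    except (ValueError, struct.error):
        return None
    if not raw.startswith(MAGIC):
        return None
    return "cleartext" if raw[len(MAGIC) + 4:][:n] == b"none" else "encrypted"

def audit(root):
    """Return sorted (relative path, state) for every private key found under root."""
    found = []
    for path in (p for p in pathlib.Path(root).rglob("*") if p.is_file()):
        try:
            with path.open("rb") as fh:
                state = classify(fh.read(65536))
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if state:
            found.append((path.relative_to(root).as_posix(), state))
    return sorted(found)

def demo():
    """Audit a temporary tree of constructed, non-functional sample files."""
    fake = base64.encodebytes(b"constructed placeholder, not key material")
    ssh = lambda c: base64.encodebytes(MAGIC + struct.pack(">I", len(c)) + c + bytes(16))
    samples = [("server.key", b"RSA PRIVATE KEY", fake),
               ("legacy.key", b"RSA PRIVATE KEY", b"Proc-Type: 4,ENCRYPTED\n\n" + fake),
               ("kms-client.p8", b"ENCRYPTED PRIVATE KEY", fake),
               ("id_plain", b"OPENSSH PRIVATE KEY", ssh(b"none")),
               ("id_locked", b"OPENSSH PRIVATE KEY", ssh(b"aes256-ctr"))]
    with tempfile.TemporaryDirectory() as root:
        for name, label, body in samples:
            pathlib.Path(root, name).write_bytes(
                b"-----BEGIN %b-----\n%b-----END %b-----\n" % (label, body, label))
        return audit(root)
```

Calling `demo()` returns the classification of the constructed samples; `audit()` can be pointed at any mounted volume or directory, and every `cleartext` result is a key that anyone with read access to that volume can use.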
And then there are the applications themselves. While enterprise IT has every right to be proud of their investments in anti-virus and intrusion detection, in the virtual world VMs can be stopped, paused or shut down. When that happens, in-guest antivirus and IDS protections are unavailable. This leaves applications and the operating system vulnerable to attacks that modify configuration files and executables while the defences are dormant.
The moral of the story? It is not enough to secure sensitive data. We also need to secure the credentials and software used to protect data in this age of sophisticated cyber-attacks.
This creates a strong case for encryption of OS boot volumes coupled with pre-boot integrity checks. CloudLink SecureVM was designed to solve the problems described above. By encrypting the entire boot volume in addition to data volumes, it secures all credentials, files and executables while offering centralized control and monitoring of the VM, including pre-boot authentication and software integrity checks.
Perhaps if Sony paid more attention to such details, nobody would have ever noticed the movie that started it all.