Sony has been in the new for all the wrong reasons for the past few weeks. It has had to endure one hack after another, with each hack resulting in the theft of more customer information. What makes Sony so vulnerable?
Based on the information available, Sony has had at least a couple of types of attacks that were successful – SQL Injection and Spear Phishing.
In a SQL Injection attack, the attacker tries to modify parts of the HTTP request so that the SQL statement that goes to the database is modified and does what the attacker wants it to do. In the latest Sony breach, the attackers were able to pull out a lot of user information.
The primary causes of a successful SQL Injection attack are
- Parameter values that come in to the application not being validated properly before being used
- The wrong type of database operation commands being used (String concatenation instead of parameterized SQL)
In some cases, the effects of a successful SQL Injection attack can be mitigated somewhat by encrypting (or hashing) key pieces of data. Even if data is stolen, it will not make much sense to the attacker if rendered unreadable (a PCI DSS term meaning encrypted, hashed or truncated). In Sony’s case, sensitive data including passwords seem to have been stored in the clear which is against all recommended best practices.
One thing to remember if encryption is used is that the encryption keys have to be properly secured. If the keys are in the same location as the data, then it will be trivial for the attackers to do the extra step of using the keys to decrypt the data. Key management is a very important part of data security.
In a spear phishing attack, emails containing malicious payloads are sent to specific people in an organization. The emails might look like they were sent by someone known to the receiver. This is how the the Gmail attack against US government employees worked as also the RSA attack involving SecurID.
This can be very tough to detect and prevent using only firewalls. Users have to be vigilant to protect themselves. For instance, if you receive an email attachment from a friend on a topic that they would not normally discuss, you may want to be careful about opening it. The most important thing is to look out for anomalies and look at the source of the email carefully. This requires users being educated on what to look for and their being alert and watchful.
Every employee has to understand that the security of the whole organization can depend on the choices he/she makes. Organizations have to ensure that their employees understand policies and what to do when something happens. Throwing money at the problem will not make it go away. Security has to permeate the culture at every organization to minimize these incidents.