The cyber-attack on Sony Pictures Entertainment in late November is not the first time that the Sony Corporation has been a target for cyber-criminals, and if anything is to be learned from the attacks on Sony, it is that corporations are not taking cyber-security seriously.
Sony, which appears to be the current target of a major cyber-attack by forces the FBI claims are operating on behalf of the North Koreans, has had its corporate and game networks attacked several times over the past decade. The 2011 attack on the Sony game network resulted in more than 77 million users’ personal information being stolen and released on the Internet and in the most recent attack on 8 December the game network was taken down for about three hours.
Between 10 August and 16 September the US retailer Staples Inc. was subject to a broad cyber-attack that infected machines at 113 stores across the US, resulting in personal information from more than 1.16 million payment cards being stolen. What is a concern here is not just that so many customers were compromised but that the cyber-attack went on for so long before it was identified.
Other US retail chains that have been subjected to successful cyber-attacks include Home Depot Inc. (56 million card accounts) and Target Corporation (40 million card accounts) which were attacked with variants of the same malware.
Consequences for data breaches locally have been almost non-existent and governments have taken a step back from forcing business to meet minimum privacy and security standards when operating electronic systems connected to the Internet.
But there are signs that the times are changing because earlier this year Target Corporation removed chairman and CEO Gregg Steinhafel in a move aimed at restoring consumer confidence that had fallen as a result of the Target data breach, and Sony has now found itself subjected to a number of class action lawsuits barely months after finalising a $15 million settlement of a class action brought against Sony over the 2011 Sony PlayStation network data breach.
In a similar context, it appears that only through the courts will Australians be able to force business to take privacy and security seriously. Successive Australian governments have put mandatory data breach reporting, by businesses that have been subjected to a cyber-attack, on the back burner, and it is only a matter of time before the courts are inundated with class actions if current practice is not overturned.
Telstra’s Cyber Security Report 2014 has found that a major security incident has been experienced in the past three years by 41 per cent of local organisations surveyed. 45 per cent of the security incidents were the result of staff accidentally clicking on links to malware or opening mail attachments that contained links to malware. Of the organisations surveyed 43 per cent indicated they were prepared for cyber incidents and less than 30 per cent plan to increase cyber-security spending in 2015.
The Office of the Australian Information Commissioner (OAIC) has published an updated guide for handling personal information security breaches and a guide to information security, but without any legislated powers to act against business, the toothless Australian Privacy Commissioner has been given a poisoned chalice of responsibility by the government.
Businesses looking at the limited ability of the OAIC to take action against companies that fail to secure personal information and report data breaches may be tempted to put information privacy and security into the too-hard basket and carry on as normal, but this would be tempting fate just a little.
And it is not just US companies that are being attacked by cyber-criminals. As the world looks to connect everything to the network, it is timely to look back at how US security firm Cylance attacked and gained entry to the Internet-connected building management system for Google Australia’s office in Sydney.
In 2015 Australian business will need to take information privacy and security seriously as the rate of cyber-crime is continuing to increase and the sophistication of the attacks and malware used to breach company defences has increased faster than the defensive systems.
Add to this the trend towards the Internet of Things and mobile device growth and we have an environment that will provide cyber-criminals with new targets that will offer easy pickings unless business takes the threat seriously. Kaspersky Lab Global Research and Analysis Team recently published its predictions for advanced persistent threats (APT) in 2015 that include:
- The merger of cyber-crime and APT
- Fragmentation of bigger APT groups that will increase the attack base
- Evolving malware techniques
- New methods of data exfiltration
- New APTs from unusual places as more countries join the cyber arms race
- Use of false flags in attacks to mislead about the attackers' origin
- Threat actors add mobile attacks to their arsenal
- APT+Botnet: precise attack+mass surveillance
- Targeting of hotel networks
- Commercialisation of APT and the private sector – legal spyware
Consumers have been coming to terms with the fact that every device they own, irrespective of the brand, is subject to cyber-attack, and the malware used to attack the iPhone 6 when the phone is connected to an Apple Mac demonstrates clearly that cyber-criminals are evolving their methods of attacking consumer devices.
Australian business needs to move beyond using a passive defence to cyber-attack and start to look at systems that proactively target possible sources of malware and data breaches. It is only by actively seeking anything unusual on corporate networks and devices that business will be able to fight the increasing sophistication of cyber-crime.
Intelligent systems that seek device malware and intrusions into corporate networks have been in development for more than ten years and it is time that Australian business develops a best practice guide on how to implement cyber-security systems.
It is also a time when Australian business should consider proactive defensive measures including the capability to defend against cyber-attack by targeting and counter-attacking the source of an attack against the company’s devices, systems or network.
Cost has long been an issue when fighting against cyber-crime and to minimise cost Australian business should consider utilising common secure infrastructure and gateways when connecting to the Internet. Whilst some companies offer security systems of this kind, there is still scope for more development of common or industry wide defences.
Sony’s travails and the long list of major corporations subjected to major cyber-attacks over the past couple of years provide a warning signal that must not be underestimated by Australian boardrooms.