Sony should be looking at its own employees — not North Korean hackers

February 12, 2015

The mainstream media's take on the Sony hack is a narrative worthy of a Hollywood production. Most people imagine rows of North Korean cyber soldiers attacking corporate America from a dark bunker amid blinking lights and flashy graphics.

While portraying hacking as an exciting, blockbuster-worthy pursuit certainly makes for a good story, the truth usually isn't as intense as the fantasy.

The Target and AT&T data breaches weren't accomplished through secret software vulnerabilities or armies of hackers. They were both inside jobs — and so was the Sony hack.

The real threat is usually inside

When a company gets hacked, it's easy and convenient to blame outside forces. But the truth is that insider threats are the leading cause of data breaches.

After all, internal employees are the ones with all the access. IT personnel can read emails, access company computers and sensitive files, and destroy the data on company devices as part of the technical nature of their jobs. When an IT employee goes rogue or is compromised, he becomes a major liability.

Looking to North Korea as the sole player in the Sony hack could very well be a case of hearing hoofbeats and thinking zebras instead of horses. Questions are still circulating about whether North Korea was even involved.

For instance, why would North Korea be so sloppy and expose its own IP addresses? These are the same addresses that popped up during the 2013 attack on South Korea. It's easy for a skilled hacker to fake IP addresses, and I find it hard to believe that the perpetrators of this attack would make such a rookie mistake.

Then, there's motive. The hack itself seemed to be aimed at embarrassing the Hollywood elite and Sony management, which fits the modus operandi of a disgruntled employee looking to embarrass the company more than a country trying to send a message to an enemy nation. Why was “The Interview” mentioned only after the press started positing it as a possible motive for the Guardians of Peace?

And let's not forget the linguistic analysis, which points to a possible Russian origin rather than a North Korean one.

Even if North Korea is responsible, it looks like the country had inside help. Norse Corp. has publicly stated that it has evidence that a studio employee may have colluded with outside hackers. This would also explain how the breach got so big so fast without anyone at the company noticing until after the hackers went public.

Stop breaches from the inside out

Regardless of whether North Korea was involved in the Sony cyberattack, the hack was likely preventable. Insider breaches shouldn't be nearly as common as they are because they're easier to trace and the sources generally have much more to lose than external hackers.

The problem is that companies often overlook the need for protection from internal attacks and end up leaving themselves vulnerable. If businesses don't start implementing some simple security protocols to protect themselves, insider breaches are only going to become more common.

The first thing companies need to do to avoid becoming the Sony of 2015 is to create collusion security. No one person should hold the keys to the kingdom. That means creating an environment where multiple people need to be involved to move or access data in a nontraditional way. This way, if one person is compromised, it's not enough to bring the whole system down.

Second, they should make sure they keep security roles separate. It's important that the person who governs and manages access controls is not the system administrator. Security responsibilities should be spread out among employees so no one has too much power.

Finally, companies need to monitor and limit access to sensitive data so they'll be able to notice any atypical logins before compromised data goes public.
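
The three controls above (multi-person approval, separated security roles, and login monitoring) expressed as checks. This is an added example, not code from the original article; the role names, users, hosts and baseline format are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical role names: the article only says the person who manages
# access controls must not also be the system administrator.
CONFLICTING_ROLES = {"sysadmin", "access_admin"}

@dataclass(frozen=True)
class Login:
    user: str
    hour: int   # local hour of day, 0-23
    host: str

def sod_violations(roles):
    """Users who hold both conflicting roles (separation of duties)."""
    return sorted(u for u, r in roles.items() if CONFLICTING_ROLES <= set(r))

def authorize_bulk_export(requester, approvers, roles, needed=2):
    """Allow only with `needed` distinct, known approvers other than the requester."""
    bad = set(sod_violations(roles))
    valid = {a for a in approvers if a != requester and a in roles and a not in bad}
    return requester not in bad and len(valid) >= needed

def atypical_logins(events, baseline):
    """Flag logins outside usual hours or from a host not seen before."""
    flagged = []
    for e in events:
        known = baseline.get(e.user)   # (first_hour, last_hour, known_hosts)
        if known is None:
            flagged.append((e, "no baseline"))
            continue
        first, last, hosts = known
        if not first <= e.hour <= last:
            flagged.append((e, "unusual hour"))
        elif e.host not in hosts:
            flagged.append((e, "new host"))
    return flagged

# Constructed sample data, not taken from any real incident.
ROLES = {"alice": ["sysadmin"], "bob": ["access_admin"],
         "carol": ["data_owner"], "dave": ["sysadmin", "access_admin"]}
BASELINE = {"alice": (8, 18, {"ws-101"}), "carol": (9, 17, {"ws-205"})}
EVENTS = [Login("alice", 10, "ws-101"), Login("alice", 3, "ws-101"),
          Login("carol", 11, "vpn-77")]

if __name__ == "__main__":
    print("SoD violations:", sod_violations(ROLES))
    print("approved:", authorize_bulk_export("alice", ["bob", "carol"], ROLES))
    for event, reason in atypical_logins(EVENTS, BASELINE):
        print("ALERT", event.user, event.host, reason)
```
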

Of course, it's possible that the Sony breach was solely the work of an outsider. But even if that's the case, it's the exception, not the rule. Companies need to take cybersecurity seriously and consider that the biggest threats to their data may already be inside their walls.


Tim Maliyil is the CEO and data security architect for AlertBoot. AlertBoot protects customers from data breaches that damage their credibility, reputation, and business. The company's managed full-disk encryption, email encryption services, and mobile security services deploy within minutes to customers' PCs, smartphones, and tablets, providing tremendous insight, visibility, and control.