A year after the crippling hack that brought Sony Pictures Entertainment to its knees, few if any lessons have been learned on how to prevent future attacks, security experts tell TheWrap.
While some studios have made minor changes to their security systems, experts insist another attack on a Sony scale is not only possible, but highly probable.
“It’s not a matter of if, it’s a matter of when,” said Brent Rieth, who manages the Cyber Liability practice for the western region of risk management firm Aon. “At some point, there will be another studio that will be impacted by a cyber incident.”
While most corporations have taken some steps to mitigate the risk — like adding staff and conducting mock phishing attacks to test employee awareness — most have taken a lax approach… with one exception.
“Disney is pretty much the best,” said Ralph Echemendia, a security expert known as “The Ethical Hacker.”
Echemendia, who has worked as a security consultant for Sony in the past, said that unlike other studios, Disney not only focuses on its own network security, but requires any of its business partners to undergo rigorous system testing, or what is called “ethical hacks,” before they can do business with the studio.
“Most of the other studios don’t do that because of the cost involved,” he said, declining to specify the expense involved in such screening procedures.
Adam Levin, the author of “Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves,” told TheWrap that Disney’s Marvel has doubled down when it comes to data encryption as well as segmenting sensitive information to avoid easy access. It also ensures that information is secured with a two-step verification process. All of which, according to Levin, Sony did not do prior to the hack.
There are indications that Sony has taken steps to increase its security. Most legal documents now require password protection, with outside parties needing to place a phone call to the studio to learn the password, according to one senior Sony executive.
It’s hard to quantify just how much money studios have spent on upgrading their systems in the aftermath of the Sony hack. Studio execs are notoriously tight-lipped about their security operations.
Sony, Universal, Paramount, Twentieth Century Fox and Warner Bros. either declined to comment on the record or did not respond to TheWrap’s request for an interview. Even Disney, which has been cited by many security experts as a good example of what studios can do to prevent further hacks, declined to comment.
But experts say whatever they’re spending, it’s not enough.
“Studios spend $200 million to $300 million on tentpole films but they are spending literally nothing on IP security,” Echemendia said. He estimates studios need to shell out upwards of $100 million to $150 million just to rebuild their infrastructure.
“What’s mind-blowing to me is that you would spend $300 million on a movie and not have anyone directly responsible for digital security,” he added. “And that’s still how things work.”
Even though Disney is ahead of the game, experts insist no studio is hitting it out of the park when it comes to cyber security. Echemendia told TheWrap he would give Walt Disney Pictures about a B+. Warner Bros. gets a B grade. Paramount, Fox, Universal and Sony all receive a C. (To be fair, experts say that Sony’s grade is an improvement on the F it would have received before the hack.)
“They still have a lot of work to do,” Echemendia said. “They are still rebuilding their infrastructure.”
Levin took it one step further, telling TheWrap every report he read suggested Sony “didn’t have much of anything.” In fact, things were so lax at Sony that employees kept at least 1,000 passwords on a Word document that was accessible to anyone.
“Sony literally was rolling the dice on information security,” said Levin. “The overwhelming percentage of people had 1234567-type passwords.”
Making matters worse, the Sony hack shouldn’t have come as any surprise to anyone at the company. Sony had been plagued by cyber-attacks for years prior to the 2014 breach. But no one seemed to sound the alarm.
Representatives for Sony have disputed the suggestion that the studio was ill-prepared before the hack; Joseph M. Demarest Jr., assistant director of the FBI’s cyber division, suggested last December that the malware deployed in the Sony hack would have slipped past 90 percent of private industry.
But experts say that Sony, like many others, was too focused on prevention rather than detection.
In fact, the Guardians of Peace, the hackers behind the Sony attack, broke into Sony’s systems months before actually launching the malware that caused so much damage. But no one at Sony seemed to notice.
Once hackers launched the actual attack, it took a mere 60 minutes to throw Sony Pictures back into the ’80s. Computers and email accounts were shut off as studio employees reverted to Post-It notes, fax machines, hand-written paychecks and snail mail, according to one individual with knowledge of the situation.
By then, the hackers had managed to erase everything on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers, according to a report by Fortune. And to make sure it made a lasting impact, the attack came with an added bonus: a special code that essentially overwrote the data seven times over.
The 2014 Sony hack was a wake-up call that spread far beyond the studio grounds, shaking American corporations and immediately involving the FBI. The hackers demanded the cancellation of the film, “The Interview,” a comedy about a plot to assassinate North Korean leader Kim Jong-un starring Seth Rogen and James Franco. In an effort to do damage control, Sony quickly pulled the movie, eventually releasing it on Netflix and select theaters. After evaluating the software, U.S. intelligence agencies determined North Korea was the source of the attack. Even President Barack Obama chimed in.
“We cannot have a society in which some dictator in some place can start imposing censorship on the United States,” Obama said, referring to the North Korean leader.
The Sony hack was no longer just about Sony; it became a center of international cyber warfare. The U.S. even imposed economic sanctions against several North Korean government officials in retaliation.
“Breaches truly have become the third certainty in life, along with death and taxes,” said Levin. “Cyber War has replaced the Cold War. It’s a worldwide issue.”
Since the attack, more high-profile hacks have followed. In July, Ashley Madison, a website promoting extra-marital affairs, was hacked, exposing 9.7 gigabytes of the company’s data, including many user profiles. Last month, CIA director John Brennan’s AOL email account was hacked, revealing sensitive information about top U.S. officials and their phone call logs. The hacker apparently gained access to Brennan’s account by masquerading as a Verizon employee and persuading workers at the company to give out Brennan’s information.
The hack into Brennan’s account is exactly why experts say companies need to make employee security training a top priority.
“Events such as the Sony hack have emphasized the human factors in the cyber security equation,” Mary Aiken, Cyber Psychologist and the inspiration behind Patricia Arquette’s character in “CSI Cyber,” told TheWrap. “The weakest link in any secure system is the human factor.”
Levin says one of the most important things any company can do to tighten up its security is hire companies to run phishing drills on employees. According to Levin, the number of employees who fall for the mock phishing attack can reach up to 80 percent at first.
“The reality is, it only takes one wrong click, and you can bring down a company,” he said.
Until that happens, experts say another Sony-caliber hack is imminent.
Perhaps the one silver lining to come out of the Sony hack, experts say, is the fact that companies are more aware of the risks and potential liability and lawsuits.
“Sony is facing a lot of legal problems,” said Jim Lewis, Senior Fellow at the Center for Strategic and International Studies. “There is damage to their bottom lines and some of their executives have had a really hard time. It’s not 100 percent … but more companies are taking this seriously.”
And even though not enough has been done to prevent future attacks, Lewis says at least one thing has definitely changed.
“I don’t think you’ll see too many studios making fun of the North Korean leader.”