Privileged Account Management: Lessons from the Sony Hack

Kevin Jones
January 20, 2015 by
Kevin Jones

CNN recently reveled the methodology of the cyber attack that allowed anonymous cybercriminals Guardians of Peace direct access to their network, or the "keys to the entire building," as one Sony Pictures Entertainment official stated. According to investigators, the attack was carried out through a set of stolen system administrator credentials; a privileged account username and password providing a golden gateway of unfettered access to employee records, unreleased films, intellectual property, email conversations and other sensitive data. The breach has now escalated to a matter of national security, with FBI claiming North Korea as the nation state responsible for this attack based on a recent press release from the agency.

Why Hackers Love IT Admin Credentials

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Access to a system administrator credential may have been the linchpin in allowing the Guardians of Peace to carry out their attack to the length and complexity they achieved; they held sensitive data hostage paired with ominous threats of movie goers if screenings of upcoming satirical comedy The Interview were not cancelled and their demands met.

It's difficult to say exactly what happened, as the raw details of how the hack was performed aren't being made public yet. Based on information currently available, it's safe to say Sony was utilizing a very poor password policy for its privileged accounts. Despite the fact that it has been common knowledge not to do so, Sony still stored sensitive, system-level passwords in plaintext in Excel spread sheets, and made use of extremely weak passwords, like "password," on said accounts. The public doesn't know how often Sony was actively rotating and changing passwords on these sensitive credentials or if they were left stagnant over a long period of time.

While it's not certain that putting all of these password security measures in place would have completely stopped the attackers, it would have mitigated the damage and perhaps slowed attackers down enough to thwart the attack before it was fully executed.

Our own research, conducted this past August at the Black Hat Conference, shows that hackers who are in search of sensitive corporate data don't look at the top executives as the most likely suspects for security weaknesses. Thirty-six percent of the hackers we surveyed indicated that IT admins were the first place they looked when attempting to penetrated an enterprise network – right behind independent contractors. These groups are at a major risk for attack because the nature of their work typically includes direct access to servers and systems housing sensitive company data, such as billing information and customer data. Once an attacker gains control of login credentials, they can swiftly compromise systems, move laterally through and gain control over the network.

Privileged Account Security Must Be a Top Priority

As hacker intelligence evolves faster than preventative technologies allow, the perimeter is not the secure defender it once was. It's innately porous and can only block a certain percentage of those attempting to gain access to a network. Once the attacker is inside, they are on a hunt for anything of value, and often target privileged account credentials to gain access to those jewels quickly and effectively.

It's in Sony's best interest moving forward to invest in safely storing, securing, and managing privileged account credentials such as system administrator, database administrator, ROOT, and service account passwords to prevent something like this from happening again.

This cyberattack is a wake-up call to all enterprises who have been neglecting the regular maintenance of passwords belonging to these kinds of service accounts – especially companies that have recently had any kind of downsizing, shifting of roles in IT, or new offices in other locations. Left unchecked, these accounts are extremely vulnerable. Hackers are counting on it.

What's Next for Sony Pictures?

Given the current evidence of poor security practice and subsequent brand and financial damage at Sony Pictures, it is unlikely they used any form of third party, or even first party auditing on stale security policies. I expect this to change for them going forward. If they are smart, they will get a third party vendor to properly audit and assess their security policies regularly.

The truth is, the damage has been done. Emails have been leaked, data has been compromised. That cannot be remedied. Sony, like every other company that's experienced a data breach, must learn from their mistakes and move forward. Sony Pictures will most likely look to a consulting firm to help them mend the damage and put a privileged account management (PAM) solution in place.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

PAM needs to play a central role in the rebuilding of their IT security infrastructure. Limiting account access, rotating privileged passwords on a scheduled basis and auditing account usage are key strategic pieces that not only will mitigate current levels of risk, but help set an example to other businesses industry-wide. The Sony hack's biggest takeaway is that nobody should wait for a breach to occur to begin securing their privileged accounts.

Kevin Jones
Kevin Jones

Kevin has specialized in a variety of cybersecurity initiatives in the privileged management space. As Senior Security Architect for Thycotic, Kevin brings a deep understanding of cryptography and cryptographic systems as well as advanced threat modeling to the design and implementation of enterprise security software. A Microsoft MVP, Kevin has been a featured presenter at numerous IT and security events including IANS Forums, ISSA, ISACA and software development clinics.