Imagine you're the CEO of a big company that has just been hacked...

Imagine you're the CEO of a big company that has just been very publicly hacked.

It's pretty damaging - your computer systems are down, your staff are locked out of those systems, and your private data is in the hands of criminals who might or might not be looking forward to a new movie from Seth Rogen...

You decide to call in the experts. Not only do you call in the cops (your corporation is definitely the victim of a crime), but you're also keen for a crack team of cybersecurity experts to come in, determine what might have been stolen, and how you might better protect yourself in future.

Chances are that you would also quite like those security experts to say that your company wasn't to blame. You'd probably like them to say the attack was so advanced that there were no defences that any regular corporation would have had in place to protect against it.

In fact, you'd probably be keen for the experts (who you're paying plenty of dollars to) to say that nothing like it has ever been seen before, and that no companies could have been fully prepared for such an attack.

Now, imagine you're the boss of a security company that has been called by a big company that has just been hacked.

They're waving lots of dollars at you, and your eyes are going kerr-ching!

You don't want to upset your new customer, and you'll probably be prepared to bend over backwards to keep them happy.

And if the CEO of the company that fell victim asked you to write a few words that can be shared with staff about the hack, you're not going to want to rock the boat are you?

...

In entirely separate news, did you see the internal memo that Sony Pictures CEO Michael Lynton sent to staff, including some words from Kevin Mandia, head of security firm Mandiant?

Over the last week, some of you have asked about the strength of our information security systems and how this attack could have happened. There is much we cannot say about our security protocols for obvious reasons, but we wanted to share with you a note we received today from Kevin Mandia, the founder of the expert cybersecurity firm that is investigating the cyber-attack on us. The investigation is ongoing, but Mr. Mandia’s note is helpful in understanding the nature of what we are dealing with. Full text below.

We also want to thank you once again for your resilience and resourcefulness in carrying out our critical day-to-day activities under incredibly stressful circumstances. As a result of your efforts, we have made great progress moving our business forward, and we will continue to do so.

— — —
Dear Michael,

As our team continues to aid Sony Pictures’ response to the recent cyber-attack against your employees and operations, I wanted to take a moment to provide you with some initial thoughts on the situation.

This attack is unprecedented in nature. The malware was undetectable by industry standard antivirus software and was damaging and unique enough to cause the FBI to release a flash alert to warn other organizations of this critical threat.

In fact, the scope of this attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public. The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.

We are aggressively responding to this incident and we will continue to coordinate closely with your staff as new facts emerge from our investigation.

Sincerely,
Kevin Mandia

"Unprecedented"? "Undetectable"? "Unique"? "Unparalleled"? "Differs from any we have responded to in the past"?

Hmm.

In the words of Mandy Rice-Davies, he would say that, wouldn't he?


3 Responses

  1. Coyote

    December 10, 2014 at 11:39 pm #

    "This attack is unprecedented in nature. The malware was undetectable by industry standard antivirus software and was damaging and unique enough to cause the FBI to release a flash alert to warn other organizations of this critical threat."

    I was tired of that claim by the second time it was ever claimed. That was a long time ago, wasn't it? Indeed. I'm sure the malware was so unique, so hard to detect… that is quite common though, isn't it? That ironically means that the claim is not any more unique than the malware (and/or other attacks). That also means it is lying in order to save integrity. Further irony (and sad irony at that) is that it does the exact opposite. Lying to try to save your reputation/similar only ruins your reputation further. If you can admit you aren't perfect and, more so, inform what you learned from (whatever), you are far stronger, have far more integrity, are much more honourable and honest, and overall everything is better.

    Incidentally, I'm reminded of when LulzSec took over Sony whenever it was and the security company Sony hired came in and then after the fact another attack by LulzSec came to light. Maybe they forgot to start over and better their policies? I guess that is the least of their worries now (although if they did learn from it perhaps we wouldn't have this story).

    Yes, Kevin. If that makes you feel better, keep it up…

  2. epte

    December 11, 2014 at 1:37 am #

    Yeah, I bet that if it was against them it had to be unprecedented lol.

  3. Coyote

    December 27, 2014 at 10:33 pm #

    I visited this post again for some reason and I have some additional comments. It is rather ironic that I would say "Yes, Kevin. If that makes you feel better, keep it up…" because that sort of reminds me of another Kevin – Kevin Mitnick. Naturally he isn't the only one, but the very idea there is that things aren't fair, and if we can find a way to take zero blame (and therefore learn nothing), then so much the better. Unfortunately it doesn't really work that way, and that is why this is only one of several attacks Sony has faced (so either they're worse at hiding it, or they're worse at hiding it and also worse at hiring (and hiding) how helpful their crack – sorry, I mean security team – is (isn't)).

    As for the way you worded something, something in particular being:

    "… for a crack team of cybersecurity experts to come in, determine what might have been stolen, and how you might better protect yourself in future."

    While I did see it and I did think of it at the time I read this post, I didn't remark on it. Yes, crack team (although perhaps quack team is even better?) fits quite well given the circumstances. Instead of making the best of a situation they decide to dismiss it as nothing could have been done (there is always something that can be done, no matter how successful it is or isn't) and so nothing to worry about (other than saving our reputation and our company). Of course they could be doing the latter while doing the former if only they could see that…
