Testifying before Congress last week, the FBI's Joseph Demarest played up the sophistication of the hackers who broke into the network of Sony Pictures. "The malware that was used would have slipped or probably gotten past 90 percent of Net defenses that are out there," he said.
But this doesn't impress security expert Robert Graham, who argues you don't have to be very sophisticated to break into a corporate network. He describes one case where his firm was hired for "penetration testing" — attempting to break into the company's network to test its security.
We had some USB drives made with the logo of the corporation we were pen-testing. We grabbed a flash game off the Internet, changed the graphics so that they were punching the logo of their main competitor, and put text in the Final Score screen suggesting "email this to your friends and see what they get". We then added some malware components to it. We then dropped the USB drives in the parking lot.
This gave us everything in the company as people passed the game around. The CEO and many high-level executives ran it on their machines. Sysadmins ran it. Once we got control of the central domain controller, we got access to everything: all files, all emails, ... everything.
This story illustrates a couple of lessons about corporate security. First, one of the biggest challenges in corporate security is employee training. A company can have the strongest possible defenses against external enemies, but there's no getting around the need for the company's own employees to access sensitive information. If a hacker can trick a few of those employees into doing something dumb, like running a program found on a USB drive or typing a password into a hacker-owned website, then the attacker can get the same permissions as the trusted employee.
Second, there are precautions network administrators can take against this kind of attack, but they tend to make it harder for employees to do their jobs. It might have been possible for the company Graham attacked to ban employees from putting USB drives in their computers, but that would have created headaches when they actually needed to get information off of a USB drive. So there's constant pressure for security measures to be relaxed in the name of efficiency, leaving a lot of vulnerabilities for the first group to make a serious effort to exploit them.
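The tradeoff described above is not all-or-nothing on Windows: the built-in "Removable Storage Access" group policy can deny execution of programs from removable disks while still letting employees read files off them, which addresses the "run a program found on a USB drive" case from Graham's story without the headaches of a blanket USB ban. The following PowerShell script is an added example written for this page, not code from the article or from Robert Graham's firm; it audits the policy's registry backing store and can optionally apply the deny-execute setting on a single host (in a domain you would push the same value through a GPO). The registry path and the removable-disk device class GUID are the documented ones for this policy; the function names are the example's own.

```powershell
# Added example (not from the article): audit, and optionally apply, the Windows
# "Removable Disks: Deny execute access" policy. It blocks running programs from
# removable disks but still allows reading data from them.
# Group Policy location: Computer Configuration > Administrative Templates
#   > System > Removable Storage Access.
$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableGuid = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'   # device setup class: removable disks
$RemovableKey  = Join-Path $PolicyRoot $RemovableGuid

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD value, or 0 when the key/value is absent (policy "Not Configured").
    if (-not (Test-Path $Path)) { return 0 }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

function Get-RemovableStoragePolicy {
    # Summarises the current policy as an object the caller can report on or act on.
    $denyAll     = Get-PolicyDword -Path $PolicyRoot   -Name 'Deny_All'
    $denyExecute = Get-PolicyDword -Path $RemovableKey -Name 'Deny_Execute'
    $denyRead    = Get-PolicyDword -Path $RemovableKey -Name 'Deny_Read'
    $denyWrite   = Get-PolicyDword -Path $RemovableKey -Name 'Deny_Write'

    $status = if ($denyAll -eq 1)         { 'Blocked: all removable storage denied' }
              elseif ($denyExecute -eq 1) { 'Mitigated: execution from removable disks denied, reads still allowed' }
              else                        { 'Exposed: programs on removable disks can be run' }

    [pscustomobject]@{
        DenyAll     = ($denyAll -eq 1)
        DenyExecute = ($denyExecute -eq 1)
        DenyRead    = ($denyRead -eq 1)
        DenyWrite   = ($denyWrite -eq 1)
        Status      = $status
    }
}

function Set-RemovableDiskDenyExecute {
    # Applies the deny-execute policy locally. Needs an elevated prompt; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($RemovableKey, 'Set Deny_Execute = 1')) {
        New-Item -Path $RemovableKey -Force | Out-Null
        New-ItemProperty -Path $RemovableKey -Name 'Deny_Execute' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage:
#   Get-RemovableStoragePolicy              # audit only
#   Set-RemovableDiskDenyExecute -WhatIf    # show what would change
#   Set-RemovableDiskDenyExecute            # apply (run elevated)
Get-RemovableStoragePolicy | Format-List
```

Run the audit across a fleet and the hosts reporting "Exposed" are the ones where a planted USB game would still run; the deny-execute setting closes that path without stopping staff from copying documents off a drive, which is the usability cost the article says drives policies to be relaxed.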