NEWS ANALYSIS: One significant reason why you don’t hear about military computer systems being hacked is because the military doesn’t approach cyber-security the same way you do.
Tom Chapman likes to quote the ancient Chinese general and military philosopher Sun Tzu when he’s talking about cyber-security. “If you know your enemies and know yourself, you will not be imperiled in a hundred battles,” Chapman quotes from Chapter 3 of “The Art of War.”
Chapman, who is director of cyber operations at EdgeWave Security, believes that if enterprises looked at security the way the military does and used military-grade practices, few network breaches would succeed. Chapman gets his military slant because he was in charge of part of the U.S. Navy’s cyber-war operations.
This is why he thinks the North Korea theory about the attack on Sony Pictures isn’t accurate. He said that nothing about the attack makes sense if you try to blame that country. Instead, he thinks the attack was either someone making use of readily available attack scripts found on the Internet, or it was an inside job.
He also said that it’s obvious that Sony Pictures had very weak security practices, partly because they had so few people in the IT department assigned to security functions and so few of them actually did hands on security work.

“They had 11 people in IT,” he explained, “Three were workers, three were managers, three were senior managers and there was a vice president. They needed people looking at their logs.” Unfortunately, he said, there is no “set it and forget it” function in security.

He said that because nobody had the time to regularly look at logs or check suspicious activity, someone was able to range freely inside the network at Sony Pictures. “Basically they owned them,” he said.
But that also meant that nobody was available to check for suspicious activities such as download of vast quantities of data from the servers at Sony Pictures, amounts that some have estimated to be as much as 100 terabytes. Chapman noted that the Sony Gameboy network that was previously hacked apparently got serious about security, but those practices weren’t implemented at the Sony Pictures unit.
So what does this mean for you, considering that you probably don’t have servers full of unreleased movies? That’s where Sun Tzu comes in. “Every company is different,” Chapman said. “You have to understand your adversary. Sony Pictures isn’t going to get attacked by Russia or China,” he said, but rather by cyber-criminals or someone, in this case, who wants to hurt the company.

It’s still not clear who Sony Picture’s adversary is, but as each day passes it looks less and less like North Korea. But let’s say you’re not Sony Pictures. Let’s say you run a small or medium sized business and you know that a breach could cause serious damage to your company. In fact it could put you out of business.

Leave a Reply