The massive breach at Sony Pictures has raised fears that cyber crime is outpacing corporate security and that hackers have achieved a new height of technical ingenuity in their attacks. But experts tell CBS News there's more to the story -- and that while not every hack can be prevented, some of the damage can be.
The Sony attack displayed an "extremely high" level of sophistication, said Joseph Demarest, Jr., assistant director of the FBI's cyber division, at a hearing of the Senate Committee on Banking, Housing and Urban Affairs on Wednesday. "The malware that was used would have slipped -- probably have gotten past -- 90 percent of Net defenses that are out there today in private industry," and perhaps even the government, he said.
Echoing that assessment was Kevin Mandia, CEO of Internet security firm Mandiant, which was hired by Sony to investigate the attack. In a letter to Sony Entertainment CEO Michael Lynton that was published by Re/Code, Mandia called the attack "unprecedented in nature."
However, other experts tell CBS News it's not the technical sophistication of this attack that really sets it apart.
Richard Bejtlich is chief security strategist at FireEye, which owns Madiant. "From a tech standpoint, there really isn't anything to me that's unusual about this," he said. "For years, even for decades, people have had the capability to wipe out the contents of hard drives, render computers unbootable, to destroy data. We saw things like this in 1982."
Bejtlich did not confirm whether Sony is a client of Mandiant or FireEye.
He went on to say that what makes the Sony hacking stand out is that the attackers didn't just passively steal information, they engaged in active destruction, which he said is atypical, especially in the United States. The attackers, calling themselves the "Guardians of Peace," destroyed Sony hard drives and ransacked the company's digital files. "When you combine the destruction of data with the release of what has turned out to beembarrassing data, put those two together and those are some new dimensions that most security, IT and even management teams aren't used to dealing with."
Prioritizing detection
The problem isn't simply that the hackers have advanced, it's that corporations have proven ineffective at detecting and dealing with breaches. And this is as much a matter of personnel and corporate priorities as it is an IT problem.
Though Demarest stressed at the Senate committee hearing that the FBI began working with Sony "within hours" of discovery of the infiltration, it can be argued that that's simply not good enough -- not if the breach had gone undiscovered for a long period of time first.
"Organizations need to implement strategies, policies and technologies that allow them to detect these breaches when they occur, because then they can actually mitigate them," Shawn Henry, president of the services division at CrowdStrike and former executive assistant director at the FBI, told CBS News. "If it goes on for months at a time that an adversary is inside the network, that's where serious damages can occur."
Bejtlich said that based on his experience, the average time between a breach and when someone notices the breach is seven to eight months. "And two-thirds of the time someone else notifies the victim," he said. "The victim doesn't find it for themselves -- they have to learn it from the third party and most of the time it's the FBI."
Some reports suggest there were security gaps at Sony dating back to September 2013.
"When companies suffer these kind of attacks," Henry said, "it's really important for them to be proactive on their network and to actually hunt for the adversaries within their own environment."
Cyber criminals, he explained, just like burglars, leave traces of their break-ins -- the digital equivalents of fingerprints, hair and clothing fibers. "If organizations are using technology to look for those indicators, they can quickly mitigate the attack."
But most companies are doing nothing of the sort.
"I think that Sony Pictures Entertainment did not prioritize security needs, and others trying to ignore the problem will do the same," cautioned Kurt Baumgartner, principal security researcher at Kaspersky Lab, an IT security vendor.
Black market in data
The danger of a breach goes beyond the immediate damage to data, network systems and reputation. As Bejtlich tells his clients, "Digital is forever," and digital information is a hot commodity.
David Gewirtz, a computer scientist and cybersecurity advisor, told CBS News, "Right now it looks like the folks perpetrating this are focusing on Sony specifically and trying to get whatever they can in terms of causing damage to Sony. But there is a profit motive underneath this stuff and there is profit potential for them, so I'm sure that if they don't use it they will probably shop it to people who will."
Information stolen in the Sony hack included employees' Social Security numbers and other personal data that could be valuable to identity thieves. There is a massive international black market for information acquired in hacker attacks, and intricate distribution channels for digital booty.
It's organized crime, Gewirtz said, and in addition to hackers trading secrets, there are Russian gangs, criminal networks in Eastern Europe and nation states involved in such dealings. "We have evidence that China is participating," and thatNorth Korea has "turned cyber attacks into a profit center."
On the question of whether North Korea was responsible for the Sony attack, Gewirtz gently scoffed: "There is no doubt that North Korea has a very extensive hacking group that is state funded...but whether or not the North Korean leadergot cranky because of a silly movie and decided to get revenge, it's kind of out of a comedy."
For his part, the FBI's Demarest hinted Wednesday that "generally speaking about nation states that have this capability, you can pick the top three or four off the top of your head that have the ability" to perform an attack like this, and "one predominantly out of the Middle East that we are also very concerned about." (Though he didn't name it, he was believed to be referring to Iran.)
What companies can do
To minimize the potential damage from cyber gangsters and nefarious nation states, corporations need to invest not just in fancier technology, but in people and policies for sniffing out -- and snuffing out -- attacks as quickly as possible.
"They are absolutely not going to prevent all these attacks," Henry asserted. "The networks are just too vast, too broad and it's not possible to prevent them entirely." The key is detection, and most companies don't have adequate staffing or protocols in place to deal swiftly with a cyber security incident.
"We have a generation of leaders who treat this as an IT issue and they believe that if you just buy the right software then you can just write a check and take care of the issue," Bejtlich lamented. The more effective alternative, he said, is to look at it as a business problem and develop strategies on the assumption that an attack will occur.
"Right now, the company that isn't prepared has to be reactive," Darren Guccione, founder and CEO of data protection company Keeper Security, told CBS News' Dean Reynolds. "And when you're reactive, that's a very painful situation to be in."
Gewirtz concurred: "A lot of companies who are trying to cut down on dollars spent are not seeing cyber security as an ROI [return on investment] activity. They're seeing it as purely an expense line and they try to do as much as they can with as little as they can. The problem is that once these things happen, the cost to recover is tremendous."
He recommends that owners of small and medium-sized businesses invest in the services of one of an emerging market of identity management firms.
Most companies use a range of services from different vendors -- email services, contact management services, supply chain services -- each of which requires a login and password for each employee. Identity management firms connect employees to all of these services with a one-time access code that supersedes passwords, establishing what is called "federated identity." The cost, he said, is typically in the range of $5 to $10 per employee per month.
Bejtlich summed it up with the three questions every business owner needs to ask his or her security team:
"First, what sorts of bad things have happened on our network in the last year? The second question is, how long did it take for use to detect it and how long did it take for us to deal with it? The third question you should ask is, are we a member of an organization called Forum for Incident Response and Security Teams (FIRST)?"
FIRST promotes sharing of information between companies, government agencies and educational institutions to help coordinate reactions to cyber attacks.
"If you're in a company where you can get a good response to all three of those questions, you're probably not doing too badly," he said. "If your security team has no hope with any of those questions, that's a sign that you need some improvement."