What Bruce Schneier Learned from the Sony Breach
After spending a lot of time thinking about the massive breach of Sony, security luminary Bruce Schneier came to a scary – but not really surprising – conclusion.
"The lesson is that we are all vulnerable. North Korea could have done it to anyone," said Scheier during a packed session at the RSA conference in San Francisco.
While the IT security industry knows how to deal with high volume, low-focus attacks, Schneier said, security professionals have trouble handling highly skilled and focused attackers, commonly referred to as advanced persistent threats (APTs).
"Against a motivated and skilled attacker, we just don't know how to defend," Schneier said. "Against an unfocused attacker, you just have to be more secure than your neighbor."
Security is especially difficult now that there has been a democratization of tactics. In many cases, Schneier said, it's initially hard to tell the difference between an attack launched by a small group of hackers and an attack sponsored by a nation state.
"Attack attribution is hard," Schneier said.
When attribution does come, Schneier added, it can take weeks. In the Sony case, it took three weeks for the U.S. government to blame North Korea. Attribution is important, he noted, because it can help enable a legal response when appropriate.
Attack response is another essential infosec skill, since it's not always possible to prevent attacks.
"So how do we respond without attribution, and how do we survive these attacks, and how do we thrive in spite of them?" Schneier asked.
Schneier shared two key pieces of advice.
Organizations should secure against the actual threats, he suggested. "So if the problem is self-replicating killer robots, we need self-replicating killer robot killers," he said.
Organizations also need more agile response mechanisms, he said.
"Sony might not have been able to prevent attack, but they could have responded quicker," Schneier said. "If the goal is resilience, then the question is how do we get there?"