The Sony Hollywood Hack | How Cybercrime Turned A Blockbuster Comedy Into A Global News Story
It's definitely scary. Up to a certain point, as a CISO, you plan your defenses for most of the common hackers: financial groups, hacktivists, stuff like that. But in order to prepare yourself for nation state, those advanced attacks, it's in a whole new league, right? It takes a whole new level of budget, of resources. You really have to prepare for a nation state attack.

Imagine a screenplay so shocking, so full of twists and turns, it could only be real. This isn't a Hollywood blockbuster. It's the real story of the 2014 Sony Pictures hack. What started as a simple cyber assault quickly unspooled into a political thriller that shook an entire industry to its core. Hackers leaked everything from private emails and unreleased scripts and films to embarrassing internal conversations, and then took it a horrifying step further by issuing physical threats, explicitly referencing the September 11th attacks and demanding censorship. This wasn't just a data breach, it was a cultural flashpoint. It pulled back the curtain on an industry built on image and revealed its most vulnerable secrets. We're not just talking about passwords and firewalls today. We're talking about power dynamics, private conversations, and the terrifying intersection of digital threats and real world violence.

Joining us to unpack this very real life screenplay is our CISO co-host Dror Hevlin, a cybersecurity executive with two decades of hands on leadership across national defense, critical infrastructure and global enterprise security. Dror, welcome to The CISO Signal Podcast. For listeners who may not be familiar with your work, tell us a little bit about your background. How did you get started in cybersecurity, and how did you become a CISO?

Yeah. Hi, Jeremy, it's a pleasure to be here now. I've served for over 15 years in the Israel Defense Forces in cyber roles. Naturally, after the military, I went to the government sector. I have been the CISO of the Israel National Cyber Security Directorate, and currently I am the CISO and VP Security at Cynomi.

Thank you, Dror. And I want to say a quick thanks to our entire audience of cybersecurity leaders. We are so grateful to have made it halfway through our first season, and the response has been phenomenal. We're going to take a short break before we ramp up to the second half of the season. And of course, if you haven't already, please take a second right now, subscribe to the podcast on YouTube and your favorite app, and follow The CISO Signal Podcast company page to stay up to date on everything that we're doing. All right, Dror. It is time for lights, camera and investigation. Let's get started.

We are in the midst of a ceaseless war. Not of bombs or bullets, but of breaches, firewalls and silent incursions. The targets: our borders, our banks, our commerce and the critical infrastructure that underpins a free civilization. The enemy is cloaked in code, fueled by greed, glory, and a desire for chaos. This is the story of the unseen protectors, the nameless generals, the CISOs, chief information security officers. They are the guardians at the gate. Watchers on the wall. Ever vigilant and always listening for The CISO Signal.

So when you look back at the Sony breach, it's really remembered as one of the very first high profile nation-state attacks against a specific single company. What's one of the things that still stands out to you about it after all these years?

Yeah. What I remember from the Sony breach is, I think it was the first event where a nation state attacked a private company in cyber in order to gain, not military advantage, but revenge for humiliating them and making them look bad. So I think that was the first incident where we've seen a nation state really using its force to embarrass a public company.

All right, Dror. So let's talk about the unique and terrifying aspect of this attack. It wasn't just a data breach. We're talking about the group, who called themselves Guardians of Peace, or GOP, going beyond leaking emails and movie scripts and unreleased films and, of course, employee personal information. They made explicit physical threats, or as explicit as you can get with some broken, not fantastic English, referencing the 9/11 terrorist attack, saying to moviegoers, quote, "The world will be full of fear. Remember the 11th of September 2001? We recommend you to keep yourself distant from the places at that time." End quote. And of course, that was interpreted at the time to mean theaters that were scheduled to screen the movie, The Interview. That threat completely changed the scale and scope of the incident. As a CISO you bear this incredible responsibility for the security of your organization's data and systems. But what must it feel like when that responsibility extends to the physical safety of employees and even the public? How do you carry that weight and make decisions under that kind of pressure?

It's scary, right? Because you need to invest in a lot of security controls and defenses in order to make certain you are not easily attacked by advanced hackers, right? So you have to plan your day to day operation. How do I gain visibility? What kind of tools do I really need? Smaller companies have a smaller footprint in the digital world, so you have to take that also into account. It's kind of a complicated business where you have to weigh every decision, and of course you have to explain it to the management and board in order to get those needed resources. Everything you do as head of security is risk management. Where to invest first, which security controls to buy? Do I need more policies, more drills, more red teams coming in to test our perimeter and stuff like that?

Act 1
The First Cut

The year is 2014, and a familiar hum of human ambition fills the air. A melody played on the hallowed ground of Hollywood, on the Sony Pictures lot. Dreams are spun into reality. Executives like co-chair Amy Pascal and producer Scott Rudin held the strings of a multi-billion dollar empire, casting new roles, greenlighting projects, and negotiating seven figure contracts for its movie stars. This was a world of A-listers and tentpoles, of pre-production and final cuts. It was a universe that operated on the twin engines of ego and illusion, but unseen by anyone, a different kind of script was being written, not in ink, but in lines of code. The characters: a faceless collective known as the Guardians of Peace, or the GOP. And the genre? It was a horror film no one will ever forget.

The opening salvo arrived on a quiet Monday night, not with a shout, but with a silent, creeping pestilence. It moved from machine to machine, a digital phantom in the wires, leaving behind a trail of ruin. It was as if every computer in every office, from the studio lot in Culver City to the soundstages in New York, was suddenly struck by a digital plague. A grim red skull, a declaration of war, was emblazoned on every screen. It was a kind of digital death, and the patient was an entire movie studio. But this wasn't a simple walk out. It was a scorched earth campaign. The attackers deployed a custom built destructive malware, a sophisticated variant of the "Shamoon" or "Destover" wiper payload. This malicious code didn't just encrypt files. It systemically and irreversibly erased them, overwriting the master boot records of every machine it touched. The company's servers, its internal file shares, its entire IT nervous system, all were reduced to inert, useless metal husks. Sony was instantly paralyzed.

Then came the second, more humiliating act. The Guardians of Peace began to release their stolen assets to the public in a series of data dumps larger than any Hollywood premiere: employee Social Security numbers, medical records, future film screenplays, and, most damning of all, thousands of private emails. It was as if the attackers had found the studio's most secret story, and were now leaking the plot to the entire world.

The central McGuffin in this unfolding story was a satirical comedy, a film about a CIA orchestrated assassination of a foreign leader. A film called The Interview, starring the affable duo of Seth Rogen and James Franco. To Sony it was a high concept comedy, but to the attackers, it was a narrative that demanded a different kind of final cut, a final cut that threatened not just a comedy's bottom line, but its very existence. The stage was set, the cameras were rolling, and the studio was about to learn that in this new kind of negotiation, they had no power at all.

Thinking about the evolution of cybersecurity, were there any warning signs in the Sony case that might have seemed routine or harmless at the time, but today would be immediately raising red flags for a security team?

Yeah, I think so. And I'll explain. You know, it's very striking how many of the, you know, like, signs back then looked ordinary. You know, like I would say even boring, right? They had legacy systems running quietly in the background. Nobody wanted, probably, to do the patching, because at the time it seemed normal. The networks, you know, like they had a flat network design, which at the time probably seemed efficient, you know, like for collaboration. But actually it meant that once you gain a foothold in one machine, you could easily go over to all of the machines in the network. And I think the biggest problem in my book was the silent part. They had places with no alerts, no logs, and no visibility. Probably back then they felt safe because they had quiet. But today, you know, like this kind of quiet, to a security officer, is very alarming. You don't want to be there when your network is completely silent. That means something is wrong over there!

So many attacks, even today, can be traced back to something as simple as leaked or reused credentials. As a CISO, how do you get an entire organization to take that threat seriously at scale, and not just see it as some minor inconvenience?

Yeah, well, I think we've seen over a history of famous breaches that hackers or attackers don't need to use very sophisticated tools in order to breach any kind of company. The Sony breach, by the way, is an example where a compromised credential can really take them far into the network. As a CISO, what I always do, I make sure we have MFA, we have privileged access management, and we do routine, you know, like hygiene checks. But, you know, controls are not enough by themselves. You have to train your employees. You have to make them understand that their cyber hygiene, the cyber hygiene they employ, is good enough. And that when you do phishing simulation, you bring in red teams and you try to raise awareness, you know, like when people have the "oh" moment when they almost click some link, I think that they really assimilate the risk. And your goal as a CISO is to make those habits second nature, right? Not some chore they have to do.

So the Sony case was really a great example or spotlight on the importance of good hygiene, something we talk a lot about these days. How do you effectively communicate to everyone, from the mailroom to the C-suite, that their email isn't just a communication tool, but a potential attack surface? What's your approach to making them understand that a casual email could be their end?

Right. The Sony case really emphasized that email is not, by itself, just a means to an end, but it could be the end. We have seen the reputation damage went through the roof with the publication of those emails, and the hackers really shaped, you know, like the narrative, the public narrative, with those leaked conversations. Right? I mean, it made a lot of, let's say, dirty mess for Sony. What I try to do, you know, like when we do the awareness talk and awareness training, I always say, mainly to executives, by the way, because their emails contain more sensitive or proprietary information of the company. So I always tell them, whether it's one on one awareness meetings or as a group: guys, whenever you write in the email, just remember that it can be read by someone outside of the company. It can be taken out of context. So make sure whenever you write an email, you treat it with this kind of consideration. You may never know what might happen to it.

As the world's media feasted on the stolen data, the narrative of the hack shifted from a technical intrusion to a public shaming. The attackers had not just breached a network; they had stolen the unscripted dialog of Hollywood's most powerful people. The leaked emails became the raw footage of a documentary that no one ever intended to air. What is a secret in a world without shadows? Is a private conversation truly private if it exists in a digital form? These weren't just emails. They were the raw, unedited footage of human nature at its most unguarded.

The world watched with fascination as powerful producer Scott Rudin reportedly called actress Angelina Jolie a, quote, "minimally talented, spoiled brat," end quote. The fight, according to reports, was over a director for Jolie's passion project, Cleopatra. In another devastating chain, Pascal and Rudin made off color jokes about what films they should mention to President Barack Obama. It was an embarrassing look behind the curtain, a moment when the illusion of Hollywood's elegance was stripped away and its raw human flaws were exposed for all to see.

While the gossip consumed the headlines, federal investigators were sifting through the digital fingerprints of the attack itself. They discovered that the attackers had not just appeared overnight. They had reportedly spent months inside the network, a quiet, unseen presence mapping the terrain and siphoning data. The initial vector was a simple yet devastatingly effective spear phishing attack: a few convincing emails, a handful of trusted credentials, and the attackers had their foothold. From there, they navigated the network, escalating privileges and finding unguarded troves of information. Reports later revealed that the key passwords were saved in easily accessible files, a vulnerability that now seemed almost criminally negligent in retrospect.

This actor, according to subsequent reports from the FBI, was not some rogue hacker group. The forensic evidence, the specific lines of code in the Destover malware, the use of certain IP addresses, the sophisticated and coordinated nature of the attack, all pointed to a single foreboding source: the government of North Korea. The attack was not a random act of cybercrime. It was an act of retaliation, a direct response to a satirical film they deemed a declaration of war.

The film's stars, Seth Rogen and James Franco, went from promoting a comedy to living inside a political thriller. Their movie about a fake assassination plot had just triggered a very real act of digital destruction. The joke was no longer on screen. The joke, in this bizarre new reality, was on them. And now the plot took a turn no one could have predicted. The Guardians of Peace, not content with merely leaking data, issued a public threat, invoking the chilling memory of September 11th and promising a, quote, "bitter end," end quote, to anyone who dared to show the movie in theaters. The stage was set for the final act, where Hollywood would face a moral and business dilemma with no good outcome. In the midst of this chaos, Amy Pascal, the studio co-chair who had served as a creative force for decades, would be forced to face the consequences of not just the breach, but the very embarrassing dialog in her stolen emails.

All right, let's step away from the tools and techniques for a second. I want to talk to you about fear. What's your biggest security fear? What's the one thing that truly makes the hair on the back of your neck stand up? The kind of threat that keeps you up at night as a CISO?

Yeah, well, I have a lot of fears that keep me from sleeping at night, I think about, but... One of the top is really shadow IT: some, you know, like small forgotten system someone just set up, an old admin account or an old API, and they just tried some testing and then forgot about it. And it's like, you can have the best security in the world, right, in your company, and you have a lot of detections and patching and monitoring. But when someone leaves this kind of application or an old account or even an API, it's like you leave a side gate, you know, like unlocked in your castle, right? You might not notice it as a CISO, but an attacker is definitely looking for it. And the problem is it just compounds over time, right? Every time someone makes this kind of mistake, it piles up. The only way to fix it is to make sure you do an inventory process, and the culture, mainly culture. When employees feel safe to admit, hey, I did something for testing reasons and we need to close it. So without any kind of judgment, you have to take it back under the umbrella of visibility and control. Bottom line, if you don't address shadow IT, it will address you!

All right. Here's a tricky one for you. With the rise of nation state hackers and so-called cyber activists, have we entered a new reality where a company's products or services or solutions, or even who they sell to, can become the trigger for heightened risk of attack?

So I think what happened with the Sony attack showed the world that once politics enters the equation, everything changes. We have seen since then private companies being pulled unwillingly into geopolitical disputes. The only thing you can do is preparation. And I think in those kind of breaches where there is a political motivation, you have to prepare your relationship with law enforcement and government agencies before you need them. It probably also means that you need to have legal counsel that is familiar with those cross border issues. Train your management about scenarios, right, that include public threats, extortion, even media firestorm. The technical side of those kind of breaches is just one side, but you have to control the narrative side, right? And your position in those kind of political struggles. Don't wait for the breach to happen before you figure out who to call, how to handle media, or what your stance will be in the face of those media publications.

All right. Let's talk about crisis moments for a second. When you're in a war room situation, how do you decide who's in and who's out? What's the strategy for getting the right people in the room and communicating effectively when everything is on fire?

Very sensitive decision, because every executive wants to be there. They have to feel important. For me, a war room is all about speed and clarity. You only need to let inside the minimal participants. You've got to have a technical responder, right? You have to get legal counsel, communications and HR, and maybe 1 or 2 executive decision makers. Everybody else should wait outside and wait for updates. But in the main war room, only 4 or 5 people.

Okay, so I don't need brand names or company names in this situation, but what I do need is a general idea of your foundational security tool. If you had to pick one single tool that sits at the foundation of your entire security philosophy, what would that be and why?

Yeah, I think for a long time, whenever I come into a new company, one tool I advocate most is the so-called EDR, the endpoint detection and response. This tool, by the way, serves many functions. It's a detection layer, but it's also a prevention layer. And it also helps you in containment and remediation. So it's like a good Swiss army knife that you can use in many scenarios. And I think any company without a good endpoint detection and response is really blind. They can't respond quickly or correctly to cyber incidents.

Act 3
Fade to Black

The threats were real. The damage was done, and the studio, which had always prided itself on controlling the narrative, had completely lost control of its own. In the face of threats against moviegoers, major theater chains across the country, citing safety concerns, made a decision that would send shockwaves through Hollywood. They would not show the movie The Interview in their theaters. This was the climax, the moment the studio blinked. The decision was a capitulation to a terrorist style threat. It was a devastating end to a production that had already cost millions. Sony was left with a finished film, a cultural hot potato, and no way to release it to the masses. The movie was, for all intents and purposes, canceled. A creative work had been silenced, not by a censor, but by a cyber attack. The art was the casualty of a war waged with code.

The fallout was immense and far reaching. The financial losses, reportedly in the tens of millions of dollars, were only the beginning. The breach had exposed a fundamental flaw in the studio's security posture and its corporate culture. Employee lawsuits were filed, lawmakers demanded answers, and in a business built on reputation, the damage was irreversible. The most poignant symbol of this fallout was the fate of Amy Pascal. Months after the devastating leaks, she would step down from her position as co-chair of Sony Pictures Entertainment, a move widely reported as a direct consequence of the embarrassment caused by her own leaked emails. Hers was a career built over decades that ended not with a major film premiere, but with a scandal. It was the ultimate... 'UnHollywood' ending.

The Sony hack was more than just a cybercrime. It was a film that served as a blueprint for a new kind of terror. It proved that a nation state could weaponize embarrassing gossip and intellectual property with the same destructive force as a bomb. It showed that in a world without digital borders, a comedy could be seen as an act of war, and a company's private conversations could become a weapon of mass humiliation. The lessons were brutal and clear. The most dangerous threats may not come from a network's vulnerabilities, but from the culture that governs it. The true security gap isn't in the firewall, but in the trust we place in our digital systems. And the true cost of a breach isn't just measured in dollars and cents. It's measured in careers, in reputations, and in the very price of having your deepest secrets exposed for the world to see.

Okay, so let's learn from the misfortunes and misery of some of the Sony executives here and circle back to internal communications. Whether it's email or Slack or Teams or whatever you happen to be using, how do you coach your leadership, your management team, to think about what they're saying, knowing that their private words could one day become a very public mess if a breach were ever to occur?

Yeah, I think I tell them my golden rule. Never write in an email things that, if they go out there in the world, would embarrass you personally or the company or even your board. So that's my golden rule. Whatever you write in an email or Slack or some communication channel, make certain, or think about, the ramifications. If it gets leaked outside, how would you explain those words?

So there's no doubt, for everyone who is listening to this, watching this, everybody knows that being a CISO is an incredibly tough and demanding role. What is one unconventional or out of the ordinary thing that you do in the role that helps you succeed as a CISO?

Yes, sir. What I usually try to do is make sure every employee in the company understands they are part of my security control, right? So whether you're a developer, a salesperson, or even an executive, you have to understand the system depends on you to be there, and not just to make certain you don't click on emails. But whenever you see something suspicious, you know, like happening in your system, and whenever you see maybe some employee sitting next to you doing things that you shouldn't do, you have to report it, right? Because they are my sensors. My employees are my sensors of security, in addition to my technical controls. And I try to make them understand that they should always be aware of whatever happens around them, not just inside their box.

So The CISO Signal Podcast is all about positivity. So let's, for a second, think about Sony, and for all the criticism and mistakes that we can heap on them, I want to give Sony some credit for what they did right in dealing with this attack from a security leadership perspective. Did anything stand out to you in terms of their response that was commendable?

Yes. So I think what they did admirably was quickly get in touch with law enforcement. I think the public saw it as a very positive act. They were very transparent about their attack. I think once disclosing to the media they were attacked, by the way, by a nation state. And back then, you know, like everyone was really scared of North Korea, right? No one really knew what their arsenal was, what their capabilities were, or how far they're willing to go. Not good for Sony, but it helped them deliver a message, right? That as much as you prepare yourself for a cyber incident, it's very hard, very challenging to be ready for a nation state, especially if you are not federal or, you know, like government or military. And I think once they had the law enforcement agencies working alongside with them, it really helped them speed things along to a better containment, even better media communication, because you have law enforcement on your side now, and it's not really some criminal group that went after you. It's really... it's more forgiving, right, when there's this very amazing hacker group going after you.

Dror, it was a pleasure having you on the podcast. Great speaking with you. I hope you come back and do it again real soon.

With pleasure. Really enjoyed it.

And now our closing. The final scene of this story is not about the end of the hack, but the beginning of a new chapter in cyber defense. The events at Sony Pictures were a grim and public performance, a dress rehearsal for the future of conflict. The breach proved that an organization's greatest vulnerability is often its own people: their emails, their conversations, and their tendency to assume privacy in a world without it. It showed that a well-funded, state sponsored actor could exploit these human flaws to achieve a political objective far beyond simple financial gain. The film was the excuse, the gossip was the weapon, and the destruction was the ultimate objective.

For CISOs, the message from Sony's empty servers and leaked emails is unmistakable. A strong cyber defense is not just about technology, it's about culture. It's about training. And it's about creating a business where every employee understands that their password is a key and their email is a public record. It's about building a company that, when faced with an unprecedented threat, can do more than just survive. It can remain resilient. The Sony hack's legacy is a new kind of final cut, a new truth for the digital age. In this era, the story of a company's success can be just as important as the story of its secrets. And all it takes is one wrong decision, one unguarded thought, one single tragic frame of a film to change the entire screenplay. And so we must remain vigilant and always listening for The CISO Signal.

All episodes are based on publicly available reports, post-mortems, and expert analysis. While we've done our best to ensure accuracy, some cybersecurity incidents evolve over time and not all details have been confirmed. Our goal is to inform and entertain, not to assign blame where facts are unclear. We've used cautionary language and we always welcome your corrections. Thanks for listening to The CISO Signal.