The news cycle is a buzz with news of the Sony hack. As I learn more, I can only shake my head in disbelief at two things: 1. the lack of understanding of basic technology concepts and the lazy attempts to coherently explain how IT security and breaches actually work by the media, and 2. Sony was so careless and cavalier in regards to its IT security measures put in place.

Here’s a quick rundown of what I’ve been able to dig up on the Sony breach.

Sony’s Audit Report According to Our Analysis

Sony’s Exception Proof Suggested Control Improvement
1. The Executive Director of Information Security talked auditors out of reporting failures related to Access Controls which would have resulting in Sony being SOX (Sarbanes-Oxley) incompliant in 2005. Link Don’t brag about your weak IS controls on a major publication.
2. Password policy was notoriously weak at Sony and even stored unencrypted on corporate network in Microsoft Word documents. To add insult to injury, the file was even called passwords.doc. Link Password Policies: A strong, enterprise wide password policy should be enforced, incorporating the following elements:

  • Include uppercase and lowercase letters, numbers, and symbols in all passwords.
  • Enforce the use of space characters and characters that can be produced only by pressing the ALT key.
  • Require longer passwords (8 or more characters, with special characters #, %, *, etc.). 15 character passwords are recommended.
  • Enforce account lockouts for repeated incorrect password guesses (10 incorrect guess maximum) to prevent brute force attacks.
  • Enforce mandatory password resets (preferably at least every 60 to 90 days) with password history enabled
3. Data retention policies were apparently non-existent as the company was found to be housing Social Security numbers, salary information, healthcare files, and more. Link Data Retention Policies: A compelling organizational requirement or business justification must be established for the retention of any potentially sensitive information or Personally Identifiable Information (PII).
4. Data was not properly categorized, secured and encrypted. Intruders simply waltzed into Sony’s internal network and began lifting sensitive data. Had data been properly categorized and sensitive data been encrypted, it would have greatly reduced the impact of the breach. Link Information Classification Policies: At a minimum, the following elements should be included in an information classification policy and enforced.

  • Information should be properly classified/tiered and mapped to employee classifications to limit access based on business need to authorized individuals only.
  • Proper IT controls should be in place to limit logical and physical access to data and media which stores data.
  • All sensitive information should be encrypted in transit and at rest within the organization’s network.
  • Sensitive information should not be stored on any externally facing systems and should be secured in an internal network segregated from the DMZ and controlled via firewall/router configurations.
  • Logs which monitor read/write access to systems to sensitive data should be properly stored, retained and monitored/audited by Information Security staff.
5. Sony’s own employees complained that the network security was a joke. When your own staff and internal experts are telling you there is an issue, it is the responsibility of senior management to respond. Link Whistle-blower reporting: Employees can report security incidents to information security managment via hotline, email, or the IS web portal available on the company intranet.
6. Sony is in the process of cutting 5,000 workers. This will surely result in a few disgruntled employees here and there. Couple disgruntled employees with weak logical access and password policies and you have a recipe for disaster. Link Logical Access Controls: At a minimum, the following elements should be included in a logical access policy and enforced.

  • Logical access for all employees should be periodically (at least quarterly) reviewed to verify that access aligns with business need.
  • Strong change management procedures should be in place to verify that access is properly granted and removed as employees are on boarded, terminated or reclassified within the organization.
  • Periodic audits should take place to ensure that access databases align with HR databases.

Conclusion

Sony’s leadership is on the record as not respecting the recommendations of either internal or external auditors. The organization displayed cavalier and careless behavior and broke many of the simplest rules of IT Security, leading to a breach that was probably in reality, nothing more than an intruder walking through a door that was never locked in the first place.

Basic safeguards and following simple best practices can go a long way in safeguarding the reputation of your organization and protecting the private information of countless victims.