The news cycle is abuzz with the Sony hack. As I learn more, I can only shake my head in disbelief at two things: 1. the media's lack of understanding of basic technology concepts and its lazy attempts to coherently explain how IT security and breaches actually work, and 2. how careless and cavalier Sony was about the IT security measures it put in place.
Here’s a quick rundown of what I’ve been able to dig up on the Sony breach.
Sony’s Audit Report According to Our Analysis
| Sony's Exception | Proof | Suggested Control Improvement |
|---|---|---|
| 1. The Executive Director of Information Security talked auditors out of reporting failures related to access controls that would have resulted in Sony being non-compliant with SOX (Sarbanes-Oxley) in 2005. | Link | Don't brag about your weak IS controls in a major publication. |
| 2. Sony's password policy was notoriously weak, and passwords were even stored unencrypted on the corporate network in Microsoft Word documents. To add insult to injury, the file was even called passwords.doc. | Link | Password Policies: A strong, enterprise-wide password policy should be enforced, incorporating the following elements: |
| 3. Data retention policies were apparently non-existent, as the company was found to be housing Social Security numbers, salary information, healthcare files, and more. | Link | Data Retention Policies: A compelling organizational requirement or business justification must be established for the retention of any potentially sensitive information or Personally Identifiable Information (PII). |
| 4. Data was not properly categorized, secured, and encrypted. Intruders simply waltzed into Sony's internal network and began lifting sensitive data. Had data been properly classified and sensitive data encrypted, the impact of the breach would have been greatly reduced. | Link | Information Classification Policies: At a minimum, the following elements should be included in an information classification policy and enforced. |
| 5. Sony's own employees complained that the network security was a joke. When your own staff and internal experts are telling you there is an issue, it is the responsibility of senior management to respond. | Link | Whistle-blower reporting: Employees can report security incidents to information security management via hotline, email, or the IS web portal available on the company intranet. |
| 6. Sony is in the process of cutting 5,000 workers. This will surely result in a few disgruntled employees here and there. Couple disgruntled employees with weak logical access and password policies and you have a recipe for disaster. | Link | Logical Access Controls: At a minimum, the following elements should be included in a logical access policy and enforced. |
Sony's leadership is on the record as not respecting the recommendations of either internal or external auditors. The organization displayed cavalier and careless behavior and broke many of the simplest rules of IT security, leading to a breach that was probably, in reality, nothing more than an intruder walking through a door that was never locked in the first place.
Basic safeguards and simple best practices can go a long way toward protecting the reputation of your organization and the private information of countless potential victims.