The news cycle is abuzz with news of the Sony hack. As I learn more, I can only shake my head in disbelief at two things: 1. the media’s lack of understanding of basic technology concepts and their lazy attempts to coherently explain how IT security and breaches actually work, and 2. how careless and cavalier Sony was with regard to the IT security measures it had in place.
Here’s a quick rundown of what I’ve been able to dig up on the Sony breach.
Sony’s Audit Report According to Our Analysis
| Sony’s Exception | Proof | Suggested Control Improvement |
| --- | --- | --- |
| 1. The Executive Director of Information Security talked auditors out of reporting failures related to Access Controls, which would have resulted in Sony being SOX (Sarbanes-Oxley) non-compliant in 2005. | Link | Don’t brag about your weak IS controls in a major publication. |
| 2. Password policy was notoriously weak at Sony, and passwords were even stored unencrypted on the corporate network in Microsoft Word documents. To add insult to injury, the file was even called passwords.doc. | Link | Password Policies: A strong, enterprise-wide password policy should be enforced, incorporating the following elements: |
| 3. Data retention policies were apparently non-existent, as the company was found to be housing Social Security numbers, salary information, healthcare files, and more. | Link | Data Retention Policies: A compelling organizational requirement or business justification must be established for the retention of any potentially sensitive information or Personally Identifiable Information (PII). |
| 4. Data was not properly categorized, secured, and encrypted. Intruders simply waltzed into Sony’s internal network and began lifting sensitive data. Had data been properly categorized and sensitive data encrypted, the impact of the breach would have been greatly reduced. | Link | Information Classification Policies: At a minimum, the following elements should be included in an information classification policy and enforced. |
| 5. Sony’s own employees complained that the network security was a joke. When your own staff and internal experts are telling you there is an issue, it is the responsibility of senior management to respond. | Link | Whistle-blower reporting: Employees can report security incidents to information security management via hotline, email, or the IS web portal available on the company intranet. |
| 6. Sony is in the process of cutting 5,000 workers. This will surely result in a few disgruntled employees here and there. Couple disgruntled employees with weak logical access and password policies and you have a recipe for disaster. | Link | Logical Access Controls: At a minimum, the following elements should be included in a logical access policy and enforced. |
Conclusion
Sony’s leadership is on the record as not respecting the recommendations of either internal or external auditors. The organization displayed cavalier and careless behavior and broke many of the simplest rules of IT security, leading to a breach that was probably, in reality, nothing more than an intruder walking through a door that was never locked in the first place.
Basic safeguards and following simple best practices can go a long way in safeguarding the reputation of your organization and protecting the private information of countless victims.
Cyber security isn’t that hard. Getting people to change their attitude about it: impossible.
Excellent post, Shane. Sadly I don’t think this kind of incident will have the positive impact that it should. As I understand it, this hack doesn’t have any external facing impacts that would grind any consumer-based company to bits. The story in the mainstream media is the sensational gossip and how Sony looks like fools. They don’t have to face the wrath of a customer base that could turn its back on the company. In general, the movie-going public isn’t affected and will still go see their movies. And I imagine many companies won’t heed the warning.
Steve – I think what happened to Sony will (hopefully) at least serve as a lesson to other companies of the real cost of reputation loss and the value of private communication. It is also a reminder that foreign and underestimated bad actors can cause havoc if you aren’t doing the right things.
If I were an executive, this incident would make me take securing my communication and data very seriously.
I agree with you Christian. These security measures are very basic and they should have been put in place.