Security is not evidenced merely through the absence of harm.  A harming event may be transpiring in this moment, not yet apparent.     –  a B-TW warning.

You may remember my discussion of Sony’s earlier breach in my article, “Sony is Sorry.”  I don’t mean to be mean, but that can be taken a couple of different ways.

It was an apology, but now Sony is looking to be in rather a sorry state of affairs:  They’ve been hacked again.  Sony in Japan’s customer rewards site was broken into by an intruder, and that intruder stole virtual points worth the equivalent of $1,225 from account holders.  Not a whole lot in terms of theft, but the fact that access was gained is a very worrisome thing – particularly as a follow-on to what happened at Sony earlier.

What happened earlier was the stealing of personal information when the Sony PlayStation network was hacked, as well as Sony Online Entertainment.  

“What we’ve done is stopped the So-Net points exchanges and told customers to change their passwords,” So-Net, Sony’s ISP unit in Japan, said in a statement. 

At present, the company says that the breach seems to be limited, and no accounts are at risk other than those immediately affected. 

The company further states, “At this point in our investigations, we have not confirmed any data leakage. We have not found any sign of a possibility that a third party has obtained members’ names, address, birth dates and phone numbers.”

Unnamed security experts have said that Sony’s world-wide networks remain vulnerable, according to Reuters news agency. 

For that matter, I supposed we’re all vulnerable.  As noted, the mere absence of evidence of something harming is not necessarily a “secured state.”  Only through ongoing survey of systems, and a forward-thinking security posture, can you be reasonably certain that you are secure; that the environment is secured.  Even then, there are no guarantees in this world.

Do your best, and then quickly do better.

Firewalls, intrusion preventions, virus scans, surveys for malware, antispyware, e-mail protection, and so on – are no good if someone is not surveying reports and taking note of the warnings yielded.

Also, you must take note of the successfully thwarted attempts, to remain cognizant of where attempts are coming from and what sort of entities are mounting them - in making best attempt to project and predict where threats are going in their nature, and where they’ll be coming from in the future. 

You need a very proactive, evolving, and agile posture as regards threats and security. 

Ensure that those who are on the forefront of securing your organization get it.

Is Sony sorry?  They said they are…

NP:  Thelonious Monk, Straight, No Chaser.  On CD (cleansing with vinyl later…)

Did you ever notice the similarity between the words “Sony” and “Sorry”?  I’m just sayin’ – it’s uncanny.

“Sorry” – so says Sony’s Chief Executive Officer Howard Stringer.  Sony’s recent breach, which I talked a bit about here, and here, is thought to be the biggest ever.  Data from more than 100 million accounts has been compromised.  One.  Hundred.  Million.

Sony’s PlayStation blog carried the CEO’s apology:  “As a company we – and I – apologize for the inconvenience and concern caused by this attack.” 

Something for companies to keep in mind in the overall swim of risk we’re in:  Sales, revenue, and reputation, are heavily weighted within bad outcomes such as security breaches.  A big one like this makes a consumer think twice before buying something, before subscribing to a service, before entering crucial personal information online – things like credit card numbers in the service of a purchase, and all manner of other central personal data.

The Zone:  The really, really, really bad thing about any data breach is that… even if it’s the first and (thus far) only one, a company is now in a particular zone.  That zone is a sort of permanent breath-holding posture:  Will there be a second breach, whether soon or down the road?

A second breach could well sink a company’s reputation permanently.  Ensuing that there’s never a first breach is paramount.  Companies must actively survey for risk, must continually make present circumstances better, and must evaluate new products, services and implementations against new avenues of risk.  All of this must be done with prudent concurrent survey for what’s going on, on the outside – breaching entities are ever-more sophisticated and powerful.

Employees must be oriented upon hire according to best security practices generally, and to practices specific to the company’s position, products, and potential vulnerabilities (absent strong controls) that are unique to its market and presence in it, etc.  Going forward, all employees must then undergo regularized security training.  That schedule is up to each individual company, within its own assessment of risk, vis-a-vis budget, time, and potentials.

As we’ve noted before:  All activity must be viewed through a security prism.  For anything you do:  What effect does this action have on “the other end”?  Does this process/transmission/implementation put data at risk of exposure?  Does what we’re doing open a hole into our environment, or weaken a defense posture, for creating potential breaching conditions?

Stay safe out there.

On this day:  In 1906, a “temporary” permit was issued in San Francisco to erect overhead wires on Market Street.

Just kidding – it’s only Part 2.  (Please see first article, just below this one for reference).

Sony has said that this information has been compromised:  User name; address; country; e-mail address; birthdate; PlayStation Network/Qriocity password and login; and handle/PSN online ID.

Wow – that’s quite a bit.  But it gets worse, and I always hate the “maybe(s), might have been(s)…” etc. – there may have been breach of user billing address, purchase history, and various password security answers.  Ouch.

I had to laugh at some counsel from the Washington Post Business with Bloomberg section (which I saw online – I no longer reside in DC, but have many fond memories…):

This is certainly a big data breach and spells a lot of trouble for Sony’s image, but there’s no need for consumers to panic.  Just deal with it the same you deal with any data breach…

Yah.  No big deal…  handle it like that last breach you suffered through – and, hopefully the next one won’t be any bigger a deal than this one either.

Now, I don’t advocate panicking – I’m all about serious, straight-ahead tackling of problems – establishing empirical measures and solutions, for meritorious outcomes and protections.

But frankly, a rather casual attitude seems to exist here – paired with some good advice, make no mistake – I like it the advice.  But, in the realm of risk, unmanaged possibilities become probabilities. 

And here, Sony had tipped into the realm of probability:  Given the outcome, there can be no argument.  Let’s understand this fully for anyone and their position in today’s Weave: 

1.      Sony was in the realm of risk – we’re all there, particularly if we have any kind of online presence and business.  Risk – assumed and beyond:  Acknowledged.

2.      Sony entered a zone of unmanaged possibilities; again, given the outcome, there can be no argument.  The possibilities were engendered by someone who was not surveying the environment adequately, nor putting in place the prudent, forward, security posture and measures necessary.  (Note:  This is not fault-finding; the “someone” or “someones” may not have been able to survey adequately; may have been inhibited by budget; lack of training; or maybe the appropriate “someone,” department, security posture, etc., was simply missing in action at Sony).

3.      As usual, the unmanaged possibility manifested as a probability – and – the probable happened, as it always must – simple odds favor the probable, to the point that an unmanaged probable will always manifest.

Odds favor the probable, and left unattended, the probable will always manifest.

Thus, in the realm of risk, unmanaged possibilities become probabilities.

Survey your domains.

NP:  Yardbird Suite, Charlie Parker, www.Jazz24.org – followed by Keep on Gwine, Stanton Moore…  all I can say is… wow – each over 13 minutes of fine, fine, fine jazz…

Oh my:  Even children at play (and adults, too) are not safe – but we knew that.  It’s a cold, cruel world.

Apparently birthdates, e-mail addresses, and purchase histories have been “accessed” (therefore, for purpose of liability assessments, assume:  “Stolen”).  Too, credit card info may have been stolen, but Sony doesn’t know for sure – last time I checked.  (I guess you could say last time they checked!). 

However, PlayStation users are advised to check their accounts.  I’m glad I’m not a “player,” at least in this context.  For those of you who are parents, with kids, with PlayStations, you’re going to want to run this to ground to your own satisfaction.  Check with your card providers – and I’d do it by phone…

Sony says the attack is “malicious” in nature, and has hired an outside security firm to investigate.  Hmmm… methinks they hired the outside firm about a week too late.

Going forward, beware e-mail spoofs and phishing schemes:  That is, official looking e-mails that purport to be from your bank/credit card provider(s), and while we’re at it, from Sony too.  Breaching entities can strip official logos and authentication screens – an entire website’s “oeuvre” – allowing you to think you’re logging in to “XYZ-CreditCardCo.com” – you fill in credentials (ID and password; again filling a hack situation)… when in fact you could leave the fields blank and access the dummy site.  But, you’ve entered the critical info… and then… the site asks for all sorts of “further authentication.”  Oops.

How the heck does Sony get breached, hacked, violated… anyhow?  Aren’t they… big?  Protected with the latest security measures?  Are they not on the RFE (Responsible Forward Edge)?  Don’t they know what they’re doin’?  Um…

When Sony’s system is back up, change your ID(s), password(s), and any other authenticating/security/credentialing information.  Immediately.

Just to be sure.

NP:  Powerage – AC/DC.  Ok, a departure from my usual old-school, straight-ahead, jazz references.  But… someone here at S-bucks mentioned the band, and I just had to weigh in with my 3 concert experiences; two with original singer Bon Scott – and those were… simply… amazing.