Sony has spent $171 million cleaning up its massive data breach. One security firm outlines mistakes.
Spring 2011 has not been good for executives at Sony. Security vendor Lumension Security put together a graphic depicting the timeline of the massive Sony breach. The firm also outlined what it calls missteps that likely cost the firm further embarrassment and money.
Sony’s PlayStation Network was taken down April 20 while a forensics team investigated the scope of the Sony breach. By May 2 the breach affected an estimated 100 million people and spread to its Online Entertainment division.
The firm has implemented additional security measures, but on May 18, the firm discovered a vulnerability in its password reset application causing another short outage.
Sony’s high-profile data breach is one of a slew of breaches that marked the beginning of 2011. Each one casts light on security weaknesses – configuration issues, vulnerabilities and social engineering threats – that combine to give a roadmap to cybercriminals attempting to gain access to systems.
Last month, Mandiant Corp. CSO Richard Bejtlich told my colleague Eric Parizo that it’s time for new innovative approaches to defend against attacks. Bejtlich advocates counter-threat operations for larger organizations that can afford it. Those organizations can go on the offensive to “actively hunt for intruders in their enterprise.”
Others are calling for a renewal of the basics:
- Review your security policies. Are they effectively communicated to employees? How are they enforced? Experts say improving communication goes a long way toward reducing data leakage. Employees are introducing devices onto the network, but many may not know what their company’s security policies are or whether they’re even enforced. Some employees who deal with sensitive data assume that an underlying technology is keeping them safe.
- Conduct a data audit (easier said than done) to find out where your most sensitive data resides on your systems. Experts say companies often deploy security technologies without even knowing where their data resides. This practice would have saved Sony further embarrassment. It found an exposed server containing credit card data that dated back to 2007.
- Ensure your security technologies are properly configured. Often Web application firewalls or other security devices are put in place to serve a compliance mandate, but far too often they’re set with so few policies that they have little impact on threat mitigation. Organizations that take the time to tune security devices to weed out nefarious activity or alert on a suspected anomaly can avoid a protracted breach and may even detect an attack in progress, as RSA did on its systems.
- Conduct a vulnerability assessment of Web facing applications and systems. As we’ve seen from the recent Verizon Data Breach Investigations Report, cybercriminals will almost always choose the low-hanging fruit for a point of entry. A thorough assessment of Web applications and the underlying infrastructure they’re connected to will make it more difficult for an attacker to penetrate a network.
- Prepare for a breach. It’s going to happen, experts say, so plan ahead for the inevitable. Companies with a contingency plan in place and a centralized incident response team led by a strong leader often suffer less pain. Again, it’s easier said than done, but there are some key steps to take for incident response planning.
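The data audit step above is the one most often skipped because it seems open-ended. As an added example (not code from the article, Lumension or Sony), here is a small data-discovery scanner that walks a directory tree, flags files containing payment card numbers, and reports them masked so the audit itself does not re-expose the data. The file tree, file names and card numbers it scans are constructed for the example; the card numbers are the well-known test values, not real accounts.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Candidate primary account numbers (PANs): 13 to 19 digits, optionally separated by
# spaces or dashes, and not embedded in a longer run of digits. The regex only finds
# candidates; the Luhn check below removes most false positives (ticket ids, timestamps).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so a finding can be reported safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans_in_text(text: str) -> List[str]:
    """Return masked, Luhn-valid card-number candidates found in a block of text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_directory(root: Path, max_bytes: int = 1_000_000) -> Dict[str, List[str]]:
    """Walk a tree and return {relative path: [masked PANs]} for files holding card data.

    Files larger than max_bytes are skipped; binary content is read leniently as text.
    """
    findings: Dict[str, List[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        hits = find_pans_in_text(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_tree(root: Path) -> None:
    """Write a constructed file tree: one forgotten export with test card numbers,
    plus files full of digit strings that should NOT be reported."""
    (root / "exports").mkdir()
    (root / "exports" / "orders_2007.csv").write_text(
        "order_id,card,amount\n"
        "1001,4111 1111 1111 1111,59.99\n"      # Luhn-valid test number
        "1002,5555-5555-5555-4444,12.00\n"      # Luhn-valid test number
    )
    (root / "README.txt").write_text("Ticket 20070412 was closed. Call 555-123-4567.\n")
    (root / "logs").mkdir()
    # 16 digits but fails the Luhn check, so it is a reference id, not a card
    (root / "logs" / "app.log").write_text("user=alice ref=1234567812345678 status=ok\n")


def demo() -> Dict[str, List[str]]:
    """Build the constructed tree in a temp directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_directory(root)


if __name__ == "__main__":
    for rel_path, pans in demo().items():
        print(f"{rel_path}: {len(pans)} card number(s) -> {', '.join(pans)}")
```

Run it against a real file share by replacing the temp directory in demo() with the mount point to audit. The output is an inventory of where card data actually lives, which is the input every later control (encryption, retention, firewall rules) depends on; the masking keeps the audit report itself from becoming another copy of the sensitive data.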
Taking these steps won’t stop a determined attacker, but they may stall a cybercriminal long enough for alert systems to flag an anomaly and a response team to isolate and ultimately reduce the extent of a data breach before it spirals out of control.