Enterprise IT Watch Blog

May 16 2011   3:57PM GMT

Lessons from the Sony breach: Three ways to avoid a repeat

Melanie Yarbrough

Wonder how Sony’s holding up after its recent data breach? It was another blow to the gut after March 11’s earthquake in Japan slowed production at Sony. Costs will only rise as the entertainment company amps up its security and begins to compensate its customers.

As Eric Holmquist told SearchSecurity.com in a Security Squad podcast, “It really is unfortunate that it often takes an event to get people to do things better.” So what do you do if your job goes beyond managing a network to renewing confidence in that network?

3. Don’t let your competition show you up: Sony has competition coming from Nintendo, Samsung, and Apple as it tries to push its content via its game consoles and other hardware. The day after Sony announced its breach – a good seven days after the breach was discovered – Xbox alerted its users to possible phishing attempts during Modern Warfare 2 play. A minor alert, but still a way to show your users that you are keeping a close eye on your network and their data, and updating them on anything fishy.

2. Encrypt that data: With constant monitoring of Facebook’s security policy and just how far Google or the iPhone can reach into your personal information, it’s essential to care about your customers’ privacy as much as they do. As David Watkins reported, “Consumer trust in security is crucial to the success of such ‘cloud-based’ systems, say analysts, and the fact that Sony failed to encrypt some of its customers’ personal data has undermined confidence, they say.” If you’re going to be playing with the big boys’ infrastructures, you’ve gotta adopt their security measures as well.

Some of Sony’s disgruntled users dug into the poor security practices that continue to come to light:

Given these further delays, I can suspect one of two things.

First, they had absolutely no relative backups of the systems that were compromised. Either they were way too far out of date, or they just simply didn’t have any. They are rebuilding their entire infrastructure from scratch.

Second, they had almost zero security in place up until the time of the attack. Now that they got burned, they are spending this time to engineer a completely new security infrastructure. I tend to lean towards this one as the “final” testing they alluded to has poked some holes in their new set-up that need to be fixed further.

Either way, this is truly amateur hour at Sony.

Another user wrote:

So as a software engineer, I find this absolutely funny as all hell.

From the reports I have read, they were either running 2 year old, un-patched Apache Web Servers. Now this given the complexity of their system, let’s say they were running jBoss instead of Tomcat servers, and most likely Apache load balancers as well. On top of all of this they had no firewall running on the web servers as well.

The great thing about open source products is that if there is ever a vulnerability, it is quickly found and patched. The down side of this is everyone knows about them. Which would be fine, if YOU PATCHED YOUR DAMN SERVERS, and don’t even get me started with the whole no firewall thing. The start up I worked at a few years ago, with 8 people in the company, had better damn security than Sony.

1. ‘Fess up: One of the main criticisms of Sony is that the victims of the breach were not immediately notified. While it’s never pleasant to be informed that your information has been compromised, it’s much worse to find out days later. Not ‘fessing up in due time can have dire consequences, and is one way to ensure that you lose even more of your customers’ confidence.

The breach, which according to recent reports came from a rented space on Amazon’s EC2, has brought to light the embarrassing state of security that is often found even in large companies that control millions of users’ information. The best defense is a good offense, which is what Sony is promising its customers with several security implementations, as outlined by Ben Cole at SearchCompliance:

  • Added automated software monitoring and configuration management to help defend against new attacks.
  • Enhanced levels of customer data protection and encryption.
  • Enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns.
  • Implementation of additional firewalls.

Whether your company holds the sensitive information of its users or just of the company, it’s important to ensure the minimum of network security is in place. Breaches happen, even against the best protected networks; the real test is how you deal with the aftermath.

What do you think of Sony’s response to the breach? Let us know in the comments section or send me an email at Melanie@ITKnowledgeExchange.com.

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.
