There’s been a lot of commentary and gotcha-style journalism surrounding the Sony data breach, but not much constructive criticism.
Yes, the breach could easily have been prevented. Had Sony enabled fairly standard firewall technology and kept its systems up to date with the latest patches, most likely none of this would have happened.
Since most of us have enabled firewalls on our personal computers and are aware of the risks if we don’t, Sony’s mistake immediately smacks of foolishness. But setting up protection for a network of 100 million users is a little different than protecting the Mac in your living room.
Sony’s breach is a valuable lesson for many organizations considering a transition to the cloud. Already the media is reporting that businesses are rethinking it. And that’s a good thing.
Any transition from one kind of data system to another needs serious thought. That’s the Sony lesson: Migrating data from a traditional system to a new technology must be done very carefully. Shifting from classical to cloud isn’t as easy as the snappy alliteration makes it seem.
Whatever move your data is making, you must ensure all relevant security measures are enabled. If the servers are connected to the Internet, yes, Sir Howard Stringer, you need a firewall. But even if they aren’t, you need to ask questions such as: What information is guarded? How is it guarded? What is the scalability, and how can it be exploited? How do we know that someone is after our data?
The second lesson we can learn here is the rule of maximum leverage. Leverage all security elements to maximum potential. Businesses of all sizes have a patch management policy, most likely executed by an inside professional security team. It would have been to Sony’s benefit to have such a functioning policy in place, and, with 100 million users, to make sure it’s as rigorous as possible, with tight control on its execution.
We often use words like “robust,” “comprehensive,” and “strong” to describe security programs. Nice as that may sound, security isn’t only about the strength of a system, but about the mindset of the people working it. Have they asked all the questions? Have they covered all their bases? Whenever data is transitioned, someone needs to know enough to ask the right questions. The human element is the most important security element. It is human creativity that pushes technology to its maximum functionality. Security needs a vision and a strong ruler fully supported by executive management. After all, someone has to flip that firewall switch.
Ondrej Krehel, Chief Information Security Officer, Identity Theft 911
Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.