Learning from Sony's Mega-Mistakes
Taking a baseball bat to a hornet's nest is never an advisable strategy. Sony's strategy in defending its intellectual property was heavy-handed and has triggered the "nuclear option" among those it engaged. Perhaps Sony could learn a few lessons from Microsoft in how it has handled Xbox 360 and Kinect intellectual property.
Since the case came to light earlier this month, several new issues have emerged:
1) Sony is "expecting" to bring its network back at the end of May (more than 30 days of outage due to security issues).
2) It's still not clear as to whether the records have been used for financial gain, or whether this was designed to teach Sony and their lawyers a lesson in proportionate responses.
3) Hardware (consoles) plus massive Internet-connected infrastructures require unique penetration testing skills that Sony did not have, but who has such skills?
4) The Sony breach is a wakeup call for companies to integrate the DNA of security into their IT cultures or pay heavily for the consequences.
The reality of cloud data security and PCI-DSS today is that they are ineffective and that there are no consequences for many companies that under-invest in security. You can be sure that the CIO and CSO at Sony responsible for this situation will probably not be fired or held accountable for their poor decisions. Likewise, the auditor responsible for the Sony account will (in all probability, judging by how these situations have played out historically) not be held accountable. The loss of your personal information will (most likely) be nothing more than a "cost of doing business" for this type of company: you will take the pain and they will take a hit to their reputation (maybe).
It is for this reason I am fundamentally opposed to hiding PCI-DSS results as well as SAS70 reports from the public. If you don't have access to the full internal security report of a vendor you are dealing with, you should expect that they have little to no real security and that your data will probably be compromised.
There is abundant technology to prevent this type of breach and/or limit its scope, but Sony chose to not implement it. Putting this much data in a single database that is publicly extractable with no limits is shameful given what is available today to protect against this type of loss.
There is rarely a consequence for the executives responsible for under-investing in security, and no consequence for the auditors responsible for providing an accurate assessment of the risks companies are taking by not investing in security. Fundamentally, there is a financial consequence for Sony, but nothing near what the consequences are for their customers.
I would love to know which auditors were responsible for the shoddy IT security audit of Sony, as well as which executives at Sony were responsible for under-investing in security. Even better would be to see the board of directors toss them out of Sony publicly for not investing in security. Sony should also publicly fire their IT auditors for doing such a poor job. That outcome would be justice for the stockholders and customers of Sony.
As president and founder of Lieberman Software, Philip Lieberman developed the first products for the privileged password management and shared account password management space, and continues to introduce new solutions to resolve the security threat of common local account credentials. He is the chief blogger at Identity Week (www.identityweek.com).