Sony’s PlayStation Network is reported to have 70 million registered users worldwide. On May 2, 2011, Sony issued a statement that 12,700 credit cards and 24.6 million user accounts were compromised. The stolen data included names, addresses, dates of birth, passwords, security questions and answers and credit card information.
This compromise is said to be one of the largest and most high-profile online data thefts to date. The theft raised major concerns in the industry because many people use the same password for all of their online services. In addition to Sony, online retailer Play.com in March of this year informed customers that someone or some group hacked into its computer systems and stole e-mails and personal information. In January, cosmetics company Lush admitted that credit card data belonging to customers had been stolen.
So why are we hearing about so many companies being hacked? Are they controlling access into their computer systems effectively so that they can identify unauthorized entry? Sony faced many questions about how it handled the theft of its confidential data partly because initially Sony indicated that there was no evidence that credit card data had been obtained.
Serious data breaches are primarily the result of persistent hackers whose aim is either the destruction of systems or the collection of financial data to use for illegal purposes. In the wake of Sony’s woes, it is clear that better control of virtual systems and the identification of illegal users are necessary in order to reduce possible breaches into computer networks. No different from the physical security world, the virtual security world needs to have strong access control and identification protocols in order to detect and deter intruders who try to access computer systems illegally.
In Sony’s case, the lack of access control and identification of unauthorized users cost the company an estimated $2 billion. That lack of control and identification cost it customers who switched systems so they could continue to play games online, revenue from its online store that was down for about a month and the expense of three forensic computer teams required to identify breaches and determine the extent of the stolen data. News reports indicated that the attack may have been due to outdated security software. In addition, the version of software that Sony ran was known to contain errors that could permit unauthorized access.
The key to reducing attacks through identification and access control processes starts with an assessment of prevention systems, the continued updating of software and preventive systems and consistent and regular audits of systems. Access control means firewall deployments with assurance that the current rules and processes are maintained. Provide secure remote access with strong authentication techniques. Establish an effective identity and access management strategy that focuses on single sign-on capabilities. Establish guidelines for developing secure applications that include threat modeling, code reviews and security testing. A final consideration might be to investigate technologies such as Encrypting File System to encrypt and protect business-critical files, the use of multi-factor authentication techniques such as smart cards or biometrics for critical accounts, or even developing a strategy for rapidly deploying the latest updates to all operating systems and applications.
Monitoring and auditing are key to network security – a secure environment requires a proactive strategy that includes audit networks and identification systems configured in ways that will identify users and systems that do not meet standards. Include the regular review of client and server logs to look for attack patterns. Install intrusion detection systems to monitor access to business-critical systems and to help identify portions of systems that have been compromised. Look at all aspects of electronic communication and data manipulation throughout the IT enterprise, including all instant messaging, file transfer, chat, e-mail, online meetings and webinars, plus all data creation, change, storage, deletion and retrieval.
Important to access control and identification is the establishment of an incident response process to help minimize adverse effects to the network and to collect data that helps network security teams better secure systems against future threats. Network administrators should use a backup and recovery strategy to restore services and data quickly by utilizing a local standby server or a remote server to software applications. Use the latest quarantine technologies and update systems on a regular basis with the latest virus and hacker information. Install current patches on a regular basis. Conduct disaster drills, business continuity exercises and validation testing and, for larger systems, maintain a full-time consultant who is an expert at breaching systems.
Because many companies have not taken the security of their networks seriously, breaches have cost them and their customers billions of dollars. In the case of Sony Corporation, it is clear that even the excessive purchase and installation of software and the hiring of virtual security personnel would have saved them $2 billion.