Lessons of the Sony PlayStation hack
Joe Basirico, director of security services, Security Innovation
If we haven't yet been taught to protect our data, certainly the past six months should have changed that.
The market has been saturated with different methods of attacks leading to significant exploits, and they have had a far-reaching impact.
Over the last few weeks, we've seen a number of data breaches from LulzSec and Anonymous, and some major global organizations, like Sony and Citigroup, have suffered monumental data-loss incidents.
The Sony PlayStation Network breach brings up a perfect storm of lackadaisical security measures, outdated and unsecured software and, simply stated, just not paying attention to the warning signs.
It's important that we learn from the systemic problem that allowed it to happen.
A few years back, Security Innovation tested the Sony PlayStation 3 console, and it was evident that the designers' expertise lay with embedded systems, not with systems designed for the internet.
Application performance was superb, but the security behind it was not necessarily up to the same standards.
The Sony PlayStation Network had shifted from a closed, embedded systems provider to a web and internet services content provider. The underlying flaw in this approach was that when it made the move, the team was not properly educated on the differences between developing applications for a closed system and creating programs for an online system.
Sony servers were running outdated software versions with documented vulnerabilities, including the service that encrypted data communication, which in that version allowed unauthorized access. The attackers simply identified that Sony was running software loaded with known vulnerabilities.
Contributing to the problem was the failure to see how the attack surface had expanded, and in what ways the gaming applications were exposed.
If organizations don't have that knowledge, they can't begin to mitigate threats and prevent attacks. The gating factor in this assessment was that the organization needed to adopt a different security model, one aligned with the shift from an embedded to a web-based business model.
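The two failures described above, outdated software with documented vulnerabilities and no clear picture of what is internet-facing, are exactly what a routine inventory check is meant to catch. The following is an added example, not code from the article or from Sony: it compares a service inventory against a baseline of minimum fixed versions and reports the exposed, outdated services first. Every host name, product name, version and baseline value here is a constructed placeholder, not real advisory data.

```python
"""Inventory-versus-baseline check: flag services running below a known-fixed
version, internet-facing ones first. Added example with constructed data."""
import re
from dataclasses import dataclass


def parse_version(text):
    """Turn '2.2.14' or '1.0.0c' into a comparable (numbers, suffix) pair.

    Tuples compare element by element, so (2, 2) < (2, 2, 14) and a trailing
    letter suffix such as 'c' < 'd' orders correctly within the same release.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)([a-z]*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2)


@dataclass(frozen=True)
class Service:
    host: str
    name: str
    version: str
    internet_facing: bool  # part of the external attack surface?


# Constructed baseline: the minimum version per product below which documented
# vulnerabilities exist. Placeholder products and versions, not real advisories.
BASELINE = {
    "httpd": "2.2.17",
    "tls-gateway": "1.0.0d",
    "auth-api": "3.4.0",
}

# Constructed inventory, as a CMDB or scanner export might provide it.
INVENTORY = [
    Service("web-01", "httpd", "2.2.14", True),
    Service("web-01", "tls-gateway", "1.0.0c", True),
    Service("web-02", "httpd", "2.2.17", True),
    Service("build-07", "httpd", "2.0.63", False),
    Service("auth-01", "auth-api", "3.4.2", True),
]


def is_outdated(service, baseline=BASELINE):
    """True when the service runs below the baseline's minimum fixed version."""
    minimum = baseline.get(service.name)
    if minimum is None:
        return False  # product not covered by the baseline: track separately
    return parse_version(service.version) < parse_version(minimum)


def find_outdated(inventory=INVENTORY, baseline=BASELINE):
    """Return outdated services, internet-facing first, then by host and name,
    so the widest exposure is triaged before internal-only hosts."""
    hits = [s for s in inventory if is_outdated(s, baseline)]
    hits.sort(key=lambda s: (not s.internet_facing, s.host, s.name))
    return hits


def report(inventory=INVENTORY, baseline=BASELINE):
    """Human-readable lines for the outdated services."""
    lines = []
    for s in find_outdated(inventory, baseline):
        exposure = "EXPOSED" if s.internet_facing else "internal"
        lines.append(f"{exposure:8} {s.host:10} {s.name:12} {s.version} < {baseline[s.name]}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

The sort order is the point: a patch backlog is only useful if the services reachable from the internet come out on top, which is what the "exposed first" key does. In practice the inventory would come from a scanner or asset database and the baseline from vendor advisories rather than from hard-coded placeholders.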
Where do we go from here?
It's a natural reaction to want to simply “add more security” after an exploit or a breach.
It's a reactive measure that is designed to satisfy some immediate needs. However, prevention isn't derived from installing a new firewall to protect an out-of-date server.
We have to dig deeper into the problem and realize that the software application layer is where the data is most vulnerable, as the Sony breach clearly illustrates.
Here are some best practices that all organizations need to consider:
- Train all technical personnel, on an ongoing basis, in the principles of secure software application development, both fundamental and advanced.
- Implement an effective means of assessment: identify gaps in the software development lifecycle, understand where vulnerabilities exist and apply the correct remediation.
- Have the right mix of people, process and technology. Again, it's not necessary to have every security solution on the planet, but employees need to adhere to best practices in their defined roles.
- Ensure that all developers have some type of reference guide they can draw on to help them ultimately write secure code.
By all estimates, many are expecting the Sony breach to cost the company more than $1.5 billion. The average cost per record lost, according to a recent Ponemon study, was $214 per record, a $76 increase from $138 per record in 2005.
Sony actually got away with a lesser impact than expected, considering that their PSN breach only cost them $171 million. That is, if the most recent numbers are correct.
Sony will most likely be more concerned with how these breaches will affect its reputation, and therefore its overall business, which is exactly why security should be top of mind for any company whose revenue is predicated on doing business on the web. The IT security staff within your organization should be viewed from the top down as a revenue retention group and supported in their efforts.