Sony has created a new CISO position and is implementing additional firewall protections and other safeguards after...
multiple data breaches of its systems resulted in the exposure of sensitive data on at least 100 million of its customers.
The company is one in a line of large businesses struggling with high-profile data breaches that have marred the first few months of 2011. RSA, the Security Division of EMC Corp., is still investigating a breach that may have exposed its most precious asset: intellectual property. Marketing services firm Epsilon Data Management, which handled customer email addresses and other information for dozens of major companies, including RSA, suffered a massive breach of its systems.
Sony executives have apologized for the security lapses and are giving customers free credit monitoring, a standard move following breaches. But security experts say Sony’s breach highlights a number of lapses, including the inability of the company to isolate its customers’ sensitive payment data from the rest of its systems. Sony’s initial breach affected 77 million users of its PlayStation Network, but a week later, the firm disclosed that a server tied to its Online Entertainment division containing credit card information dating back to 2007 was also exposed, potentially affecting an additional 24 million people. And, a third breach of its systems in Japan could affect millions of more Sony customers.
The recent breaches point to a need for better data security management in the enterprise, experts say. Too often, companies focus on infrastructure and system security improvements, but fail to take an inventory of the data residing on remote systems, says Eric Holmquist, president of security consultancy Holmquist Advisory.
“I’ve seen so many instances where people can evidence all the technology, all the procedures and all the policies and you say, ‘Great, where’s the data inventory?’ and you get blank stares,” Holmquist says. “It really is unfortunate that it often takes an event to get people to do things better.”
Jon Gossels, president and CEO of consulting firm SystemExperts, says he advises all companies, large and small, to measure themselves against the ISO 27002. The framework helps organizations formalize security policy, manage their assets more closely and bridge operations management, risk analysis and access control.
“Understand the way your business is supposed to operate, the way it actually operates and figure out the gaps,” Gossels says.
Gossels says the Sony breach shares similarities to breaches at other organizations. Oftentimes, organizations aren’t running the latest software. Even if they are running updated software, a configuration error can lead to weaknesses, he says. According to the 2011 Verizon Data Breach Investigations Report, nearly all the data breaches analyzed exploit configuration weaknesses or “inherent functionality of the system or application.” In fact, Verizon found only five vulnerabilities were exploited across the 381 breaches attributed to hacking.
“Even companies that are very good [at security], we’re finding today are still very vulnerable,” says Gossels, referring to the RSA breach. “Today you have organized crime, hostile foreign governments and industrial espionage going on; [attackers are] trying to do something that is subtle.”
In many cases, organizations are doing a much better job of patching, but few are addressing software vulnerabilities in legacy systems, says Bill Curtis, director and co-founder of the Consortium for IT Software Quality. Even if SQL injection, cross-site scripting and buffer overflow vulnerabilities are found and patched, a determined hacker will find his way in, says Curtis, who believes organizations need to conduct a more thorough code review of their systems as well as maintain a better configuration management program.
“The minute you expose your apps to the Web, you have all kinds of interactions you never had before with people you may not know,” says Curtis. “A payment system would hopefully not be connected to a system for the gaming world.”
Robert Westervelt is the news director of SearchSecurity.com. Send comments on this article to firstname.lastname@example.org