On April 19th, Sony’s PlayStation Network and Qriocity services were infiltrated, and hackers walked away with personally identifiable information from more than 77 million accounts. The attack was one of the largest security data breaches in history, and Sony’s response has been widely criticized by security experts, consumers and politicians alike.
From waiting over a week to alert users that their personal details may have been stolen to storing those personal details in an unencrypted format, the PlayStation Network breach is an excellent case study for how other cloud app companies both big and small can avoid a similar fiasco, even if they do get hacked.
The first thing to keep in mind is that while it may be easy to blame the hackers, the roots of Sony’s PlayStation Network (PSN) breach started in the board room.
“Organizational complexity and a lack of good security support at board level is probably the biggest mistake Sony made that led to the PSN hacks,” says Stuart Thomas, a UK security expert who has worked as head of security at the London Stock Exchange and wrote the national cryptographic standards for the UK National Health Service.
Thomas has special insight into the matter: he built the original PlayStation 2 network for Sony back in 2001.
“If you don’t have a solid expert at board level championing good security management of people, technology and processes, everything else fails,” says Thomas.
Even so, it can be rare to find such experts at board level.
“The ongoing costs of hiring Ph.D.-level security analysts are almost always scoffed at,” says Thomas. “But if you are not watching your intrusion logs, you have no idea what is going on in your network.”
In Sony’s case, that may have led to disaster. An experienced security analyst examining the PSN’s logs on a regular basis should have been able to detect the earliest warning signs of the upcoming breach. We don’t know exactly what measures Sony had in place before the breach, but it has clearly tried to bolster security measures since then. In September, Sony hired former the director of the National Cyber Security Center at the US Department of Homeland Security Philip Reitinger to be its new chief information security officer (CISO).
Organizational complacency was also an issue that led to the PlayStation Network attacks.
“Nothing is ever 100% secure. Don’t assume someone won’t come after your data because you’re ‘just a games company’ or something similar,” says Chris Boyd, a senior threat researcher for GFI Software and four-time Microsoft Most Valuable Professional award winner in Consumer Security.
Even though you may think that you are a small fish in a big pond, the danger of being hacked is very real.
“Everyone is a target, even if you can’t think of ways that your data could possibly be used for nefarious purpose,” says Boyd. “If you don’t have a CISO already, now is the time to be looking for one.”
Once you’ve got a security expert in place, practice makes perfect.
“A cloud app company or online service should prepare to be hacked just as if it were having a fire drill,” says Stuart Thomas. “You need to have an agreed incident management policy for having your systems breached. Practice it often, then go over the results and learn from your mistakes. Don’t wait until it’s too late, your user’s data has been compromised and your CFO is firing the shots because your company has been cut off from processing credit cards.”
And not just the big hacks count. Make sure that all levels of your company are aware of good security procedures.
“If customer support is involved with password resets, you should ensure that staff are familiar with the basics of social engineering,” says Boyd. “There are dedicated teams who spend hours each day phoning customer service representatives, attempting to hijack accounts.”
So what do you do when you find out you have been hacked? Well, whatever you do, don’t follow Sony’s lead and sit on the information. Instead, alert users immediately. Doing otherwise could cripple your company’s credibility in the eyes of consumers.
“In Sony’s case, they waited seven days to tell users what happened,” says Boyd. “Since there was a possibility of financial data having been stolen, customers should have been informed much earlier. If I were a customer, I’d rather Sony had assumed the worst and let me know that my payment info may have been exposed, even if it turned out later that it wasn’t actually the case.”
Ultimately, security isn’t just about the software you use or how you encrypt your data. Security can’t be patched in. You need to build your product with security in mind from the ground up, and foster an obsession with security amongst all aspects of your company.
“Speed to market for a cloud app can be important, but quality controls ensure the survival of your app and brand,” says Stuart Thomas. “Great security skills are important, but it is the ability to evangelize, communicate and motivate all levels of management and staff that keeps security issues fresh in people’s minds.”
What is the takeaway for cloud app companies both big and small hoping to learn from Sony’s mistakes? It’s simple, says Thomas.
“Make security real.”
Image credit: Surian Soosay/Flickr
VB's research team is studying web-personalization... Chime in here, and we’ll share the results.