Dec 18, 2014
Sony and Cyber Security
The hacking of Sony’s email system is an important reminder of the need for stringent security. To the extent that the details of Sony’s system and of the attack reported in the media are accurate, some useful lessons can be drawn. A number of these are elementary, but that simply underscores how easy it is to overlook the basics amid the ebb and flow of meeting the daily demands of business.
- Most, or all, of the attack methods reported to have been used against Sony had been used previously. Monitoring security advisories (from US-CERT and elsewhere) and following up on them can be time-consuming and requires diligence, but it is necessary.
- Items such as passwords should always be stored in an encrypted form, and for particularly sensitive data the nature of the encryption is quite important. For example, when Ars Technica was hacked this week, it had much stronger password practices in place than Sony, and those practices protected most of its users’ passwords after the fact.
- Maintaining offsite, offline backups, performed regularly enough that important data is retained, is also essential.
- Most importantly, capable security reviews need to be incorporated within any system and product, both at the design stage and afterward at regular maintenance intervals.
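The difference the second lesson points at, as an added illustration (not code from the original post, and not Sony’s or Ars Technica’s implementation): it assumes the stronger practice is a random per-user salt with a deliberately slow password hash (PBKDF2-HMAC-SHA256 from the Python standard library, with a constructed iteration count), shown beside a fast unsalted digest, and shows what a leaked table gives away under each scheme before a single password is guessed.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional

# Weak practice (illustrative): a fast, unsalted digest. Every user with the
# same password gets the same stored value, and a leaked table can be
# guessed against at hardware speed with no per-user work.
def weak_store(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# Stronger practice: a random per-user salt plus a deliberately slow key
# derivation (PBKDF2-HMAC-SHA256). The iteration count is a constructed
# value; tune it so one check costs tens of milliseconds on your hardware.
ITERATIONS = 200_000

def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # the record carries its own parameters so they can be raised later
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def strong_verify(password: str, record: str) -> bool:
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # constant-time compare: verification time must not depend on the bytes
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def visible_duplicates(table: Dict[str, str]) -> List[List[str]]:
    """Users whose stored values are identical, i.e. what a thief learns for
    free from a leaked table even before guessing a single password."""
    by_value = defaultdict(list)
    for user, value in table.items():
        by_value[value].append(user)
    return sorted(sorted(users) for users in by_value.values() if len(users) > 1)

if __name__ == "__main__":
    # constructed sample table: two users share a password
    users = {"alice": "Sony2014!", "bob": "Sony2014!", "carol": "hunter2"}
    print(visible_duplicates({u: weak_store(p) for u, p in users.items()}))    # [['alice', 'bob']]
    print(visible_duplicates({u: strong_store(p) for u, p in users.items()}))  # []
```

With the weak scheme the shared password is visible from the table alone; with the salted slow hash the two records differ, and each guess against each user costs the full iteration count.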
Is your system as ready as it can be? Bear in mind that against motivated and sophisticated attackers there is no perfect security. But engaging a third party to conduct an objective security review can be an important step towards maintaining security hygiene and towards identifying where specialized approaches are needed to minimize and mitigate risk.