May 26, 2017

Access Control: Et tu, Sony?

The recent breach of more than 77 million user’s information at Sony bids the public cry, “Et tu, Sony?” How can one of the largest corporations on planet earth be subject to such a significant security breach? Well, Sony is not alone.

The Sony hackers claim in their alleged chat logs (posted on pastie or Lo-Ping) that sensitive data such as passwords and credit cards were stored in plain text. Sony initially had said they did not encrypt the data, but later clarified by saying the data was “transformed using a cryptographic hash function.” Either way, the biggest question is how they gained access to the data in the first place.

There are conflicting reports, but the consensus is that the hackers didn’t seem to have it too rough. As mentioned in the hackers’ chat logs, Anonymous’ press release, and in Time’s Techland article, it is claimed that Sony was “[…] running on very old versions of Apache software that were unpatched and had no firewall installed, and so these were potentially vulnerable.”

Whatever the case be with Sony, CIO’s and the leadership in IT departments need to revisit the basics. Surveys show that hackers’ successes are not from using extravagant methods to breach state of the art defenses, but from using simple methods to capitalize on systems’ weaknesses.

Let’s start with passwords. Imperva’s report titled “Consumer Password Worst Practices” states that at least 50% of users are choosing trivial passwords. As David Coursey at PCWorld writes, people are making “Hacking Passwords Easy as 123456“. It appears IT staff do not have much better practices. A Cyber-Ark survey of 200 IT professionals revealed that “15% NEVER change IT administrative passwords.”

Secondly, let’s look at system upgrades. Simple upgrades can save your company a PR nightmare, and a few billion dollars. Some estimates say the Sony breach could cost them up to $24 billion. How much would upgrading cost them? ABC reported in 2010 that the Secret Service brought in the NSA to review it’s systems and estimated upgrades at $187 million. In most cases, as in Sony’s, CIO’s aren’t running on 1980’s systems that would warrant drastic updates, simply clicking “update now” (or “apt-get upgrade”) will suffice.

Thirdly, let’s look at what the most common security holes are. And according to the Web Hacking Incident Database, guess what the number one attack method is? SQL injection. Although this database focuses on web applications, the system weaknesses are basic–insufficient authentication ranks 4th in top weaknesses–and likely are reflected in non-web systems.

Implementing a few basic improvements can go a long way. With passwords, set stronger restrictions, reset passwords every quarter, or send a memo to help employees make good passwords with Microsoft’s guide to “Create strong passwords” or Symantec’s “A Guide to Better Password Practices” (which has great reference material), or even WikiPedia’s article with “Guidelines for strong passwords“.

If the systems on which your security strategies rely on are unpatched or out of date, then any those strategies are quite useless. Keep your systems up to date and if you want to take your security a step further, call in some outside help. Look into Exin’s security certification program, or consult Cyber-Ark on how to keep your passwords secure. Attacks don’t just come from outside too. Revisit who has the “Keys to the Kingdom“, as Cyber-Ark’s report revisits the significant risks of poor control over privileged accounts. You don’t want to be the IT manager saying, “Et tu, Terry Childs?

Overlooking basic security measures has unnecessarily hindered the trust of areas of society and of corporate leadership in IT departments through, not just the breach at Sony, but this perpetual echo of “Et tu?”

Joe Purcell
About Joe Purcell 1 Article
Joe Purcell is a technology virtuoso, cyberspace frontiersman, and connoisseur of Linux, Mac, and Windows alike.