Tuesday, May 3, 2011
The ONE most important lesson from the Sony PlayStation Security Breach
A service with 77 million user accounts, holding personal information such as email addresses, passwords and credit card numbers, controlling a platform of powerful PlayStation devices, and distributing licensed content, is a sure target for both hackers and jailbreakers.
Jailbreakers and hackers both saw the rich opportunity that the business failed to see. Jailbreakers were drawn by the thrill of free content and the urge to make that content freely available. Hackers were drawn by the rich source of credentials, credit card numbers and email addresses that can be sold to fraud rings for a fee, and by the possibility of pushing malicious updates to PlayStation devices, potentially harnessing them for denial of service attacks or even deactivating them.
There are 50 million or so BitTorrent users who believe that it is their right to share licensed content. For every business this is a reality that we have to live with.
Jailbreakers can be dealt with by removing the incentive to jailbreak and by making the product secure. The key concerns of jailbreakers are price and availability. One can also make it profitable for a jailbreaker to report flaws for a fee, for example through a bug bounty programme. Imposing criminal action as a deterrent only pushes jailbreakers underground, losing the opportunity to harness their expertise to improve product security.
Hackers, on the other hand, are unaffected by such deterrents, since they are already underground. To them an insecure product or service is simply rich pickings.
So why did such a large organisation fail to see the inevitable?
The main reason is the failure to treat security as a major business concern. Instead of improving the security of the product and the service, the focus was on prosecution, because the immediate, visible problem was loss of licence revenue, and that was the only part of the problem the business understood.
The same inconsistency is present in every business where business and IT decision makers overrule security in favour of functionality, in the false belief that such incidents do not happen to them.
Every CISO should bring this incident to their management as a wake-up call.