Sony hack was good news for INSURERS and INVESTORS

Whoever hacked Sony Entertainment at the end of November changed information security forever. Where once hackers had been most concerned to gain access to the honeypots of credit cards and bank accounts, this theft had a different goal, one that became clear with the steady release of Sony’s most intimate secrets throughout …

  1. Robert Helpmann??

    Fact Check!

    > If Sony were JPMorganChase or another large financial institution... those assets [would have been] squirrelled away deep within digital vaults, air-gapped against any possible network intrusion, access strictly limited on a need-to-use basis.

    Not so much. Not to comment on JPMorgan Chase's recent hack attack, but the norm seems to be to devote effort to equine retention after the team has left. The only good thing about the recent spate of hacks has been that they are getting media coverage. I am convinced that the frequency with which they occur in all sectors is much the same as it has been in the past. I have hope, however, that the additional attention the issue is getting will induce otherwise reluctant management to devote resources to mitigating risk rather than to damage control.

  2. Paul Crawford Silver badge

    Liability?

    "If the theft and publication of that correspondence renders her unemployable, wouldn’t Pascal have grounds for a massive lawsuit against her former employer?"

    Perhaps if they had not been such disk-heads in the first place to say things that are untrue, and/or in very poor taste, and/or showed very poor professional judgement, they would have nothing to fear?

    That is what our leaders keep telling us, so it must be true...

    1. annodomini2

      Re: Liability?

      Given that, in her position, she and her colleague were ultimately responsible for the business, I'd love to see how the lawyers manage to pull this one off.

    2. Jonathan Richards 1

      Re: Liability?

      > If the theft and publication of that correspondence renders her unemployable, wouldn’t Pascal have grounds for a massive lawsuit against her former employer?

      See, this is another example of the mindset that says "anything I can get away with is OK". As I would like to see it, the way to be a respected film executive is to have a proper degree of respect for your staff and for the 'talent' that you employ. The fact that she (allegedly) trash-talks folk in company correspondence tells you something about the respect due to her (if you believe the content of the leaks). The damage is done at the point of writing the trash, not at the point of it becoming public knowledge.

      In more enlightened times, this was known as having a conscience, and hypocrites did not run to their lawyers alleging that being found out was somehow somebody else's fault.

      1. Michael Wojcik Silver badge

        Re: Liability?

        > In more enlightened times, this was known as having a conscience, and hypocrites did not run to their lawyers alleging that being found out was somehow somebody else's fault.

        Citation for this prelapsarian era of personal responsibility, please.

  3. Anonymous Coward

    Studios create intellectual property

    Oh really? From observation they mostly churn out formulaic recycled garbage with the odd exception.

    1. Pascal Monett Silver badge

      Right, but that's what they call "intellectual" these days.

      Which is why Firefly got cancelled. It was too smart for almost everyone.

      1. WatAWorld

        Too smart for those outside the only demographic advertisers care about

        Firefly was cancelled because it was too smart for those outside the highly prized 12 to 21 year-old female demographic -- almost the only demographic TV advertisers care about.

  4. Alister

    Off on a tangent, I hadn't realised the Culver City lot was now Sony's. I remember when it was Paramount's, and before that I think it belonged to DesiLu Entertainment...

    1. JimWin

      Sony Pictures (SPE)

      Sony acquired the Culver City site around 1990 and named it Sony Pictures Entertainment. See http://www.sonypicturesmuseum.com/studio/timeline for more.

  5. Haro

    Good Article

    I like the point about the conflict between free expression and security. I've seen companies totally clamp down on internal (and external) freedom, and lose every speck of intellect. I wonder how you strike a balance.

    1. Michael Wojcik Silver badge

      Re: Good Article

      > I wonder how you strike a balance.

      Money.

      You pay for good sysadmins, and enough of them. You buy good authentication systems. You pay for third-party network threat monitoring and egress monitoring, and you make sure your response team is ready to act immediately to every alert. You maintain control over corporate devices and you have strict policies against corporate IP on personal devices, and you enforce those, even when there's a short-term loss (again, money) from enforcement - such as suspending or terminating employment for violation.[1]

      Does any of that prevent losses? Of course not. Security isn't an absolute. Security is a process of reducing your average costs (the sum of risk-loss products) and/or raising the attackers' costs. The only trade-off here is deciding how much investment in security brings a positive return in that calculation, under a reasonable threat model.

      [1] I'm in favor of lesser punishments, by the way, because people make mistakes and draconian responses lead to concealment, resentment, etc.

  6. Anonymous Coward

    It was good news for me too...

    ...because I don't like Sony at all, ever since they decided it was acceptable that their CDs should be shipped with rootkits.

    I think Sony truly believes that their customers can be divided into three camps: known criminals, unknown criminals and idiots not smart enough to be criminals.

    So I've had a jolly good laugh at Sony's expense, and I feel much better now.

  7. Amorous Cowherder

    So it uncovered what most of us already knew, that people are people. They bicker, fight and do stupid things such as talk about each other. I bet if you crack open any company's Exchange server you'll find more or less similar prattling in the reams of emails, people passing on rubbish to each other; it's the secrets and tittle-tattle that bind groups together.

    1. WatAWorld

      I feel sorry for you if your world is like Sony's and you act the way Sony executives do.

      Most of the rest of us find Sony executive behaviour extraordinarily strange, outrageous and appalling.

    2. A. Coatsworth Silver badge

      I sometimes talk trash about other people, I guess most people do... But I'm sure I don't do it by email, and DAMN sure I don't do it over corporate email.

      That's just one of many baffling behaviors within Sony exposed by the hack... I guess people up the corporate ladder feel more invulnerable in what they do...

      1. Michael Wojcik Silver badge

        > I sometimes talk trash about other people, I guess most people do... But I'm sure I don't do it by email, and DAMN sure I don't do it over corporate email.

        Neither do I. But I'm not a senior executive in an industry that employs narcissism as one of its chief resources. I suspect that selects for ill-behaved personalities.

  8. Anonymous Coward

    Oh?

    Missing here is that the industry behaves this way with physical (printed) media as well. So long as it's kept within the confines of people working in the industry, cutting and sharing with all and sundry is normal, damn the fact that the same behavior results in hunting down and ruthlessly 'killing' anyone else outside the industry who possesses and/or shares their bounty. Oh, and that applies to 'friends of the industry' as well. Social behaviors, including gossiping/trash-talking, are completely normal so why should it be any surprise that such is true in the virtual? If anything, people are more likely to engage in poor behavior as the immediate context seems less real.

    Dear Sony, this is as real as it gets. Get it? Almost certainly not.

  9. WatAWorld

    Put two things together and you see Amy Pascal was the employer

    "If Amy Pascal loses her job heading Sony Pictures Entertainment, her credibility fatally damaged by an unending stream of private moments made public, who is liable? Pascal surely believed Sony would take appropriate precautions regarding her private business correspondence. If the theft and publication of that correspondence renders her unemployable, wouldn’t Pascal have grounds for a massive lawsuit against her former employer?"

    and

    "Sony Pictures Entertainment co-chairs Amy Pascal and Michael Lynton".

    Amy Pascal was the employer, together with Lynton. The lack of security on her watch was her responsibility.

    That said, she's got big bucks, she's an executive, so I'm sure she'll get a lovely golden goodbye despite the problem being her own negligence in failing to properly set corporate policy.

  10. (AMPC) Anonymous and mostly paranoid coward

    Spare the rod, spoil the child

    Nice article.

    Sadly, even after many, many serious data security breaches, proper IT security still remains an elusive and fuzzy blip on corporate radar screens. Complex, ever-changing security problems with no "one-size fits all" proposals aren't easily grokked by execs and many world leaders (yes, I'm looking at you Dave). Ignorance, laziness, greed and dishonesty confirm the inevitable result.

    Today, if a major US corporation sprayed loose asbestos on its workers, chained shut the fire doors in a burning factory, or sold flammable children's clothes, they would be sued or prosecuted under consumer safety legislation (or both).

    Until we can clearly establish similar liability standards for data-holding corporations, particularly those holding financial data, this will always be an uphill battle. Punishing negligent behavior by exacting massive financial damages is much more painful than hanging out the dirty laundry of a few pushy entertainment execs. Until that happens, the Sonys, JP Morgans, Targets ad infinitum will continue to play the clueless card and hand out identity theft insurance. There is no real motivation to clean up their collective security acts. Corporate entities do not possess a conscience or a desire to do the "right thing".

    Money and legal action are a few of the things that corporate executives, shareholders, lawyers and insurance companies grok very well indeed. Public embarrassment doesn't really compute because the spin doctors will fix it anyway.

    What the world needs now is an IT Security consumer crusader. Someone like Ralph Nader in the 1960s. Gory pictures of heads being cut off by plate glass car windscreens, political pressure, legal action and robust safety legislation eventually forced Detroit to build safer cars. Data security would of course need new memes and horror stories, but you get the idea.

    Otherwise, we will be left asking: what will make companies build and use safer information systems? Should we be forced to keep using systems where we frequently risk our reputations, personal security, credit ratings, and sanity every time we grab a keyboard?

    A big brass rod with legal razor blades on it might just help adjust the playing field.

  11. Roundtuit

    "Co-chairs" might just be the root cause

    If there's one thing I've learnt in life, it is that multiple bosses == bad news. Well, to be more accurate, it's not the bossing that matters, but the dilution of leadership and clarity of direction. If in fact the "co-chairs" were spookily aligned, why did SPE need them both? My guess is they were hedging their bets.

    The reason that top brass are paid so highly is that (a) they have that rare combination of proven qualities (such as capabilities/expertise, experience, charisma, drive and motivation) to make good decisions more often than not, meaning that they are in high demand; and (b) they demand the $$$$$$ in return for their personal accountability when, almost inevitably, like gamblers they eventually make a seriously bad decision.

  12. OmgTheyLetMePostInTheUK

    Why isn't everything encrypted?

    Roughly 20 years ago, I went to work for a small credit card company as a programmer. The company used direct mailings to market itself, and was growing rapidly. When I was hired, I was the second IT employee. By the third year, there were almost 20 of us.

    As with any normal company, people are occasionally let go, and we had a network admin that was creating more problems than he was fixing. So he got the axe.

    About a month later, a competitor was suddenly contacting the people our mail was going to before the mail got there. It took a while to notice this, but it was causing a reduction in customers signing up that was clearly noticeable both from signup numbers and income from those.

    The boss finally demanded that every IT employee come in over the weekend and audit each and every computer system in the company, checking for any possible way that the outside world could get in and steal data. So we spent 2 days checking hundreds of PCs, and in the process, we found that one computer, in the sales department manager's office, had a modem card in it that should not have been there, and that the card was connected to a standard phone line that the company had not ordered. We removed the modem card from the system.

    Not surprisingly, a week later signups were back to normal and income was as well.

    But we sat down and had a lengthy discussion about how to prevent anyone from ever getting more than just an ID code number from our systems even if they had full access, and while it took about 2 months to get the code updated, we finally spent a weekend encrypting every name, address, phone number, and everything else on every customer in our databases. The encryption key was in a file that itself was encrypted, and the IT department programming systems were isolated from the production systems by an air gap to keep the encryption keys safe. Even within the IT department, there were only 2 of us that knew the encryption key, plus the owner of the company.

    With all the changes we made, even if someone were to somehow gain full access to the production system, everything was fully encrypted except for a unique ID code that we generated the second a new customer was added to the system. Everything anyone system-wide could access was decrypted only to display or process what had to be used. Anything that did not need to be decrypted wasn't.

    So when I see these huge mega-corporations and the government losing data like they are, I just do not understand why they have not done what we did nearly 20 years ago.
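A compact version of the scheme this comment describes, as an added example that is not code from the commenter or from The Register: every customer field is AES-GCM encrypted under a data-encryption key (DEK), only the opaque customer ID stays in the clear, a read decrypts exactly the one field it needs, and the DEK itself is stored only wrapped under a key derived from a passphrase. The field names, the `id/field` associated-data layout and the SHA-256 stand-in for a real KDF are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// gcm builds an AES-GCM AEAD; a wrong key length is a programming error, so panic.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	g, err := cipher.NewGCM(block)
	if err != nil { panic(err) }
	return g
}
// seal: fresh random nonce prepended; aad (id + field name) is bound so a ciphertext cannot be moved between records or columns.
func seal(key []byte, aad string, pt []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return g.Seal(nonce, nonce, pt, []byte(aad))
}
// open reverses seal; it errors if key, nonce, tag or aad do not match.
func open(key []byte, aad string, ct []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], []byte(aad))
}
// EncryptRecord encrypts every field under the DEK; only the opaque id stays readable at rest.
func EncryptRecord(dek []byte, id string, fields map[string]string) map[string][]byte {
	out := map[string][]byte{}
	for name, v := range fields {
		out[name] = seal(dek, id+"/"+name, []byte(v))
	}
	return out
}
// DecryptField decrypts only the one field a screen or batch job actually needs.
func DecryptField(dek []byte, id, name string, rec map[string][]byte) (string, error) {
	pt, err := open(dek, id+"/"+name, rec[name])
	return string(pt), err
}
// kek derives the key-encryption key from a passphrase; SHA-256(salt||pass) is a stand-in (assumption), use scrypt or Argon2 in practice.
func kek(pass, salt []byte) []byte { k := sha256.Sum256(append(append([]byte{}, salt...), pass...)); return k[:] }
// WrapDEK/UnwrapDEK keep the DEK on disk only in encrypted form under the KEK.
func WrapDEK(dek, pass, salt []byte) []byte          { return seal(kek(pass, salt), "dek", dek) }
func UnwrapDEK(w, pass, salt []byte) ([]byte, error) { return open(kek(pass, salt), "dek", w) }
```

Anyone who copies the production store gets ciphertexts and IDs only; the air gap the commenter describes is what keeps the passphrase and wrapped DEK off that system.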
