What can the Sony PSN Security Breach Teach Us?
Posted on May 8, 2011
On April 20, 2011, Sony’s PlayStation Network suffered a massive security breach, with upwards of 100 million accounts compromised. Users’ personal information was exposed, including names, addresses and phone numbers, and possibly credit card details as well. The network is still down as of today; another set of delays postponed the relaunch planned for this weekend while Sony continues to make sure the security holes have been patched.
What can we learn from this breach and apply to our own networks? The first and most obvious lesson is that the size of an organization says nothing about the quality of its security. Your network may have only tens or hundreds of users, but attackers are always scanning and will go after a network of any size, so a sound security policy is necessary regardless of how big you are. It is also important to be careful about where you hand over private, personal information, even when the site appears to be adequately secured. When you do share information, provide the minimum needed to conduct business and, where possible, pay with an account that offers online fraud protection.
One thing I often see with people using sites that hold sensitive data, such as banks, stores and corporate intranets, is that they see the padlock icon indicating an SSL session is established, then get the CAPTCHA prompt, then answer a personal question, then reach a password screen with an image verification, and only then arrive at their account, all the while assuming this is 100% secure. It sounds very secure, but for the most part it is a mild deterrent to an attacker rather than an effective defense against a breach of your account. The padlock only means that traffic between your browser and the site is encrypted in transit; it says nothing about the security of the machine you are typing on. A small piece of malware called a keylogger captures everything you type before it is ever encrypted, which unravels the entire procedure, including the answers to those personal questions, and keyloggers are routinely installed through browser exploits, unpatched Windows vulnerabilities, or a malicious email attachment. I think that in a way these procedures create a false sense of security for customers, and I think more awareness is needed of how vulnerable users are and what they can do to shore up their defenses.
That said, no amount of personal security protection would have prevented the PSN breach. That was Sony’s responsibility, and if, as has been suggested, they knew of the weakness and did nothing, that negligence produced one of the most significant security breaches in recent history. So the most important lesson is that no matter how secure an institution seems, there is always a chance of a breach, and you need to remain vigilant whenever you have active information on file with an institution. How do you best do this? A few tips help keep the damage from a breach to a minimum. Use one specific credit card for all of your online accounts, one with strong fraud protection that reimburses you for unauthorized charges. Monitor that account frequently to confirm that every charge is valid, and reconcile it monthly so you have a record of all transactions and can spot anomalies. Also avoid letting a merchant keep the 3- or 4-digit card security code on file with your account: merchants are not supposed to retain that code once a transaction is authorized, and since many require it to complete a purchase, a card number leaked without it is harder to abuse, which somewhat reduces the number of unauthorized charges.
So from a network security perspective, what can be done? There is no “one size fits all” approach here, since every network is different, but there are fundamental steps that apply to any network and that reduce both the likelihood and the impact of an attack.
The first is to require complex passwords on Active Directory user accounts: 8 or more characters mixing upper- and lower-case letters, numbers and special characters. How long such a password takes to crack depends entirely on where the attacker is guessing. Against the live login, an account lockout policy that locks the account after a handful of failed attempts caps the guessing rate at a few tries per lockout window, which puts exhaustive guessing out of reach. Two caveats: lockout counts failures per account, so one common password tried once against every account (password spraying) never trips it and has to be caught by monitoring instead; and if an attacker steals a copy of the password hashes from a compromised server, there is no lockout to slow them down and GPU hardware can test billions of guesses per second, so length and unpredictability, not merely character classes, are what matter there.
The second is to minimize the attack surface by reducing the number of “pinholes”, that is, port forwards from the external network into the internal one. The best way to deter an attack is to give the attacker the fewest tools to work with: a firewall with stateful packet inspection (SPI), Internet-facing servers placed in a DMZ segment kept outside the internal firewall, and a VPN as the only route for external traffic into the internal network all greatly reduce what an attacker can reach.
The third is to install anti-virus updates, Windows patches, and browser and email client patches promptly, and to run a strong spam/virus filter in front of the network, so that fewer known exploits are available for an attacker to use.
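As an added example (this is not code from the original post, nor anything of Sony’s), the following Python script models the password complexity rule and per-account lockout policy described above and simulates two online attacks against a toy directory: brute-forcing a single account, which lockout stops, and spraying one policy-compliant but guessable password across every account, which lockout does not. The user list, the attacker’s wordlist and the injected clock are all constructed here so the script runs offline and deterministically.

```python
# Added example: AD-style complexity rule plus per-account lockout, and what
# lockout does and does not stop. All data below is made up for the demo.
import string


def meets_policy(pw: str, min_len: int = 8) -> bool:
    """Complexity rule from the post: 8+ chars with upper, lower, digit and special."""
    if len(pw) < min_len:
        return False
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    return all(any(ch in cls for ch in pw) for cls in classes)


class LockoutGuard:
    """Per-account lockout in the style of a domain lockout policy: `threshold`
    failures inside `window` seconds lock the account for `duration` seconds."""
    def __init__(self, clock, threshold=5, window=600, duration=1800):
        self.clock = clock  # injected so the simulation is deterministic
        self.threshold, self.window, self.duration = threshold, window, duration
        self.failures = {}      # account -> timestamps of recent failures
        self.locked_until = {}  # account -> time at which the lock expires

    def is_locked(self, account: str) -> bool:
        return self.clock() < self.locked_until.get(account, 0)

    def record_failure(self, account: str) -> None:
        now = self.clock()
        recent = [t for t in self.failures.get(account, []) if now - t <= self.window]
        recent.append(now)
        if len(recent) >= self.threshold:
            self.locked_until[account] = now + self.duration
            recent = []
        self.failures[account] = recent

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)


class Directory:
    """Toy credential store; plaintext only for readability, a real one stores hashes."""
    def __init__(self, users: dict, guard: LockoutGuard):
        self.users, self.guard = users, guard

    def authenticate(self, account: str, pw: str) -> str:
        """Returns 'locked', 'ok' or 'bad'; a locked account is refused even if pw is right."""
        if self.guard.is_locked(account):
            return "locked"
        if self.users.get(account) == pw:
            self.guard.record_success(account)
            return "ok"
        self.guard.record_failure(account)
        return "bad"


def simulate_bruteforce(directory: Directory, account: str, candidates):
    """Online guessing against one account. Returns (guesses evaluated, outcome)."""
    evaluated = 0
    for guess in candidates:
        result = directory.authenticate(account, guess)
        if result == "locked":
            return evaluated, "locked"
        evaluated += 1
        if result == "ok":
            return evaluated, "ok"
    return evaluated, "exhausted"


def simulate_spray(directory: Directory, accounts, guess: str):
    """Password spraying: one guess tried once per account, so no single account
    reaches the threshold. Returns the accounts the guess opened."""
    return [a for a in accounts if directory.authenticate(a, guess) == "ok"]


# Constructed sample data; "Summer2011!" passes the complexity rule yet is guessable.
USERS = {"alice": "Tr0ub4dor&3", "bob": "Summer2011!", "carol": "Xk9#pLq2vB"}
WORDLIST = ["password", "123456", "qwerty", "letmein", "Summer2011!",
            "Welcome1!", "Passw0rd!", "Tr0ub4dor&3"]


def run_demo() -> dict:
    clock = [0.0]  # simulated seconds; never advances, so no lock expires
    guard = LockoutGuard(clock=lambda: clock[0], threshold=5)
    directory = Directory(USERS, guard)
    # 1. Brute-force alice: her password is last in the list, but the account locks first.
    brute = simulate_bruteforce(directory, "alice", WORDLIST)
    # 2. Spray the weak-but-compliant password across all accounts: no lockout fires.
    sprayed = simulate_spray(directory, list(USERS), "Summer2011!")
    return {"brute": brute, "sprayed": sprayed,
            "alice_locked": guard.is_locked("alice"),
            "bob_locked": guard.is_locked("bob")}


if __name__ == "__main__":
    print({pw: meets_policy(pw) for pw in ("password", "Summer2011!", "Xk9#pLq2vB")})
    print(run_demo())
```

Running it shows the brute force evaluating only 5 guesses before alice’s account locks, while the spray quietly opens bob’s account without locking anyone, which is why a lockout policy needs to be paired with monitoring for many accounts failing in a short window.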
I think attacks like this give us an opportunity to take a hard look at our own networks and ask whether we have done what is necessary to withstand one. The PSN outage has now run for two and a half weeks and could last longer still, with lawsuits and cancellations likely to follow. Could your business survive a two-and-a-half-week outage?