Security expert warns of "inherited apathy" towards user data
Was Sony's PSN breach from internal sources?
In the aftermath of Sony's PlayStation Network breach, security expert LogRhythm has warned that organisations do not place enough importance on user data, and a culture of "inherited apathy" can exist towards valuable personal information.
This week Sony admitted that over 75 million PlayStation Network accounts have been compromised, with the platform holder unable to determine whether credit card details have been stolen.
And today it admitted that personal information, including users' email addresses, passwords and online IDs, was not encrypted.
"Personal details such as names and addresses have long been seen as unimportant assets and as an organisation's services grow, the inherited apathy - or insufficient risk assessment - can prevail," Martin Landless, technical director of international markets at LogRhythm told GamesIndustry.biz.
"When this information is combined with dates of birth and credit card numbers, the value and potential to lead to further attacks increases exponentially. Even if the passwords were encrypted, the method used may not have been strong enough to ensure they remained secure."
While the current focus is on the violation of the PlayStation Network, Landless questioned whether the perpetrators were able to access other classified Sony information.
"What other systems did they access during that period? Is there a possibility that intellectual property has been compromised such as new specifications for PlayStation 4?"
He also pointed out that the majority of hacks are committed by internal staff, not outside forces.
"Bearing in mind the 80/20 rule that 80 percent of attacks are from insiders, who is the most likely person to have been able to conduct or assist with this attack?
"One would imagine there would be multiple external perimeters to compromise, and monitoring should have been conducted on these layers. There may not have been so many detection mechanisms within the network for a trusted administrator."
Sony has been criticised for not informing users sooner that their details had been compromised. Landless said that the company may not have been aware of the scale of the attacks and should now monitor security in real-time to improve reaction times.
"There is a very good chance it was unaware of the scale of the problem. Many organisations have a poor understanding of what is happening across their IT infrastructure, making it difficult to identify security incidents when they occur and the root causes responsible.
"There is often too much focus on the traditional security products that attempt to build a fence around the IT estate," he added. "Repeated high profile incidents of data loss have proven that these solutions are not infallible and are not enough to ensure network security.
"Sony needs to accept the inevitability of data breaches and take new courses of action to prevent similar incidents. It is now essential that systems are in place that can recognise breaches in real-time so that appropriate action can be taken immediately. Sony needs to automate and centralise the collection and analysis of 100 percent of its data logs, so that any aberration can be detected and investigated as it occurs."