We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Sony Hacked Again: How Not to Do Network Security

Sony has been targeted once again by a hacking collective and more customer data has been breached.

Yes. As unbelievable as it may seem, Sony was hacked again. It is not (entirely) Sony's fault that it is the target du jour for hackers everywhere. But, it is Sony's fault that its networks and servers seem to be trivial to hack and easy to pwn.

The trials and tribulations of Sony's epic struggle against hacks and data breaches over the past month or so are well-documented. You can read all about the breach of Sony Ericsson Canada, or Sony BMG Greece, or the Sony Playstation Network, or any of the other network attacks against Sony all over the Web.

LulzSec, the hacker collective responsible for the Wikileaks hacktivism attack and fake Tupac resurrection story on the PBS site last week, made it clear that Sony was the next target on its radar. Now it has made good on that threat with a hack of the Sony Pictures network, and claims to have compromised the account details of a million users.

Now, I am of the opinion that there is no such thing as absolute security. Any network is vulnerable given an attacker with sufficient skills, resources, and time. So, it would be very easy for me to be sympathetic to Sony's plight--except Sony seems to ignore compliance requirements and basic security best practices, so it is basically begging to be attacked. Shame on you, Sony. Seriously.

Andrew Brandt, lead threat research analyst for Webroot, agrees. "Lulz Security says the information they stole was entirely unencrypted, and while we can't verify Lulz's statements, we can say that companies should take this as a warning to check their internal methods of storing their customers' confidential information and make sure they comply with industry standards such as PCI-DSS."

According to Randy Abrams, director of technical education for ESET, if Sony did, in fact, store passwords in plain-text as LulzSec claims, it is nothing short of blatant negligence.

Fred Touchette of AppRiver adds. "There is no doubt that Sony needs to spend some major effort in tightening up its network security. This latest hack against them was a series of simple SQL Injection attacks against its web servers. This simply should not have happened."

So, aside from not pissing off the hacker collectives of the world, what can other companies do to prevent becoming a poster child for network insecurity? The best advice is that following security best practices, and implementing stronger network and data security controls is best done before you're a victim of hacks like these, not after.

Tim 'TK' Keanini, CTO of nCircle, cautions organizations, though, against security 'silver bullets' or shortcuts. He likens improving network security to losing weight or improving physical fitness. "No matter how hard you work it's going to take more than a few days, even if you focus on nothing else. Great security is about more than technology. It has to be baked into business processes and into every employee's brains as they go about their everyday activities."

Be proactive about following security best practices and data security compliance requirements. Don't be a Sony.

IDG UK Sites

Windows 9 release date, price, features: 30 September marked for unveiling

IDG UK Sites

Gateway to your kingdom: why everybody should check and update their broadband router

IDG UK Sites

Netflix whips up 3D VR viewing room for Oculus Rift during company hack day

IDG UK Sites

Best Mac? Complete Apple Mac buyers guide for 2014