Close
Are you sure? Are you sure you want to report this comment? I understand, report it. Cancel

Security expert warns of "inherited apathy" towards user data

Thu 28 Apr 2011 9:38am GMT / 5:38am EDT / 2:38am PDT
Online

Was Sony's PSN breach from internal sources?

Sony Computer Entertainment

Sony Computer Entertainment is a Japanese videogame company specialising in a variety of areas in the...

playstation.com

In the aftermath of Sony's PlayStation Network breach, security expert LogRhythm has warned that organisations do not place enough importance on user data, and a culture of "inherited apathy" can exist towards valuable personal information.

This week Sony admitted that over 75 million PlayStation Network accounts have been compromised, with the platform holder unable to determine whether credit card details have been stolen.

And today it admitted that personal information including user's email address, passwords and online IDs were not encrypted.

Bearing in mind that 80 percent of attacks are from insiders, who is the most likely person to have been able to conduct or assist with this attack?

Martin Landless, LogRhythm

"Personal details such as names and addresses have long been seen as unimportant assets and as an organisation's services grow, the inherited apathy - or insufficient risk assessment - can prevail," Martin Landless, technical director of international markets at LogRhythm told GamesIndustry.biz.

"When this information is combined with dates of birth and credit card numbers, the value and potential to lead to further attacks increases exponentially. Even if the passwords were encrypted, the method used may not have been strong enough to ensure they remained secure."

While the current focus is on the violation of the PlayStation Network, Landless questioned whether the perpetrators were able to access other classified Sony information.

"What other systems did they access during that period? Is there a possibility that intellectual property has been compromised such as new specifications for PlayStation 4?"

He also pointed out that the majority of hacks are committed by internal staff, not outside forces.

"Bearing in mind the 80/20 rule that 80 percent of attacks are from insiders, who is the most likely person to have been able to conduct or assist with this attack?

"One would imagine there would be multiple external perimeters to compromise, and monitoring should have been conducted on these layers. There may not have been so many detection mechanisms within the network for a trusted administrator."

Sony has been criticised for not informing users sooner that their details had been compromised. Landless said that the company may not have been aware of the scale of the attacks and should now monitor security in real-time to improve reaction times.

"There is a very good chance it was unaware of the scale of the problem. Many organisations have a poor understanding of what is happening across their IT infrastructure, making it difficult to identify security incidents when they occur and the root causes responsible.

"There is often too much focus on the traditional security products that attempt to build a fence around the IT estate," he added. "Repeated high profile incidents of data loss have proven that these solutions are not infallible and are not enough to ensure network security.

"Sony needs to accept the inevitability of data breaches and take new courses of action to prevent similar incidents. It is now essential that systems are in place that can recognise breaches in real-time so that appropriate action can be taken immediately. Sony needs to automate and centralise the collection and analysis of 100 percent of its data logs, so that any aberration can be detected and investigated as it occurs."

14 Comments

Josef Brett
Animator

296 0 0.0
Unless I've missed other articles, this seems to be the first one that questions who actually did the hack. Do Sony know? Will the person be caught or will they just be left with all the time in the world to sift through all the data they have collected?!

A little more talk from Sony about the perpetrators of this attack may go some way to calming the hordes of angry PSN users...

Posted:3 years ago

#1

John Bye
Senior Game Designer

480 451 0.9
"80 percent of attacks are from insiders... Sony needs to automate and centralise the collection and analysis of 100 percent of its data logs"

Of course he'd say that, he works for a company that provides automated real-time monitoring of network logs to spot security breaches by insiders.

Posted:3 years ago

#2

Anthony A
Studying Msc Management

5 0 0.0
"Of course he'd say that, he works for a company that provides automated real-time monitoring of network logs to spot security breaches by insiders. "

It does not mean he's wrong, though. Probably the opposite.

Posted:3 years ago

#3

Tim O'Donoghue
Information resources

7 0 0.0
Wow. What kind of penalty are Sony going to get for this? Nothing or nothing squared? I suppose the law sees them as the victim here...

Posted:3 years ago

#4

Martin Appleton
Artists

3 1 0.3
I just hope they encrypted my credit card data better than they encrypted their firmwares in the past.

Posted:3 years ago

#5

Christopher Bowen
Owner, Gaming Bus

118 0 0.0
This reads to me like someone trying to sell its services. It's all speculation with the exception of facts we already knew.

Posted:3 years ago

#6

Chris Urquhart
Studying Computer Games Technology

1 0 0.0
The way I see it, both Sony and it's users were the victims. After all, it's the hacker that's the true culprit here. Sony did what they could to protect out information, but sadly it wasn't enough. But to be perfectly honest, nothing electronic is 100% secure. Assuming Sony increase their security now, which is apparently what they're doing, there's not much else we can hope for. What's done is done, and I'm just hoping to see that the hacker gets what's coming to them.

Posted:3 years ago

#7

Kristoffer Sandberg
Studying Computer Games Development

5 0 0.0
@Chris
Storing unencrypted passwords and usernames is not exactly 'doing what they can to protect the information'. That is just sloppy in my opinion.

Posted:3 years ago

#8

Jim Webb
Executive Editor/Community Director

2,266 2,400 1.1
Chris, keeping the user data unencrypted is not protecting us. Does your school leave your student passwords in plain text in a data table?

Posted:3 years ago

#9

David Spender
Lead Programmer

129 54 0.4
Culture of 'inherited apathy'..... indeed. Here are comments from this very site:

"THE actual problem will not cause anyone serious grief, even on a worse case scenario you do get your cards charged, in the long run, all will get sorted for you. "

"Any system can be hacked and cracked. Some harder than others. SONY just happened to be targeted this time. I feel there is no way to protect any form of digital data."

"Yes, they should have been more careful but come on: who can ever promise total internet security?"

"This isn't a big deal. People who aren't idiots check their online bank accounts daily."

"I am convinced that Sony wasn't any more careless with my data than other providers I also trust: they were just unfortunate to be targeted."

The problem is not the culture of apathy existing at the corporate level, its practically encouraged by the users who are too lazy to care or hold them accountable.

Posted:3 years ago

#10

Andrew Goodchild
Studying development

1,240 400 0.3
@David. Well said.

Posted:3 years ago

#11

Lee Ward
Education

8 0 0.0
@chris
Sony used security through obscurity as a method for protecting our user information. The fact they did not encrypt user information shows that Sony places convenience and ease of access of user data over security of personal information. They relied completely on the frontend and internal account systems to stop malicious access to their backend databases, and using a SQL database doesn't mean that it's protected by any means.

Any company that uses security through obscurity as a method of protecting anything deserves to have their systems breached, company fined heavily and the developers responsible for ok'ing the use of secuity through obscurity as a method of protecting user data sacked. As a frontend and database developer myself, 45% of my code is security based, code designed to detect, strip and report the problem directly to me detailing the attempted exploit so I can check and harden the scripts accordingly. Security through obscurity is pure laziness.

Posted:3 years ago

#12

Andrew Ihegbu
Studying Bsc Commercial Music

445 157 0.4
People talk about security breaches happening all the time, but I haven't seen a successful hack this big my whole life. The thing that worries me is that I feel as if it's not the protection systems and firewalls that are the reason our info hasn't been stolen elsewhere,it's simply that the right hackers (like the ones here) haven't tried.

The only people I reckon have their security covered is Adobe and the antivirus companies.

Posted:3 years ago

#13
Andrew, the words security and Adobe should not be used in the same sentence. Adobe's security is so bad that many large IT companies forbid their employees to have Adobe software installed.

Posted:3 years ago

#14

Login or register to post

Take part in the GamesIndustry community

Register now