Now that things have degraded to complete idiocy with regard to the Sony breach, I finally feel like I have to make a statement.
Of course, everyone is focused on a country using terrorist tactics to silence an ill-conceived work of fiction, and how quickly a large corporation caved in to threats.
But who really cares about that? The real story ... the one that everyone is being misdirected to ignore ... is how easily sensitive information was stolen.
There's absolutely no reason for Sony's data to have been stolen. There's even less reason that such an attack should have successfully acquired so much data. The fact that the criminals got so much information not only on Sony's products but also confidential employee information indicates that the breach was almost total in its scope.
Such a complete breach is only conceivable if Sony were blatantly ignoring best practices. Sony would both have to be refusing to implement layered security (i.e. "defense in depth") as well as proper intrusion monitoring.
If both of these security best practices had been followed, the attackers would have been slowed down enough by the layers for the intrusion monitoring to set off alarms. At worst, some limited amount of Sony's data would have been stolen before network administrators had noticed the attack and stopped it. At best, the attacks would have been stopped at the border, and eventually the attackers would have given up the effort as impossible.
Sony's failure to follow best practices isn't unusual. I can say from first-hand experience over the past few years that most companies are making the decision to save money by avoiding perfectly ordinary security activities.
Sony's breach isn't really that bad, when taken in context. Imagine if the breach had been a bank, or a health care provider, or an insurance company. Imagine the number of completely innocent people whose personal data would have been compromised. Imagine waking up one morning to find that your identity had been stolen, your bank account emptied, and the most personal details of your medical history published on a web site ... all because your employer decided to use a cut-rate HR provider that's not properly secured.
Impossible, you say? That's whistling past the graveyard. I can say, from first-hand experience, that there are numerous organizations with critical information that are not even beginning to secure it properly. This extends not only to private organizations, but also to government regulatory bodies, which means that in many cases you don't have the option to withhold your personal information in order to protect it. The unsecured information I've witnessed first-hand covers tens of millions of people, and that's just what I've seen myself. It stands to reason that the trend extends far beyond my experience.
In the U.S., at least, the federal government is unable or unwilling to do anything about it. Sure, there are laws in place to protect people from negligence of this sort. But laws are useless in the absence of enforcement, and I've watched government enforcement agencies feebly fail to do anything useful toward effective enforcement, although I don't have the insight to know why. If I had to theorize, I would guess that the government is incapable of offering competent security professionals the sort of compensation that they can get elsewhere.
Private organizations aren't any better. Security professionals constantly have their efforts thwarted by high-level bean-counters who point out that proper security does nothing to improve the company's profits. Of course, with the lack of enforcement, there's no fear of fines or legal recourse, so the security professional is left with little ability to actually improve anything.
In the end, the state of affairs right now is that if your personal information hasn't been stolen, it's really just a matter of manpower. Simply put, criminals don't have enough time to steal all the information they could be stealing.
Here's hoping the Sony breach brings about some change.