Tuesday, December 9, 2014

Sony Breach - How A Hack Will Add Transparency To Your IT Practices (AKA I've Seen This Movie Before)

Having spent 15 years in security and building a security assessment company, which helps companies identify and mitigate security risk, I've been at ground zero for many data breaches. I've seen the fallout. I've watched companies that couldn't even fund a realistic budget to address security risk make outsized expenditures after a security incident. I've seen companies that couldn't even get an internal risk management meeting together with key stakeholders involve many lawyers, executive management, IT and compliance personnel, and even the board of directors after an incident.

As it turns out IT gets a lot of attention after a breach.

So while there may not be much visibility into the inner workings of your IT function before a breach, you can bet there will be after. Corporate IT is becoming very complex, and it's difficult to gauge the overall robustness of many IT environments at a glance. In effect, IT is not inherently transparent. What you will find, however, is that after a breach there is significant scrutiny of IT practices. Few people really know what's happening in your IT environment before a breach, but everyone will be looking at your IT practices after.

And this increased visibility creates two phases of impact. The first phase is the data disclosure impact such as the compromised credit card numbers, account numbers, passwords, social security numbers, confidential data, etc., and the associated liability. The second phase is the impact associated with how your IT environment is viewed once it comes under scrutiny.

The poster child for this was CardSystems Solutions, a credit card processor. They had 40 million credit cards compromised from their systems. However, it wasn't the incident itself but the security practices exposed after the breach that led to their downfall. When it was discovered that they had been storing unencrypted card numbers on their network, their biggest customers, Visa and American Express, dropped them, and they eventually shuttered.

And more recently you can see the dissection of Sony's security practices, such as:

Interviews with former employees, such as this one on Time's website:
“Sony’s ‘information security’ team is a complete joke,” one former employee said. “We’d report security violations to them and our repeated reports were ignored.”

Similar tweets:

And a Mashable post with the headline:
"Sony Pictures' security chief once thought data breaches weren't a big deal"

Of course you might be able to say this about any organization, or perhaps you could argue that these quotes have been taken out of context. There is certainly plenty of Monday-morning quarterbacking happening here, but these comments, along with some of the apparently lax security controls, reinforce the idea that Sony's culture didn't foster robust security processes.

And I've experienced this attitude first hand. When I was building Redspin, I once drove 90 miles to meet a potential client and deliver a proposal for a web application security assessment. When I got to the meeting, the CIO not only failed to show for our confirmed meeting but offered no excuse, apology, or reasoning whatsoever; not even a comment or message. You can imagine my surprise when, a month or so later, I got a call from that same CIO. The company had been hacked; in fact, the very web application we would have evaluated had been compromised in a very public way. So while I couldn't get the attention of the CIO for a meeting in his own conference room a month before, now the CIO was calling from the board room, with a room full of attorneys, top management and board members. It was a real fire drill; lots of people were looking at IT.

So I counsel executives to do this exercise:

  • Pretend you just got hacked. Now, imagine how your security practices and decisions will be viewed.

Then ask yourself these questions. If we have a breach, and my IT process is exposed, will it look like:

  • our organization values security?
  • I care about generally accepted best practices?
  • we respect the security process?
  • I value our employees' input?

What we do know is that your environment won't look perfect. No environment will look anywhere near perfect; IT is too complex and too dynamic. But will it look like you are even trying? Will it look like you care about and respect the process? Will it look like you care about your employee and customer data?
