May 122011

Sony PlayStation Network has been down for weeks due to the recent network intrusion with which, according to Sony’s email, hackers gained access to millions of accounts and possibly obtained the following information: name, birth date, address, email address, PlayStation Network/Qriocity password and login, and handle/PSN online ID, profile data, purchase history and billing address, password security answers, even credit card number and expiration date!

According to my experience most business entities are downplaying the importance of security in an effort to be more efficient and profitable. On the other side the hackers are getting more “professional” in their criminal activity and the bigger the network, number of consumers and the amount of financial information, the more sophisticated attacks it has to resist. I’m therefore concerned that there will be more similar security breaches and it won’t be before some businesses get shut down that the corporate world will start paying more attention to security so that it’s not only a paperwork requirement, but a real concern with dedicated and significant time, money and staff who can make sure that all systems, networks and user accounts are as secure as they could be.

Security and Convenience Don’t Live in Harmony

Security is in most cases inconvenient and tedious. It doesn’t increase productivity and most executives and users try to circumvent it whenever possible. Its benefits are intangible until bad things cause a paradigm shift when it suddenly becomes obvious how expensive the convenience can be in the long run, but the damage is usually done.

Very few people are aware of the fact that majority of security breaches come from inside. Hackers almost always look to take control of an unprotected inside system of a low importance from which they can then attack more important targets. At my old job I was amazed how many IT ‘experts’ and executives from a non-technical background neglect security and confidentiality of user accounts and data in order to appear more efficient, or just to avoid more work. In one such case, trying to persuade a key IT player to install SSL encryption on a major business system was like pulling teeth because they were “too busy” and didn’t have time to do a few hours of testing and send several emails to end users about the link change. I kept trying to push this for years but to no success and I believe these services still run without SSL encryption. Although they were internal, these systems have thousands of users and there are so many targets that it’s really a miracle they still didn’t have any big breaches or at least none have been discovered yet. Of course, in my case, never mind my nagging, had such a breach occurred while I was there, I would have been fired as the network manager in charge, but that makes sense because in similar examples usually someone else suffers after a security breach while the real culprits are two jobs and companies away. So the current situation seems to be rewarding executives, accountants and technicians who circumvent security and push for convenience. This is why it is so easy to have a breach at an average corner-cutting business entity and why account and systems security has to be dictated from top down, . Very few people have the mindset to do the due diligence and the will to fight the windmills and push for proper security procedures. The reality check is that if the average user can avoid the extra steps, they will do it. That’s probably another limiting factor for security gigs and their success – if it’s not strictly enforced by the top management team, the users don’t want to deal with technicalities. Until this happens, or until some new and more secure brave new digital world is created, we will probably continue to have many more intrusions and hacks throughout the world.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>