Retired Member

Information Security

The risks from Cyber crime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

Have you looked under the virtual mat?

06 May 2011  |  4046 views  |  1

I wonder what the Japanese is for “when you are in a hole it’s usually a good time to stop digging”?

I read the new Sony press release, the one regarding the loss of 25 million further customer details from Sony Online Entertainment, with some bemusement. The release had the following statement:

Information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained.

It makes one wonder if Sony is aware of the Payment Card Industry Data Security Standard (PCI DSS) since they are very effectively stating their non-compliance? The PCI DSS control 3.1 states that cardholder data must be kept to a minimum and that a data retention and deletion policy must be implemented, which involves a process for the secure deletion of cardholder data when it is no longer required. I would suggest outdated credit card databases fall fairly under this category.

Not only that, but the PCI DSS Prioritised Approach categorises the 220-plus controls into six Risk levels, and control 3.1 is one of only eight controls considered severe enough to be put in at Risk level 1. In these litigious days one can only assume that the Sony lawyers and Marcom staff who proofread this statement had been missing during the Security Awareness Training.

On another tack with regard to this breach, Sony have said that in the original attack, they couldn’t be sure if the credit card database (the large one) had been stolen but in any case the entire database was encrypted.

This statement has been endlessly repeated – yet no-one has asked Sony the obvious question: “did they take the decryption keys as well?” Because let’s face it, if they got the keys as well, then the encryption is as useful to Sony and its customers as the proverbial chocolate teapot.

Where were the decryption keys? Well this is a rhetorical question because I don’t know – and let’s hope that neither did the hackers.

However, if you are smart enough to grab millions of card details from a large organisation’s database and then find it is encrypted, you might just be tempted to wander back in to see if you can find a decryption key. Even worse, imagine if the key was stored in the database itself, or put in clear text into a configuration file, or left under the doormat (in a humorous virtual way) – surely no-one would do that. But then again, surely no-one would leave 100 million personal details lying around, would they?

Tags: Security, Risk & regulation
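Looking under the virtual doormat can be automated on the defender's side. The following is an added example, not part of the original post and not anything Sony published: it scans a configuration file for key material left in clear text. The file contents, setting names and key values are all constructed for illustration.

```python
import base64
import binascii
import re

KEY_LENGTHS = {16, 24, 32}  # bytes: 128/192/256-bit symmetric keys
KEY_NAME = re.compile(r"key|secret|passphrase", re.I)
SETTING = re.compile(r"^\s*([\w.\-]+)\s*[:=]\s*[\"']?([^\"'\s#]+)")
PEM_PRIVATE = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

# Constructed sample: an application config sitting beside the card database.
SAMPLE_CONFIG = """\
[database]
host = db.internal.example
user = cards_app
card_encryption_key = 3f1c9a7e5b2d4f60a8c1e2d3b4a59687
# card_key_id is a reference into an external key store, not key material
card_key_id = kms/cards/2011-05
hmac_secret = "q83vZ0x2b1pLs7c9Xh4dKj6mNn8rTt0wYy2Aa5Bb7Cc="
"""

def decoded_length(value):
    """Return the decoded byte length of a hex or base64 value, else None."""
    try:
        return len(bytes.fromhex(value))
    except ValueError:
        pass
    try:
        return len(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return None


def find_key_material(config_text):
    """List (line number, reason) for key material stored in cleartext."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith(("#", ";")):
            continue  # comments hold no live settings
        if PEM_PRIVATE.search(line):
            findings.append((lineno, "PEM private key embedded in file"))
            continue
        match = SETTING.match(line)
        if not match:
            continue
        name, value = match.groups()
        size = decoded_length(value)
        if KEY_NAME.search(name) and size in KEY_LENGTHS:
            findings.append((lineno, f"{name}: cleartext {size * 8}-bit key"))
    return findings
```

A setting that only names a key held in a separate key store (`card_key_id` in the sample) is not flagged, which is the arrangement the check is meant to steer towards.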

Comments: (1)

Keith Appleyard - available for hire - Bromley | 07 May, 2011, 18:14

Nothing to do with Sony, but about 5 years ago I went to Tokyo to do a Systems/Security Audit on a Japanese subsidiary. Because I had to join a conference call back with the USA and I wanted to avoid paying extortionate hotel phone rates, I asked what time in the morning the Security Guard unlocked the premises?

Amused, the local staff showed me that in practice the 'yale-style' key to unlock the main door was buried in the soil of the cheese plant in the (public) foyer; the first person in each day simply unlocked the premises - and this gave access to the IT department including server room - with no intruder alarm and no CCTV.

Suffice to say the whole subsidiary was closed down within 60 days of my visit.

So - don't be surprised what might eventually emerge re Sony.
