
Sony Battens Down the Hatches for PlayStation Network, Hiring CISO

Following a cyber attack that resulted in the personal information of more than 75 Million PlayStation Network and Qriocity customers falling into the hands of hackers, Sony has shared some additional details on what it has done in response to bolster security and attempt to ease the minds of customers.

After the discovery of the attack, Sony shut off access to the PlayStation Network and Qriocity services while it conducted an extensive audit of its systems with the assistance of multiple information security firms in an attempt to determine the extent and details of the breach that occurred at the company’s data-center located in San Diego, California.

Since then, the company has implemented a variety of new security measures to provide greater protection of its systems that store personal information. Some of the security measures Sony has implemented include the following:

• Added automated software monitoring and configuration management to help defend against new attacks

• Enhanced levels of data protection and encryption

• Enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns

• Implementation of additional firewalls

• Expedited a planned move of the system to a new data center in a different location that has been under construction and development for several months.

• Implemented a forced system software update that will require all registered PlayStation Network users to change their account passwords before being able to sign into the service.

• As an added layer of security, that password can only be changed on the same PS3 in which that account was activated, or through validated email confirmation, a critical step to help further protect customer data.

In addition, Sony Network Entertainment International said it is creating the position of Chief Information Security Officer, who will report directly to Shinji Hasejima, Chief Information Officer of Sony Corporation, to bring expertise and accountability for customer data protection and supplement existing information security personnel.

This recent incident, combined with other recent data breaches such as the breach at Epsilon, further emphasizes the fact that security needs to become more proactive, rather than reactive. With the PlayStation Network and Qriocity services storing the personal data of over 75 million customers, the division should have had a Chief Information Security Officer looking over the unit long before this event occurred.

Sony has also been heavily criticized over the length of time it took to identify the extent of the breach and make the appropriate adjustments. Industry experts criticized Sony’s information security practices, saying the entertainment giant should have had the capabilities to easily look through its logs to identify sessions that occurred when data exposure occurred. Because the PlayStation Network stores credit card data, it must comply with PCI standards and have log management tools in place, but the company wasn’t able to quickly make use of the collected data in a reasonable timeframe, critics say.

Industry vendors and experts say that Sony should have had the appropriate tools in place that would enable it to identify a breach almost immediately, allowing it to identify exactly what had been compromised (if anything) in a short time.

“The Sony PlayStation Network breach reminds us of the importance of log management tools and that they are far more useful than just meeting checkbox compliance for PCI and other regulation,” said Joe Gottlieb, President and CEO of SenSage, a company that provides security intelligence solutions primarily based on log management data. “When organizations are proactive and use these tools to filter security events, they can find the patterns that lead to breaches like this one,” Gottlieb added. “Using log management allows organizations to understand, triage and put a boundary around the risks.”

Aside from a pure security perspective, Gottlieb believes log data and the appropriate tools to make sense of the data are important from a disclosure and PR perspective. “In the case of any breach, the more data that is being logged, the better – it can help the breached organization put a definitive boundary around the breach which in turn limits disclosure damages and costs and allows for more proactive handling of the ensuing PR challenges,” he said.

“There is lots of survey data out there that tells companies they need to be more proactive when it comes to securing their data. The recent Verizon Data Breach Investigations Report (DBIR) says that evidence of breaches is right in front of us – in our log files. Companies can be much more self-aware based on good log filtering and analysis. They have a pretty major weapon in the arsenal but aren’t being proactive enough to use it,” Gottlieb added.

As you would assume, many of these vendors are looking to sell their security solutions and are more likely to be more vocal about what tools breach victims should have in place, but the bottom line is that a company that houses massive amounts of data containing the personal information of its customers should be better prepared to respond to such incidents. Letting users sit and wonder for almost a week is unacceptable.

Following the implementation of the increased security measures, Sony said it would shortly begin a phased restoration of PlayStation Network and Qriocity services, by region, beginning with gaming, music and video services being turned on. In addition, the company said it would be launching a customer appreciation program, offering consumers a selection of service options and premium content for registered consumers affected by the network downtime.

Sony said it is still conducting an on-going investigation and that it's working with law enforcement to track down and prosecute those responsible for the intrusion.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.