Monday, December 22, 2014

I'm more comfortable blaming the victim a little when the victim has a market cap of twenty billion

While in no way taking away from the magnitude of the criminal acts involved in the Sony hacks, it is important to remember that upper-level management gets such high salaries in part because they are supposed to anticipate threats and take steps to minimize their potential impact.

At Sony, not so much...
The new trove appears to include a collection of documents the hackers came across on the Sony Pictures network that had “password” in their titles, and includes digital keys for everything from Sony computers and servers to magazine subscriptions and YouTube accounts for Sony movies. (As much as we’d like to log into This is the End’s YouTube page, we haven’t actually tried any of these passwords to see if they work.) It is generally a bad idea to store all your passwords in a document on your computer. It is an even worse idea to title that document something like “My Passwords.”
The hackers leaked a new file that includes a collection of all the documents Sony Pictures employees used to store passwords

Sony Pictures employees and former employees are flipping out about the leak and the unexpected debut of their personal information on screens across the world. But some former employees, who asked to remain anonymous, have told us that they’re disappointed but not surprised by the massive hack given Sony Pictures’ long-running lax attitude toward security. They say that employees highlighted specific vulnerabilities on company websites and systems that were never addressed.

“Sony’s ‘information security’ team is a complete joke,” one former employee tells us. “We’d report security violations to them and our repeated reports were ignored. For example, one of our Central European website managers hired a company to run a contest, put it up on the TV network’s website and was collecting personally identifying information without encrypting it. A hack of our file server about a year ago turned out to be another employee in Europe who left himself logged into the network (and our file server) in a cafe.”
Part of that joke was an org-chart straight out of a Dilbert cartoon.
The information security team is a relatively tiny one. On a company roster in the leaked files that lists nearly 7,000 employees at Sony Pictures Entertainment, there are just 11 people assigned to a top-heavy information security team. Three information security analysts are overseen by three managers, three directors, one executive director and one senior-vice president.
Keep in mind, this is more than three years after Sony suffered "one of the largest data security breaches in history."

Just to be clear, the great majority of the upper-level executives I've encountered (no C-level, but quite a few directors and VPs) have been smart, hard-working and conscientious. I certainly don't want to make a blanket condemnation, but stupid, incompetent people do sometimes make it through, and if they get to a high enough rung, it is amazing how small the consequences are for their screw-ups. Accountability is for little people.

On a completely unrelated topic.
In 2005, Sony Pictures Entertainment was audited to ensure the company was keeping in line with federal regulation regarding information security practices. The auditor found, among other things, that Sony had deliberately engaged in insufficient digital security practices, including allowing employees to use basic proper nouns as passwords instead of requiring them to use a complex system involving random letters, numbers and punctuation marks.

If Sony were a bank, the auditor said, its lackluster security practices would put it out of business.

Sony’s then-executive director of security information Jason Spaltro pushed back: If a bank was a Hollywood film studio, he said, it would already be out of business.

“It’s a valid business decision to accept the risk (of a cyberattack),” Spaltro told CIO Magazine in 2007. “I will not invest $10 million to avoid a possible $1 million loss.”
As mentioned earlier, a few years after that interview hackers would steal  personally identifiable information from 77 million Sony PlayStation accounts. What happened to the executive of security information who gave that embarrassing interview?
By the way, Jason Spaltro — the executive from the beginning of this article who suggested the company not spend $10 million to combat a potential $1 million risk — still works at Sony. He has since been promoted to vice president of information security — one of the top executives tasked with ensuring things like the Sony Pictures hack don’t happen. He makes close to $700,000 a year: $300,000 base salary and a $400,000 initiative-based bonus. We know this because hackers published his employment information last week.

1 comment:

  1. IMO, it is time to relegate passwords to the dustbin of history. Look, I'm as bad as anybody. On those sites that force me to use "hard" passwords (and, worse, change them every few months), it is impossible for me to remember those passwords. So I used to write them down in a little notebook. But then sometimes I couldn't remember where I put the notebook. So, where are they now? You guessed it: in a file on my computer (though it's not called Passwords!) What else can I do? I need these passwords to function and they are just impossible to remember.

    Much better is two-factor authentication. Even if somebody hacks my computer and gets a password file, it's unlikely they'll also be able to physically steal my cell phone.

    Finally, for things that really need tight security, we should move to biometrics.

    Yes, all of these systems have their drawbacks and limitations. But I think it's clear that passwords are useless: the simple ones are too easy to crack, and the hard ones get subverted by users by me.