We trust companies that store our personal information in an online system more than they deserve. According to Sony's FAQ on their breach, credit card numbers were stored encrypted and they're only warning customers to assume their card numbers were released out of an "abundance of caution." That statement, together with their statement that they're rebuilding the network from scratch with security upgrades, says to me they aren't very confident in the encryption, key management, or communications security they used to move that information around. It is apparent that no one scrutinized their system before it was approved to store all this information and expose it to the open internet.
It shouldn't be possible for this to happen to all 77 million of their customers in a single breach. The idea that a firewall keeps the bad guys out has been disproved again and again. Critical information needs to be protected on the assumption that the bad guys are already inside your network. Simple, mature techniques for protecting this kind of information (HTTPS, AES encryption, etc.) have been available, implemented on many platforms, and promoted by security experts for many years. Often, turning them on requires no more than ticking a checkbox. All the security experts get to say, yet again, "I told you so."