Data Breaches in the news

Robert X. Cringely has written an excellent analysis of the recent Sony data breach, and the reason for it is the same as what caused the Home Depot, JP Morgan, and Target breaches.

Executive ego and the Sony Pictures network hack
Readers have been asking me to write about the recent network hack at Sony Pictures Entertainment. If you run a company like Sony Pictures it has to be tough to see your company secrets stolen all at once — salaries, scripts, and Social Security numbers all revealed along with a pre-release HD copy of Annie, not to mention an entire database of unhappy Sony employees who want to work anywhere Adam Sandler doesn’t. But frankly my dear I don’t give a damn about any of that so let’s cut to the heart of this problem which really comes down to executive privilege. Sony was hacked because some president or vice-president or division head or maybe an honest-to-God movie star didn’t want something stupid like network security to interfere with their Facebook/YouTube/porn/whatever workplace obsession. Security at Sony Pictures wasn’t breached, it was abandoned, and this recent hack is the perfectly logical result.

“I used to run IT for Sony Pictures Digital Entertainment,” confirmed a guy named Lionel Felix in a recent blog comment, “and (I) know that there were a number of simple vectors for this kind of attack there. They ran IT there like a big small office with lots of very high-maintenance execs who refused to follow any security protocols. I’m surprised it took this long for this to happen.”

High-maintenance execs are everywhere these days. At the same time average workers regularly go for years without a raise, we seem to live in the Age of High Maintenance Execs.

I wrote a column not long ago advising that entire corporate networks should be disconnected from the Internet for security reasons. If you want to post on Facebook or e-mail your mother, do it on your smart phone using cellular, not corporate, data minutes. Yet somehow on network after network, these simple measures aren’t taken.

Let me get excruciatingly specific: in the case of nearly all the recent high profile corporate data breaches in the USA, the primary ISP involved was AT&T. This is not an indictment of AT&T at all, just the opposite. As far as I can tell AT&T did nothing wrong. But in every case I’ve looked at, AT&T customers effectively sabotaged their own security.

AT&T is the only ISP I know of that segregates its Multi-Protocol Label Switching (MPLS) private networks from Internet access. The client has to very specifically bridge the two to get to the Internet and they do it all the time. For AT&T this is an immutable law — no private MPLS service has connectivity to the Internet. If you want Internet you order a second pipe. Yet Home Depot, JP Morgan, and Target all use the AT&T MPLS service so they specifically allowed their private networks to be bridged to the public network.

The bad guys were kept out until that happened.

More at the site - excellent analysis and I cannot believe that the IT department would allow this to happen. The pointy-haired bosses are the ones who need to change their behavior, not the IT people...


About this Entry

This page contains a single entry by DaveH published on December 11, 2014 8:47 PM.
