Risk presentation: Sony 2012, the PlayStation Network security breach
IS510
James Dellinger, Grainne Malone, Jennifer Murphy, Ran Zhang
Focus on Sony: The PlayStation Network Security Breach
Overview
Focus on Sony
What data do they collect?
High Profile Breach – What Happened and Why?
The Aftermath
Sony’s Response
Policies Introduced as a Result
What has Happened Since?
Vulnerabilities in Legislation
Sony
World’s leading digital entertainment brands, with a large portfolio of multimedia content.
Sony Computer Entertainment
The PlayStation Network (PSN)
PSN Data Collection
Name
Address
Country
E-mail address
Date of Birth
PSN password and login name
Credit Card Details
Purchase History
Answers to Users’ Security Questions
What Happened?
Security Breach in PlayStation Network
Shutdown of service
77 million users put at risk
Personal information stolen
Security Issues
Weak security system
Lack of random number in algorithm
Lack of Firewalls
Obsolete web applications
Lack of Management support
Response from Sony?
Very slow reaction time
Poor communication
Lack of transparency
Lack of direction
Measures Introduced
Software monitoring
Penetration and Vulnerability testing
Encryption
Firewalls
Security personnel
Creation of a New Position - CISO
“to oversee information security, privacy and internet safety across the company, coordinating closely with key headquarters groups and working in partnership with the information security community to bring the best ideas and approaches to Sony.” – Sony Corporation
Number of Actions Taken
Moved PSN server to a new, more secure and unnamed location
Enhanced levels of data protection and encryption
Enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns
Additional firewalls
Established a new data center in an undisclosed location with increased security
Changes of Terms of Service
September 2011 - No Suing Policy!
“ Other than those matters listed in the Exclusions from Arbitration clause, you and the Sony Entity that you have a Dispute with agree to seek resolution of the Dispute only through arbitration of that Dispute in accordance with the terms of this Section 15, and not litigate any Dispute in court. Arbitration means that the Dispute will be resolved by a neutral arbitrator instead of in a court by a judge or jury.”
- Section 15, Terms of Service, Sony Entertainment Network
Recent Scandal?
Ahhhhhh Not Again!!!
June 2011 - SQL injection attack against Sony Pictures disclosed personal information of over 1 million Sony customers
June 2011 – an attack against Sony’s Developer Network posted 54MB of Sony developer source code.
October 2011 – Brute-force attack broke into 93,000 PlayStation and Sony network accounts
January 2012 – attack against several websites operated by Sony over the corporation’s support of the US Stop Online Piracy Act (SOPA).
Issues with Legislation
Security breaches of this nature fall under data protection and privacy regulation, which the European Commission leaves to each EU member state, unlike Europe’s antitrust regulation, which is centralised.
United Kingdom - Information Commissioner’s Office (ICO)
Ireland - Data Protection Commissioner
Future Legislation
E-Privacy Directive: a swift, mandatory disclosure about a data breach
EU Justice Commissioner ‘They will modernize rules dating from 1995, and could expand to e-banking, online shopping or the personal data field’
Conclusion
What do you think? Who do you blame? What should be done?