Quote:
Originally Posted by DVTimes
The hack, which has led to the network being unavailable for over a week, has left observers wondering if a company as vast and seemingly advanced as Sony can get hit, who out there is safe?
The answer, according to experts, is no-one - and something similar will almost certainly happen again.
As a licensed security officer and investigator with 15 years of internet security experience,
I'm of the opinion that this is rather misleading. "a company as vast and seemingly advanced as Sony"
is a giant bureaucracy, driven almost entirely by marketing, with most decisions being made
by people who know nothing at all about security. Giant bureaucracies like that, in my experience,
hire a computer science degree without regard to the cluelessness of the person holding it.
We've conducted several short interviews with people who, once we saw they weren't
nearly competent enough to work for us, soon got a job with a big-name bureaucracy.
So if they get hit, who is safe? Any company who cares enough to actually pay attention
to security and work with a knowledgeable security professional is pretty safe. The vast
majority of hacks happen because of a very few rookie mistakes in configuration and code.
A couple of hours developing security policies and then FOLLOWING those policies will
make you safer than 95% of sites, and the bad guys normally go after the easier targets.
Quote:
"The reason is that there's always a trade-off in security between usability - being able to get at what you want to get at, and making it secure."
There IS a trade-off, and you can CHOOSE to either make your script "work" by chmodding
everything 777, or you can choose to set permissions correctly, which means taking a few
minutes to pay attention to what you're doing (or choosing to hire people who pay attention
to doing things right). You CAN choose to be safer than Sony. They obviously made some
rookie mistakes. If you choose to be lazy, that will be easier for now, but eventually, maybe
this year or maybe next year, you will have a major problem. You will reap what you sow, eventually.
For example, systems we've designed, like Sony's, have a publicly accessible interface, and a billing
system which has credit card information. The difference is, our public systems, like our
web site and the admin or game interfaces, are not connected to, and have no access to, the credit card
systems. No matter what hackers did through our public systems, we would have no worries
about credit card data, because there's no path from the public system to the billing system; they
are separate networks. There is no reason for data to flow in that direction. Sony DECIDED
to be lazy and set it up that way, and now they are paying the price.
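The "chmod 777 everything" mistake the post describes is easy to audit for and easy to fix. The following is an added example (not code from the post's author): it builds a constructed web root with the 777 shortcut applied, lists everything any local user could write to, applies a conservative layout (directories 0755, files 0644, with only the named upload directory left group-writable at 0770), and audits again. Paths, file names and contents are made up for the demonstration; setting the group of the writable directory to the web server's account is left to the operator.

```python
import os
import stat
import tempfile

# Bit that makes a file or directory writable by every account on the host.
WORLD_WRITABLE = stat.S_IWOTH


def find_world_writable(root):
    """Return the sorted paths under root that any local user can modify.

    Symlinks are skipped: the kernel ignores their own mode bits, and the
    target is audited when the walk reaches it.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & WORLD_WRITABLE:
                hits.append(path)
    return sorted(hits)


def tighten(root, writable_dirs=()):
    """Apply a conservative layout: directories 0755, files 0644.

    Directories the application genuinely must write to (uploads, cache) get
    0770 instead, so only the owner and group can write. Putting the web
    server's account into that group (chgrp) is the operator's job and is not
    done here; the point is that nothing is left world-writable.
    """
    writable = {os.path.abspath(d) for d in writable_dirs}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            os.chmod(path, 0o770 if os.path.abspath(path) in writable else 0o755)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            os.chmod(path, 0o644)


def demo():
    """Build a constructed web root with the 777 mistake, audit, fix, re-audit.

    Returns (offenders_before, offenders_after) as paths relative to the
    temporary root.
    """
    root = tempfile.mkdtemp(prefix="webroot-")
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    index = os.path.join(root, "index.php")
    config = os.path.join(root, "config.php")
    with open(index, "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    with open(config, "w") as fh:
        fh.write("<?php $db_password = 'constructed-example'; ?>\n")
    # The shortcut that "makes the script work": everything 777.
    for path in (uploads, index, config):
        os.chmod(path, 0o777)

    before = [os.path.relpath(p, root) for p in find_world_writable(root)]
    tighten(root, writable_dirs=[uploads])
    after = [os.path.relpath(p, root) for p in find_world_writable(root)]
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("world-writable before:", before)
    print("world-writable after: ", after)
```

Run it on a real document root (replace the temporary tree in `demo()` with your path) and anything that shows up in the first list is something every account on the box, including whatever a compromised script runs as, can overwrite.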
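The separation the post argues for ("no path from the public system to the billing system") is a property you can check rather than assume. Below is an added example, not the post's or any vendor's code: two constructed firewall policies, a flat one where the public web tier shares a LAN with the billing database and a segmented one where billing only initiates outbound connections, and a small reachability check that enumerates every zone-by-zone path a compromised public system could take to the protected zone. Zone names and services are invented for the illustration.

```python
from collections import deque

# A firewall policy as directed edges: (source_zone, destination_zone, service)
# that may be *initiated* in that direction. Both rulesets are constructed
# illustrations, not anyone's real network.
FLAT_NETWORK = [
    ("internet", "web", "tcp/443"),
    ("web", "game", "tcp/8080"),
    ("web", "db", "tcp/3306"),
    ("db", "billing", "tcp/5432"),      # shared internal LAN: the mistake
    ("billing", "gateway", "tcp/443"),
]

SEGMENTED_NETWORK = [
    ("internet", "web", "tcp/443"),
    ("web", "game", "tcp/8080"),
    ("web", "db", "tcp/3306"),
    ("billing", "gateway", "tcp/443"),  # billing talks out; nothing talks in
]


def paths(rules, src, dst):
    """Enumerate every zone-by-zone path the rules permit from src to dst.

    Breadth-first over the zone graph, never revisiting a zone on a path, so
    it terminates even when the policy contains cycles. An empty result means
    a compromise of src has no route to dst through this policy.
    """
    adjacency = {}
    for s, d, _service in rules:
        adjacency.setdefault(s, set()).add(d)
    found = []
    queue = deque([[src]])
    while queue:
        path = queue.popleft()
        for nxt in sorted(adjacency.get(path[-1], ())):
            if nxt in path:
                continue
            if nxt == dst:
                found.append(path + [nxt])
            else:
                queue.append(path + [nxt])
    return found


def isolation_violations(rules, public_zones, protected_zone):
    """Return {public_zone: [paths]} for every public zone that can reach the
    protected zone. An empty dict is the property the post describes: nothing
    reachable from the outside has a route into the billing network."""
    violations = {}
    for zone in public_zones:
        hits = paths(rules, zone, protected_zone)
        if hits:
            violations[zone] = hits
    return violations


if __name__ == "__main__":
    public = ["internet", "web", "game"]
    for name, policy in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED_NETWORK)):
        print(name, isolation_violations(policy, public, "billing"))
```

Feed it the rules exported from your own firewall and treat any non-empty result as a finding: each listed path is a hop sequence an attacker who owns the public system can try to walk. The direction of the edges matters; billing reaching out to a payment gateway creates no inbound path, which is exactly the asymmetry the post relies on.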