Can a chief information security officer (CISO) help prevent the kind of massive data breach that occurred in the Sony PlayStation network breach last month in which attackers grabbed personal information on an estimated 77 million customers of the PlayStation and Qriocity online games?
The Sony division now cleaning up the huge mess from the data breach incident certainly hopes so, as Sony Network Entertainment International (SNEI) over the weekend announced it is "creating the position of Chief Information Security Officer, directly reporting to Shinji Hasejima, Chief Information Officer of parent company Sony Corp." The hope behind the future CISO appointment is to bring "expertise in and accountability for customer data protection and supplement existing security personnel."
Can one person with the title of CISO -- a role that usually means voicing criticism from a security angle on how information technology staff want to deploy products and services, often stepping on toes -- really make any difference? Some evidence suggests it can. And when a data breach does occur, the costs of response and remediation are often considerably less when a CISO is on board.
Patricia Titus, CISO at Unisys since 2002, said she'd advise the future CISO to "start at the architectural review and incident response level" to discern how the breach was possible and what was the response. On the governance level, it will likely mean a change in the management process to make sure people and technology are both in place to detect attacks and respond, she said.
It's known that last month an attacker stole the personal information of some 77 million customers of PlayStation Network and Qriocity. Over the past weekend, Kaz Hirai, head of Sony's gaming division, held a news conference in which he described how Sony took the two services offline on April 20 after an intrusion was detected on network servers housed in an AT&T data center in San Diego.
Sony indicated it's working with the U.S. Federal Bureau of Investigation and is still investigating the scope of the attack, which involved stealing customer account information involving names, passwords, birthdates, email addresses and other personal information.
The commencement of the attack may have come somehow disguised as a purchase. While 10 million accounts have credit-card numbers associated with them, which Sony says were stored in an encrypted database, it remains unclear whether credit cards can be considered untouched by the attacker or not.
Sony's CIO Shinji Hasejima last weekend called the cyber-assault on PlayStation Network a "sophisticated" one. Sony has so far described the attack as exploiting a known vulnerability in an application server to plant software used to access a database server that sat behind a firewall.
The company, which claims it has "implemented a variety of new security measures to provide greater protection of personal information," says both divisions, Sony Computer Entertainment (SCE) and SNEI, will work together to soon restore online game services.
While Sony did not provide much detail on its new security measures, they are said to include "automated software monitoring and configuration management to help defend against new attacks" and "enhanced levels of data protection and encryption," as well as "enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns," plus more firewalls.
Sony's divisions also say the online gaming systems are being moved to a "new data center in a different location that has been under construction and development for several months."
Customers may see changes because "in addition, PS3 [PlayStation 3] will have a forced system software update that will require all registered PlayStation Network users to change their account passwords before being able to sign into the service. As an added layer of security, that password can only be changed on the same PS3 in which that account was activated, or through validated email confirmation, a critical step to help further protect customer data," Sony's divisions said in their statement over the weekend.
The "welcome back" program SNEI is putting together once services are up and going again in various regions is expected to include 30-day free membership in the PlayStation Plus premium service for all existing PlayStation network customers, among other things. According to the Sony statement, "SNEI will continue to reinforce and verify security for transactions before resuming the PlayStation Store and other Qriocity operations, scheduled for this month."