Can a new CISO improve Sony PlayStation Network security?

Can a chief information security officer (CISO) help prevent the kind of massive data breach that hit the Sony PlayStation Network last month, in which attackers grabbed personal information on an estimated 77 million customers of the PlayStation and Qriocity online games?

The Sony division now cleaning up the huge mess from the data breach incident certainly hopes so, as Sony Network Entertainment International (SNEI) over the weekend announced it is "creating the position of Chief Information Security Officer, directly reporting to Shinji Hasejima, Chief Information Officer of parent company Sony Corp." The hope behind the future CISO appointment is to bring "expertise in and accountability for customer data protection and supplement existing security personnel."


Can one person with the title of CISO -- a role that usually means voicing criticism from a security angle on how information technology staff want to deploy products and services, often stepping on toes -- really make any difference? Some evidence suggests it can. And when a data breach does occur, the costs of response and remediation are often considerably less when a CISO is on board.

Patricia Titus, CISO at Unisys since 2002, said she'd advise the future CISO to "start at the architectural review and incident response level" to discern how the breach was possible and what the response was. On the governance level, it will likely mean a change in the management process to make sure people and technology are both in place to detect attacks and respond, she said.

It's known that last month an attacker stole the personal information of some 77 million customers of PlayStation Network and Qriocity. Over the past weekend, Kaz Hirai, head of Sony's gaming division, held a news conference in which he described how Sony took the two services offline on April 20 after an intrusion was detected on network servers housed in an AT&T data center in San Diego.

Sony indicated it's working with the U.S. Federal Bureau of Investigation and is still investigating the scope of the attack, in which customer account information including names, passwords, birthdates, email addresses and other personal information was stolen.

The attack may have begun somehow disguised as a purchase. While 10 million accounts have credit-card numbers associated with them, which Sony says were stored in an encrypted database, it remains unclear whether the credit-card data can be considered untouched by the attacker.

Sony's CIO Shinji Hasejima last weekend called the cyber-assault on PlayStation Network a "sophisticated" one. Sony has so far described the attack as exploiting a known vulnerability in an application server to plant software used to access a database server that sat behind a firewall.

The company, which claims it has "implemented a variety of new security measures to provide greater protection of personal information," says both divisions, Sony Computer Entertainment (SCE) and SNEI, will work together to soon restore online game services.

While Sony did not provide much detail on its new security measures, they are said to include "automated software monitoring and configuration management to help defend against new attacks" and "enhanced levels of data protection and encryption," as well as "enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns," plus more firewalls.

Sony's divisions also say the online gaming systems are being moved to a "new data center in a different location that has been under construction and development for several months."

Customers may see changes because "in addition, PS3 [PlayStation 3] will have a forced system software update that will require all registered PlayStation Network users to change their account passwords before being able to sign into the service. As an added layer of security, that password can only be changed on the same PS3 in which that account was activated, or through validated email confirmation, a critical step to help further protect customer data," Sony's divisions said in their statement over the weekend.

The "welcome back" program SNEI is putting together for when services are up and running again in various regions is expected to include 30-day free membership in the PlayStation Plus premium service for all existing PlayStation Network customers, among other things. According to the Sony statement, "SNEI will continue to reinforce and verify security for transactions before resuming the PlayStation Store and other Qriocity operations, scheduled for this month."


Ellen Messmer

Network World
