Observations on the Sony PSN Breach

I read an article at SC Magazine yesterday discussing the Sony PSN breach. I think it is safe to say that the breach itself is old news. However, the class action suit against Sony is new. (That last link opens a 30-page PDF.)

I've skimmed through the class action filing and it is an interesting read as far as legal documents go. Here are the items that caught my attention.

Shiny Objects in the Sony Class Action Filing

Remember, these are interesting in terms of legal documents and not necessarily in absolute terms.

  • Sony failed to implement some fundamental security controls such as firewalls, "IP address limitations", and software updates
  • Sony experienced a number of smaller breaches immediately preceding the Lulzsec breach
  • Sony terminated a number of personnel just prior to the breach including personnel responsible for network security
  • Lulzsec used a basic SQL Injection attack to harvest the data
  • The case references the PCI DSS as an accepted industry best practice

The plaintiffs attribute these allegations to "numerous confidential witnesses cooperating in the investigation of this action and based upon their firsthand knowledge". If these confidential witnesses were subject to the reduction in force mentioned in the filing, it would be reasonable to question their motives. But, for the sake of argument, let's say that these allegations represent the truth of the matter. I'm curious to see how the plaintiffs define "IP address limitations" and what constitutes the smaller breaches.
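
The fourth allegation above, a "basic SQL injection attack" used to harvest customer records, is worth seeing in code. The following is an added example, not code from the original post and not anything from the filing or from Sony's systems: a constructed in-memory SQLite table with a made-up schema, a lookup that splices user input into the query text, and the parameterized form that closes the hole. The two payloads are generic textbook strings, not the ones used against PSN.

```python
import sqlite3

# Constructed sample data standing in for a customer table. The schema and
# rows are invented for this example; they are not Sony's.
SAMPLE_USERS = [
    ("alice", "s3cret", "alice@example.com"),
    ("bob", "hunter2", "bob@example.com"),
    ("carol", "pa55w0rd", "carol@example.com"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: untrusted input becomes part of the SQL text,
    so a quote in the input changes the structure of the statement."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened: the value travels separately from the query text, so the
    database engine never parses the input as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two generic injection payloads (textbook strings, not taken from the breach).
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "' UNION SELECT username, password FROM users --"


def demo():
    """Run both lookups against both payloads and return the row sets."""
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "alice"),
        # WHERE username = '' OR '1'='1'  -> every row comes back
        "vuln_tautology": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        # UNION bolts a second SELECT onto the query: the password column is
        # returned in place of the email column, i.e. the data is "harvested"
        "vuln_union": sorted(lookup_vulnerable(conn, UNION_PAYLOAD)),
        # The same strings bound as parameters match no username at all
        "param_tautology": lookup_parameterized(conn, TAUTOLOGY_PAYLOAD),
        "param_union": lookup_parameterized(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The point of the union payload is that the attacker does not need a login that works; the column the application happens to display becomes an exfiltration channel for whatever column the attacker names. Parameterized queries (or an ORM that uses them underneath) are the control the filing's "fundamental security controls" language would cover, and they cost nothing at runtime.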

Good News for Risk Professionals

Sony's predicament provides us as information security and risk professionals with some great tools. On the risk side of things, this lawsuit can give us hard data for estimating the loss magnitude associated with cutting corners when securing customer data. Now we can look our business partners in the eye and say the loss magnitude is somewhere between zero and whatever this lawsuit wrings out of Sony, which I dare to guess will be tens if not hundreds of millions of dollars. The most likely value of the loss magnitude, and the probability of incurring it, will vary widely from one organization to the next. Putting a dollar value on a decision helps the business folks compare security matters with the other business risk decisions they make each day.

Subtle, Yet Significant

The other notable feature in this filing is that it mentions the PCI DSS specifically as an accepted best practice. To my knowledge, PCI DSS has been mentioned consistently as a reasonable standard outside the court room, but this is the first time I've heard it called out in a lawsuit. Please let me know if it has been mentioned elsewhere as a legal standard of reasonableness. If this is the first time and it holds up, PCI compliance could become a challenge for everyone, not just the merchants and processors that handle cardholder data.

Hey you! Yeah, You With the Keyboard!

Agree with me? Think I'm smoking crack? Let me know in the comments. This is a place for me to think out loud and get feedback. I've got thick skin and have no problems conceding a point when I'm wrong. And, I totally dig it when I'm right too. Who doesn't? Challenge me, but keep it civil.