Vanilla Ice and Jazz - Your wonderful Techno Ferrets!
Sony Pictures did a bad thing yesterday and over the past few weeks. They allowed some black hat (unethical) hackers to get into their network and download massive amounts of data.
Here is what Sony Pictures did wrong, in our view:
1. They allowed a senior administrator "God" privileges on their network. "God" privileges allow someone to use their administrator account to log into any server on the network. That this account could log into both the email servers and the data servers is only the start of the cataclysmic failure of Sony Pictures. The hackers got hold of this account and basically had the "keys to the kingdom," meaning they had access to everything. In this day and age, real administrator security should have put the email servers and the data servers on two different accounts. Accounts are easy to set up and are a good way to keep this sort of hack from going on.
2. Sony Pictures appears not to have had any real Information Security people watching the log-ins of various accounts. Had there been, they would have known that the account had been compromised a long time ago. With the amount of data stolen, this hack had been going on for a while. That no one in their security department caught this only shows that there is a lack of control within the company.
3. The biggest failure is Sony Pictures rolling over. Movie theaters could choose to show the movie or not, but Sony Pictures has agreements that require movies to be shown. This was a cop-out, with Sony Pictures blaming the movie theaters. Sony Pictures needed scapegoats, and the movie theater owners are that. I hope the theater owners will step up to the plate and say that it was not them that forced the cancellation of the movie.
4. Sony Pictures has now set up the following: Any company doing something that a foreign entity does not like will get hacked. After the hack, that company will be forced to kowtow to the demands of the foreign entity. Why, you ask? Because the companies do not use reality and smarts when developing a proper IT Security Policy (this is where one decides what is spent, how much is spent and on what).
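Points 1 and 2 above, as an added example that is not part of the original post: a Python check over constructed log-in records that flags a tier-scoped administrator account used outside its own servers, and an unrestricted account that logs in to both email and data servers. The account names, host names, log format and policy tables are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: "timestamp account host result" (not real incident data).
SAMPLE_LOG = """\
2024-01-10T02:11:09Z adm-mail mail01 success
2024-01-10T02:14:40Z adm-data db01 success
2024-01-11T03:02:17Z adm-global mail01 success
2024-01-11T03:05:51Z adm-global db01 success
2024-01-12T01:47:02Z adm-mail db01 failure
2024-01-13T04:30:12Z adm-mail files02 success
garbled line
"""

# Assumed inventory: which tier each host belongs to.
HOST_TIER = {"mail01": "email", "db01": "data", "files02": "data"}
# Assumed policy: each scoped admin account may only touch its own tier.
ALLOWED_TIERS = {"adm-mail": {"email"}, "adm-data": {"data"}}


def parse(log):
    """Yield (timestamp, account, host, result); skip malformed lines."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) == 4:
            yield tuple(fields)


def review_logins(log, host_tier=HOST_TIER, allowed=ALLOWED_TIERS):
    """Return findings as (timestamp, account, detail, rule) tuples."""
    findings = []
    tiers_used = defaultdict(set)  # account -> tiers with a successful login
    for ts, account, host, result in parse(log):
        tier = host_tier.get(host, "unknown")
        permitted = allowed.get(account)
        # Scoped account touching another tier; denied attempts count too.
        if permitted is not None and tier not in permitted:
            findings.append((ts, account, host, "outside-tier:" + result))
        if result == "success":
            tiers_used[account].add(tier)
    # Accounts with no tier restriction that logged in to several tiers.
    for account, tiers in sorted(tiers_used.items()):
        if account not in allowed and len(tiers) > 1:
            findings.append((None, account, ",".join(sorted(tiers)), "multi-tier"))
    return findings


if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LOG):
        print(finding)
```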
Over the next few weeks, we will be posting suggestions of what companies should be doing. We hope that you will take our link and push it out to your human friends and human co-workers so that the word will really get out. This whole blog is designed to educate the masses so that the masses can demand that the companies that they do business with will implement changes in their IT policies.