Readers have been asking me to write about the recent network hack at Sony Pictures Entertainment. If you run a company like Sony Pictures it has to be tough to see your company secrets stolen all at once — salaries, scripts, and Social Security numbers all revealed along with a pre-release HD copy of Annie, not to mention an entire database of unhappy Sony employees who want to work anywhere Adam Sandler doesn’t. But frankly my dear I don’t give a damn about any of that so let’s cut to the heart of this problem which really comes down to executive privilege. Sony was hacked because some president or vice-president or division head or maybe an honest-to-God movie star didn’t want something stupid like network security to interfere with their Facebook/YouTube/porn/whatever workplace obsession. Security at Sony Pictures wasn’t breached, it was abandoned, and this recent hack is the perfectly logical result.
“I used to run IT for Sony Pictures Digital Entertainment,” confirmed a guy named Lionel Felix in a recent blog comment, “and (I) know that there were a number of simple vectors for this kind of attack there. They ran IT there like a big small office with lots of very high-maintenance execs who refused to follow any security protocols. I’m surprised it took this long for this to happen.”
High-maintenance execs are everywhere these days. While average workers regularly go for years without a raise, we seem to live in the Age of High-Maintenance Execs.
I wrote a column not long ago advising that entire corporate networks should be disconnected from the Internet for security reasons. If you want to post on Facebook or e-mail your mother, do it on your smart phone using cellular, not corporate, data minutes. Yet somehow on network after network, these simple measures aren’t taken.
Let me get excruciatingly specific: in the case of nearly all the recent high profile corporate data breaches in the USA, the primary ISP involved was AT&T. This is not an indictment of AT&T at all, just the opposite. As far as I can tell AT&T did nothing wrong. But in every case I’ve looked at, AT&T customers effectively sabotaged their own security.
AT&T is the only ISP I know of that segregates its Multi-Protocol Label Switching (MPLS) private networks from Internet access. The client has to very specifically bridge the two to get to the Internet and they do it all the time. For AT&T this is an immutable law — no private MPLS service has connectivity to the Internet. If you want Internet you order a second pipe. Yet Home Depot, JP Morgan, and Target all use the AT&T MPLS service so they specifically allowed their private networks to be bridged to the public network.
The bad guys were kept out until that happened.
This behavior goes against every classic IT rule of thumb except one. IT rule #1 is “Hell no, we can’t do that.” There’s a long tradition of saying No in IT, yet here it didn’t happen. Rule #2 is “We’ll need a lot more money and bandwidth to do that.” Given AT&T’s position on the matter it should have been easy to score the required second pipe for Internet traffic, yet somehow it didn’t happen. Only Rule #3 — “Thank you sir, may I have another” — seems to have held, and therein lies the basic problem: IT can no longer stand up to executive management’s need for Twitter.
From where I sit it looks like the 500 million U.S. financial records lost to hackers over the past 12 months come down mainly to executive ego. All these companies opened a door to the Internet so employees could do banking, listen to Internet radio, check their Gmail, and all allowed their businesses to be robbed in the process.
So get a 4G phone and leave the corporate network alone. If you must offer Internet, BYOD over a guest network connected locally via DSL.
You can build an IP-to-IP network over low-cost Internet links. The difference is that you remove the default route to the Internet and remove NAT for Internet access. Simply allow static routes that connect only to the other offices’ subnets. Even if bad guys attack the network’s public IP address the router cannot reply, because no route back to them is in the route table. Without NAT, no user in the RFC 1918 subnets can reach anything on the Internet anyway. All traffic is routed over the encrypted VPN tunnels. Internet is at the hub points — it is there that you decide whether to open your network to the world. I vote no.
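To make the routing argument concrete, here is an added example (not from the column or any vendor’s code) that models a branch router’s forwarding decision: a route table with only the other offices’ RFC 1918 prefixes behind VPN tunnel interfaces, beside the usual table that also carries a default route, with and without NAT. The subnet prefixes, tunnel names and addresses are constructed; the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 stand in for public addresses.

```python
from __future__ import annotations

import ipaddress

# Constructed example: three office subnets (RFC 1918) reached over encrypted VPN
# tunnel interfaces. Names and prefixes are assumptions, not from the column.
OFFICE_ROUTES = {
    "10.10.0.0/16": "tun-hq",
    "10.20.0.0/16": "tun-office-east",
    "10.30.0.0/16": "tun-office-west",
}
INTERNET_IFACE = "eth0-internet"   # the interface a default route would point at


class RouteTable:
    """Minimal longest-prefix-match route table, enough to model the decision."""

    def __init__(self, routes: dict[str, str]):
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes.items()]

    def lookup(self, dst: str) -> str | None:
        """Return the egress interface for dst, or None when no route matches."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


def hardened_table() -> RouteTable:
    """The design in the column: office routes only, no default route."""
    return RouteTable(OFFICE_ROUTES)


def weak_table() -> RouteTable:
    """The usual design: the same office routes plus a default route to the Internet."""
    return RouteTable({**OFFICE_ROUTES, "0.0.0.0/0": INTERNET_IFACE})


def forward(table: RouteTable, nat_enabled: bool, src: str, dst: str) -> str:
    """Decide what the router does with a packet from src to dst.

    Three outcomes are modelled: no matching route (the packet, including a reply
    to an Internet attacker, is dropped); an Internet-bound packet from a private
    source with NAT turned off (it could never get an answer, so it is useless);
    and ordinary forwarding out the matched interface.
    """
    iface = table.lookup(dst)
    if iface is None:
        return "drop: no route"
    if iface == INTERNET_IFACE and ipaddress.ip_address(src).is_private and not nat_enabled:
        return "drop: private source without NAT"
    return f"forward via {iface}"


if __name__ == "__main__":
    attacker, desk, remote_desk = "198.51.100.7", "10.10.1.5", "10.20.7.9"
    for name, table, nat in (("hardened", hardened_table(), False),
                             ("weak", weak_table(), True)):
        print(name)
        print("  reply to attacker :", forward(table, nat, desk, attacker))
        print("  desk -> Internet  :", forward(table, nat, desk, "203.0.113.5"))
        print("  desk -> remote    :", forward(table, nat, desk, remote_desk))
```

Running it shows the hardened table dropping both the reply to the attacker and the desk’s Internet-bound packet for lack of a route, while still forwarding office-to-office traffic into the tunnel; the weak table forwards everything to the Internet as soon as NAT is on.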
Yet these companies didn’t take the relatively simple steps needed to secure their data. Your company probably hasn’t, either.
Now folks at Google and Yahoo and other outfits that actually require the Internet to do business might see this somewhat differently. For that matter, I like paying my electric bill online and I’m sure the power company doesn’t mind getting money that way. So it’s not entirely simple. But what we’ve done is assume VPNs or https can handle everything when that’s just not true.
We need better rules about how to segregate traffic and design safer networks. And even faced with executive tantrums, IT has to be (re)empowered to just say no.
Well said, but will anyone listen?
Lots of jobs _require_ access to the Internet. Researching software issues on StackOverflow is so slow over a phone…
I was thinking the same thing. Perhaps employees should be given a second machine that has internet access, running through a separate router?
Sadly enough, Bob, those words are to be blown in the wind.
It’s not just the IT to deny, it’s the culture.
The company PC is … company’s, not your own.
Can you plug your smartphone into the company PC?
Well done! You can be on the Internet and bypass the whole security bloat!
Let’s bring those VT100 back on the desktops.
This was security 101 back in ’95 when I started in this business. How sad it is that this is still a topic worth discussing almost 20 years later.
I’m guessing that in many situations checking Facebook, etc. on a company computer while waiting for a process or document may be more acceptable than doing it on your own phone, the former could wear a work rules fig leaf, the latter would look like play. Encouraging non-company whatever staying on the employee’s cellular would be less expensive than getting hacked…
It’s really a reflection of how integrated the internet has become in our daily lives. Yes, part of it is executive privilege but a large part of it will also be that anybody who sits in front of a computer today expects to be able to browse the internet. Indeed, for many not having that access would impair their ability to do their job.
I suspect that a new container type technology is required. One where the corporate computer is within a secure environment but has an application which is a secure container which is then allowed to connect to the outside world. There would be very limited ability for communication between host and container.
Then when you start to wonder about applications being able to run within a standard container, the possibilities of changing the host OS multiplies.
At the end of the year when it becomes a choice between a bonus for the upper management, or investing in IT security, guess which side the money will come down on?
At Sony it appears that the decision was that bonuses could be increased if they laid off some more of those IT folks. And what will be the result of this? I’d guess that the upper management will fire the people responsible for IT.
To be perfectly honest, the FUD style tactics are pretty much standard everywhere these days. There are very few companies, governments, or organizations that are completely transparent and will acknowledge problems right from the beginning.
Thank you for this post, Bob.
It gets even better when executives and other high-maintenance types require that corporate crown jewel data (email, calendars, general data sharing) be moved to public cloud services. There’s not even a pretence of security left, just faith in the cloud service provider, and everything in between.
Data traffic segregation is the future. Plenty of solutions out there.
http://assets.unisys.com/Documents/Global/Brochures/BR_140102_UnisysStealthforAmazonWebServices.pdf
Good lord do any of you actually work in an office anymore? Your IT policy from 1995 might have made sense back then but disconnecting from the internet is simply not possible today. I’m a developer and need to look up APIs, ask questions on Stack Overflow, and generally keep up with market trends. Actuaries need to research risk groups. Customer service call center reps need to visit their merchants’ websites.
And have you heard of these newfangled “cloud services” like GitHub or Trello or Dropbox or Salesforce? They are indispensable in many of today’s workplaces. It has nothing to do with “executive privilege”.
Yes there need to be rigid controls in place and many companies aren’t doing it right but “just disconnect from the internet duh” isn’t even close to the correct response here.
True! My shelf-load of VMS manuals were tossed in a dumpster years ago. If I have a coding question I Google it which usually takes me to Stack Overflow or some useless MS page. A developer can’t work these days without direct internet access. My tools all need regular updates from the internet and I could not get along without various editors and other goodies from the web. I would guess many other occupations require internet access to get work done as well.
I think you’re totally correct for small and perhaps some medium-sized firms — disconnecting from the cloud would devastate business, but larger firms can effectively duplicate sites internally for GitHub, Jira, BaseCamp, Gerrit, Bugzilla, etc. and likely have their own Jenkins build system — all of which can be only accessible on a local VPN. That’s where you want to place your crown jewels, whatever the output of your business is.
Yes you will need to connect to StackOverflow to find a legitimate technical answer and look up APIs from Google or Apple, but your crown jewels should only be accessible from WITHIN your organization and no IP spoofing allowed please. I know Intel and other large firms work this way. A pity for Sony they didn’t.
Totally agree–the Internet is not for paying your phone bill or watching youtube. The Internet IS the network for more and more companies today (think IaaS and SaaS). You don’t duplicate that with your own datacenter. The real answer is that companies need to update security structures to work with the reality of today, which includes people accessing corp assets from smartphones and tablets as well as continuous connectivity to the internet from desktops and laptops. Policies won’t do it because people will ignore, forget, or work around policies. You need something better. To hear Bob Cringely preach “disconnect from the evil Internet!” is bizarre at best.
That is what I preached as well. Company data was kept on one computer connected to via router by other computers, all of which had no internet access. When a remote login was required, the procedure was to copy the relevant files to a flash drive, place it on a computer that had internet access, MANUALLY connect the ethernet line to said computer, and then do the PCAnywhere connection, then reverse the process.
Did you dig this article up from 1990 Bob?
There’s this little thing called the cloud now and it means that almost all businesses are ‘like Google’ and need to have access to the Internet from all devices to operate.
I think you’re seriously out of touch with this one.
But Bob! How am I going to read I Cringely at work if I can’t get to the internet?
It’s the same in local government. Political appointees want their tablets to have access to the internet so it’s WiFi and internet access generally available.
At the same time it can take a week to have viruses removed from a PC because of budget cutbacks in IT. The PC got the virus because older versions of Internet Explorer are required for access to legacy applications. The PC is still used with the viruses resident as long as work can be done on it.
It doesn’t make the news because there are no credit cards involved. Only the rest of your life story.
After a career in IT, from programmer to CIO, I finally gave up because I could not find a way to combine the engineering imperative (make IT work and say “no” to business bosses most of the time) with the innovative imperative (move fast and break things, be the business bosses’ partner). We used to joke that we should have T-shirts emblazoned “here to take the blame”.
Maybe other functions feel the same. Finance and marketing can claim they suffer from similar mutually incompatible demands. But they don’t guard the crown jewels.
Information protection appeared to be one area where IT might get some respect. Surely business execs would see the potential for damage to corporate reputations from poor security and poor practices? And surely they’d see that they would have to defer to the specialists in this area. Unfortunately, not. The prevailing attitude is “I’m the boss. I’m a smart guy. I only deal with important stuff. I don’t understand what you’re talking about so it must be unimportant.”
And after all, how many CEOs have been fired because they allowed a lax security culture to thrive?
I hope attitudes change but I wouldn’t encourage anyone to aim for a career in corporate IT today.
Sony BMG copy protection rootkit scandal
“The Sony BMG CD copy protection rootkit scandal of 2005–2007 concerns deceptive, illegal, and potentially harmful copy protection measures implemented by Sony BMG on about 22 million CDs. When inserted into a computer, the CDs installed one of two pieces of software which provided a form of digital rights management (DRM) by modifying the operating system to interfere with CD copying. Both programs could not be easily uninstalled, and they created vulnerabilities that were exploited by unrelated malware. Sony claims this was unintentional. One of the programs installed even if the user refused its EULA, and it “phoned home” with reports on the user’s private listening habits; the other was not mentioned in the EULA at all, contained code from several pieces of open-source software in an apparent infringement of copyright, and configured the operating system to hide the software’s existence, leading to both programs being classified as rootkits.
Sony BMG initially denied that the rootkits were harmful. It then released, for one of the programs, an “uninstaller” that only un-hid the program, installed additional software which could not be easily removed, collected an email address from the user, and introduced further security vulnerabilities.”
I’m not suggesting that you give up Internet access, it’s HOW you get Internet access at work that counts. And I even included a paragraph about how it can be safely done. Did those who would exile me to the 1990s bother to read that part?
Bob, do you mean the part where you said to use separate devices on a separate network? That’s still 1990’s thinking. Maybe even 1980’s. Like having one non-networked computer with a modem to dial AOL to check and print your e-mail.
If you meant the part where the internal network can reach the internet but is NAT’d and firewalled, well, that’s what everyone is doing and I’d be really surprised if Sony wasn’t doing that. It does not provide protection from a determined attacker. All they need to do is get in to one thing that can phone home to them.
Yes, the corporate network is not secure if it can reach the internet. But it has to, and there is no one-paragraph solution to eliminating the risk.
There has been some indication that there was inside help for the Sony job. At that point, I’m not sure what an IT department can do without implementing draconian-like measures that you’d only see at CIA headquarters.
It pretty much comes down to companies living by Wheaton’s Law, doesn’t it? Don’t throw your weight around like an emperor, and perhaps the guards won’t feel so inspired to hold the gate for the hordes.
Not sure why you went off on the tangent of talking about MPLS networks and trying to impress with RFC numbers and terms like NAT. Sure those are some of the technologies in use, but you are correct the real fault lies with the executives of the companies breached and what business decisions they make. IT is often viewed as a place to cut costs not as a strategic business tool. Look at executives who were in charge and their background. At Target the CIO was a person who came up through marketing and customer relations – not someone who has even the smallest background in IT technology. Home Depot hired an IT security person who tried to destroy his previous employer’s network. Many of the companies that have been breached have outsourced key IT functions to the lowest bidder. Neiman Marcus outsourced IT to a foreign company, WiPro.
Key IT security controls like network segmentation are not that difficult to implement and maintain – if the execs are willing to invest just a relatively small amount of money upfront, instead of paying massive amounts after a breach. Someone also needs to call out the security firms who contract their services to companies like Target. If you look at the evidence from a number of the key breaches where credit card info was stolen it is quite obvious that these companies were NOT in compliance with Payment Card Industry Data Security Standards. Who was Target’s PCI QSA that gave them a passing Report on Compliance? What about Neiman’s or Home Depot?
Not only are the executives for these companies that have been breached making poor decisions, there is a large “good old boy” network which includes some MAJOR consulting firms. I have seen executives ignore sound advice from their own employees, but completely trust bogus advice from companies like Accenture, Verizon, Trustwave, and others. Like the good old days when “you never get fired for choosing IBM” (or later Microsoft). The bottom line and CYA is what it comes down to.
Better to make their quarterly numbers than to stick their necks out and spend money on security – and their buddies from business school who are consultants will back them up (for a nice fee). Someone needs to go back in a year from now and see where all the key execs at companies like Target and Home Depot are working – if they aren’t still working for the same employer they probably have gone into consulting. I have seen incompetent IT security employees that were fired get hired immediately by big consulting firms. The only way to change this behavior is with $$. Quit doing business with companies that don’t protect your confidential information. Healthcare is the next big area where there will be breaches and data stolen. Get ready for it.
I don’t know anything about the networks or procedures used by big companies. However, it seems to me that the company’s “crown jewels” (including sensitive customer information) should _never_ be accessible from the Internet or cloud. This sensitive information should reside on the company’s private server that is accessible only by trusted personnel (guardians) from the company’s headquarters. Access to this secured information might even be partitioned among various guardians for added security. Access to specific information on this private server would require data dumps controlled by the guardians.
Everyone in the company should have access to the Internet and cloud for the routine information needed to do their work. When specific secured information is needed, people with appropriate authorization would request it from the guardians at the company’s headquarters. This specific sensitive information would be encrypted when transferred over the Internet.
Which is more important, security or convenience? If I was a customer, I would insist on security for my confidential information. If the company’s officers insisted on their convenience, I would never do business with that company.
Never going to happen. Data Centers are *expensive*. Separate networks are *expensive*. Internet access is cheap, and IaaS and SaaS vendors are winning this battle easily. The fundamental truth is it’s not “executive ego” – it’s cost. And this idea that special “guardians” are going to protect data? Who’s going to pay for them?
You certainly may be correct about my idea never happening, Nate. However, I don’t agree with some of your comments. Which is more expensive, a company data center together with its guardians or a lack of security? I think that a lack of security can be far more expensive. I never contemplated having a separate network for confidential information that would range outside the company’s headquarters. I was assuming that all the “crown jewel” information would be accessed only from the data center within the company’s headquarters. This would be where the top executives could access the critical information needed for reviewing results and making decisions. Summarized information (not raw data) could be encrypted from here and sent to authorized parties in the hinterlands.
I wonder if the top executives in a large company really understand the need for security (until it’s too late). If they don’t understand IT, how could they understand the need for security? They may not arrive at this understanding until after they read the headlines about all their customers’ information or other sensitive data being hacked.
When the cloud concept was first introduced, I wondered to myself how long it would take for someone to hack into all that priceless information. Of course, I doubt if all these intrusions are made public.
Speaking of costs, there are different kinds. There are recorded costs, hidden costs, and potential costs. Hidden costs are the losses resulting from the failure of the top executives to manage the company for long-term success. Potential costs might become recorded costs when a security breach becomes publicized.
Well, I also think it’s not that easy… I work for an investment bank and naturally we have lots of confidential data, but we also need the public internet every other minute for everything from database access to online research about companies.
Even though I really like the articles you are posting, I think removing the internet from company devices is definitely no solution; it’s just not realistic.
“but we also need the public internet every other minute”
Maybe have an outgoing (internet-bound) VPN with authentication and firewalling? Or a remotely-accessed virtual machine that has an internet connection but no intranet (other than the remote console)?
‘Sony was hacked because some president or vice-president or division head or maybe an honest-to-God movie star didn’t want something stupid like network security to interfere’
I’ve handled the financial accounts for a large number of fairly well-to-do people (mostly older) and it’s the same thing. Some have no interest in ‘that computer stuff’, and are happy to let me handle everything. Most want to be involved, they want access to their accounts. Most violate every basic rule of network security you can imagine, despite me constantly ranting and lecturing them. Picking passwords that are ridiculously easy to guess. Using the same (easy) password on all their accounts. Post-it notes stuck all over the place with the passwords. Logging in to accounts that contain millions of dollars, and leaving the laptop, tablet, phone unattended while still logged in. On and on it goes. It got so bad with one old man millionaire, I told him to find someone else to handle his accounts because it had come down to a question of ‘when’, and I didn’t want to be held liable.
The real problem is that execs view IT as just a cost center and have been, for years, cutting IT staff numbers. Most IT experts are now spending most of their time “fire fighting” and dealing with crises, with no time to plan or do things properly. The same execs responsible for cutting costs then demand that top priority be given to getting their shiny new toys that don’t play well with corporate security to work (iPads, iPhones…). Finding time to argue against the latest demand to cripple network security simply isn’t possible in this environment.
I’ve set up many corporate networks with all the best practices as a contractor. After I’ve done the job and moved onto the next gig, some high-maintenance entitlement-besotted big wig loses his RSA SecurID token, demands IT stop interfering with his “need” to do this or that on the internet, etc. So some wunderkind, wanting to score some easy brownie points, comes along and “fixes the problem”, gets a pat on the back and the corporate network is now opened up to any script kiddie. Oh, did I mention that the wunderkind was put in place by one of the TLA consulting firms straight out of some technical institute in a far off land?
The high maintenance execs can give themselves another big pay rise, they’ve just saved a bunch of money by outsourcing their IT, etc. The story gets repeated with depressing regularity.
Who cares ?
Sony has become the wiki-leaks of 2014. With each week comes some new and juicy revelations. I am tempted to write a script based on the inner workings on a Hollywood studio. If it is half as funny as the Sony leaks, I could make a lot of money selling the rights.
I stopped reading at “Simply allow static routes that connect only to other office routes.”
What?
I worked for a company with 700+ unsummarized BGP routes and static tunnels all over the place. It was an unstable troubleshooting nightmare. “OSPF is hard.”
I lasted 18 months there.
The company is essentially defunct now.
Oh RLY!
I have to agree with many of the replies here. Office employees being able to access internet tools (aka not facebook) is essential, and removing that ability would set a company’s productivity so far back that they would never even reach the market cap of Sony. On top of that, you have to be able to take information from online and apply it to whatever you’re working on – docker containers, remote desktop, github, etc. Removing that access is ridiculous.
With that said, any production system, with wide open internet access is equally ridiculous. Let’s not forget, there’s a lot more granularity than on/off. You should be using non-routable subnets, defined port access, subnet access, automation around whether things are in compliance. If your IT department can’t effectively manage this, then they are a liability, and they’re holding your company back. Let’s not equate Sony’s financial datawarehouse to some desktop system under the secretary’s desk. Office employees and production systems operate in very different environments, you don’t accidentally end up with a production system grossly out of compliance.
Maybe there’s just too much bureaucracy, processes removed from reality, people take shortcuts in order to do their job, you know the rest…
“Sony Said to Learn Last Year About Large Network-Security Breach” – Bloomberg Businessweek 12/15/14 – http://buswk.co/1szRmdo – this boat had been leaky for quite a while before it capsized.
An article at Ars Technica paints a picture of a very lax security culture at Sony Pictures, with the worst offenders being top executives who routinely asked to receive important passwords in plaintext over email:
http://arstechnica.com/security/2014/12/sloppy-security-hygiene-made-sony-pictures-ripe-for-hacking/
This article confirms Bob’s point but debunks his conclusion. Cutting off Internet access to the rank-and-file employees would have done very little to prevent the stupidity of the top executives.
At a former employer of mine, we had to keep the password rules short and simple because one of the top executives (and part owner of the company) absolutely insisted on using his initials as his password for our internal systems. And even then he often had to be reminded of that password if he hadn’t logged on for a while – “It’s your INITIALS, sir.” (Sigh)
And at a Fortune 500 company (another former employer of mine), the rank-and-file were subject to overbearing security requirements much of the time, often forcing us to resort to a certain level of social engineering and stupid hacker tricks in order to get any real work done. When we found useful holes in the security systems, we typically kept them close to the vest but sometimes traded them among ourselves, quietly lest the security team find out about them and close them down. Meanwhile, the upper echelon were going around doing fun things like losing track of their corporate laptops, which unwisely had all kinds of company info stored on them (including business plans and HR information and such, at one point necessitating free credit monitoring for all 100,000+ employees), and fun stuff like that. (Sigh)
WiFi and Internet on one network… corporate data on a second. Desktop security: 2 wires, 1 network card; you can be on either, but never both. Laptops never allowed on the corporate network (no Ethernet card); if execs must, let them use thumb drives to move data between the two.
It’s not that simple to gain security. No thumb drives would be required since they could use the local hard drive to move data from one network to the other. By the same token, their computer could get hacked while on the internet and when they switch to the safe internal network, the hacked computer could pass the infection on to all other computers on the safe network. The hacker would just wait for data secretly saved from the safe network to return to the internet to retrieve it.
So I for one don’t know how a person can be expected to do really any job without access to the store of nearly all human knowledge we call the Internet. Maybe your idea of what people do in most jobs is different than mine, but I can’t think of any job on the white collar side of your standard business where access to knowledge and information from sites as varied as stack overflow (not just code), wikipedia, various government sites (stats, bls, etc) are not just flat critical. Never mind that for a ton of companies, half their processes expressly involve 3rd party websites to manage the process. You might think abandoning SalesForce is viable, but I betcha there are a whole lot of people in sales, supply chain management and customer management that would flat disagree with you.
Sorry, the internet is critical for day to day operations of most corporations, and for most people in most positions in those corporations. Some can try to operate like it’s pre-1995, but I bet they won’t be in business long enough to suffer a crippling hack by abandoning access to the greatest productivity accelerator in history.
I wonder if “https everywhere” will ultimately solve the problem: https://www.eff.org/https-everywhere
I have a client now who is, if anything, even more paranoid than I am. When they decided they needed internet access I explained the security risks. Their response: a second computer at every desk, with separate wiring and switches all the way back to the cable modem in the closet.
On an internal network server, cron calls a bash script every five minutes, checks to see if it can find google.com, comcast.net, or whitehouse.gov, and goes back to sleep unless it gets a response, which will then call a script that makes an annoying noise and sends a warning message to various users. I’m almost disappointed that nobody has fooled around with the cabling and exposed the network to the world…
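The canary check described in the comment above, written out as an added example (this is not the commenter’s script): a POSIX shell script meant to be run from cron on a host in the isolated segment, which probes hosts that should be unreachable and raises an alert if any of them answers. The host list, the syslog tag, the script path in the crontab line and the `ping` flags (Linux iputils) are assumptions.

```shell
#!/bin/sh
# Canary for an isolated (no-Internet) network segment. Constructed example.
# Suggested crontab entry (assumed path):  */5 * * * * /usr/local/sbin/netcanary.sh

# Hosts that must NOT be reachable from this segment (same three as the comment).
PROBE_HOSTS="google.com comcast.net whitehouse.gov"
# PROBE is any command that exits 0 when its host argument is reachable.
# The default assumes Linux iputils ping; override it for testing or for ICMP-less sites.
: "${PROBE:=ping -c 1 -W 2}"
# Where the warning goes: syslog by default (assumed available), override as needed.
: "${ALERT_CMD:=logger -t netcanary}"

probe_host() {
    # $1 = hostname. Exit status 0 means the host answered, i.e. the segment is exposed.
    $PROBE "$1" >/dev/null 2>&1
}

check_exposure() {
    # Returns 0 when no probe host is reachable (segment still isolated),
    # 1 when at least one is, after recording which hosts answered in $leaked.
    leaked=""
    for h in $PROBE_HOSTS; do
        if probe_host "$h"; then
            leaked="$leaked $h"
        fi
    done
    if [ -n "$leaked" ]; then
        msg="ALERT: isolated segment can reach:$leaked"
        printf '%s\n' "$msg" >&2
        $ALERT_CMD "$msg" 2>/dev/null || true   # a missing notifier must not hide the alert
        printf '\a'                              # the "annoying noise": terminal bell
        return 1
    fi
    return 0
}

# Run one check only when invoked as the script itself (so it can also be sourced).
case "$0" in
    *netcanary.sh) check_exposure ;;
esac
```

The exit status makes the script usable beyond cron: a 1 from `check_exposure` can drive the stricter reaction proposed further down the thread (shutting an uplink down) without waiting for a human to read the message.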
Awesome. This should be the minimum security at any business. Plus remove all USB ports, and anything else a user may try to plug something into.
And run that script every 5 seconds, and have it shutdown things, don’t wait for humans to make the wrong decision.
Up to a certain point it sounded like you agreed with Bob. Then you added “…Should *never* be connected directly to the internet…The only systems setup that way are the ones *I* was allowed to setup.” So it sounds like you have personally set up systems connected to the Internet, which is what Bob says not to do. Do you have some way to do it so that it’s safe?
Whoops, wasn’t clear. Build servers need to sit on an isolated network. They should never be allowed direct access to the outside world. You lock them down and only update them when needed off of staged internal update servers as part of your build maintenance process. Those connections are only maintained for the duration of the update interval. You connect to your version control systems for source (input) and to capture the build results. But those *should* be trusted connections to just a few machines, and those are the only machines that should ever generate traffic back and forth to your builders.
Most clients don’t physically lock their build servers in a secure space, and have no policies in place with regard to updates or network connections. Most build servers I have observed are allowed direct internet access. So they will sit right on the internet.
Most don’t have any type of recovery plan in place either…
That’s great, Bob. Blame it on the execs. They’re overpaid anyway.
Fact is Sony, like every other large company, just got stupid. Yup. Stupid. No matter who’s to blame here, stupidity and penny-pinching.
I’m glad to be retired.
They probably outsourced the security to India.
You wanted outsourcing so bad, well you got it folks.
What is the lunatic nutjob CEO Kaz Hirai getting paid for?
What a loser!
Now they are saying it was an inside job by a disgruntled employee… how can you guard against an “Ed Snowden”?
http://gawker.com/researcher-sony-hack-was-likely-an-inside-job-by-a-wom-1676556756
The only trouble with “pulling the plug”, Bob, is that more and more corporate applications are up on the Internet. We use SalesForce.com as a CRM to track our sales. We use ADP for our payroll. We use some godawful service called Workday for our HR. For email we use an Exchange cloud hosted by Microsoft. Anyway, all of them are hosted by external companies, and all of them require Internet access to get to.
So the cat is out of the bag. I don’t know what it would cost to internalize these applications, but I’m sure migrating back to an internally-hosted CRM alone would cost us millions of dollars and take many months to implement. On the other hand, we really don’t need much of a corporate IT to run our internal network. Most if not all of our Corporate “Jewels” are out in the cloud. Personally, I think that’s extremely risky, but I don’t make policy.
Do these same principles apply to the hacks of the government? Executive offices in the White House, now Central Command at the Pentagon.
Sony was hacked a lot. Not sure why after reading this:
https://www.cio.com/article/2439324/risk-management/your-guide-to-good-enough-compliance.html
I mean it seems impossible someone with that mentality would allow his systems to be hacked, or even still have the same job. Perhaps he knows the right people?
You can’t disconnect your corporate network from the internet. You could practice good firewall rules, good compliance, and several other things. Disconnecting would not make you safer unless you do not need computers to start with. Google is used by 70-90% of an office workstaff every day; how do you fill the well of knowledge in the not-connected scenario?
Perhaps we can’t solve problems by passing laws, since outlaws will ignore them and good citizens will ignore them until the law demonstrably affects them. For example, most drivers will use their own “common sense” when driving until they find out about specific laws being enforced. Also, non-enforced laws against cohabitation were ignored for years, until some jurisdictions removed them from the books. Also, law enforcement is an expense borne by all citizens, so the limited budget should be directed towards the most serious crimes. Computer security problems that can be prevented are self-enforcing, since the companies or people affected will see to it that “it doesn’t happen again”. That’s way more effective than an overly complex law like S.O., that primarily serves to discourage new businesses from developing to provide competition to established businesses with a team of lawyers and accountants.