Can a new CISO improve Sony PlayStation Network security?

Can a chief information security officer (CISO) help prevent the kind of massive data breach that occurred in the Sony PlayStation network breach last month in which attackers grabbed personal information on an estimated 77 million customers of the PlayStation and Qriocity online games?

The Sony division now cleaning up the huge mess from the data breach incident certainly hopes so, as Sony Network Entertainment International (SNEI) over the weekend announced it is "creating the position of Chief Information Security Officer, directly reporting to Shinji Hasejima, Chief Information Officer of parent company Sony Corp." The hope behind the future CISO appointment is to bring "expertise in and accountability for customer data protection and supplement existing security personnel."

BACKGROUND: Sony apologizes, details PlayStation network breach

Can one person with the title of CISO -- a role that usually means voicing criticism from a security angle on how information technology staff want to deploy products and services, often stepping on toes -- really make any difference? Some evidence suggests it can. And when a data breach does occur, the costs of response and remediation are often considerably less when a CISO is on board.

Patricia Titus, CISO at Unisys since 2002, said she'd advise the future CISO to "start at the architectural review and incident response level" to discern how the breach was possible and what was the response. On the governance level, it will likely mean a change in the management process to make sure people and technology are both in place to detect attacks and respond, she said.

It's known that last month an attacker stole the personal information of some 77 million customers of PlayStation Network and Qriocity. Over the past weekend, Kaz Hirai, head of Sony's gaming division, held a news conference in which he described how Sony took the two services offline on April 20 after an intrusion was detected on network servers housed in an AT&T data center in San Diego.

Sony indicated it's working with the U.S. Federal Bureau of Investigation and is still investigating the scope of the attack, which involved stealing customer account information involving names, passwords, birthdates, email addresses and other personal information.

The attack may have begun disguised as a purchase transaction. While 10 million accounts have credit-card numbers associated with them, which Sony says were stored in an encrypted database, it remains unclear whether the attacker reached the credit-card data.

Sony's CIO Shinji Hasejima last weekend called the cyber-assault on PlayStation Network a "sophisticated" one. Sony has so far described the attack as exploiting a known vulnerability in an application server to plant software used to access a database server that sat behind a firewall.

The company, which claims it has "implemented a variety of new security measures to provide greater protection of personal information," says both divisions, Sony Computer Entertainment (SCE) and SNEI, will work together to soon restore online game services.

While Sony did not provide much detail on its new security measures, they are said to include "automated software monitoring and configuration management to help defend against new attacks" and "enhanced levels of data protection and encryption," as well as "enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns," plus more firewalls.
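One concrete form the "unusual activity patterns" detection could take is flagging a single source that reads an unusually large number of distinct customer accounts in a short window, the pattern a bulk data-theft tool leaves in application-server access logs. The following is an added example, not Sony's code or logs: it parses constructed log lines in a hypothetical format (timestamp, client IP, session id, method, path, status), then counts the distinct account ids each client touched inside any sliding window and reports those above a threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of application-server access log lines in a hypothetical
# format (timestamp, client IP, session id, method, path, status). These are
# not Sony's logs. Normal sessions touch only their own account; the session
# from 198.51.100.7 walks through many accounts within a few seconds.
SAMPLE_LOG = """\
2011-04-19T22:00:01Z 203.0.113.10 sess-a GET /account/1001/profile 200
2011-04-19T22:00:05Z 203.0.113.10 sess-a GET /account/1001/friends 200
2011-04-19T22:00:40Z 203.0.113.10 sess-a GET /account/1001/trophies 200
2011-04-19T22:01:10Z 198.51.100.7 sess-b GET /account/2002/profile 200
2011-04-19T22:01:11Z 198.51.100.7 sess-b GET /account/2003/profile 200
2011-04-19T22:01:12Z 198.51.100.7 sess-b GET /account/2004/profile 200
2011-04-19T22:01:13Z 198.51.100.7 sess-b GET /account/2005/profile 200
2011-04-19T22:01:14Z 198.51.100.7 sess-b GET /account/2006/profile 200
2011-04-19T22:01:15Z 198.51.100.7 sess-b GET /account/2007/profile 200
2011-04-19T22:30:00Z 192.0.2.55 sess-c GET /account/3003/profile 200
2011-04-19T23:10:00Z 192.0.2.55 sess-c GET /account/3004/profile 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<sess>\S+) (?P<method>[A-Z]+) "
    r"/account/(?P<acct>\d+)/\S+ (?P<status>\d{3})$"
)


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, session, account) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines that do not touch an account resource are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["sess"], m["acct"]))
    return events


def max_distinct_accounts_in_window(events, window):
    """Largest number of distinct account ids seen inside any window of `window` length."""
    events = sorted(events)
    worst = 0
    for i, (start, _ip, _sess, _acct) in enumerate(events):
        seen = set()
        for ts, _ip2, _sess2, acct in events[i:]:
            if ts - start > window:
                break
            seen.add(acct)
        worst = max(worst, len(seen))
    return worst


def find_bulk_account_access(log_text, window_minutes=5, threshold=5):
    """Return {client_ip: distinct_accounts} for sources at or above the threshold."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ev in parse_log(log_text):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        n = max_distinct_accounts_in_window(evs, window)
        if n >= threshold:
            alerts[ip] = n
    return alerts


if __name__ == "__main__":
    for ip, n in find_bulk_account_access(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} distinct accounts read within 5 minutes")
```

Keying on client IP is the simplest choice; in practice the same counting is worth doing per session id and per authenticated user, since an attacker sitting on the application server itself would appear as a single internal source and any one dimension can be diluted.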

Sony's divisions also say the online gaming systems are being moved to a "new data center in a different location that has been under construction and development for several months."

Customers may see changes because "in addition, PS3 [PlayStation 3] will have a forced system software update that will require all registered PlayStation Network users to change their account passwords before being able to sign into the service. As an added layer of security, that password can only be changed on the same PS3 in which that account was activated, or through validated email confirmation, a critical step to help further protect customer data," Sony's divisions said in their statement over the weekend.
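The forced reset described in that statement amounts to three rules: a flagged account cannot sign in until its password is changed, the change is accepted only from the console the account was activated on or through a confirmed email link, and nothing else unlocks the account. The following is an added example of that gating logic, not Sony's code; the account store, device ids and email addresses are constructed, and password storage uses PBKDF2 as one reasonable choice the article does not specify.

```python
import hashlib
import hmac
import secrets
import time

# Constructed account store for a hypothetical service (not Sony's data or
# code). Each account remembers the console it was activated on and carries a
# must_reset flag of the kind the forced system update sets.
ACCOUNTS = {
    "player1": {
        "email": "player1@example.invalid",
        "activated_device": "PS3-CONSOLE-0001",
        "pw_salt": b"",
        "pw_hash": b"",
        "must_reset": True,
    }
}
EMAIL_TOKENS = {}  # sha256(token) -> (username, expiry); only the hash is stored


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(user, password):
    acct = ACCOUNTS[user]
    acct["pw_salt"] = secrets.token_bytes(16)
    acct["pw_hash"] = _hash_password(password, acct["pw_salt"])


# Give the constructed account a pre-breach password; the reset flag stays set.
set_password("player1", "old-password")


def login(user, password):
    """Return 'ok', 'reset_required' or 'denied'; a flagged account never signs in."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return "denied"
    if acct["must_reset"]:
        return "reset_required"
    if hmac.compare_digest(_hash_password(password, acct["pw_salt"]), acct["pw_hash"]):
        return "ok"
    return "denied"


def issue_email_token(user, ttl_seconds=900):
    """Create a single-use, time-limited token to be delivered to the account's email."""
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).digest()
    EMAIL_TOKENS[key] = (user, time.time() + ttl_seconds)
    return token  # sent out of band to ACCOUNTS[user]["email"]


def reset_password(user, new_password, device_id=None, email_token=None):
    """Change the password only from the activated console or with a valid email token."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    authorised = False
    if device_id is not None and hmac.compare_digest(
        device_id.encode(), acct["activated_device"].encode()
    ):
        authorised = True
    elif email_token is not None:
        key = hashlib.sha256(email_token.encode()).digest()
        entry = EMAIL_TOKENS.pop(key, None)  # consumed on first use, valid or not
        if entry is not None and entry[0] == user and entry[1] > time.time():
            authorised = True
    if not authorised:
        return False
    set_password(user, new_password)
    acct["must_reset"] = False
    return True


if __name__ == "__main__":
    print(login("player1", "old-password"))                                   # reset_required
    print(reset_password("player1", "new-pw", device_id="PS3-CONSOLE-9999"))  # False
    print(reset_password("player1", "new-pw", device_id="PS3-CONSOLE-0001"))  # True
    print(login("player1", "new-pw"))                                         # ok
```

The old password is deliberately not accepted as a credential for the reset, since the premise of the forced change is that it may already be in the attacker's hands; the device binding and the emailed token are the only two paths, matching the statement.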

The "welcome back" program SNEI is putting together once services are up and going again in various regions is expected to include 30-day free membership in the PlayStation Plus premium service for all existing PlayStation network customers, among other things. According to the Sony statement, "SNEI will continue to reinforce and verify security for transactions before resuming the PlayStation Store and other Qriocity operations, scheduled for this month."
