1. List and describe the security and control weaknesses at Sony that are discussed in this case.
2. What management, organizational, and technological factors contributed to these problems?
3. What was the business impact of the Sony data losses on Sony and its customers?
4. What solutions would you suggest to prevent these problems?
Sony PlayStation Service was one of the most popular game station for online gamers. It have 130 servers across the globe. On the year of 2011 some hackers did a trick and get control over the server and stole information. Below are some weakness of Sony that contributed for the security breach:
- The Sony management was failing to anticipate some well-known Security Risks
- Sony was unwilling to spend for resource that have better security measures
- Instead the company had lots of technical guys; it lacked to some extend on training, had carelessness on possible attacks
- Sony used outdated soft-wares that were vulnerable for attacks
- Sony was using older Version of Apache web server Software
- Their website had Poor Firewall protection
- Sony didn't cared data-encryption and stored plain text information
The great security attack on Sony PlayStation Service is not an accident. It was an organized, well planned and studied approach to get control over the system. The hackers knew more about the PSN system than the Sony's technical guys.
The management fails to make appropriate decisions to upgrade the system. The management should have prior knowledge of how the hacking attempt was taking place in the world. Not only that being management isn't a simple thing, they should have proper decision making capacity. Spending few bucks on secure and updated system could save our customers head so that our company will be stable.
The organization is eco-system of entire management technical person and the customers too. The customers on their behalf too must have been aware of possible security threat and should have taken safety measures. The organization being mostly popular on online gaming should have taken minimal security features. The organization should have goal of not only expanding market but on the quality and security of service provided.
The outdated system software used by Sony Company helped the attack. The database system was not properly secured by encryption measures. The system is not even intelligent enough to trace out what confidential data are stolen. The log file was deleted means the file permission is not set properly. I think the great theft is not performed in a flash. So they should have some alert feature to let the management and concerned authorities.
For a company like Sony that have high customer belief and daily customer engagement, shutting a system for few hours mean a very high level of customer dis-satisfaction and diversion. The impact can be listed below:
- The Sony have to shut down entire Global PlayStation Network
- The attack caused deletion of many files and hide its information
- The shut-down on online system is long term impact on its Goodwill.
- Customers lost their personal information
- Customers who were fond of playing games felt disappointed
- Customers losing their personal information and credit card information could have loss on customer account balance too
Sony, if analysed and investigated the great attack thoroughly would find the possible weakness and the dark side of their system. The report could suggest preventive measures which may include but not limited to:
- Investment on resources for Strong Security
- Encryption of data needs double the resources, not limiting the resources and implementing the encryption would help them
- Sony need strong firewall with better access policy to protect against external access to their system.
- The use of outdated software is really a security threat and even a child will suggest updating the software to latest version and releases that might have improved security and bugs
- It won't harm if the Sony Company make some automatic alert mechanism in case of attack or security breach so that technical person could make some preventive measures.
- The file permission, logging and mirroring should be managed well so that deletion of some files would not harm to great extent.