This afternoon a Facebook friend wrote to me in a comment,
I'm sure you've been fascinated by this entire ordeal [The Sony compromise, accusations against North Korea, etc.] too! I mean really, an unencrypted folder called "Passwords"? sigh
Fascinated? Not so much fascinated as jaded. Most large corporations simply fail to take security seriously. In 25 or so years in the field, I've seen far too many people who are experts in other areas believe they can simply master security (or software development) with very little time and training. "How hard can it be?"
Anyone who has ever worked in IT or ITS has received tremendous amounts of helpful advice from experts in HR, accounting, finance, etc., all of whom think their experience is portable, transferable, translatable. But how many of those experts ask the IT or ITS folks for advice on their work? NONE. And why is this?
Oh, it's obvious? If it's so obvious one way, why isn't it obvious the other?
Witness RSA itself, for a long time the world leader in secure authentication systems. Until their entire network was compromised over a period of months in a successful effort to break their authentication systems in order to attack one of their largest clients.
And these are folks who should have known better. As for Sony, they have a long history of bad IT, bad ideas, and worse responses. Witness the root kit episode a few years back.
Witness CurrentC: When Apple introduced iWallet, retailers supporting CurrentC disabled NFC for iOS devices to hamstring their future competitor, a move widely seen (rightly IMHO) as anti-consumer, anti-choice.
Within days, CurrentC had been compromised by hackers offended at their position. They simply were not ready to play in that league, but somehow were arrogant enough to think that because they could do several other things well, they could do ITS well.
Wrong, thanks for playing.
As for blaming NK, well, sigh. Holding up a credible (or better yet, incredible?) strawman simply diverts attention from those who are truly responsible: Sony.
Sony didn't attack itself; that's not what I mean. What I mean is that IMHO Sony was negligent. At this point, wilfully (they could not have not known better). Whether criminally, well, IANAL and all that.
I am so looking forward to the day when a Home Depot or Target or Sony or other is found criminally negligent for the exposure of customer records following a compromise. I'm not really sure whether I'm interested in anything happening to the attackers. I just think it's about time that companies that treat and truck with so much employee and customer data start treating it properly.
The thing is, good security is actually cheaper than the opposite: Design security in from the beginning, small incremental cost.
Get compromised, huge cost. Simple economics.
Big company with large Internet presence? Visible target, will be attacked. Guaranteed. So pay a little now or a lot later. Simple economics.
(A few years ago I prepared a short presentation to justify that last statement for a client. I'm going to dig it out and turn it into a blog post sometime soon. The graphic on relative costs at various stages ranging from design to operations is really quite striking. Stay tuned.)