
Sony Playstation Security Breach - Essay Example

Summary
This essay, "Sony Playstation Security Breach", discusses the April 19, 2011 attack on Sony’s data center in San Diego, CA. The hackers gained access to customers’ data through Sony’s PlayStation Network servers.

 

Extract of sample "Sony Playstation Security Breach"

There is a growing need to synchronize data among various devices, and thus the need for vigilance is at an all-time high. If we lived in an ideal world, the database team would have full control of how and when an application is allowed access to a database. However, that is merely wishful thinking. The reality of application development and maintenance makes such pronouncements very difficult to enforce, especially if you take into account legacy systems, mixed environments and colliding opinions. Hackers have become more skillful, and therefore tech wizards have been forced to up their game. Hackers need only a single vulnerability to exploit and put an entire database at risk. In order to avoid such vulnerabilities, database developers and application developers must dance to the same tune.

Sony PlayStation Network Security Breach

Sony’s data center in San Diego, CA was hacked into on April 19, 2011. The hackers gained access to customers’ data through Sony’s PlayStation Network servers. This attack on Sony is said to be the largest personal data heist in history, with reports estimating that around 77 million Qriocity and PSN user accounts and 24.5 million Sony Online Entertainment user accounts were affected (Better Business Bureau, 2011). Sony Corporation had detected strange activity on its network system and noticed unauthorized access to the company’s servers. A day after the attack, Sony decided to power down the affected systems and delayed restoration of the PSN services for users in the U.S. until May 14. Users were later required to change their usernames and passwords as an additional way of curbing further attacks. Because the attackers had exploited the URL of Sony’s website, Sony was forced to disable the page temporarily (The Sydney Morning Herald, 2011). Unfortunately, this was not the last attack. A series of attacks on Sony’s Online Entertainment services and the PSN was later executed during the same period. These attacks were carried out on Sony BMG Greece, Sony BMG Japan, So-Net ISP in Japan, and servers of Sony in Thailand (McMillan, 2011).

Losses Incurred During Security Breach

It was estimated that the personal information of 77 million Qriocity and PSN users, and 24.5 million online entertainment users, was stolen. The attackers rummaged through a wealth of information concerning the users, such as their names, addresses, email addresses, and birth dates. Attackers also accessed users’ login information, such as usernames and passwords, according to Kazuo Hirai, Chief Officer of the Board at Sony Computer Entertainment America LLC (Colvile, 2011). The attackers’ methods were sophisticated enough that Sony hired forensic consultants to assist with investigating and confirming the extent of the stolen data. It took more than a month to discover whether credit card information was stolen along with customers’ data. It was found that credit card information was encrypted while other personal information was not (Carstensen, 2011).

Sony PlayStation Network Hacked

It was noticed on April 19 that Sony’s PSN servers were rebooting, although no reboot had been scheduled for that day. The next day, it was identified that someone had intruded into Sony’s servers and accessed the data. It turned out that criminals had gained illegal access to Sony’s servers as the servers were hit by a denial-of-service (DoS) attack (Brice, 2011). By using aggressive techniques, hackers exploited software flaws and accessed the network. They employed sophisticated techniques to infiltrate the system, going undetected by the administrators and deleting the log files. Sony’s administrators did not immediately identify the intrusion, mainly because they were focused on identifying the DoS attacks (TechnoBuffalo, 2011).
Denial-of-Service (DoS) attacks are attacks targeted against a network and designed to cripple or paralyze it with useless traffic or to obstruct access to a specific web site. Examples of these attacks include Ping of Death and Teardrop attacks. Although the attacks originate from a single source, they target various systems or networks. Such attacks result in the server being too occupied to process legitimate requests from valid customers. Furthermore, the system becomes sluggish (Samuelle, 2011, p. 261).

What Really Happened?

Chief Officer Hirai stated that the servers were the target of professional criminal activity by highly sophisticated cyber-attackers. Sony’s top management blamed these activities on the group of hackers named Anonymous. However, the group denied these allegations (Carstensen, 2011). Further investigations revealed that Raynaldo Rivera and his co-conspirators stole information from Sony Corp’s Sony Pictures computer systems through a SQL injection attack (ComputerWeekly, 2012). Rivera, who is also known as Neuron, pleaded guilty to the charges brought against him. Because Rivera pleaded guilty, he will receive a reduced punishment of a 5-year prison term and a $250,000 fine.

The acronym SQL stands for Structured Query Language. This is the common language programmers use to manipulate the database. SQL is commonly used in web and internal business applications to retrieve the data for the application from a database (Clarke, 2012, p. 156). This same language is used in injection attacks. Hackers use SQL commands to manipulate data in the database. To do this, the hacker inserts SQL code into the application’s input so that the application passes it to the database. The hacker inserts these SQL commands in unexpected locations, such as the password field in the logon screen of the application (Clarke, 2012, p. 156). SQL injection attacks enable the hacker to access the database (Stewart, 2011, p. 154).

Techniques Used to Protect Web Applications against SQL Injection Attacks

Perform Input Validation

This is one of the techniques through which SQL injection attacks can be prevented, because it limits the types of data users can provide in a form. Numerous variations of input injection or manipulation attacks require a broad-spectrum defense approach, which includes whitelisting and blacklisting filters (Stewart, 2012, p. 155).

Limit Account Privileges

The database account used by the web server should have the smallest set of privileges possible. If the purpose of the web application is to retrieve data, then it should possess that ability only. SQL injection targets the scripts that handle interactions between the front end and the backend database. If the script is defensively written and includes code to escape meta-characters, SQL injection would not be possible (Stewart, 2012, p. 155).

Database Software

Database servers contain relational data, which is used as a back-end repository of information for front-end applications and web services. The most popular database software includes Microsoft SQL, Oracle and MySQL. The front-end user application usually sends commands as a set of procedures for the database to run on the data so that the required results can be returned. If the database software is not properly configured or correctly programmed, the parameters could bypass built-in security to reveal confidential data or destroy thousands of data records.

Use Stored Procedures

It should be noted that this method of protection is not applicable in all instances. However, where possible, applications should be permitted to interact with the database through stored procedures. This way, the database account requires only the permissions necessary to execute the stored procedure.

Use Dynamic SQL Only When Necessary

Dynamic SQL should only be employed if necessary.
This is because it greatly increases the vulnerability to SQL injection attacks, especially when the command language is concatenated with user input. It is important to appreciate that at times one cannot avoid using dynamic SQL.

Use the Principle of Least Access When Granting Database Access

Even if an organization can limit application access to stored procedures and avoid using dynamic SQL, it must still ensure that database access is restricted to the fullest degree. Every database account should be assigned the least privileges necessary to access the database. That is why restricting access to stored procedures can be so effective. If a high-privilege operation must be performed, create a stored procedure to perform that operation and sign the stored procedure with a certificate. The goal is to ensure that even if an attacker were to discover a security hole in the application, there would be little they could do. Applications that access the database should always be limited to a low-privileged account that has only the minimum rights required to execute the statements it is permitted to submit to the database.

Use Testing and Monitoring to Guard against SQL Injection

There should never be any letup in enforcing security. In protecting against SQL injection attacks, it is of paramount importance that the database code be run through the necessary checks to make sure that it is safe.

Stricter Guidelines

Sony Corporation was highly criticized for delaying its disclosure of the PSN breach. Sony waited a whole week before informing its customers about the breach (Carstensen, 2011). U.S. lawmakers were furious at this breach of personal information. As a result of the breach, Sony Corporation officials were invited to Capitol Hill to testify before the Manufacturing and Trade sub-committee, and the House Commerce. They, however, declined the invitation.
Mary Bono Mack, the sub-committee chairman, expressed her dismay at the mode of disclosure Sony opted for. The company had chosen to disclose the security breach on its PlayStation blog, and she termed Sony’s actions “an effort without enthusiasm and efforts.” Sony also urged the lawmakers to enact stricter guidelines for the protection of personal information (Homeland Security Digital Library, 2011). Officials other than U.S. lawmakers also raised concerns about the data breach. These were mostly state regulators in the U.S. and privacy officials in foreign countries. They demanded an explanation from Sony’s management, and Attorney General George Jepsen added his two cents on the matter, stating that Network users were not promptly informed (Richard Blumenthal United States Senator of Connecticut, 2011).

Cost of Security Breach

Sony Corporation incurred very high costs after it was forced to shut down its systems once the threats were detected. While it was experiencing these problems, customers were offered services at no cost. Sources inside the company revealed that Sony had to pay more than $171 million for customer support, an upgrade of its network, and legal fees by the end of May (McMillan, 2011).

Needed Actions

The Obama Administration made proposals to merge security infrastructures in both the public and private sectors. Many policies need to be put in place for the public and private sectors to work in tandem. The proposal contained several policies, for instance on reporting national data breaches. This policy required private institutions to inform the Federal Trade Commission of any security breaches within 60 days. The rationale behind this was to provide incentives to correct any security lapses (Etzioni, 2012, p. 62). The Federal Trade Commission was further mandated to impose penalties against violators.
On the other hand, the Department of Homeland Security would carry out regulatory functions over the cyber-security of key infrastructures, such as banking institutions, defense firms and the telecommunication industry. Those charged with cyber-crimes should be given obligatory sentences (Etzioni, 2012, p. 62).

Conclusion

SQL injection attacks continue to be one of the biggest threats to SQL servers. SQL injection attacks are attacks that come from user input whose validity has not been confirmed or checked. The main objective of such attacks is to manipulate the database system into running malicious code, thus revealing sensitive information or compromising the server in some other way. A database is susceptible to such attacks if the front-end application it supports contains exploitable code. In such a case, a hacker can simply exploit it by injecting rogue SQL into one of the application’s data input fields. SQL injection attacks can be prevented, but the necessary steps have to be taken to protect the system. Sony has experienced a high volume of intrusions into its systems and networks, with one attack on its PSN causing it to shut down for almost a month. This cost the company more than $171 million and possibly some loss of consumer trust, which cannot be quantified in monetary terms. In order to remedy this, Sony will have to re-evaluate its cyberspace security and policies.
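
The essay's points about SQL entered in a logon password field, dynamic SQL concatenated with user input, and whitelisting can be seen side by side in the following added example, which is not part of the original essay and does not reproduce Sony's code. The table, account names, passwords and function names are constructed for illustration, and an in-memory SQLite database stands in for the database server.

```python
import sqlite3

def make_db():
    # Constructed sample data. Passwords are stored in plaintext only to keep
    # the example short; a real system stores salted password hashes.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("bob", "hunter2"), ("alice", "correct-horse")])
    db.commit()
    return db

def login_concatenated(db, username, password):
    # Vulnerable form: the input is pasted into the SQL text, so quote
    # characters in it change the structure of the WHERE clause.
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, password):
    # Hardened form: placeholders send the input as data, never as SQL.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

# Column names cannot be bound as parameters, so this is a case where dynamic
# SQL is unavoidable; the input is checked against a fixed allow-list first.
SORTABLE_COLUMNS = {"id", "username"}

def list_users(db, sort_by):
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_by)
    rows = db.execute("SELECT username FROM users ORDER BY " + sort_by)
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed password-field input
    print("concatenated accepts crafted input: ", login_concatenated(db, "alice", crafted))
    print("parameterized accepts crafted input:", login_parameterized(db, "alice", crafted))
    print("users sorted by name:", list_users(db, "username"))
```

The parameterized query and the allow-list limit what input can do to the statement; they complement, and do not replace, the low-privilege database account the essay recommends.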