Fresh Hack of 1 million Sony accounts, it's a Second Chance to Learn Lessons

June 2 was a rough day for Sony.

The hacker group LulzSec kept its promise as tweeted on May 27--the group hacked Sony again on June 2, obtaining 1 million users' account information. What's Sony's next move given this second chance? We hope, and hopefully you do too, that the Japanese electronic giant will learn the lesson, at last.

On the same day, the company held a hearing with the Subcommittee on Commerce, Manufacturing and Trade, part of the House of Representatives Energy & Commerce Committee. Tim Schaaff, president of Sony Network Entertainment International, told the committee, we believe the security we had was very, very strong and we were in good shape. Schaaff defended Sony's delayed response to the breach, saying that it is counterproductive to issue vague or speculative statements before grasping specific and reliable information.

During the hearing, Subcommittee Chairwoman Mary Bono Mack, R-Calif., called the Sony breach the Ground Zero of cyber attacks. Though Sony was severely criticized by the committee for the company's lack of prompt and sincere response, the committee did not plan to invite Sony for further investigation again.

So how will Sony react to this unwanted war? The company is investigating the report, and that's all we know now.

LulzSec, on its own website and through Twitter, stated that it has obtained 1 million users' account information from servers at Sony Pictures and Sony BMG, which was a very easy task as the data were not encrypted.

The hacker group LulzSec on its Twitter page had warned Sony on May 27 for another Sony operation the group was working on. This is the beginning of the end for Sony, the statement said.

While LulzSec stayed loyal to its promise, would Sony too prove its genuine concern for the company's loyal customers, or would it need several more wake-up calls?

At least this time Sony can no longer pretend to be the victim of hackers.

The company is criticized for not taking serious consideration of the well-known vulnerability of the customer information management system software.

Moreover, it was only after the breach that the U.S. branch of Sony, which the data leaked from, positioned a Chief Information Security Officer. Sony's security was apparently not in good shape at all. On top of the inadequate consideration of risk analyses, the system for information security was not functioning while their skeletons existed.

If Sony continues to claim the reinforcement of network business as the pillar of its strategy, the company will have to consider viable counter-measures.

Kiyotada Kabutomori, a professional service senior specialist at McAfee Enterprise, pointed out the necessary lessons Sony needs to learn.

It is not exactly a new security measure that's necessary, but the point is how Sony can activate the existent information security management system effectively, in line with the PDCA (plan-do-check-act) cycle, he said.

Coming back to the rudimentary lesson, Sony needs to run its management cycle remembering that security threats are variable.

As information technology permeates the society on every level, breaches and accidents have proven to be endless, despite the progress in security tools such as firewalls and IDS/IPS.

It gives a great chance to the hackers when businesses are relying heavily on security tools. In the case of Sony's PSN, there was blind assumption of safety dependent on the closed network accessible only from private machines.

While it is difficult to aim at hacker-proof security system, businesses are encouraged to check their daily security measures, and now is an era for the management team to actively protect personal information. In addition to regular assessment of data vulnerability, preparation for managing possible accidents and incidents also becomes crucial. For example, setting up an incident response system will allow companies to detect and respond to attacks promptly.

In general, many businesses tend to prioritize usability and efficiency over security.

The problem is what should be really protected is ambiguous and deemphasized. What should be protected is obviously important information, but what information takes greater priority? If Sony has the heart to find the answer from these bitter experiences with hackers, there may be some remedy for the Japanese electronics giant to get back on track. If Sony hasn't learned the lesson, at least other businesses have. After Sony's incident, the number of inquiries from businesses to McAfee increased, with many managers now more alert in rechecking their attitudes toward security.