The hack of Sony Pictures Entertainment placed the company in the spotlight for the last two months of 2014, highlighting its lax security practices and drawing international attention to the recently released James Franco/Seth Rogen comedy “The Interview”. For the uninitiated, a group calling itself the “Guardians of Peace” (with the unfortunate acronym “GOP”) broke into Sony’s computer systems and gained unauthorized access to a trove of sensitive data, including: Social Security numbers of over 47,000 celebrities, freelancers and Sony employees; several unreleased films that were later posted to file-sharing websites; and corporate files including email correspondence, film budgets and passport/visa information for casts and crews. The breach appeared to be backed by North Korea, which denied responsibility. While the United States Federal Bureau of Investigation publicly blamed North Korea for the attack, some industry insiders maintain that North Korea had nothing to do with it.
Regardless of who sponsored the Sony hack, there are lessons to be learned and best practices to implement. One in particular can greatly reduce the fallout from a cyberattack once an attacker is already inside.
Protect & Secure Passwords
When it comes to passwords, the industry standard is often misstated as “encrypt them”. Encryption is reversible: anyone holding the key, including an attacker who steals it along with the data, can read every password back. For credentials a system only needs to check, not use, the correct approach is to hash them: store the output of a deliberately slow one-way function such as PBKDF2, bcrypt or scrypt, combined with a random per-password salt, and verify a login attempt by recomputing the hash and comparing. The salt makes identical passwords hash to different values, so a leaked table cannot be cracked wholesale with a precomputed list. Encryption does have a place: passwords a system must present to something else (service accounts, shared administrative credentials, the contents of a password manager’s vault) cannot be hashed and must be encrypted at rest, with the key kept apart from the data. Whichever case applies, the one unacceptable option is the plain-text file.
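The salted, slow-hash scheme described above, as an added example that is not code from the original article or from Sony: a small in-memory credential store that never keeps the password itself, verifies logins in constant time, and shows that two users with the same password get different stored records. The iteration count, salt size and record format are assumptions chosen for this example; Python's standard-library PBKDF2 is used because it needs no third-party package.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Parameters chosen for this example (assumptions, not a standard): tune the
# iteration count up to what your login servers tolerate, and prefer a
# memory-hard KDF such as scrypt or Argon2 where the platform offers one.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
HASH_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.

    A fresh random salt per password means two users who chose the same
    password get different records, so one precomputed table cannot crack
    every row of a leaked database at once.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=HASH_BYTES
    )
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the
    record and compare in constant time, so response timing does not reveal
    how many leading bytes of a guess were right."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
        if not salt or not expected or rounds < 1:
            return False
    except ValueError:
        return False  # malformed record: never accept, never raise to the caller
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


class CredentialStore:
    """In-memory user table that keeps only salted hash records. If this
    table leaks, the attacker must brute-force each row separately; a
    plain-text password file hands them everything at once."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Do the same work for an unknown user so timing does not
            # reveal which usernames exist.
            hash_password(password)
            return False
        return verify_password(password, record)

    def records(self) -> Dict[str, str]:
        """What an attacker would actually get by copying the table."""
        return dict(self._records)


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "hunter2")
    store.register("bob", "hunter2")  # same password, different record
    for user, record in store.records().items():
        print(user, record)
    print("alice/hunter2 ->", store.login("alice", "hunter2"))
    print("alice/hunter3 ->", store.login("alice", "hunter3"))
```

The record carries its own algorithm name and iteration count, so the cost can be raised later for new passwords while old records still verify; a login that succeeds against an old record is the natural moment to rehash at the current cost.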
The Sony hackers released reams of sensitive documents. Tucked away in the roughly 100 terabytes of data was a folder titled “Password”, containing thousands upon thousands of private passwords. Most of them were stored in plain text documents with no protection of any kind.
Not only is it embarrassingly bad form for a global corporation to display such lax security; worse, in April 2011 the company had already suffered a similar attack, one of the largest data breaches in history. The hack of the Sony PlayStation Network resulted in the theft of approximately 77 million user accounts, and, much like the recent attack on Sony Pictures Entertainment, the user personal details taken, including passwords, were not encrypted.
The takeaway is simple: protect sensitive data, including passwords. Encrypt personal records and stored credentials at rest, and keep login passwords only as salted hashes. Whether running a business or providing a service, a reasonable duty of care is expected when handling personal user data. Failing to exercise that care exposes a business to data theft and to fallout that may extend further than expected; in Sony’s case, several class action suits have already been filed.
Passwords have become a necessity of life for businesses and people alike. While full-spectrum, enterprise-level password management may be outside the scope of many small businesses and individuals, basic industry best practices provide a safe and reliable path for implementing data encryption and security company-wide. Companies would be wise to learn from Sony’s mistakes and secure users’ personal information, including passwords.
To get started on the path to security, companies and individuals should:
- Encrypt the disks of laptops and workstations with full-disk encryption such as BitLocker on Windows or FileVault 2 on a Mac. Both are bundled with recent versions of their operating systems and provide a solid base level of protection against a lost or stolen machine. Be clear about the limit: once the machine is booted and a user is logged in, the disk is transparently decrypted, so disk encryption does nothing against an attacker who, like Sony’s, is already operating inside the network with access to running systems. For more information, see http://lifehacker.com/a-beginners-guide-to-encryption-what-it-is-and-how-to-1508196946
- Encrypt internet traffic in transit. Use HTTPS wherever a site offers it, and use a virtual private network (VPN) on untrusted networks such as public Wi-Fi: the VPN creates an encrypted “tunnel” to a server you trust, so traffic cannot be read by anyone between you and that server even if it is intercepted. Note the boundary: the VPN provider’s server sees the traffic in the clear unless the connection inside the tunnel is itself HTTPS. For more information, see http://www.pcworld.com/article/2025462/how-to-encrypt-almost-anything.html
- Create and manage strong, unique passwords. Eight characters is a floor, not a target; a long passphrase of several unrelated words is both easier to remember and far harder to guess than a short string of symbols. Never reuse a password across services, never share one with anyone, and use a password manager so that the only password you must remember is the one that unlocks it.
- Finally, if any of your passwords appears on the 2014 Worst Passwords list, change it now. For guidance on choosing replacements, see http://www.connectsafely.org/tips-to-create-and-manage-strong-passwords/
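To put the last two points into practice, here is an added example (my own code, not from the original article or the linked guides) that rejects passwords which are too short, use too few distinct characters, or match a worst-passwords entry even after the usual tweaks a cracker undoes (case, trailing digits, @-for-a style substitutions), and that generates a random passphrase from a word list. The minimum length, the short worst-password sample and the sixteen-word list are constructed assumptions for the example; a real deployment would load a breach-derived blocklist and a published word list of several thousand entries.

```python
import math
import secrets
import string
from typing import List, Tuple

# Constructed sample of the kind of entries that appear on the annual
# "worst passwords" lists; a real deployment would load a large
# breach-derived list instead of this handful.
WORST_PASSWORDS = frozenset({
    "123456", "password", "12345", "12345678", "qwerty", "123456789",
    "1234", "baseball", "dragon", "football", "1234567", "monkey",
    "letmein", "abc123", "111111", "mustang", "access", "shadow",
    "master", "michael", "superman", "696969", "123123", "batman",
    "trustno1",
})

# Constructed toy word list so the example runs offline. A real passphrase
# generator should use a published list of several thousand words
# (Diceware-style); entropy per word is log2 of the list size.
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier",
    "harbor", "iris", "juniper", "kestrel", "lantern", "marble", "nectar",
    "orchid", "pebble",
]

MIN_LENGTH = 12  # assumption for this example; the text above calls eight a floor

# Common letter-for-symbol swaps that crackers undo before a dictionary check.
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def _variants(password: str) -> List[str]:
    """Forms of the password a cracker would try against a word list:
    lower-cased, with trailing digits/punctuation removed, and with the
    substitutions in _LEET undone."""
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    return [lowered, stripped, lowered.translate(_LEET), stripped.translate(_LEET)]


def check_password(password: str) -> Tuple[bool, List[str]]:
    """Return (acceptable, reasons) for a proposed password."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(v in WORST_PASSWORDS for v in _variants(password)):
        problems.append("matches a worst-passwords list entry (after undoing simple tweaks)")
    if len(set(password)) < 4:
        problems.append("uses fewer than four distinct characters")
    return (not problems, problems)


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy in bits of a passphrase of `words` words chosen uniformly from a list."""
    return words * math.log2(wordlist_size)


def generate_passphrase(words: int = 5, wordlist: List[str] = WORDLIST) -> str:
    """Randomly chosen words are easy to remember and, unlike human-chosen
    ones, carry entropy a cracker cannot shortcut. Uses `secrets`, not `random`."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd123", "Tr0ub4dor&3", "correct horse battery staple"]:
        ok, reasons = check_password(candidate)
        print(f"{candidate!r}: {'ok' if ok else 'rejected'} {reasons}")
    phrase = generate_passphrase()
    print(phrase, f"({passphrase_bits(5, len(WORDLIST)):.0f} bits with this toy list)")
```

With the toy list each word adds only 4 bits, which is the point of the `passphrase_bits` helper: strength comes from the size of the list and the number of words, not from symbols, so swap in a real list of a few thousand words before using the generator for anything that matters.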