Sony PlayStation case shows the importance of post-breach forensics
On April 27, 2011, Sony publicly disclosed that hackers had breached its PlayStation Network (which includes its Qriocity video and music-streaming services) and had gained access to 77 million consumer records. This revelation came several days after Sony had shut down the Network, saying at the time only that an outage had been responsible for the interruption. On the 27th Sony disclosed that the compromised consumer information included names, addresses, email addresses, birth dates, login and password information, purchase history, and possibly credit card information. A statement indicated that the credit card information was encrypted, and that there was no evidence it had been taken.
The massive size of the breach has caused much speculation about the expenses that Sony will incur in dealing with the matter. One article said that the costs could rise as high as $24B (yes, billion) but much of the early commentary has predicted expenses in the range of tens-to-hundreds of millions of dollars.
Some are angry that Sony knew of the breach several days before announcing it. They believe the delay hindered consumers from acting quickly to reduce the risk of identity theft. At least one lawsuit has already been filed.
There has been considerable chatter about Sony’s delayed disclosure of the breach. Hypotheses include public-relations concerns and requests from law enforcement investigators. Some wondered if Sony had adequate tools to determine the full scope of the breach quickly. Those who focused on Sony’s post-breach forensic investigation have raised issues that may yield useful risk management insights for other companies.
It seems that most companies direct their data security energies — and dollars — toward tools that help discourage and prevent breaches. Logs from security devices such as firewalls, antivirus tools and intrusion detection systems provide some information, but rarely a sufficient trail for investigators to determine the extent of the breach. Application logs can yield invaluable data about a breach. Custom applications, and Web applications in particular, are a fertile target for hackers. But most companies don’t keep application logs, so the damage from breaches often cannot be quantified — there is an inadequate data trail. There are tools that enable companies to capture and store more complete information about network traffic, but apparently these tools are relatively expensive and only beginning to be widely used.
Companies’ post-breach responses can make it harder for forensic investigators to determine what data has been compromised. One common response is for the affected company to quickly shut down the breached parts of its network (as Sony did) to prevent further data theft. When companies take actions that indicate awareness of a breach, however, sophisticated hackers will respond by taking steps to cover their tracks, throw forensic investigators off their trail, and go deeper into hiding. They may, for example, be able to delete log files or replace them with fake ones, or plant data in the network that can give forensic investigators the false belief that the intruders have been found.
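The two points above, that an application log is what lets investigators answer "which records were touched?", and that intruders may delete or replace log files once they know they have been noticed, can be made concrete. The following is an added Python example, not code from the article or from Sony: an application-level audit log that records who touched which customer record, with each record hash-chained to the one before it so that a removed or altered record fails verification. The field names, the `websvc` and `support1` principals, the addresses and all events are constructed for illustration.

```python
"""Tamper-evident application audit log (added example; all data constructed)."""
import copy
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # anchor for the first record's "prev" pointer


def _digest(prev_hash: str, entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal events hash equally.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_event(log: list, entry: dict) -> dict:
    """Append one access event, chained to the hash of the record before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"entry": entry, "prev": prev_hash, "hash": _digest(prev_hash, entry)}
    log.append(record)
    return record


def head_hash(log: list) -> str:
    """Hash of the newest record; store it off-host so tail truncation is detectable."""
    return log[-1]["hash"] if log else GENESIS


def verify_chain(log: list, expected_head: Optional[str] = None) -> tuple:
    """Return (ok, index).  index is the first record whose hash or prev pointer
    fails recomputation, len(log) when the chain is intact but its head differs
    from the externally stored head (records removed from the tail), and -1 when
    everything checks out."""
    expected_prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != expected_prev or rec["hash"] != _digest(rec["prev"], rec["entry"]):
            return False, i
        expected_prev = rec["hash"]
    if expected_head is not None and expected_prev != expected_head:
        return False, len(log)
    return True, -1


def accounts_touched(log: list, principal: str) -> set:
    """The scoping question an investigator asks: which customer records did this
    principal touch?  Answerable only because the application logged it."""
    return {r["entry"]["account"] for r in log if r["entry"]["principal"] == principal}


def build_sample_log() -> list:
    """Constructed events from a hypothetical web front end; not real data."""
    events = [
        {"ts": "2000-01-01T00:00:01Z", "principal": "websvc", "src_ip": "203.0.113.5",
         "action": "read_profile", "account": "u1001"},
        {"ts": "2000-01-01T00:00:02Z", "principal": "websvc", "src_ip": "203.0.113.5",
         "action": "read_profile", "account": "u1002"},
        {"ts": "2000-01-01T00:00:03Z", "principal": "support1", "src_ip": "198.51.100.7",
         "action": "update_email", "account": "u1003"},
        {"ts": "2000-01-01T00:00:04Z", "principal": "websvc", "src_ip": "203.0.113.5",
         "action": "read_profile", "account": "u1004"},
    ]
    log: list = []
    for event in events:
        append_event(log, event)
    return log


def without_record(log: list, index: int) -> list:
    """Copy of the log with one record missing (fixture for exercising the verifier)."""
    return log[:index] + log[index + 1:]


def with_altered_record(log: list, index: int, account: str) -> list:
    """Copy of the log with one record's account field rewritten (fixture)."""
    altered = copy.deepcopy(log)
    altered[index]["entry"]["account"] = account
    return altered


if __name__ == "__main__":
    log = build_sample_log()
    head = head_hash(log)  # in practice shipped to a separate log host as it changes
    print("intact:", verify_chain(log, head))
    print("record 1 removed:", verify_chain(without_record(log, 1), head))
    print("tail removed:", verify_chain(without_record(log, 3), head))
    print("record 2 altered:", verify_chain(with_altered_record(log, 2, "u9999"), head))
    print("accounts websvc read:", sorted(accounts_touched(log, "websvc")))
```

Two caveats matter for the scenario in the text. Hash chaining by itself does not reveal records removed from the end of the log, which is why `verify_chain` also compares against a head hash kept somewhere the application host cannot write. And an intruder with write access to the host can rebuild the whole chain, so the log (or at least its head hashes) needs to leave the host continuously, to a separate log server, rather than only after a breach is suspected.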
Investigators can learn more about the extent of a breach by conducting surveillance of intruders who don’t realize that they have been detected and therefore don’t feel the need to take countermeasures. Yet if they quietly analyze a breach without taking steps that would tip off the hackers, companies simultaneously allow more data to be compromised — which would certainly be considered unacceptable behavior by people whose personal information was left at risk of theft. The desire to minimize the extent of a breach can therefore be at cross-purposes, or at least in tension, with the desire to understand the extent of the breach.
Given the expense of post-breach security tools, the sophistication of hackers and the competing goals of terminating breaches and of fully understanding them, it is not surprising that many companies struggle with their private and public responses to the discovery of breaches. The PlayStation breach may serve as a useful spur to other companies to (1) reassess the adequacy of their security apparatus and (2) reconsider whether their breach response plans adequately account for the complexities and pressures involved in determining the scope of a breach and in minimizing the harm caused.
Connect with John Doernberg on LinkedIn.