Essentials from Sony Hacks

Politics and juicy tidbits aside, there are essentials to be taken away from Sony hacking incident. From the information available in the public domain, it can be believed that the security protocol at Sony was astonishingly sloppy, breathtakingly stupid and downright imbecile (Example: passwords and private data saved in folders named enticingly conspicuous).
However the sad state Sony finds itself in, the observation made by Joseph Demarset, Assistant Director of the FBI’s cyber division testimony to the Senate Banking Commission, that 90% of systems are susceptible to succumb, should make IT and other senior executives of organizations sit up and lose sleep. Having worked as an IT consultant, I tend to concur with Mr. Demarset.
In the past year alone, destructive activity targeting large corporations, such as, Target, Home Depot, Community Health System, JPMorgan Chase are well known. The Government agencies are not outside the scourge either. Edward Snowden dealt a debilitating blow to the CIA,   whatever the motive of his actions were. There are those who have been or are being hacked, but do not yet know that they have been hacked. 
This is another wake up call  to aside apathy and take necessary practical steps towards protecting valuable material such as financial, contracts, intellectual property and private data of employees and customers. It does not mean another layer of fire wall or another stack of antivirus software.  It necessarily involves integrated IT policies and strategies:

  1. Never be rest assured that you are not vulnerable. IT mid level leadership will always assure that everything is under control and all may go about business as usual. Set aside apathy. Institute security audits both internal and external. 
  2. Keep valuable information assets such as contracts, intellectual properties, financial information and employees and customer private data on a segregated systems not connected with internet.
  3. Disguise and mask confidential data in the development, testing and UAT environment. Masking can be done intelligently such that data will be transparent to developers and testers.Disguised data still can ensure data distribution and data integrity.
  4. Avoid operating systems with known weaknesses ( Example: Windows Management Instrumentation) and absence of security solutions. Beware of Windows hosting your mission critical applications and holding critical data. 
  5. Remove CD-ROMs, disable ATA/SATA ports and disable all USB ports where not required.
  6. Ensure comprehensive best practice include preventive tactics such as securing against SQL and Web injections.
  7. Avoid using email system virtually for everything. Email system is not the best way to manage the business. 
  8. Deploy additional layers of encryptions.

As technology advances, business processes, customer interactions and IT have become tightly integrated.  Software and computer should become and remain secure impregnable vault  at all times. 
If senior leadership ignores realities and considers expenses relating to IT security as superfluous, then, every day is a D day for its  brand to languish in the dust bin of history!