Victimized by more than a dozen hack attacks earlier this year, most of them at the hands of the LulzSec group, which gained unauthorized access to more than 100 million customer data files, the gaming, media and electronics giant has faced massive lawsuits and reparation payments, not to mention the embarrassment that the massive data breaches have caused it.
Now, further compounding the fallout, Zurich American Insurance Company, which insures Sony, has sought to have the courts declare it is not responsible for defending or indemnifying the company from the ocean of legal claims filed against Sony in the wake of the numerous data breaches that befell it earlier this year.
At last count, Sony has been hit with 55 class action lawsuits and has already projected losses in operating profits to the tune of $178 million over the rest of the year due to the data breaches. With its insurer all but trying to abandon it, Sony has to be reeling from the blows.
But before anybody jumps to Sony’s defense or sheds a tear for the company’s misery, perhaps we need to take a look at why this happened – that is, why it happened beyond the reason that a bunch of pretty intelligent hackers wanted to embarrass them.
While it is not publicly known what caused most of the breaches at the various units of Sony, we do know that the last couple of attacks were of the SQL Injection variety. This reveals a significant fact – the breaches were the result of vulnerabilities in the database access layer of the affected applications. Those vulnerabilities could have been the result of latent issues in legacy applications that Sony had built on top of as it updated and upgraded its applications. They could also have resulted from input that was not properly filtered or not typed precisely enough, allowing it to be executed unexpectedly. Regardless of the exact nature of these vulnerabilities, the causes come down to one thing – structural problems within the applications.
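The two failure modes named above (input that is not filtered before it reaches the query, and input that is not typed strictly enough) are easiest to see side by side. The following is an added illustration written for this article, not code from Sony or from any of the breached applications; the customer table, the rows and the input strings are all constructed, and the point is the contrast between building a query by string concatenation and binding the value as a parameter.

```python
import sqlite3

# Constructed sample data (not from the article): a small customer table.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """The 'unfiltered input' pattern: user-supplied text is concatenated
    straight into the SQL, so the database parses it as part of the statement."""
    query = "SELECT id, name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """The corrected form: the value travels as a bound parameter and cannot
    change the structure of the statement, whatever characters it contains."""
    query = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def lookup_typed(conn, customer_id):
    """'Typed precisely enough': the id column is an integer, so convert the
    input before it reaches the query; anything non-numeric is rejected with
    a ValueError instead of being handed to the database."""
    cid = int(customer_id)
    query = "SELECT id, name, email FROM customers WHERE id = ?"
    return conn.execute(query, (cid,)).fetchall()


# Constructed input for the demonstration: the classic tautology that turns the
# WHERE clause of the concatenated query into "always true", returning every row.
ALWAYS_TRUE_INPUT = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", lookup_vulnerable(db, ALWAYS_TRUE_INPUT))
    print("parameterized:", lookup_parameterized(db, ALWAYS_TRUE_INPUT))
    print("typed:        ", lookup_typed(db, "2"))
```

Run against the constructed table, the concatenated lookup returns all three customers for the tautology input, the parameterized lookup returns nothing because no customer is literally named `x' OR '1'='1`, and the typed lookup refuses the same kind of input before a query is ever built. The fix is structural, which is the article's point: no amount of perimeter monitoring changes how the first function assembles its statement.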
While Sony seems to have been the hardest hit and most frequently targeted private-sector organization this year (the U.S. Government is a more frequent target), it is far from alone as the bearer of the bull’s-eye. Among the growing roster of major corporations that have been the prey of hackers this year (Sony, Sega, Citi, RSA, et al.), each breach began with some point of vulnerability – a structural issue – within the victim’s software code. Some of these vulnerabilities exist in newly created code, while others have carried over from issues in legacy code that either were dormant or were not exploitable when the original code was written.
While companies should be doing more during the build process to locate areas of potential risk, most do little or nothing. And when you consider that only 0.025% of the lines of code in an average enterprise application contain vulnerabilities, it might make sense that companies would not spend the time or money to find those issues. But the average business application contains over 400,000 lines of code; that minute fraction actually adds up to roughly ONE HUNDRED points of infiltration for potential hackers – talk about leaving the back door open!
Even the best security system will only tell a company when someone or something has breached its structure; security software won’t keep out the unauthorized. In order to locate the potential risks within software, IT departments need to be more vigilant and perform thorough structural analysis of applications. By performing intensive application analysis, a company can identify points of vulnerability within the structure of its application software during the build process and know where the holes are that need plugging before an application is deployed.
Manual assessment of application software, however, is tedious, expensive and grossly inefficient. But if that analysis can be automated, the company gains the ability to see the whole application much more efficiently and to go beyond one developer’s view of things like input validation – which provides an easy entry for a hacker – or of any business transaction that might fail on its own. Furthermore, automation gives management the means to track, incentivize and ensure that security, stability and efficiency traps are not introduced, either inadvertently or maliciously, into its enterprise software. In other words, by gaining visibility into the potential threat, the company can eliminate it before it becomes a future security problem.
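What "automated structural analysis" looks like at its simplest is a check that walks every source file in the application rather than relying on each developer to remember the rule. The example below is an added illustration written for this article; it is not the article's own tool, nor any vendor's product. It parses Python source into an abstract syntax tree and flags calls to the usual database sinks whose SQL text is assembled at runtime (concatenation, `%` formatting, `.format()` or an f-string). The sample application source it scans is constructed for the example. It is deliberately a syntactic first pass: a query built in a variable and passed in by name is not tracked, so a real analysis would add data-flow (taint) tracking on top of this.

```python
import ast

# Method names that hand a statement to the database (sqlite3 / DB-API style).
SQL_SINKS = {"execute", "executemany", "executescript"}


def _dynamic_kind(node):
    """Return how a SQL argument is built at runtime, or None if it is a
    plain literal (or something this syntactic pass cannot classify)."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "percent-format"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format"
    return None


def find_dynamic_sql(source, filename="<constructed>"):
    """Scan one module's source and return (filename, line, kind) for every
    database sink whose first argument is assembled at runtime."""
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in SQL_SINKS or not node.args:
            continue
        kind = _dynamic_kind(node.args[0])
        if kind is not None:
            findings.append((filename, node.lineno, kind))
    # Report in source order so the output reads like a compiler's diagnostics.
    return sorted(findings, key=lambda f: (f[0], f[1]))


def scan_application(modules):
    """Scan a whole application given as {filename: source}; this is the
    'see the whole application' step rather than one developer's file."""
    findings = []
    for filename, source in sorted(modules.items()):
        findings.extend(find_dynamic_sql(source, filename))
    return findings


# Constructed sample application: two unsafe query builders and one safe one.
SAMPLE_SOURCE = '''\
def by_name(cur, name):
    return cur.execute("SELECT * FROM customers WHERE name = '" + name + "'")

def by_email(cur, email):
    return cur.execute(f"SELECT * FROM customers WHERE email = '{email}'")

def by_id(cur, cid):
    return cur.execute("SELECT * FROM customers WHERE id = ?", (cid,))
'''


if __name__ == "__main__":
    for filename, line, kind in scan_application({"customers.py": SAMPLE_SOURCE}):
        print(f"{filename}:{line}: SQL built by {kind}; use a bound parameter instead")
```

On the constructed module the scan reports lines 2 and 5 and stays silent on the parameterized `by_id`, which is the behaviour a build-time gate needs: a finding is a place where the statement's structure depends on input, which is precisely the class of flaw the article attributes to the Sony breaches. Wiring a check like this into the build is the "locate areas of potential risk during the build process" step the article says most companies skip.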
At a time in world economics when no company can afford to take on the added debt of making financial reparations to customers whose personal information has been accessed by unauthorized parties, Sony and other breach victims would do well to watch their back doors as much as they do their bottom lines.