It’s fashionable right now in the data security community to knock Sony Pictures for lax practices. While I refrain from jumping on that bandwagon, this article is not meant to be a defense of poor choices made by some within the company. It doesn’t really need to be, as the company already has Kevin Mandia of FireEye’s Mandiant division defending them in a memo distributed to employees.
The Sony Pictures data breach does appear to show really egregious lapses, most particularly in the fact that the attackers obtained a cleartext file of internal passwords. The latest revelation, relayed to me by Prime Factors’ head of Product Support, Sean Workman, is that the attackers appear to have also obtained a copy of Sony’s code-signing certificate! For those unfamiliar, this is a cryptographic key used to digitally sign software a vendor distributes, so that users can confirm the software comes from a known and reliable source; anyone holding the private key can sign software that will pass that check as if it came from the vendor. In our business, a compromise of a code-signing key is a clear indication of poor controls.
I’ll stop there -- there are enough writers out there bashing Sony Pictures right now. What this says to me, though, is that a great chasm still exists between enterprise data security practices and unavoidable human nature. Until organizations take steps to recognize that gap and retool their approaches to deal with it, broad and damaging breaches like the one at Sony Pictures will continue to occur.
It comes down to the inarguable fact that employees tend to spend their work time, energy, and attention on the things they are compensated for. While there are a lot of psychological theories for human behavior, it’s very hard for me to view this situation as anything other than practical examples of B.F. Skinner’s theory of operant conditioning. The positive reinforcements of a recurring paycheck, bonuses, and advancement focus the attention of employees on those things that bring these rewards.
At Sony Pictures, out of the thousands of employees, how many do you think had “constantly follow all recommended data security practices” as one of the top five (…or seven, or even 20) goals that they would be evaluated for? Like all companies, there will be a very small cadre of data protection professionals who do, and the remaining majority is otherwise focused on developing and delivering the company’s intellectual properties to the market. (Yeah, I know – I’ve seen a lot of the company’s movies, too, and calling all of them “intellectual” anything can be a stretch – Jack and Jill, anyone? Still, in a strict Economics and Accounting sense, that’s what their products are….) Script writers focus on creating entertaining scripts, producers focus on completing popular movies at or under budget, casting directors focus on identifying the best performers to fit a director’s vision, and so on. If any of them happen to think about data security, even a little bit, it’s an unexpected bonus.
There is a tendency for those in my industry to look at this situation and immediately begin ranting that “data protection is job #1” or “it’s everyone’s responsibility.” It would be swell if that could be the case…and if we all watched what we ate to maintain our AMA-approved weight, exercised regularly to keep our hearts strong, got plenty of sleep, saved for retirement, flossed regularly, and called our mothers at least twice a week.
Enterprise data protection will not be effective in this new world of advanced persistent threats (APTs) targeting commercial enterprises until fundamental human nature is taken into account. People will continue to choose weak passwords that are easy to remember and, thereby, easy to crack. People will still become distracted and neglect to encrypt a document when rushing to meet a deadline, and so on. Data breaches at large organizations will continue to occur for as long as data protection is solely or even largely dependent on all the employees consistently doing the right thing all the time. It’s naïve to expect that -- we are engaged in a data protection war with a faceless guerrilla underground. An enterprise’s employees have to do the right thing every time, while a criminal actor only has to be successful once to cause major harm.
Hmph – that was a bit of a rant that I needed to get off my chest, it seems. The useful thought this all points to is that data protection must be a truly transparent part of all employees’ activities. Data protection cannot depend on all workers constantly and consistently doing the right action when that action is not something they are evaluated or rewarded for. Encryption of sensitive data must be built into user applications as automatic functions – encrypted drives and file systems that protect data without user intervention, and field-level encryption implemented at the database level so that it requires no application changes or user intervention. Keys used to encrypt data must be long, random, and strong, best generated by vetted pseudo-random number generators. The one concession reasonable to make, to my mind, is the introduction of multi-factor (at least two factors) authentication, where the user must have something, a fob or an app on their phone, in addition to their password. While this is a change for users, it falls very close to other behaviors broadly reinforced by the market – presenting a loyalty card when buying a cappuccino, waving a phone at a point-of-sale terminal.
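Two of the controls above (keys drawn from a vetted random source, and a second factor the user has rather than remembers) are small enough to show in working code. The block below is an added illustration, not code from the original post or from Prime Factors: it contrasts a key pulled from the operating system's CSPRNG with one derived from a seeded general-purpose PRNG, and implements the HOTP/TOTP one-time-code algorithms (RFC 4226 / RFC 6238) with a small clock-skew window on the verifying side. The `MIN_KEY_BITS` policy value and the constructed demo secret are assumptions made for the example.

```python
import hashlib
import hmac
import random
import secrets
import struct
import time

# Assumed policy for this example: data-encryption keys of at least 256 bits.
MIN_KEY_BITS = 256


def generate_data_key(n_bytes: int = 32) -> bytes:
    """Fresh key from the OS CSPRNG (secrets -> os.urandom); no user input needed."""
    if n_bytes * 8 < MIN_KEY_BITS:
        raise ValueError(f"key must be at least {MIN_KEY_BITS} bits")
    return secrets.token_bytes(n_bytes)


def weak_key_from_seeded_prng(seed: int, n_bytes: int = 32) -> bytes:
    """Deliberately weak, for contrast: a Mersenne Twister seeded with a guessable
    value yields the same 'random' key every time it is seeded the same way."""
    rng = random.Random(seed)
    return rng.getrandbits(n_bytes * 8).to_bytes(n_bytes, "big")


def key_is_acceptable(key: bytes) -> bool:
    """Length policy plus a sanity check against a degenerate all-same-byte key."""
    return len(key) * 8 >= MIN_KEY_BITS and len(set(key)) > 1


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Server-side check allowing +/- `skew` time steps of clock drift.
    Comparison is constant-time so the code is not leaked via timing."""
    for delta in range(-skew, skew + 1):
        expected = hotp(secret, at_time // step + delta, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo values; a real deployment provisions the TOTP secret per user.
    demo_secret = b"12345678901234567890"
    now = int(time.time())
    print("CSPRNG key acceptable:", key_is_acceptable(generate_data_key()))
    print("Seeded PRNG key repeats:",
          weak_key_from_seeded_prng(42) == weak_key_from_seeded_prng(42))
    code = totp(demo_secret, now)
    print("Current TOTP:", code, "verifies:", verify_totp(demo_secret, code, now))
```

The seeded-PRNG function exists only to make the contrast concrete: because its output is fully determined by the seed, an attacker who can guess the seed (a timestamp, a process id) can regenerate the key, which is exactly the failure mode "vetted" generators are meant to rule out. The TOTP verifier accepts codes from the adjacent time steps so that a phone with a slightly drifted clock still works, which is the usual trade-off between usability and a tighter replay window.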
The change that needs to occur is far less in the behaviors of end users, who are rewarded for producing the value of the company, and far more in how we as data protection professionals and technologists transparently integrate data protection into their normal work habits.
Please join me next week for an overview of Prime Factors' EncryptRIGHT to learn how it supports the goal of adding data protection transparently to your existing or new applications, removing more of the data protection obligation from employees.