AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


UK Data Breach Security: Sony Will Not Appeal £250,000 ICO Fine

Sony has decided not to appeal the £250,000 monetary penalty that was assessed by the UK Information Commissioner's Office (ICO).  The penalty stands as the largest assessed to date under the ICO's purview.  This decision gives companies in the United Kingdom added impetus to properly secure any personal information that they have collected and that resides on their computers (by using managed laptop encryption software) or on smartphones and tablets (via the use of mobile device management software).

Sony Does Not Want to Reveal Security Strategy

According to v3.co.uk, the Japanese electronics powerhouse decided to drop the appeal after considering what it would have to reveal in court:
Sony said that it was giving up the appeal because it was wary of revealing more information on its security procedures the process would have required, rather than because of any change of heart.

"After careful consideration we are withdrawing our appeal. This decision reflects our commitment to protect the confidentiality of our network security from disclosures in the course of the proceeding. We continue to disagree with the decision on the merits," a spokesperson said.

Depending on your point of view, this is an artful dodge.  On the one hand, it makes sense.  Security types are highly critical of "security through obscurity," where obfuscation is the basis for safety, but there's no reason why one should make it easy for the attackers even if one's security is state of the art.

On the other hand, any errors should have been corrected by now.  Plus, the perpetrators have not been caught, meaning they already know the weaknesses that were present in Sony's network.  And, last but not least, hackers do share with each other (gratis or for a price) the weaknesses they have unearthed.

In short, there's very little that Sony would be revealing to the criminal world in general.  If anything, the company could be caught in a position where it reveals to the public at large how it failed miserably when it came to securing its networks (and protecting its customers).  Some of the stories I've heard, both confirmed and otherwise, include not encrypting sensitive data (when it was possible to do so) and not applying critical updates and patches, even after smaller attacks (but before the Big One), among others.

Plus, there is the fact that Sony will be debuting the PlayStation 4 next week.  While an appeal will take considerably longer to resolve than next week – heck, it'll probably take years – the last thing Sony wants to do is bring the wrong type of attention to its PlayStation Network for years to come.

On the other hand, there is something to the "confidentiality of the network" claim Sony has made.  Have you seen the ICO's public release of Sony's Monetary Penalty Notice?  The interesting parts have been censored as if a Cold War NSA lackey went crazy with a black marker.  I don't know of any other MPN that looks like that.

For its part, the Information Commissioner's Office makes no bones about its position:
There's no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.

The penalty we've issued today is clearly substantial, but we make no apologies for that. [ico.org]
 

What is Proper Security?

Most companies are not global conglomerates.  In fact, small and medium sized enterprises account for 75% to 90% of all companies in any given nation; however, SMEs can also be embroiled in a situation that affects too many clients.  For example, the ICO's website is littered with monetary penalties for the loss of laptops, USB flash drives, and other digital data storage devices (not to mention their analog counterparts: paper documents).  It won't be long before we see a fine for the loss of a smartphone or tablet computer, especially with the growing popularity of BYOD as well as company-issued mobile devices.

There is hope, however.  The ICO constantly issues reminders, and notes in Monetary Penalty Notices, that the use of disk encryption is a very effective method of preventing data breaches that involve personal information.

The use of encryption and other security-enhancing tools – such as AlertBoot's mobile device management (MDM) for smartphones and tablets – has the double effect of protecting clients as well as protecting one's company.  It's very win-win.

Related Articles and Sites:
http://www.databreaches.net/?p=28153
http://www.v3.co.uk/v3-uk/news/2281269/sony-gives-up-gbp250-000-fine-appeal-after-playstation-hacks
http://www.ico.org.uk/news/latest_news/2013/ico-news-release-2013
 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.