Sony's Interesting Take on Firewall Management
I have to admit, like most of you I was amazed to hear that in regard to the recent breaches on the PSN, Sony did not have a firewall in place. I guess one could say that is one way to solve the firewall management issue. ;-)
All kidding aside, I could almost understand not patching or updating their Apache software. Patching and keeping software up-to-date is a task that many organizations don’t do a great job of even though there are some great solutions out there. But putting in a firewall?
The most recent data I've seen says firewalls are installed in well over 95% of network installations. With even home cable and DSL routers having firewall software installed, I always assumed the small fraction of networks without firewalls had to be those small installs tucked back in some out-of-the-way corner. To think that a company the size of Sony would forego firewalls is mind boggling!
So, why would Sony not put a firewall in place? I would think it is a management issue (I know I am a bit obsessed with the “security needs management” theme lately). But, the same people who didn’t comment for almost a week after this incident, who have repeated incidents and breaches, who installed a root kit on their CDs a while back, just don’t seem to get the whole internet security/privacy thing.
Here is the lesson for the rest of us: Sony is going to pay dearly for this, I'm afraid. This could be a case that the authorities and courts use as an example. A defendant with deep pockets, sensitive financial data lost and it appears a negligent attitude and track record. I don’t think anyone is going to want to be the next Sony.
Go one step further though. Just putting a firewall in place is not enough. You need firewall analysis and firewall management if your investment in a firewall is going to be worthwhile. Just don’t stop at the firewall. Remember, security needs management!