In response to the news that the attack upon Sony was made possible by hackers stealing the computer credentials of a system administrator, Kurt Mueffelmann, President and CEO of Cryptzone, says:
"If, as reported, investigators now have evidence that hackers stole the computer credentials of a system administrator to get access to Sony's computer system, it clearly demonstrates the imperative for organizations to implement additional controls that minimize the ability to abuse access rights bestowed on privileged users.
"While steps need to be taken to secure networks from outside attacks, equal care should be taken to protect the data within the networks – from outside hackers and internal misuse. Labelling sensitive information as such and not having additional layers of protection is like leaving the crown jewels exposed with no security – tempting visitors and criminals alike.
"We shouldn't think of a person's network credentials as the be-all and end-all of secure access, and his or her authorization rules shouldn't be one size fits all. It's also important to take into consideration the context of the user's request to access sensitive information.
"Furthermore, someone who does manage to break into the organization shouldn't automatically be able to see and access everything that's within. After all, this just tells them where to focus their attention. Organizations should look to implement dynamic access controls to limit the applications and content a user can view to limit the damage that can be done. Not all information should be accessed anytime, anywhere. Highly sensitive information should also have additional layers of security, such as encryption applied, to better mitigate risk."