A Cautionary Tale: Sony Was Destined to Be Hacked Twice

Summary: Long before Sony Pictures Entertainment revealed in November that it had been hacked by a group calling itself the Guardians of Peace, another division of Sony was attacked by cyber attackers.


Long before Sony Pictures Entertainment revealed in November that it had been hacked by a group calling itself the Guardians of Peace, another division of Sony was attacked by cyber attackers.

Between April and May 2011, Sony Computer Entertainment’s online gaming service, PlayStation Network, and its streaming media service, Qriocity, plus Sony Online Entertainment, the company’s in-house game developer and publisher, were hacked by LulzSec, a splinter group of the hacker collective Anonymous. The online services were shut down between April 20 and May 15 as Sony attempted to secure the breach, which put the sensitive personal data of over 100 million customers at risk. The chief executive of Sony Computer Entertainment America at the time, Kazuo Hirai, wrote the following on the PlayStation blog:

“We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer (CISO).”

Hirai is now president and CEO of Sony.

Philip Reitinger was appointed CISO of Sony Corporation America in September 2011, shortly after that year’s breach. This September, he left Sony to start his own security consulting business, VisionSpear. John Scimone replaced him.

Globally, Sony has more than 140,000 employees and more than 100 subsidiaries. “Not only did Reitinger have his hands full,” says Gary S. Miliefsky, CEO of cyber security firm SnoopWall, “but some people say that his team could not manage all the corporate network ‘touch points.’ So there was no centralization of security events information management.” Reitinger’s departure this year also created a security leadership gap at Sony when the company needed it most, Miliefsky adds.

Sony Computer Entertainment and Sony Pictures Entertainment declined to comment.

Sony learned a lot of painful lessons from the 2011 breach, says Lewis Ward, research director for gaming at the market research firm IDC. The company reported a hard cost of $171 million, but Ward estimates that the hack ended up costing Sony more than $250 million through the end of 2012 as it worked to clean up the mess and reinforce its defenses. “On the gaming side, nothing like the PlayStation Network attack had happened before, or has happened since,” he says. “It was unprecedented in gaming.”

Sony and Microsoft have experienced smaller breaches of their online gaming networks since 2011, including another PlayStation Network attack in October 2011 and a PlayStation Store attack earlier this month. But the April 2011 attack stands alone for its size and scope.

That’s because the PlayStation Network suffered multiple kinds of attacks, Miliefsky says. One was a classic data breach: the release of otherwise secure information. The second was a distributed denial-of-service attack, or DDoS, that left the network inaccessible to gamers. Sony has since improved its stance against both attack types (for example, it’s now a strong partner of Amazon Web Services, the dominant cloud computing player, improving its odds against a DDoS), and Hirai has improved collaboration across Sony’s many divisions since taking the company’s top job.


But there’s one major factor that prevented Sony from better using those 2011 lessons in 2014: organizational structure. The company has long had a reputation for operating in silos, says Michael Pachter, a video game analyst at Wedbush Securities, and no silo is more isolated than Sony Pictures Entertainment. “It’s the [Sony] movie guys who don’t talk to anybody,” Pachter says. “They learned nothing from the PlayStation Network breach. I don’t know the movie guys, but the game people have been very friendly and open-minded and would love to work with the Sony movie guys.”

This type of corporate structure is hardly limited to Sony, but it helps explain why such a challenging period in 2011 didn’t better prepare the company to avoid a similar scenario in 2014. “Most organizations are in silos,” says Tim Eades, CEO of the security company vArmour. “They need better sharing and collaboration solution in security between their divisions and their supply chain. If Sony had that, it would have been stronger.”


The problem? Sony didn’t address its organizational issues fast enough after the 2011 hack, Miliefsky says. “From that moment on, their CIO should have implemented corporate-wide protection measures and beefed up info-sec training for employees that would be standardized across the organization,” he says. “The tools and techniques they decided to use to protect the public-facing PlayStation Network was a reactive approach: ‘We were attacked at point X by Y, so let’s defend point X with tools to stop successful exploitation by these kinds of Y attacks.’ It was completely reactive, not proactive.”

It’s a particularly knotty issue for a company as large as Sony. “The attack surface that Sony has is vast and requires significant investment and, unfortunately, time to deploy,” Eades says.

The email correspondence that leaked in the wake of the recent hack showed that Sony Pictures Entertainment may have been operating without adequate protection against phishing attacks and remote-access Trojans, and without adequate password management policies, proper use of encryption, data storage, and backups, Miliefsky says.

“Ultimately, SPE was wide open,” Miliefsky says. “They probably had a firewall and antivirus and told their CISO ‘everything is safe and secure over here,’ if that conversation even happened. A proper inventory control, vulnerability assessment, and employee training at SPE would have revealed much to the CISO.”

Sony has improved its internal coordination, thanks to both Hirai’s leadership and the return of Andrew House as president and Group CEO of Sony Computer Entertainment, Pachter says. For example, Sony Pictures Television is currently filming the original live action television series, Powers, for the PlayStation Network. But the budding synergy between divisions wasn’t enough to stop the most recent cyber attack against Sony, says P.J. McNealy, CEO of the market research firm Digital World Research.

In 2011, Sony Computer Entertainment worked hard to win back the trust of its gaming customers, and today it leads both Microsoft and Nintendo in the gaming console market with its PlayStation 4. “Consumers are quick to forgive on this front because at the end of the day it’s an entertainment product,” McNealy says. “I was surprised at how quickly the user numbers spiked back after the patch was fixed and the network went back online [in May 2011]. Consumers are accepting that this is the new world we live in, where hacks take place.”

Experts agree that while Sony’s reputation is suffering in the wake of the most recent attack, it is hardly the only company at risk from such issues.

“Can any corporation really firewall itself to be invulnerable to attacks today?” McNealy asked. “We’ve now seen hackers breach major corporations and major retailers. Everyone’s a target for hackers. There’s been a real shift in the hacking community from unleashing viruses through emails on select holidays to attract headlines 10 years ago, to trying to grab personal data and information.”

Joseph Demarest, assistant director of the cyber division of the Federal Bureau of Investigation, earlier this month declared to members of Congress that 90% of businesses could not have stopped the Sony Pictures Entertainment attack.

“I agree with that number,” Miliefsky says. “But the real issue is today’s security posture and employee training. The biggest weakness at Sony Pictures Entertainment was the employees. If you can’t train them to behave better, then what can you expect but another successful breach?”