Sony was destined to be hacked twice

John Gaudiosi 2014-12-27
Sony's online gaming service, PlayStation Network, was hacked back in 2011. Why did the company not learn from that incident and avoid this year's Sony Pictures breach? Experts say the main reason is its siloed organizational structure.

    Kazuo Hirai, then CEO of Sony Computer Entertainment, at a press conference in May 2011. He has since become CEO of the Sony Group.


    Long before Sony Pictures Entertainment revealed in November that it had been hacked by a group calling itself the Guardians of Peace, another division of Sony was attacked by cyber attackers.

    Between April and May 2011, Sony Computer Entertainment’s online gaming service, PlayStation Network, and its streaming media service, Qriocity—plus Sony Online Entertainment, the company’s in-house game developer and publisher—were hacked by LulzSec, a splinter group of Anonymous, the hacker collective.

    The online services were shut down between April 20 and May 15 while Sony worked to contain the breach, which put the sensitive personal data of more than 100 million customers at risk. The chief executive of Sony Computer Entertainment America at the time, Kazuo Hirai, wrote the following on the PlayStation blog:

    “We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer (CISO).”

    Hirai is now president and CEO of Sony.

    Philip Reitinger was appointed CISO of Sony Corporation America in September 2011, shortly after that year’s breach. This September, he left Sony to start his own security consulting business, VisionSpear. John Scimone replaced him.

    Globally, Sony has more than 140,000 employees and more than 100 subsidiaries. “Not only did Reitinger have his hands full,” says Gary S. Miliefsky, CEO of cyber security firm SnoopWall, “but some people say that his team could not manage all the corporate network ‘touch points.’ So there was no centralization of security events information management.” Reitinger’s departure this year also created a security leadership gap at Sony when the company needed it most, Miliefsky adds.

    Sony Computer Entertainment and Sony Pictures Entertainment declined to comment.

    Sony learned a lot of painful lessons from the 2011 breach, says Lewis Ward, research director for gaming at the market research firm IDC. The company reported a hard cost of $171 million, but Ward estimates that the hack ended up costing Sony more than $250 million through the end of 2012 as it worked to clean up the mess and reinforce its defenses. “On the gaming side, nothing like the PlayStation Network attack had happened before, or has happened since,” he says. “It was unprecedented in gaming.”

    Sony and Microsoft have experienced smaller breaches of their online gaming networks since 2011, including another PlayStation Network attack in October 2011 and a PlayStation Store attack earlier this month. But the April 2011 attack stands alone for its size and scope.

    That’s because the PlayStation Network suffered multiple kinds of attacks, Miliefsky says. One was a classic data breach—the release of otherwise secure information. The second was a distributed denial-of-service attack, or DDoS, that left the network inaccessible to gamers. Sony has since improved its stance against both attack types—for example, it’s now a strong partner of Amazon Web Services, the dominant cloud computing player, improving its odds against a DDoS—and Hirai has improved collaboration across Sony’s many divisions since taking the company’s top job.

    But there’s one major factor that prevented Sony from better using those 2011 lessons in 2014: organizational structure. The company has long had a reputation for operating in silos, says Michael Pachter, a video game analyst at Wedbush Securities, and no silo is more isolated than Sony Pictures Entertainment. “It’s the [Sony] movie guys who don’t talk to anybody,” Pachter says. “They learned nothing from the PlayStation Network breach. I don’t know the movie guys, but the game people have been very friendly and open-minded and would love to work with the Sony movie guys.”
