索尼注定要被“黑”两次

    这种公司结构并非索尼公司所独有，但它有助于解释索尼为何在2011年遭遇这样的挑战后，仍没有做好更充分的准备以避免在2014年重蹈覆辙。安全公司vArmour的首席执行官蒂姆•伊德斯表示：“大多数机构都是孤岛式的。他们需要更好地在各个部门和供应链之间分享安全问题的解决方案，并展开更有效的合作。如果索尼这么做了，它就会更加强大。”

    问题在哪？米里夫斯基表示，在2011年被黑客袭击后，索尼没有足够迅速地处理组织结构问题。他说：“从那时起，他们的首席信息官就应该在全公司推行防护措施，加强员工的信息安全培训，这些应当成为公司上下的标准化培训内容。就面向大众的PlayStation Network而言，索尼采用了完全被动的防护措施——‘我们在X点被Y攻击了，所以我们用各种工具来强化X点，避免让与Y类似的攻击再次得逞。’这完全是被动防御，而不是主动防御。”

    对于索尼这样的大公司而言，做好防御尤其困难。伊德斯表示：“索尼可以被攻击的面很广，需要大量投资和时间来部署防御，这的确令人遗憾。”

    米里夫斯基称，在最近的黑客攻击中泄露的电子邮件通讯，证明索尼影视娱乐公司没有采取足够措施来防范网络钓鱼攻击和远程访问木马，没有有效的密码管理策略，也没有恰当地进行加密、数据储存和备份操作。

    米里夫斯基表示：“最后，索尼影视娱乐公司等于是门户大开。他们很可能只是装了个防火墙和杀毒软件，然后告诉他们的首席信息安全官‘这里一切安全’——如果真的有这类对话的话。如果索尼影视娱乐公司有恰当的存储控制、漏洞评估和员工培训机制，首席信息安全官本可以知道得更多。”

    帕切特表示，拜平井一夫的领导和安德鲁•豪斯重新担任索尼电脑娱乐公司总裁和集团首席执行官所赐，索尼的内部协调已经得到了改善。比如，索尼影视电视公司目前就正在为PlayStation Network拍摄原创实景真人系列电视剧Powers。然而，市场调研公司Digital World Research的首席执行官P. J. 麦克尼利表示：仍处于萌芽期的部门合作尚不足以阻止近来针对索尼的网络攻击。

    2011年，索尼电脑娱乐公司做出了大量努力来赢回其游戏消费者的信赖。如今，索尼借PlayStation 4在游戏主机市场取得了对微软和任天堂的领先。麦克尼利说：“消费者在这方面很容易原谅，因为到头来这只是个娱乐产品。在（2011年5月）打好补丁，PS主机平台网络重新上线后，消费者回归的速度让我感到十分惊讶。消费者已经开始接受这样一个事实：我们所在的是一个全新的世界，黑客攻击总是难免的。”

    专家也承认，尽管由于最近的被黑事件，索尼蒙受了名誉损失，但它不是唯一一家由于这类问题而陷入危机的公司。

    麦克尼利问道：“如今真的有公司能保证自己不遭受黑客攻击吗？我们现在亲眼看到，黑客能攻破大型公司和零售商。每个人都是黑客的目标。黑客的行为已经有了真正的转变，他们不再像10年前那样通过在特定节日发送病毒邮件来博取头条，如今他们正试图窃取个人数据和信息。”

    联邦调查局网络安全部副主任约瑟夫•德马雷斯特于本月早些时候对国会表示，90%的公司都无法抵御索尼影视娱乐公司遭受的攻击。

    米里夫斯基说：“我同意这个比例。但真正的问题是如今的安全态势和员工培训。索尼影视娱乐公司最大的弱点在于员工。如果你不能加强员工培训，让他们改善自己的行为，那么除了等着被黑客再次成功入侵，你还能指望什么？”（财富中文网）

    译者：严匡正

    This type of corporate structure is hardly limited to Sony, but it helps explain why such a challenging period in 2011 didn’t better prepare the company to avoid a similar scenario in 2014. “Most organizations are in silos,” says Tim Eades, CEO of the security company vArmour. “They need better sharing and collaboration solution in security between their divisions and their supply chain. If Sony had that, it would have been stronger.”

    The problem? Sony didn’t address its organizational issues fast enough after the 2011 hack, Miliesky says. “From that moment on, their CIO should have implemented corporate-wide protection measures and beefed up info-sec training for employees that would be standardized across the organization,” he says. “The tools and techniques they decided to use to protect the public-facing PlayStation Network was a reactive approach—’We were attacked at point X by Y, so let’s defend point X with tools to stop successful exploitation by these kinds of Y attacks.’ It was completely reactive, not proactive.”

    It’s a particularly knotty issue for a company as large as Sony. “The attack surface that Sony has is vast and requires significant investment and, unfortunately, time to deploy,” Eades says.

    The email correspondence that leaked in the wake of the recent hack showed that Sony Pictures Entertainment may have been operating without adequate protection against phishing attacks, remote-access Trojans, password management policies, proper use of encryption, data storage, and backups, Miliesky says.

    “Ultimately, SPE was wide open,” Miliesky says. “They probably had a firewall and antivirus and told their CISO ‘everything is safe and secure over here,” if that conversation even happened. A proper inventory control, vulnerability assessment, and employee training at SPE would have revealed much to the CISO.”

    Sony has improved its internal coordination, thanks to both Hirai’s leadership and the return of Andrew House as president and Group CEO of Sony Computer Entertainment, Pachter says. For example, Sony Pictures Television is currently filming the original live action television series, Powers, for the PlayStation Network. But the budding synergy between divisions wasn’t enough to stop the most recent cyber attack against Sony, says P.J. McNealy, CEO of the market research firm Digital World Research.

    In 2011, Sony Computer Entertainment worked hard to win back the trust of its gaming customers, and today it leads both Microsoft and Nintendo in the gaming console market with its PlayStation 4. “Consumers are quick to forgive on this front because at the end of the day it’s an entertainment product,” McNealy says. “I was surprised at how quickly the user numbers spiked back after the patch was fixed and the network went back online [in May 2011]. Consumers are accepting that this is the new world we live in, where hacks take place.”

    Experts agree that while Sony’s reputation is suffering in the wake of the most recent attack, it is hardly the only company at risk from such issues.

    “Can any corporation really firewall itself to be invulnerable to attacks today?” McNealy asked. “We’ve now seen hackers breach major corporations and major retailers. Everyone’s a target for hackers. There’s been a real shift in the hacking community from unleashing viruses through emails on select holidays to attract headlines 10 years ago, to trying to grab personal data and information.”

    Joseph Demarest, assistant director of the cyber division of the Federal Bureau of Investigation, earlier this month declared to members of Congress that 90% of businesses could not have stopped the Sony Pictures Entertainment attack.

    “I agree with that number,” Miliefsky says. “But the real issue is today’s security posture and employee training. The biggest weakness at Sony Pictures Entertainment was the employees. If you can’t train them to behave better, then what can you expect but another successful breach?”