Lessons from the past: Sony was destined to be "hacked" twice

Long before Sony Pictures Entertainment revealed in November that it had been hacked by a group calling itself the Guardians of Peace, another division of Sony was attacked by cyber attackers.

Between April and May 2011, Sony Computer Entertainment’s online gaming service, PlayStation Network, and its streaming media service, Qriocity—plus Sony Online Entertainment, the company’s in-house game developer and publisher—were hacked by LulzSec, a splinter group of Anonymous, the hacker collective.

The online services were shut down between April 20 and May 15 as Sony attempted to secure the breach, which put the sensitive personal data for over 100 million customers at risk. The chief executive of Sony Computer Entertainment America at the time, Kazuo Hirai, wrote the following on the PlayStation blog:

“We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer (CISO).”

Hirai is now president and CEO of Sony.

Philip Reitinger was appointed CISO of Sony Corporation America in September 2011, shortly after that year’s breach. This September, he left Sony to start his own security consulting business, VisionSpear. John Scimone replaced him.

Globally, Sony has more than 140,000 employees and more than 100 subsidiaries. “Not only did Reitinger have his hands full,” says Gary S. Miliefsky, CEO of cyber security firm SnoopWall, “but some people say that his team could not manage all the corporate network ‘touch points.’ So there was no centralization of security events information management.” Reitinger’s departure this year also created a security leadership gap at Sony when the company needed it most, Miliefsky adds.

Sony Computer Entertainment and Sony Pictures Entertainment declined to comment.

Sony learned a lot of painful lessons from the 2011 breach, says Lewis Ward, research director for gaming at the market research firm IDC. The company reported a hard cost of $171 million, but Ward estimates that the hack ended up costing Sony more than $250 million through the end of 2012 as it worked to clean up the mess and reinforce its defenses. “On the gaming side, nothing like the PlayStation Network attack had happened before, or has happened since,” he says. “It was unprecedented in gaming.”

Sony and Microsoft have experienced smaller breaches of their online gaming networks since 2011, including another PlayStation Network attack in October 2011 and a PlayStation Store attack earlier this month. But the April 2011 attack stands alone for its size and scope.

That’s because the PlayStation Network suffered multiple kinds of attacks, Miliefsky says. One was a classic data breach—the release of otherwise secure information. The second was a distributed denial-of-service attack, or DDoS, that left the network inaccessible to gamers. Sony has since improved its stance against both attack types—for example, it’s now a strong partner of Amazon Web Services, the dominant cloud computing player, improving its odds against a DDoS—and Hirai has improved collaboration across Sony’s many divisions since taking the company’s top job.

But there’s one major factor that prevented Sony from better using those 2011 lessons in 2014: organizational structure. The company has long had a reputation for operating in silos, says Michael Pachter, a video game analyst at Wedbush Securities, and no silo is more isolated than Sony Pictures Entertainment. “It’s the [Sony] movie guys who don’t talk to anybody,” Pachter says. “They learned nothing from the PlayStation Network breach. I don’t know the movie guys, but the game people have been very friendly and open-minded and would love to work with the Sony movie guys.”

This type of corporate structure is hardly limited to Sony, but it helps explain why such a challenging period in 2011 didn’t better prepare the company to avoid a similar scenario in 2014. “Most organizations are in silos,” says Tim Eades, CEO of the security company vArmour. “They need better sharing and collaboration solutions in security between their divisions and their supply chain. If Sony had that, it would have been stronger.”

The problem? Sony didn’t address its organizational issues fast enough after the 2011 hack, Miliefsky says. “From that moment on, their CIO should have implemented corporate-wide protection measures and beefed up info-sec training for employees that would be standardized across the organization,” he says. “The tools and techniques they decided to use to protect the public-facing PlayStation Network were a reactive approach: ‘We were attacked at point X by Y, so let’s defend point X with tools to stop successful exploitation by these kinds of Y attacks.’ It was completely reactive, not proactive.”

It’s a particularly knotty issue for a company as large as Sony. “The attack surface that Sony has is vast and requires significant investment and, unfortunately, time to deploy,” Eades says.

The email correspondence that leaked in the wake of the recent hack showed that Sony Pictures Entertainment may have been operating without adequate protection against phishing attacks and remote-access Trojans, and without adequate password management policies, proper use of encryption, data storage, and backups, Miliefsky says.

“Ultimately, SPE was wide open,” Miliefsky says. “They probably had a firewall and antivirus and told their CISO ‘everything is safe and secure over here,’ if that conversation even happened. A proper inventory control, vulnerability assessment, and employee training at SPE would have revealed much to the CISO.”

Sony has improved its internal coordination, thanks to both Hirai’s leadership and the return of Andrew House as president and Group CEO of Sony Computer Entertainment, Pachter says. For example, Sony Pictures Television is currently filming the original live action television series, Powers, for the PlayStation Network. But the budding synergy between divisions wasn’t enough to stop the most recent cyber attack against Sony, says P.J. McNealy, CEO of the market research firm Digital World Research.

In 2011, Sony Computer Entertainment worked hard to win back the trust of its gaming customers, and today it leads both Microsoft and Nintendo in the gaming console market with its PlayStation 4. “Consumers are quick to forgive on this front because at the end of the day it’s an entertainment product,” McNealy says. “I was surprised at how quickly the user numbers spiked back after the patch was fixed and the network went back online [in May 2011]. Consumers are accepting that this is the new world we live in, where hacks take place.”

Experts agree that while Sony’s reputation is suffering in the wake of the most recent attack, it is hardly the only company at risk from such issues.

“Can any corporation really firewall itself to be invulnerable to attacks today?” McNealy asked. “We’ve now seen hackers breach major corporations and major retailers. Everyone’s a target for hackers. There’s been a real shift in the hacking community from unleashing viruses through emails on select holidays to attract headlines 10 years ago, to trying to grab personal data and information.”

Joseph Demarest, assistant director of the cyber division of the Federal Bureau of Investigation, earlier this month declared to members of Congress that 90% of businesses could not have stopped the Sony Pictures Entertainment attack.

“I agree with that number,” Miliefsky says. “But the real issue is today’s security posture and employee training. The biggest weakness at Sony Pictures Entertainment was the employees. If you can’t train them to behave better, then what can you expect but another successful breach?”

(Fortune China)