Sony Must Secure Networks, Analysts Say
The apparent ease with which hackers have breached Sony networks in recent days shows how much work is still needed to fully secure the company's networks, analysts say.
Sony, along with three external security firms, has been working frantically to shore up its systems since the company in mid-April uncovered two breaches that compromised data on nearly 100 million members of its PlayStation Network and Sony Online Entertainment network.
About 10 days ago, Sony announced that it had fixed all problems with its PSN and SOE networks and restored partial services.
Since then, there have been at least three separate -- and relatively minor -- attacks reported against Sony systems.
The relative ease in which hackers were able pull off the most recent intrusions is surprising given the heightened attention to security that at Sony since the widely piblicized PlayStation Network hack.
"The original attacks [on the PlayStation Network and Online Entertainment networks] were probably quite targeted and quite skilled," Chester Wisniewski, senior security advisor at security firm Sophos. "Now it seems to be that every random hacker out there has jumped on the bandwagon" to attack Sony.
Wisniewski cited an attack against Sony BMG's site in Greece where hackers uploaded a database containing non-sensitive user information to a public site.
The attack was not sophisticated and involved a pretty simple exploit of an SQL injection flaw, analysts said. "I'm surprised they wouldn't have cleaned up something like this by now," Wisniewski said.
The attacks suggest that Sony may have more work to do securing its networks than it might have bargained for, said Phil Lieberman, CEO of Lieberman Software.
The company's hard-line stance on copyright protection has earned it several enemies within the hacker community. Many of them are taking advantage of the publicity surrounding the Sony intrusions to try and further embarrass Sony, he said.
"Taking a baseball bat to a hornet's nest is never an advisable strategy. Sony's strategy in defending its intellectual property was heavyhanded and has triggered the 'nuclear option' with those that it engaged," Lieberman said.
While Sony focused heavily on protecting IP and enforcing copyright protections, the company appears to have done little to protect its massive presence on the Internet, Lieberman said. "I think Sony's beginning to understand that they horribly underinvested in security. It's simply not in their DNA."
Jason Maloni, senior vice president of the crisis and litigation team at Levick Strategic Communications, said that Sony's ongoing security travails is sure to be taking a heavy toll on both its reputation and on consumer confidence in the company.
Maloni was part of a crisis management team that helped Heartland Payment Systems respond to a disastrous 2008 breach that exposed data on close to 100 million debit and credit cards.
Though the breach was one of the largest ever, Heartland strategy was "to run towards the light" rather than remain mostly quiet as Sony has, Maloni said. From the start Heartland was open about the breach, the scope of the intrusions, its causes and what it was doing to address them, he added.
Sony, in contrast, has been less open about the breach and its plan for fixing the underlying weaknesses in its networks. The company has also done a relatively poor job in setting user expectations after the breach, Maloni said.
"They should have started setting expectations very low. They should have done a better job [talking about] the perpetrators of the breach and how they were the true bad guys," he said. "I don't think Sony got out early enough, to spell out what it was doing and that has left a bad taste."
Maloni believes that if the problems persist, Sony will take more of a reputational hit than other companies that suffered major breaches, such as TJX and Heartland. Those companies may have gotten a bit of pass because they were one among the first companies to suffer really major data compromises, he said.
But consumers since then have become less tolerant because they expect companies to learn from previous breaches, Maloni said. He expects that users will soon be asking: "what was Sony doing when all of these other companies were getting breached."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan , or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com .
Read more about security in Computerworld's Security Topic Center.