Despite appointing military-grade CISOs, archaic systems result in Sony breach

As more details emerge about the Sony Pictures data breach, it has been revealed that several archaic systems at the company had provided numerous points of entry for potential cyber attackers, according to Arstechnica.

Sony Pictures Entertainment is believed to have a history of appointing tech ‘heavies’ – formidable chief information security officers with distinguished military backgrounds, such as Phil Reitinger, the former director of the National Cyber Security Centre at the Department of Homeland Security, and the latest CISO, John Scimone, former senior security advisor for the Department of Defense’s Joint Task Force-Global Network Operations.

Sony’s problems reportedly began with an attack on a company FTP server that was used in the company’s international theatrical sales and distribution system. The system, which stored invoice and payment confirmation information as .txt files, had been in place since 2008.

As we have seen so often in other major data breach incidents, it appears that Sony only found out about the breach after being alerted by a third party. This happened when the company was informed by a news reporter who was reporting on thousands of FTP logins being passed around in online forums.

In another twist, Sony Pictures Entertainment is said to have taken the threat of denial-of-service (DoS) attacks on its business very seriously following a DoS attack on its Sony PlayStation Network. But, as the article explains, this attack took place from the inside — a threat that seemed to have caught Sony’s intelligence off-guard.

Furthermore, the attackers were said to have collected a significant amount of intelligence on the network from Sony Pictures Entertainment’s own IT department.

The article states that it is clear that those behind the attack were deep inside Sony’s network for a long time before they set off the malware that erased Sony hard drives.

And that’s not the end. Sony Pictures Entertainment is still under siege, with the attackers (GoP) threatening to release even more information. “The sooner SPE accept our demands, the better, of course,” the GoP said in their latest post. “The farther time goes by, the worse state SPE will be put into and we will have Sony go bankrupt in the end. Message to SPE Staffers: We have a plan to release emails and privacy of the Sony Pictures employees. If you don’t want your privacy to be released, tell us your name and business title to take off your data.”

Conduct information security risk assessments better, faster and more comprehensively with vsRisk, the leading risk assessment software.

Available in Standalone, Network-enabled or Multi-user.

Leave a Reply

Your email address will not be published. Required fields are marked *