Sony continues to make headlines as one of the most savaged companies ever. Site after site under the Sony banner falls to hackers around the world. The latest one, Sony Brasil was still hacked as of this article being posted.
There was a question posted on Twitter earlier as to who would be daft enough to take a security job at Sony now? Honestly, I would. That is, if I didn’t already like my day job. Seriously, think of the opportunity you could have available to you. For people who love to build a practice from the ground up this is a golden opportunity. Lets be honest this would be an entire tear down (and mass sacking) and I don’t imagine Sony would be daft enough to be tight with a budget after all of this mess. I met a Sony security guy at Black Hat once. Poor bugger.
The folks over a Attrition have a great write up that looks at the timelines of the Sony hacks and raises some interesting questions about the past.
From Attrition:
The backstory about what event prompted who to attack and why will make a mediocre made-for-TV movie someday. This article is not going to cover the brief history of hacks; readers can find details elsewhere. Instead, the following only serves to create an accurate and comprehensive timeline regarding the recent breaches, a cliff notes summary for easy reference.
And I have to agree with Attrition.org…this has nothing to do with APT (advanced persistent threat). This is pure and simple APP (advanced persistent pantsing).
Sony is the best example we have as to why security policy and enforcement is a very important to have ongoing. Sony as a company does not have the framework to avoid future damages, and it’s not a lack of tools, or the implementation of best practices, but the lack of minimum practices.
Any company can fall to sophisticated and dedicated attack, but Sony is proving that it falls even to ADD script kiddies. The only question is why did they last so long from the low hanging fruit seekers to culminate into such persistent PR failpocalypse.