A Lesson Not Learned: Sony Was Bound to Be Hacked Twice


Long before Sony Pictures Entertainment revealed in November that it had been hacked by a group calling itself the Guardians of Peace, another division of Sony had already been hit by cyber attackers.

Between April and May 2011, Sony Computer Entertainment’s online gaming service, PlayStation Network, and its streaming media service, Qriocity—plus Sony Online Entertainment, the company’s in-house game developer and publisher—were hacked by LulzSec, a splinter group of Anonymous, the hacker collective.

The online services were shut down between April 20 and May 15 as Sony attempted to secure the breach, which put the sensitive personal data for over 100 million customers at risk. The chief executive of Sony Computer Entertainment America at the time, Kazuo Hirai, wrote the following on the PlayStation blog:

“We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer (CISO).”

Hirai is now president and CEO of Sony.

Philip Reitinger was appointed CISO of Sony Corporation America in September 2011, shortly after that year’s breach. This September, he left Sony to start his own security consulting business, VisionSpear. John Scimone replaced him.

Globally, Sony has more than 140,000 employees and more than 100 subsidiaries. “Not only did Reitinger have his hands full,” says Gary S. Miliefsky, CEO of cyber security firm SnoopWall, “but some people say that his team could not manage all the corporate network ‘touch points.’ So there was no centralization of security events information management.” Reitinger’s departure this year also created a security leadership gap at Sony when the company needed it most, Miliefsky adds.

Sony Computer Entertainment and Sony Pictures Entertainment declined to comment.

Sony learned a lot of painful lessons from the 2011 breach, says Lewis Ward, research director for gaming at the market research firm IDC. The company reported a hard cost of $171 million, but Ward estimates that the hack ended up costing Sony more than $250 million through the end of 2012 as it worked to clean up the mess and reinforce its defenses. “On the gaming side, nothing like the PlayStation Network attack had happened before, or has happened since,” he says. “It was unprecedented in gaming.”

Sony and Microsoft have experienced smaller breaches of their online gaming networks since 2011, including another PlayStation Network attack in October 2011 and a PlayStation Store attack earlier this month. But the April 2011 attack stands alone for its size and scope.

That’s because the PlayStation Network suffered multiple kinds of attacks, Miliefsky says. One was a classic data breach—the release of otherwise secure information. The second was a distributed denial-of-service attack, or DDoS, that left the network inaccessible to gamers. Sony has since improved its stance against both attack types—for example, it’s now a strong partner of Amazon Web Services, the dominant cloud computing player, improving its odds against a DDoS—and Hirai has improved collaboration across Sony’s many divisions since taking the company’s top job.

But there’s one major factor that prevented Sony from better using those 2011 lessons in 2014: organizational structure. The company has long had a reputation for operating in silos, says Michael Pachter, a video game analyst at Wedbush Securities, and no silo is more isolated than Sony Pictures Entertainment. “It’s the [Sony] movie guys who don’t talk to anybody,” Pachter says. “They learned nothing from the PlayStation Network breach. I don’t know the movie guys, but the game people have been very friendly and open-minded and would love to work with the Sony movie guys.”

This type of corporate structure is hardly limited to Sony, but it helps explain why such a challenging period in 2011 didn’t better prepare the company to avoid a similar scenario in 2014. “Most organizations are in silos,” says Tim Eades, CEO of the security company vArmour. “They need a better sharing and collaboration solution in security between their divisions and their supply chain. If Sony had that, it would have been stronger.”

The problem? Sony didn’t address its organizational issues fast enough after the 2011 hack, Miliefsky says. “From that moment on, their CIO should have implemented corporate-wide protection measures and beefed up info-sec training for employees that would be standardized across the organization,” he says. “The tools and techniques they decided to use to protect the public-facing PlayStation Network were a reactive approach—‘We were attacked at point X by Y, so let’s defend point X with tools to stop successful exploitation by these kinds of Y attacks.’ It was completely reactive, not proactive.”

It’s a particularly knotty issue for a company as large as Sony. “The attack surface that Sony has is vast and requires significant investment and, unfortunately, time to deploy,” Eades says.

The email correspondence that leaked in the wake of the recent hack showed that Sony Pictures Entertainment may have been operating without adequate protection against phishing attacks and remote-access Trojans, and without adequate password management policies, proper use of encryption, data storage, and backups, Miliefsky says.

“Ultimately, SPE was wide open,” Miliefsky says. “They probably had a firewall and antivirus and told their CISO ‘everything is safe and secure over here,’ if that conversation even happened. A proper inventory control, vulnerability assessment, and employee training at SPE would have revealed much to the CISO.”

Sony has improved its internal coordination, thanks to both Hirai’s leadership and the return of Andrew House as president and Group CEO of Sony Computer Entertainment, Pachter says. For example, Sony Pictures Television is currently filming the original live action television series, Powers, for the PlayStation Network. But the budding synergy between divisions wasn’t enough to stop the most recent cyber attack against Sony, says P.J. McNealy, CEO of the market research firm Digital World Research.

In 2011, Sony Computer Entertainment worked hard to win back the trust of its gaming customers, and today it leads both Microsoft and Nintendo in the gaming console market with its PlayStation 4. “Consumers are quick to forgive on this front because at the end of the day it’s an entertainment product,” McNealy says. “I was surprised at how quickly the user numbers spiked back after the patch was fixed and the network went back online [in May 2011]. Consumers are accepting that this is the new world we live in, where hacks take place.”

Experts agree that while Sony’s reputation is suffering in the wake of the most recent attack, it is hardly the only company at risk from such issues.

“Can any corporation really firewall itself to be invulnerable to attacks today?” McNealy asked. “We’ve now seen hackers breach major corporations and major retailers. Everyone’s a target for hackers. There’s been a real shift in the hacking community from unleashing viruses through emails on select holidays to attract headlines 10 years ago, to trying to grab personal data and information.”

Joseph Demarest, assistant director of the cyber division of the Federal Bureau of Investigation, earlier this month declared to members of Congress that 90% of businesses could not have stopped the Sony Pictures Entertainment attack.

“I agree with that number,” Miliefsky says. “But the real issue is today’s security posture and employee training. The biggest weakness at Sony Pictures Entertainment was the employees. If you can’t train them to behave better, then what can you expect but another successful breach?”

(Fortune China)