Monday, May 30, 2011

Sony CEO Stringer Unaware of Attack 3 Years Ago and Still Surprised by April Attack


Here we go again. I previously wrote about Sony’s failure to inform customers of a data breach in reasonable time, and then subsequent failure to notify customers directly, by email, of their remedies. Since the April data breach, the theory behind the attack is that hackers were seeking revenge for Sony suing hackers who modified their system (modifying or unlocking a console is considered hacking). It is also known that Sony did not have an effective firewall in place to defend the PlayStation network, and those who wrote on company forums months before the attack noted this. Sony has been bashed in the media and by security experts as not being prepared despite threats of an attack. I recently read “Sony Chief Stringer Blindsided by Hackers Seeking Revenge” by Cliff Edwards, Michael Riley and Joseph Galante. As the title suggests, CEO Stringer is sticking by his claim that the massive hacker attack was a complete surprise.

But… oh but…

“Three years earlier, the company faced three breaches in Europe, including one in which Sony said some PlayStation Network user data might have been stolen.” Since then, evidence proves Sony did not put in a good security defense to prevent or lessen the wounds of a future attack. Another attack has happened since the April attack: the So-net Entertainment Corp. was breached, Sony websites have been down in some countries because they were targeted, and the PlayStation network is still down in some countries. The response from Stringer to the criticism of their security and response to previous attacks:

“Sony believed it had ‘good, robust security,’ Stringer said. He rejected suggestions that the company is paying for a lack of vigilance and said he was unaware of the 2008 intrusion on the PlayStation Network”

This has got to be a joke, a lie, or a complete failure of communication between security and the CEO. How could a CEO be unaware of an attack against his company, which is dependent on a secure online network? Stringer has been CEO since 2005 and I can’t imagine people within the company kept this attack secret. Maybe he’s being sabotaged but, unfortunately, as CEO, he is still held responsible for not preparing his company for an attack. The best security defenses may not have prevented the April attack but Sony cannot cry victim as they put up no padding against the threat of an attack. But Stringer is not done letting you know how surprised he was:

“We have a network that gave people services free, it didn’t seem like the likeliest place for an attack”

“I really don’t think I could apologize for not knowing… It’s a whole new experience for everybody at this scale”

Stringer can completely speak for himself; I’m pretty sure “everybody at this scale”, most executives at a tech company of Sony’s magnitude, are aware of the threat of hackers. The implication that a free service is free from hacking is insulting to the multiple public reports of Wi-Fi networks previously hacked and the lack of care for customers who share information on a free service. Any place online where credit cards are used is a target for hackers.

The biggest blunder of all: despite the ‘08 attack, Sony did not have a CISO or Chief Information Security Officer. They clearly knew they needed one; following the April attack, they assigned one. Kevin Kosh, partner of Chen PR “which represents tech companies” stated “Adding a CISO after the fact is like hiring a bodyguard after you’ve been fatally wounded… It creates an impression that there’s a lack of accountability”. I think he forgot to add: hiring a bodyguard after being wounded once, threatened, and then fatally wounded.

So, after all of this information, this is my point: Sony needs to stop publicly crying. They had time to build up their security. As said, there is no proof they could have prevented an attack but no one will know because Sony failed to do their best to build up a defense. The conclusion after many experts have contributed to articles and testified to Congress is Sony simply failed. Their failure put millions of people’s personal information into the wrong hands and threatened the future of the company. CEO Howard Stringer needs to be quiet unless he has something intelligent to say that cannot be refuted by the evidence many people are now aware of. It is possible that Stringer is actually clueless. If so, he cannot be the CEO of a company that exists in an industry where not knowing will make you vulnerable and fall behind the competition.

P.S. There was more information in the article so please read it if you’re yearning for more info.
