Sony Still Digging Its Way Out of Breach Investigation, Fallout

Sony knew of the vulnerabilities that led to the breach, a noted security expert tells Congress
However, Anonymous says it was not involved in the breach. Through its AnonOps Communications blog, the group's leaders say that Sony was simply "incompetent."

"While it could be the case that other Anons have acted by themselves, AnonOps was not related to this incident and does not take responsibility for whatever has happened," the blog said.

Regardless of who was responsible for the hacking attack, it is clear that Sony and its outsourced investigators and forensics experts have their work cut out for them in the weeks and months to come.

"Typical intrusion analysis involves a formal report at the close of the investigation that details who, what, when, where, and why. This can and should be used as a remediation guide in order to rearchitect the compromised systems to a more secure end-state," Cox says. "This sort of remediation activity typically involves bringing additional technology and personnel capabilities to help fill gaps that were revealed by the intrusion investigation."

However, some within the industry believe that more drastic measures need to be taken to satisfy shareholders and customers enraged by Sony's lack of security measures before the breach. Today the House Subcommittee on Commerce, Manufacturing, and Trade held a hearing on the incident -- in which Sony chose not to participate beyond submitting a letter -- where respected security expert Dr. Gene Spafford of Purdue University noted that Sony knew of the vulnerabilities that led to the breach.

Spafford told the committee members that Sony was using an outdated Apache server that was unpatched and had no firewall installed, a fact that was reported on a forum monitored by Sony employees several months before the breaches occurred.

If true, these claims likely show a culture devoid of security emphasis. It's a common problem in enterprises today and one of the first things that needs to change if organizations are going to truly stem the tide of breached databases, Gossels says. "The only way to improve the situation is that organizations have to institutionalize security in their culture," he says.

As for Sony, the company may well need to clean house and name names in order to re-establish credibility and demonstrate true concern about customer data, says Phil Lieberman, CEO of Lieberman Software.

"I would love to know the name of the auditors responsible for the shoddy IT security audit of Sony, as well as the names of the CFO and CIO of Sony [who] was responsible for these decisions of under investing in security," Lieberman says. "Even better would be to see the CEO and the board toss them out of Sony publicly for not investing in security. That outcome would be justice to the stockholders and customers of Sony. Sony should also publicly fire their IT auditors for doing such a poor job."
