Sucker for punishment? Join Sony's security team

Sony is seeking a steely-willed vulnerability management director in the wake of its thorough hosing by unknown attackers. The beleaguered media giant posted an online advertisement Friday seeking a security bod boasting a decade's hacking experience to, among other things, "Unify and enhance Sony’s global information security …

  1. Mark 85 Silver badge

    Better late than never, or horse gone now we can lock the barndoor?

    I'm not sure what they're doing though I would hope that other companies take things a bit more seriously than Sony did.

  2. Ole Juul

    No cure

    It's in their culture. When I read something like the following, I can't help but thinking that Sony does not, and is likely to never, take any responsibility for themselves.

    The company's also tossed a sueball at Twitter, asking it to remove Tweets containing screenshots of purloined documents or face future action over any losses Sony incurs.

    In other words, they don't get it. In the corporate world there's no cure for that.

  3. Mitoo Bobsworth
    Trollface

    "... face future action over any losses Sony incurs"

    If that means not making anymore overblown and underwhelming movies, I won't be upset.

    1. Anonymous Coward

      Re: "... face future action over any losses Sony incurs"

      It also potentially involves thousands of innocent job losses, 10x in indirect jobs, TV shows you probably didn't even know were made by Sony (Breaking Bad for example), not to mention all their other divisions that generally make very good hardware (Sony's current lineup of cameras destroys anything by Canon and Nikon), of course the PS4, then there is the medical imaging equipment. Let's hope you don't ever need medical imaging diagnostics by Sony equipment. What will you do?

      Your idiotic comment is typical of many. Someone told you all Sony movies were trash, and you were too lazy to actually see if it was true, or any different from any other movie studio's output (it's not. They all produce shite, as guess what, idiot consumers like shite...)

      1. gazthejourno (Written by Reg staff)

        Re: Re: "... face future action over any losses Sony incurs"

        Try looking at the icon before biting.

      2. Mitoo Bobsworth

        Re: "... face future action over any losses Sony incurs"

        Someone's had far too much coffee today!

  4. DryBones

    This is mean and bad for the workers and all, but I cannot stop laughing. How much is it going to take for these companies to realize that hey, they should be proactive, not reactive about their security. The very fact that they are looking for these people NOW, seems like it opens them up for gross negligence suits.

    1. Tom 35 Silver badge

      They had to make the Wall St. raider happy

      Even after the example of the PlayStation hack, they cut security staff to a few plus a bunch of managers. But it's all OK, the raider has already cashed out so everything is fine.

  5. Captain DaFt

    It's like advertising for a maid to do general housekeeping because the house has been bulldozed, innit?

    1. SolidSquid

      More like looking for a painter/decorator after your house was drowned for the building of a dam

  6. John Savard Silver badge

    The First Step

    Replace Microsoft Windows on your computers. And avoid Macintosh and Linux as well.

    Write your own operating system, with no vulnerabilities!

    If you can't license OS/2 as a starting point, or OpenVMS, then start from BSD.

    1. RankingRoger

      Re: The First Step

      Actually, out of all the noise on the Sony Pictures hack, only one single story has anything I agree with, a cheap and easy way for companies of all sizes to reduce the risk to virtually zero (as zero as it can be in an online connected world). It's this one...

      http://philstephens.com.au/security-for-google-drive-businesses/

      Downvote me all you want, as you despise Google or whatever. But for anyone that's got any knowledge of security, there are some very compelling arguments this guy mentions, and I firmly believe had Sony Pictures used this (of course, with enforced 2-factor auth group policy), they would not be seeing their current security problems.

      1. Robert Helpmann?? Silver badge
        Childcatcher

        Re: The First Step

        No, what the article describes is basically offshoring your data center. It offers no more security than the example with which he contrasts the use of Google's services, with the added illusion that everything will be handled by Google. Additionally, while conventional data centers offer a well-known set of challenges and requirements, people who are not up to properly managing a data center are apt to be equally ill-prepared to analyze the requirements of cloud-based data services. To paraphrase, "There are ways to put the absolutely most secret things on local servers. They just require a little work to secure."

  7. Tom 35 Silver badge

    Yes it's very clear

    They need more management.

    vulnerability management director... that should impress the board.

  8. Pascal Monett Silver badge

    "face future action over any losses Sony incurs"

    I'm sure Twitter must be quaking in its boots. I wonder if they will have any difficulty proving to a judge that any losses incurred by Sony are Sony's fault entirely, and Twitter should counter-attack with a libel charge for being accused of having a hand in Sony's abysmal stupidity.

    Bring it on, Sony. You have a bigger lawsuit warchest than you have for security, so go and prove that you are indeed as stupid as you look now.

    Frankly I'd like a lawsuit to be filed, just to be able to read how a judge punted it out of the courtroom and fined Sony for contempt of court.

    Man I wish that could happen.

  9. Anonymous Coward

    LOL

    Sony could have hired (enough / the right) people when it had a nonzero reputation. Too late now.

  10. John Brown (no body) Silver badge

    "five year's red-teaming experience,"

    Oh crap. I only ever played on the blue team. No point in applying then :-(

    1. SolidSquid

      Re: "five year's red-teaming experience,"

      Looks like red-teaming is when you target your own company as if you were an outside aggressor, I'm guessing with the blue team being the guys who make up the company's defence team.

      1. P. Lee Silver badge

        Re: "five year's red-teaming experience,"

        Red teaming is OK, but it shouldn't be your emphasis. It assumes your team can find all the things everyone on the internet might find, which is a poor assumption. Far better to get the architecture and procedures right.

  11. Bronek Kozicki Silver badge

    that's what I call

    ... challenging work conditions.

    1. Grikath

      Re: that's what I call

      Challenging? An exercise in futility, since you know that somewhere someone up the corporate ladder will insist that he should still be able to.... Unless they authorise the use of the cattle prod for all IT personnel it's ...well... hopeless..

  12. Anonymous Coward

    Idiots. NEVER employ hackers.

    Employing hackers to handle your security is not a wise move. By being a hacker, they have shown they are irresponsible. You p1ss them off, they will turn on you.

    You are also setting a very dangerous precedent that rewards hacking with lucrative jobs.

    It's an ex-Sony employee that started all this. They might not have turned the ignition, but they stole the keys...

  13. Glenn 6

    1) Keep rank-and-file employees off the internet.

    2) Only allow access to an approved list of websites, to an approved list of people.

    3) People are too stupid to know not to open every bloody URL sent to them, therefore, see steps 1 and 2.

    There, can I get paid now?

  14. Christian Berger Silver badge

    "Unify and enhance Sony’s global information security architecture"

    From all I hear, one of the problems was that Sony had a very uniform computing architecture. How else could some malware infect nearly all of their systems? If systems were different in every department, the chance of a worm spreading between them would be a lot slimmer.

  15. Kay Burley ate my hamster
    Joke

    Sony was also seeking an incident response manager in a job offer posted prior to the hack.

    #InsideJob

  16. Mike 137 Bronze badge

    The obvious wrong answer

    This is a classic example of the exact opposite of what is really needed. The prevalent technocentric approach to infosec has got us where we are, so doing more of it will not improve our state of security.

    What is really needed (and in my experience as a security consultant is almost universally missing) is a robust security management framework consisting of [1] a strategy that defines the security priorities of the organisation in terms of risk, [2] tactics for addressing the priorities, and [3] operational processes that fulfil the requirements defined by the tactics and strategy. The framework essentially needs to include monitoring and feedback to ensure that [a] perceived risk continues to accurately represent reality as things change, [b] control objectives have a realistic chance of protecting against threats, and [c] controls actually work.

    Appointing techie "hackers" to oversee the security of a vast corporate (or indeed a government, as we seem to be doing here in the UK) is about as useful as appointing a bricklayer (however skilled) to oversee the building of a city.

    We need to wake up to the reality that information security is primarily a problem of business process management. Yes, we can be attacked via technologies and we use technologies extensively to protect ourselves, but as in the case of JP Morgan (http://www.theregister.co.uk/2014/12/23/jpmorgan_breach_probe_latest/) it's in BAU management that the weaknesses mostly manifest themselves.

  17. Tree

    Re: The First Step

    Stopping use of Windows is most important, but disconnecting internal computers from internet-facing computers is very important. Using encryption to send messages and other files is necessary as well.

Biting the hand that feeds IT © 1998–2019