A security audit of Sony Pictures Entertainment’s computer network conducted just months before hackers unveiled a devastating cyberattack against the company showed gaps in the way the company monitored its systems.
This raised a red flag for the auditors, who said it could slow Sony’s response to a problem.
“Security incidents impacting these network or infrastructure devices may not be detected or resolved timely,” warns PriceWaterhouseCoopers, which conducted the audit from July 14 to Aug. 1.
The confidential report, dated Sept. 25, was among Sony Pictures General Counsel Leah Weil’s email correspondence, which hackers released to public file-sharing networks earlier this week. It included recommendations for bolstering security.
The report, obtained by Re/code, was independently verified by a person familiar with the matter.
The revelation that the studio knew of its network vulnerabilities comes as Sony struggles to recover from a crippling attack on Nov. 24 that resulted in the public disclosure of scores of personal emails, budgets, salary information and other previously private documents. In all, a hacker group calling itself Guardians of Peace claimed to have stolen under 100 terabytes of data.
Sony Pictures told law enforcement it is worried the studio might fall victim to another round of cyberattacks after it releases the film “The Interview” on Dec. 25, Reuters reported. Re/code first reported on Nov. 28 the studio explored the possibility that North Korea was behind the attack.
Investigators are evaluating whether the attack on the studio was in retaliation for the film, a comedy starring Seth Rogen and James Franco about a CIA-backed assassination attempt on North Korean leader Kim Jong-Un.
Months before the Guardians of Peace announced its attack on studio, auditors had been asked to evaluate unspecified security incidents at Sony Pictures, according to the audit. The investigation focused on inner workings of computer security procedures such as incident notifications and tracking, essentially keeping track of problems that might indicate a security breach is underway.
Auditors found that since transitioning from a third-party vendor in September 2013, Sony Pictures had failed to notify the corporate security team to monitor newly added devices, such as web servers and routers.
Studio management told the auditors its corporate security team is focused on bolstering devices on the perimeter of Sony’s networks and that it hasn’t applied “the same level of rigor” for other, non-security devices such as routers and web servers. The document doesn’t go into detail as to why a different standard was applied.
By the end of July, Sony Pictures provided a current inventory of all devices to be tracked.
Auditors also found that Sony Pictures failed to reconcile the list of security devices its corporate team should have been monitoring with those it was monitoring. As a result, they might have missed additional devices being added to or removed from the networking, adding that “critical security devices may not be monitored.”
Sony Pictures’ in-house staff pledged to develop a process for keeping track of its devices by Oct. 31 — barely a month before hackers made their presence on the studio’s corporate network known.
A spokesperson for the studio declined to comment on the audit report. A PwC auditor who received the report did not respond to interview requests.