'Sony doesn't understand security': Why PlayStation Network is such an attractive target for hackers

Sony's poor reputation for security and the prestige of taking down a gaming giant attract hackers

Sony's PlayStation Network (PSN) has once again been hit by cyber vandals, with the service - which serves as the backbone of the PlayStation 4 online ecosystem - recently brought down in a distributed denial of service (DDoS) attack.

PSN wasn't the only gaming service targeted by hackers, with Microsoft's Xbox Live and Blizzard's Battle.net both reportedly victims of attack. However, when it comes to cyber attacks in the games industry, it's arguably Sony that always comes out worst off.

Hackers previously exposed Sony's poor security practices in 2011 when personal details about millions of PSN users were stolen, an incident that knocked the service offline for almost a month - and even saw Sony admit that the personal data it was holding on its customers wasn't even encrypted.

The latest attack was carried out by hacker group "Lizard Squad", which appears to have perpetrated it to highlight its belief that cyber security at Sony remains weak.

"Sony, yet another large company, but they aren't spending the waves of cash they obtain on their customers' PSN service. End the greed," the group said in a post.

The fact that Sony has once again seen its service taken down has drawn strong condemnation from experts, including Dr Kevin Curran, senior member of IEEE and a senior lecturer in computer science at the University of Ulster. He told Computing: "Sony does not understand security".

He continued: "Data theft of personal information of 70 million PlayStation Network members still annoys those of us involved in the security industry."

He suggested that Sony's poor response to the initial PSN hack still makes it an attractive target for hackers.

"They basically had no encryption worth mentioning on those records, it was simply incredible how poorly they protected those records. They also had a terrible PR response to the situation and I honestly believe many hackers have not forgotten that," said Dr Curran.

TK Keanini, chief technology officer at network security company Lancope, agreed. He argued that Sony still has yet to fully learn the lessons of the extensive 2011 PlayStation Network hack.

"Security is a business-level commitment, much like safety or quality: it requires all levels of the organisation to change and do things different. For whatever reason, PSN is not there yet despite their high-profile history of security breaches," he told Computing.

He added, though, that he expects Sony to eventually solve its security issues. "I'm certain they will get there over time because they must. The users are counting on them to 'co-evolve' and remain resilient to these threats. They need to level up."

Keanini argued that this is specifically the case for a network like Sony's, which not only stores personal details, such as names and dates of birth, but also debit and credit card numbers, therefore making it a top target for cyber criminals.

"Regarding the cyber-crime networks, the personal and financial data that each individual must disclose to be a part of the PSN network is right up there with your bank. The reason is that PSN is a marketplace and in order to be a part of it, you must have a way to pay for things which range from credit cards to credits you can buy at retailers," he said.

Keanini also suggested that services like PSN will always be a high-profile target for hackers because if the service is disrupted in any way, the furore this causes among users can be a great source of prestige within the hacking community.

"Regarding the 'hacktivists' or threat actors who want to make a point and be very public about that statement, every time PSN has problems, not only does it make the news but every single gamer who is hyper-connected and extremely active on social networks will amplify the message," he said.

So, what does Sony need to do in order to protect itself from threats in future? Ashley Stephenson, CEO at Corero Network Security, argued that Sony needs to ensure it has both the products and people required in order to prevent further attacks on PSN - or minimise impact if defences are breached.

"There are two very practical initiatives that every business should consider to improve their defensive posture to internet-borne threats," he told Computing.

"First, invest in proactive technology capable of mitigating DDoS attacks and cyber threats to prevent them from achieving their goal of disrupting or compromising the business," said Stephenson.

"And secondly, ensure that the corresponding emergency response teams and plans are developed and put in place before the disruption caused by an attack strikes the organisation."