Being qualified for the job does not mean one is prepared

Dec 23, 2014 14:28 GMT  ·  By

Sony Corporation of America (SCA) is looking for a Director of Vulnerability Management Engineering, and the job ad sets the bar at a minimum of ten years of experience in information security, at least five of them in penetration testing or red teaming.

Of course, experience is not the only requirement: the ad also asks for formal education and for specific expert-level skills, especially around advanced persistent threats.

The candidate also needs expert-level knowledge of vulnerability exploitation and countermeasures, remote access Trojans (RATs), and social engineering.

Sony needs a global security overhaul

As far as responsibilities are concerned, the candidate should be prepared to participate in unifying and enhancing Sony’s “global information security architecture, to include a cohesive vulnerability management strategy encompassing all Sony Group companies.”

Other duties listed in the job announcement include developing and refining the global information security standards, guidelines and training, leading highly technical engineers and developers, overseeing the development of vulnerability management systems, and supporting technical assessments.

The role also carries an advisory component: the director is expected to advise internal company services on security architecture and technology implementation, and to lend expertise to global information security priority initiatives.

These shoes are not easy to fill, especially in light of the cyber-incidents the company has suffered in recent years. Sony badly needs a security overhaul if it is to maintain a consistently high security standard across all divisions of the company.

The Sony hack should probably be a clue of what to expect

The announcement comes about a month after Sony Pictures Entertainment (SPE) suffered a serious breach: on November 24 its systems were wiped of data, but not before the attackers had exfiltrated the files.

The attackers, who call themselves Guardians of Peace, told various media publications that they collected about 100 terabytes of data from the company's computers; so far a few hundred gigabytes have been leaked through file sharing websites.

Moving that much data out of a corporate network unnoticed takes time, so it is reasonable to infer that the intruders were present on the company network long before the November incident. Such a long dwell time is characteristic of advanced persistent threat groups.

At the moment, Sony appears to be trying to keep the stolen confidential information from resurfacing online, and has begun sending legal notices to media outlets, Twitter, and individual users for disseminating information from the leaked emails.

The scandal itself should not weigh on the new Director of Vulnerability Management Engineering, since it has already played out, but it does give a clear picture of what the job entails if incidents of this kind are to be prevented in the future.