Ars:
The malware that thoroughly penetrated Sony Pictures Entertainment was so sophisticated it likely would have worked against nine out of 10 security defenses available to companies, a top FBI official told members of Congress.
So...I don't think there's really enough information there to form a conclusion.
"Would have gotten through 90% of defense mechanisms" isn't really a meaningful metric. Suppose that Sturgeon's Law holds and 90% of defense mechanisms are crap?
The last paragraph of the article sounds a lot like what Brent just said:
The comments don't sit well with some security professionals, who say they appear to allow Sony to hide behind a veil of persistent threats posed by determined and well-resourced hackers. While successful hacks happen to just about everyone, careful planning can often contain the damage they inflict and limit the data available to people who gain unauthorized access. So far, Demarest, Mandiant, and Sony have declined to provide any specific details about exactly what makes the malware "unprecedented."
It may be a while before we know precise technical details. Occam's Razor says Sony Pictures just got caught with its pants down again.
Regardless of how the data was obtained, it does appear that there were several obvious mistakes Sony made:
1. Treating E-Mail like it's private. E-Mail is not private. It is trivial as fuck for someone else to read your E-Mail.
2. It sure sounds like confidential data (like SSNs) was stored in cleartext. Or, if it WAS encrypted, my guess is the people with access to it didn't use strong passwords.
3. It sure doesn't sound like data was separated properly. A single attack appears to have simultaneously compromised E-Mail, employee records, and unreleased movies. Is there a reason why having access to a server that's storing one of those things should give you access to the server(s) storing the other two? How many people are there in the company who need to have access to all three of those things?
I think Brent's on the money when he says even the most secure system can be compromised and it's more a question of minimizing the damage if it is. Sony sure doesn't seem to have done the latter, and the problem with the former is that the logical conclusion of "it can happen to anyone" is to excuse even the poorest of security measures as if there's no reason to try.