For example, if you try and submit javascript tags to my websites, they'll just drop the connection. SQL injection attempts (at least, very obvious ones) are also logged and dropped.
There are commercial hardware devices that'll do the same sort of thing modsecurity does - I guess it's being suggested Sony didn't use any, which IMHO is very stupid.
If you look at the definition of firewall, modsecurity seems to fit it: "A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications." I don't think the term is being abused, just used in a way that people aren't familiar with. Most people seem to think a firewall is only a network (IP or Ethernet) level device.
Unless the attacker would be able to get root on the box via a privilege escalation vulnerability, they would not be able to disable a firewall that blocks access to ports other than 80.
"Sony said it has added automated software monitoring and enhanced data security and encryption to its systems in the wake of the recent security breaches."
sounds like they have thrown a substantial amount of money (instead of skills) into the problem.
A firewall might not have stopped the attackers from owning the web server, but a proper firewall or set of firewalls could perhaps have stopped the attackers from getting PAST the web server.
For example, HTTP traffic can be inspected to identify threat signatures. A firewall or IDS can be configured to drop packets from a threatening IP address after an attack signature has been identified.
An attack signature might be a blacklisted URL, e.g. /cgi-bin/mail.pl, or it could be a SQL injection attempt, or a buffer overflow attempt, or a DDoS attempt.
The idea is to prevent this traffic from ever reaching the web server machine.
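The signature-based inspection described in this comment, and the drop-the-connection behaviour the modsecurity comment above describes, as an added example that is not code from the thread or from the ModSecurity project: a small HTTP request filter in Python. It URL-decodes the request target, checks it against a handful of constructed rules (a blacklisted path, a script tag, an obvious SQL injection pattern), logs the hit, and then drops every later request from the same client address. The rule names, patterns, sample requests and client addresses are all constructed for illustration; the patterns are deliberately simple and are not ModSecurity's rule language.

```python
import re
import urllib.parse
from dataclasses import dataclass, field

# Constructed rule set for illustration only: (rule name, pattern applied to the
# decoded request target). Real WAF rule sets are far larger and more careful.
RULES = [
    # the blacklisted URL from the comment
    ("blacklisted-path", re.compile(r"^/cgi-bin/mail\.pl(\?|$)", re.I)),
    # an HTML script tag anywhere in the request target
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    # the most obvious SQL injection shapes: quote + OR/AND tautology,
    # UNION SELECT, or a stacked DROP TABLE
    ("sql-injection", re.compile(
        r"(?:'|%27)\s*(?:or|and)\s+[\w']+\s*=\s*[\w']+|union\s+select|;\s*drop\s+table",
        re.I)),
]


@dataclass
class Filter:
    """Per-deployment state: blocked client addresses and a hit log."""
    blocked_ips: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def inspect(self, client_ip, request_line):
        """Return ("allow", None) or ("drop", reason) for one request line."""
        # A client that already tripped a rule is dropped without inspection,
        # which is the "drop packets from that IP afterwards" behaviour.
        if client_ip in self.blocked_ips:
            return ("drop", "ip-blocked")
        try:
            method, target, _version = request_line.split(" ", 2)
        except ValueError:
            return ("drop", "malformed")
        # Decode twice so a double-encoded payload is seen the way the
        # application would eventually see it.
        decoded = urllib.parse.unquote(urllib.parse.unquote(target))
        for name, pattern in RULES:
            if pattern.search(decoded):
                self.blocked_ips.add(client_ip)
                self.log.append((client_ip, name, request_line))
                return ("drop", name)
        return ("allow", None)


def demo():
    """Run constructed sample requests through a fresh Filter."""
    f = Filter()
    samples = [
        ("10.0.0.1", "GET /index.html HTTP/1.1"),
        ("10.0.0.2", "GET /cgi-bin/mail.pl?to=x HTTP/1.1"),
        ("10.0.0.2", "GET /index.html HTTP/1.1"),   # same client, now blocked
        ("10.0.0.3", "GET /search?q=%3Cscript%3E HTTP/1.1"),
        ("10.0.0.4", "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1"),
    ]
    return [(ip, f.inspect(ip, line)) for ip, line in samples], f.log


if __name__ == "__main__":
    decisions, log = demo()
    for ip, decision in decisions:
        print(ip, decision)
    print("logged hits:", log)
```

Note the trade-off the thread hints at: a filter this blunt will also drop legitimate requests that happen to contain a quote followed by "or", so a real deployment tunes the rules against its own traffic and logs before it blocks.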
Also, re: blacklisting DDoS...hahaha, against a real botnet, good luck with that. I could take down RioRey in 30 seconds if I wanted to right now (google "slowloris.pl") by myself. Kind of hilarious seeing as they sell DDoS protection. All the DDoS prevention in the world can't stop crazy traffic with real-world-emulating usage patterns. It literally is indistinguishable from legitimate traffic if done correctly...just ask paypal.
Also, did they never do a security audit??
Given what I know about Sony as a game developer, I would not be even remotely surprised to learn that they've never done a security audit.
Getting people to /allow/ you to patch servers is like pulling teeth. Seriously.
If the OS itself is so far out of date that you can hardly find patches for it anymore, the issue is even worse.
The mere specter of something possibly breaking is usually reason enough in many people's minds to not prioritize security updates, or in some cases, flat out disallow them.
Sadly.
Edit: keep in mind that this is anecdotal, I'm sure there are companies that patch their servers properly.
If they're running RHEL (which is likely), the version number doesn't mean anything, since Red Hat backports all security patches.
http://republicans.energycommerce.house.gov/Media/file/Heari...
Quote:
In the Sony case, the majority of the victims are likely young people whose sense of risk, privacy and consequence are not yet fully developed, and thus they may also not understand the full ramifications of what has happened. Presumably, both companies are large enough that they could have afforded to spend an appropriate amount on security and privacy protections of their data; I have no information about what protections they had in place, although some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk.