 |
| Image by BankInfoSecurity |
In November 2014, Sony Pictures Entertainment had a Cyber-attack due to the movie “The Interview”, which makes another famous chronicles of data theft activity. Apparently, the hack was informed by blackmails that indicating their compromised systems, stolen data and hackers’ expected demands. It is eventually proved as the North Korean “Guardians of Peace” (G.O.P.) is behind the attack and the consequences might lead to loss of Sony of hundreds of millions, which involves upcoming movie scripts, contract negotiations, salary details for movie stars, and copies of unreleased movies as well as personal details of more than 4,000 previous and current employees in Sony Pictures (RBS, 2014). The financial impacts can be reflected from Figure 1 about Sony’s stock value. Learning lessons from Sony Pictures hack, many outlets also revealed the company with major wealmess with its network security, which contains lack monitoring, corporate devices with incomplete inventory, minimal backup, together with failover capabilities.
 |
Figure 1:
Stock Value of Sony From 25, NOV 2014 – 10, DEC 2014 (RBS, 2014) |
The importance of information security is about preserving confidentiality, integrity and availability of data. While the definition of Information security is the combination of “technologies, standards, policies and management practices”, which can be applied to data to keep the security of it (Silic & Back, 2014). It has raised the public attention while increasingly numbers of organizations are relying on information under the current information era running by advanced technology. Insight Sony’s hack, it is obvious that different network security lessons could be learned via detailed investigation of what Sony could have done differently or what Sony could have improved in its daily operation. Therefore, this report would make an analysis of Sony Pictures’ case from the perspective of importance of information security. First of all, the timeline of whole hack event would be listed. Next, it comes to the similar hacking cases from HBGary Federal, LinkedIn and Anthem for reference. Some specific topics in terms of impacts of security breaches around the real world, difficult attributes to hack, data security, and cloud computing security are introduced and analyzed in detail as well. In the end, there would be some suggestions for Sony to recover from this hack.
II. Background of the Organization
Sony Pictures Entertainment decided to open the film in theaters Christmas Day 2014. November 21, 2014, an email addressed to Sony Pictures CEO Michael Lynton, Chairman Amy Pascal, and other executives made vague references to “great damage” and asked for “monetary compensation” to avoid it. November 24, 2014, a Reddit post appeared stating that Sony Pictures Entertainment had been breached and that their complete internal, nation-wide network had signs that the breach was carried out by a group calling themselves the GOP, The Guardians of Peace. The FBI directed a confidential alert to a number of U.S. businesses cautioning them that hackers have recently propelled a damaging “wiper” malware attack. The hackers claim to have stolen a vast trove of sensitive data from Sony, possibly as large as 100 terabytes of data, which they are slowly releasing in batches.
III. Analysis
Most of the affected customers were left vulnerable to attacks like ransomwares. The employees were the most affected as most of their personal information like salaries, home addresses were exposed to the public. The unreleased movies that were leaked caused the company to lose a lot of money. Emails from different partners that were leaked exposed a lot of personal information about their partners which would result in them terminating their contracts with Sony.
Sony Pictures Entertainment is a company that offers entertainment and helps in publication of media around the globe. North Korea it is country with the most controversial leader. Sony as an entertainment company this means that it has its own databases. The North Korea it is a threat as it had some role to play behind the attack. A lot of crucial data was compromised that include: Unreleased movies, employees, usernames and passwords, sensitive information about Sony’s network architecture, a host of documents exposing personal information about employees, emails from business partners.
The hackers leaked online the intelligence they had breached that is usernames, passwords, and sensitive information about Sony's network architecture and a mass of documents revealing personal information about employees, personal emails from their business partners and unreleased movies. Which left the employees vulnerable to attacks and the company lost millions of dollars.
Most of the affected customers were left vulnerable to attacks like ransomwares. The employees were the most affected as most of their personal information like salaries, home addresses were exposed to the public. The unreleased movies that were leaked caused the company to lose a lot of money. Emails from different partners that were leaked exposed a lot of personal information about their partners which would result in them terminating their contracts with Sony.
In a wide-ranging interview, Lynton, Sony CEO, responded to the isolation and uncertainty created by the attack and the unique position the company found itself in which he stated that “there’s no playbook for an incident such as this” which created greater hardship for Sony in their recovery after the breach. While Sony has reported in an earnings report that the hack would cost Sony $15 million “in investigation and remediation costs” for the quarter to December 31, senior general manager Kazuhiko Takeda stated that Sony would lose $35 million for the full fiscal year through March 3. This hack has also steered the Amy Pascal, one of Hollywood’s most powerful movie executives, stepping down as head of Sony Pictures in the wake of a hacking scandal that stemmed in her private and damaging emails being leaked.
IV. Evaluation
The Sony pictures entertainment should use the framework below to ensure security
- Perform an assessment of data to identity sensitive information that requires the application of encryption and integrity controls.
- Deploy an automated tool on network perimeters to monitor for certain sensitive information (i.e., personally identifiable information), keywords, and other document characteristics to discover unauthorized attempts to extract data across network boundaries and block such transfers while alerting information security personnel.
- Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
- Limit use of external devices to those that have a business need. Monitor for use and attempted use of external devices
- Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content.
- Ensure that each system is automatically backed up at least once a week, and more often for systems storing sensitive information.
- Use multifactor authentication for all administrative access, including domain administrative access.
- Install a SIEM (Security Incident and Event Management) or log analytic tools for log collection and consolidation from numerous technologies and for log correlation and analysis
- Segment the enterprise network into multiple, separate trust zones to provide a more granular control of system access and additional intranet boundary defenses.
- Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors.
- Conduct constant incident situation sessions for personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team.
- With Sony Pictures Entertainment insufficient malware defenses, monitoring, audit logs, encryption, controlled use of administrative credentials, and incident response contributed to the massive breach on the organization. Not only can organizations implement security changes, but they should be able to audit those changes in order to measure effectiveness. For every attack, organizations must learn its deficiencies and establish actionable items to constantly improve. This improvement must be supported by the highest level of the organization with a commitment to maintain security as an attribute of the day-to-day functions. However, just wanting to improve security is not enough. As cybercrimes exists everywhere and this analysis paves way for security specialists to enhance the cyber security within their organizations.
V. References
1. Sans institute journal a case study: critical controls that Sony should have implemented authors: Gabriel Sanchez
2. http://www.wsj.com/articles/sony-pictures-hack-reveals-more-data-than-previously-believed-1417734425
3. Sans institute journal a case study: critical controls that Sony should have implemented authors: Gabriel Sanchez
5. http://www.bbc.com/news/entertainment-arts-30512032
6. Rushe, D. (2015, February 5). Amy Pascal steps down from Sony Pictures in wake of damaging email hack | Film | The Guardian. Retrieved from http://www.theguardian.com/film/2015/feb/05/amy-pascal.
