Case Study 2

On November 24, 2014, Sony Pictures Entertainment found out it had been hacked.
The hackers were able to penetrate Sony systems and networks and take over 100 terabytes of
company information, including trade secrets, email, and personnel records. Several Sony Twitter
accounts were also taken over. The hackers then installed on Sony's computers a piece of
malware called Wiper, which erased data from the company's servers and PCs. Investigators
concluded that the hackers spent more than two months, from mid-September to mid-November
2014, mapping Sony's computer systems, identifying critical files, and planning how to destroy
computers and servers. The malware made many Sony employees' computers inoperable and full
recovery difficult or impossible, slowing down company operations. Sony shut down its internal
computer network to prevent the data-wiping software from causing further damage, forcing many
employees to use paper and pen. Systems from which the company generates revenue, including
those involved with marketing and distributing films and TV shows, were the first to be restored.

The hackers, who called themselves the Guardians of Peace, released some of the stolen
information to the public and threatened to release more. That information included very
confidential and potentially embarrassing tidbits about Sony staff; partners; Hollywood stars,
including Sylvester Stallone, director Judd Apatow, and Australian actress Rebel Wilson; and
President Obama. Confidential personal information about employees such as names; addresses;
47,000 Social Security numbers; and financial details was also stolen. The personal data, along
with contracts and other sensitive Sony documents, were posted on file-sharing networks such as
BitTorrent. The hackers also posted five Sony films to online file-sharing sites, including Brad Pitt's
Fury and a remake of the musical Annie. These films had not yet been released, so the hackers
were essentially giving them away free before Sony could bring them to market. Sony quickly
organized internal staff to deal with this problem and contacted the FBI and the private security
firm FireEye to find ways to protect employees whose personal data had been exposed by the
hack, repair the damaged computers, and hunt down the hackers.

The attack may have been
motivated in part by Sony's plans to release a film called The Interview about two bumbling TV
reporters trying to assassinate North Korean leader Kim Jong-un. North Korean officials had
previously expressed objections to the film at the United Nations. A December 16, 2014, message
from the Guardians of Peace threatened terrorist actions at theaters showing the film. Sony pulled
the film from theatrical release the next day, and a number of U.S. theater chains announced they
would not screen the film.

U.S. government officials stated on December 17 that they believed the
North Korean government was involved with the Sony hack, pointing to North Korean hackers'
previous use of similar malicious hacking tools. There were similarities in specific lines of software
code, encryption algorithms, data deletion methods, and compromised networks. The attack code
was written on machines set with Korean characters as the default during Korean peninsula
working hours, and the types of remote servers used in the Sony hack have been linked to those
used by other breaches attributed to North Korea. The FBI found several IP addresses associated
with the malware that originated within North Korea. Because the North Korean government
controls all Internet access in that country, the government is thought to have played some role in
the attack. North Korea's news agency KCNA denied that country's involvement. Nevertheless, the
United States stepped up its economic sanctions against North Korea.

U.S. Secretary of
Homeland Security Jeh Johnson released a statement asserting that the cyberattack against Sony
wasn't just an attack on the company; it was also an attack on freedom of expression and the way
of life in the United States. Many saw the threats to Sony over The Interview as endangering free
speech. Several Hollywood filmmakers and actors, including Ben Stiller, Rob Lowe, Jimmy
Kimmel, and Judd Apatow, voiced their opposition to Sony's decision to pull the film. Peter Singer,
a cybersecurity strategist at the New America Foundation, warned that Sony's action set a
disturbing precedent because it signaled to attackers that they can get all they want and even more.
President Barack Obama called Sony's decision to cancel release of The Interview a mistake and
urged the entertainment industry not to succumb to self-censorship.

Cybersecurity experts and
members of the press, including Kurt Stammberger from cybersecurity firm Norsk, Kim Zetter from
Wired magazine, CloudFlare researcher Marc Rogers, and former hacker Hector Xavier
Monsegur, believe North Korea lacks the infrastructure to handle downloads of 100 terabytes of
data, and such actions would have had to go on for months or years without anyone noticing.
Stammberger told the FBI that the hack was probably an inside job, initiated by six disgruntled
former Sony employees who had the knowledge and motive to access secure parts of Sony
servers. Others have suggested that an outside group mimicking North Korean hackers was
responsible.

Sony had suffered a massive data breach before. In April 2011 hackers were able to
obtain personal information, including credit, debit, and bank account numbers, from over 100
million PlayStation Network users and Sony Online Entertainment users. It was one of the largest
single data breaches in Internet history. To prevent that from happening again, Sony beefed up its
security, paying more attention to encryption and outdated software versions. Nevertheless, the
company was hacked again, and this attack is believed to be worse, perhaps the worst attack to
date in corporate history. This time, it appears that the hackers exploited a previously undisclosed
zero-day vulnerability in Sony computer systems that gave them unfettered access to its networks.
These flaws are usually the result of errors made during the writing of the software, giving an
attacker wider access to an organization's systems and providing a platform for staging larger-
scale intrusions. Often the vulnerabilities remain unknown to the organization that created the
software. Details have not yet emerged about exactly which piece of software or system was
compromised.

The New York Times reported that spear phishing attacks involving malicious code
were inserted in Sony email attachments in September. Spear phishing email messages appear to
come from someone known to the recipient, such as a friend or fellow employee. If an unknowing
recipient clicks a link in the email, malicious code can be inserted in a computer system.
Apparently, Sony was experiencing spear phishing attacks in early September, but those attacks
did not look unusual. In retrospect, investigators realized that hackers had stolen the credentials of
a Sony systems administrator, which allowed them to move freely inside Sony's systems. That type
of attack has been used before to exploit zero-day vulnerabilities. Spear phishing can be difficult to
detect and prevent by using only firewalls. Users have to be vigilant and sensitive to signs that
email is not authentic. Some experts also believe the hackers may have employed a SQL
injection attack, in which the attacker executes unauthorized SQL commands by taking advantage
of insecure code on a system connected to the Internet. SQL injection attacks are used to steal
information from a database from which the data would normally not be available or to gain access
to an organization's computer systems. SQL injection attacks can be thwarted by encrypting data,
and Sony may have neglected to do this for key pieces of data.

Doug Stone, president of film
newsletter Box Office Analyst, believes that Sony lost $120 million in U.S. and foreign box office
revenue from not releasing The Interview as well as tens of millions already spent on marketing.
Sales of this film to DVD, streaming video services, and some theaters in the future will not make
up for this. Sony will also lose revenue from the five films yet to be released that hackers
downloaded to online file-sharing services. According to a Carnegie Mellon University 2011 report,
such leaks can cost companies up to 19 percent of the revenue they would have otherwise
generated just on box office sales. Four former employees have sued Sony for not protecting their
private information from hackers. The lawsuits seek class-action status on behalf of the nearly
50,000 Sony Pictures employees whose Social Security numbers and other private data were
exposed. Legal experts expect more cases to be filed over the data breach in the future. Sony has
set aside $15 million to deal with ongoing damages from the attack; this may not be enough.
Difficult to estimate are the losses Sony will experience from its damaged brand image and
reluctance of actors and others in the film industry to work with Sony again. The company has
tightened information system security again, using redundant solutions to prevent similar data loss
or hacks in the future, but will this be enough?

According to Kevin Mandia, who heads the
Mandiant security firm hired to investigate the breach, the 2014 attack was one for which neither
Sony nor other companies could have been fully prepared. Mandia believes the software used in
the attack against Sony was undetectable by industry standard antivirus software. In addition, the
scope of the attack was unlike anything he had ever seen because the hackers sought both to
destroy information and release it to the public. The Sony hack exposed many details about the
inner workings of a large and famous company: salaries, health care records, office call lists of
employees in a prominent industry. Security experts could recall no other breach when so much
data on a high-profile company was made public in one data dump. Some also believe the Sony
hack is a harbinger of things to come for all companies. This type of attack would not have been
possible a few years ago. The likelihood of serious breaches is rising, the damage breaches can
cause is going up, and companies will need to spend more money and time on information
systems security to keep the hackers from pulling ahead.

Case Study Questions
1. List and describe the security and control weaknesses at Sony that are discussed in this case.
2. What people, organization, and technology factors contributed to this problem? How much was
management responsible?
3. What was the business impact of the Sony hack? Explain your answer.
4. Is there a solution to this problem? Explain your answer.
5. Explain proactive and reactive cybersecurity.
6. Explain to a Guyanese business (business does not have to be named) what you have learnt
from this case study and why establishing proactive cybersecurity measures is safer than
reactive measures.

The basics of sentences session 2pptx copy.pptx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
Micromeritics - Fundamental and Derived Properties of Powders
Micromeritics - Fundamental and Derived Properties of PowdersMicromeritics - Fundamental and Derived Properties of Powders
Micromeritics - Fundamental and Derived Properties of Powders
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 

Case Study 2 On November 24 2014 Sony Pictures Entertainme.pdf

Case Study 2

On November 24, 2014, Sony Pictures Entertainment found out it had been hacked. The hackers were able to penetrate Sony systems and networks and take over 100 terabytes of company information, including trade secrets, email, and personnel records. Several Sony Twitter accounts were also taken over. The hackers then installed on Sony's computers a piece of malware called Wiper, which erased data from the company's servers and PCs. Investigators concluded that the hackers spent more than two months, from mid-September to mid-November 2014, mapping Sony's computer systems, identifying critical files, and planning how to destroy computers and servers.

The malware made many Sony employees' computers inoperable and full recovery difficult or impossible, slowing down company operations. Sony shut down its internal computer network to prevent the data-wiping software from causing further damage, forcing many employees to use paper and pen. Systems from which the company generates revenue, including those involved with marketing and distributing films and TV shows, were the first to be restored.

The hackers, who called themselves the Guardians of Peace, released some of the stolen information to the public and threatened to release more. That information included very confidential and potentially embarrassing tidbits about Sony staff; partners; Hollywood stars, including Sylvester Stallone, director Judd Apatow, and Australian actress Rebel Wilson; and President Obama. Confidential personal information about employees such as names; addresses; 47,000 Social Security numbers; and financial details was also stolen. The personal data, along with contracts and other sensitive Sony documents, were posted on file-sharing networks such as BitTorrent. The hackers also posted five Sony films to online file-sharing sites, including Brad Pitt's Fury and a remake of the musical Annie.
These films had not yet been released, so the hackers were essentially giving them away free before Sony could bring them to market. Sony quickly organized internal staff to deal with this problem and contacted the FBI and the private security firm FireEye to find ways to protect employees whose personal data had been exposed by the hack, repair the damaged computers, and hunt down the hackers.

The attack may have been motivated in part by Sony's plans to release a film called The Interview about two bumbling TV reporters trying to assassinate North Korean leader Kim Jong-un. North Korean officials had previously expressed objections to the film at the United Nations. A December 16, 2014, message from the Guardians of Peace threatened terrorist actions at theaters showing the film. Sony pulled the film from theatrical release the next day, and a number of U.S. theater chains announced they would not screen the film.

U.S. government officials stated on December 17 that they believed the North Korean government was involved with the Sony hack, pointing to North Korean hackers' previous use of similar malicious hacking tools. There were similarities in specific lines of software code, encryption algorithms, data deletion methods, and compromised networks. The attack code was written on machines set with Korean characters as the default during Korean peninsula working hours, and the types of remote servers used in the Sony hack have been linked to those used by other breaches attributed to North Korea. The FBI found several IP addresses associated with the malware that originated within North Korea. Because the North Korean government controls all Internet access in that country, the government is thought to have played some role in the attack. North Korea's news agency KCNA denied that country's involvement. Nevertheless, the United States stepped up its economic sanctions against North Korea.

U.S. Secretary of Homeland Security Jeh Johnson released a statement asserting that the cyberattack against Sony wasn't just an attack on the company; it was also an attack on freedom of expression and the way of life in the United States. Many saw the threats to Sony over The Interview as endangering free speech. Several Hollywood filmmakers and actors, including Ben Stiller, Rob Lowe, Jimmy Kimmel, and Judd Apatow, voiced their opposition to Sony's decision to pull the film. Peter Singer, a cybersecurity strategist at the New America Foundation, warned that Sony's action set a disturbing precedent because it signaled to attackers that they can get all they want and even more. President Barack Obama called Sony's decision to cancel release of The Interview a mistake and urged the entertainment industry not to succumb to self-censorship.

Cybersecurity experts and members of the press, including Kurt Stammberger from cybersecurity firm Norsk, Kim Zetter from Wired magazine, CloudFlare researcher Marc Rogers, and former hacker Hector Xavier Monsegur, believe North Korea lacks the infrastructure to handle downloads of 100 terabytes of data, and such actions would have had to go on for months or years without anyone noticing. Stammberger told the FBI that the hack was probably an inside job, initiated by six disgruntled former Sony employees who had the knowledge and motive to access secure parts of Sony servers. Others have suggested that an outside group mimicking North Korean hackers was responsible.

Sony had suffered a massive data breach before. In April 2011 hackers were able to obtain personal information, including credit, debit, and bank account numbers, from over 100 million PlayStation Network users and Sony Online Entertainment users. It was one of the largest single data breaches in Internet history. To prevent that from happening again, Sony beefed up its security, paying more attention to encryption and outdated software versions.
Nevertheless, the company was hacked again, and this attack is believed to be worse, perhaps the worst attack to date in corporate history. This time, it appears that the hackers exploited a previously undisclosed zero-day vulnerability in Sony computer systems that gave them unfettered access to its networks. These flaws are usually the result of errors made during the writing of the software, giving an attacker wider access to an organization's systems and providing a platform for staging larger-scale intrusions. Often the vulnerabilities remain unknown to the organization that created the software. Details have not yet emerged about exactly which piece of software or system was compromised.

The New York Times reported that spear phishing attacks involving malicious code were inserted in Sony email attachments in September. Spear phishing email messages appear to come from someone known to the recipient, such as a friend or fellow employee. If an unknowing recipient clicks a link in the email, malicious code can be inserted in a computer system. Apparently, Sony was experiencing spear phishing attacks in early September, but those attacks did not look unusual. In retrospect, investigators realized that hackers had stolen the credentials of a Sony systems administrator, which allowed them to move freely inside Sony's systems. That type of attack has been used before to exploit zero-day vulnerabilities. Spear phishing can be difficult to detect and prevent by using only firewalls. Users have to be vigilant and sensitive to signs that email is not authentic.

Some experts also believe the hackers may have employed a SQL injection attack, in which the attacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet. SQL injection attacks are used to steal information from a database from which the data would normally not be available or to gain access to an organization's computer systems.
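
The SQL injection described above, shown as an added example that is not part of the original case study: the same lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite table. The table, column names, rows and function names are constructed for illustration and say nothing about how Sony's systems were built.

```python
import sqlite3

def make_db():
    """In-memory table holding constructed sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE personnel (username TEXT PRIMARY KEY, ssn TEXT)")
    db.executemany(
        "INSERT INTO personnel VALUES (?, ?)",
        [("alice", "000-00-0001"), ("bob", "000-00-0002"), ("carol", "000-00-0003")],
    )
    return db

def lookup_insecure(db, username):
    """Insecure: input is pasted into the SQL text, so it can rewrite the query."""
    sql = "SELECT username, ssn FROM personnel WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, username):
    """Hardened: input is bound as a value and is never parsed as SQL."""
    sql = "SELECT username, ssn FROM personnel WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

def looks_like_username(value):
    """Defence in depth: allow-list check applied before any query runs."""
    return value.isalnum() and len(value) <= 32

def unexpected_row_count(rows):
    """Detection hint: a primary-key lookup should never return more than one row."""
    return len(rows) > 1

if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # textbook tautology, constructed input
    for name, fn in (("insecure", lookup_insecure), ("parameterized", lookup_parameterized)):
        rows = fn(db, crafted)
        print(f"{name}: {len(rows)} rows, anomaly={unexpected_row_count(rows)}")
    print("allow-list accepts crafted input:", looks_like_username(crafted))
```

With the concatenated query the crafted value changes the WHERE clause and every row comes back; with the bound parameter it is compared as a literal string and matches nothing.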
SQL injection attacks can be thwarted by encrypting data, and Sony may have neglected to do this for key pieces of data.

Doug Stone, president of film newsletter Box Office Analyst, believes that Sony lost $120 million in U.S. and foreign box office revenue from not releasing The Interview as well as tens of millions already spent on marketing. Sales of this film to DVD, streaming video services, and some theaters in the future will not make up for this. Sony will also lose revenue from the five films yet to be released that hackers downloaded to online file-sharing services. According to a Carnegie Mellon University 2011 report, such leaks can cost companies up to 19 percent of the revenue they would have otherwise generated just on box office sales.

Four former employees have sued Sony for not protecting their private information from hackers. The lawsuits seek class-action status on behalf of the nearly 50,000 Sony Pictures employees whose Social Security numbers and other private data were exposed. Legal experts expect more cases to be filed over the data breach in the future. Sony has set aside $15 million to deal with ongoing damages from the attack; this may not be enough. Difficult to estimate are the losses Sony will experience from its damaged brand image and the reluctance of actors and others in the film industry to work with Sony again.

The company has tightened information system security again, using redundant solutions to prevent similar data loss or hacks in the future, but will this be enough? According to Kevin Mandia, who heads the Mandiant security firm hired to investigate the breach, the 2014 attack was one for which neither Sony nor other companies could have been fully prepared. Mandia believes the software used in the attack against Sony was undetectable by industry standard antivirus software. In addition, the scope of the attack was unlike anything he had ever seen because the hackers sought both to destroy information and release it to the public.
The Sony hack exposed many details about the inner workings of a large and famous company: salaries, health care records, office call lists of employees in a prominent industry. Security experts could recall no other breach when so much data on a high-profile company was made public in one data dump. Some also believe the Sony hack is a harbinger of things to come for all companies. This type of attack would not have been possible a few years ago. The likelihood of serious breaches is rising, the damage breaches can cause is going up, and companies will need to spend more money and time on information systems security to keep the hackers from pulling ahead.

Case Study Questions

1. List and describe the security and control weaknesses at Sony that are discussed in this case.
2. What people, organization, and technology factors contributed to this problem? How much was management responsible?
3. What was the business impact of the Sony hack? Explain your answer.
4. Is there a solution to this problem? Explain your answer.
5. Explain proactive and reactive cybersecurity.
6. Explain to a Guyanese business (business does not have to be named) what you have learnt from this case study and why establishing proactive cybersecurity measures is safer than relying on reactive measures.