Timothy S. Haney
SEC 573: E-Business Security
Research Project 1
Sony Breach
Professor Ed Sadeghi
Week 3
2/22/15
Table of Contents
Company Overview
Analysis
Hacker Warning Picture
Phishing Diagram
Solutions
Kill Chain Model Diagram
Conclusion
References
Company Overview
Sony Corporation of America is based in New York and is a subsidiary of Japan's Sony
Corporation. Sony's principal businesses include Sony Music Entertainment Inc., Sony/ATV
Music Publishing, Sony Pictures Entertainment Inc., Sony Electronics Inc., and Sony Computer
Entertainment Inc. Sony reported total revenue of $75.5 billion in 2014, its highest
figure since 2008 (Statista, 2015). Sony produces movies, music, game consoles, and
personal electronics, among other products and services.
Analysis
On November 24, 2014, a group calling itself the Guardians of Peace (#GOP) displayed an
image on employee workstations across Sony Pictures Entertainment: a red skull with a
warning and an extortion threat. The attackers also seized Sony Pictures' Twitter accounts
and posted an image of Sony Pictures CEO Michael Lynton in hell (Zetter, 2014). Servers and
PCs began crashing at about the same time; the network became unusable and had to be taken
offline. The attackers were believed to be from North Korea and were thought to have been
inside Sony's systems for somewhere between a few months and a year before anyone noticed.
They appeared skilled and very familiar with Sony's environment. In the weeks after the
warning appeared, the attackers leaked large amounts of highly sensitive data online:
unreleased films and scripts, network usernames and passwords, network architecture
documents, employee health care data, salary data, Social Security numbers, and email
(Alvarez, 2014; Krebs on Security, 2014). The attackers claimed to have taken roughly 100
terabytes of data from Sony's systems (Zetter, 2014).
Fig. 1: Screenshot of the "red skull" warning that appeared on Sony's computers on the day the GOP
hacker group made themselves known (Zetter, 2014).
It is still unclear exactly how this breach occurred. Many attacks of this type start with
phishing: emails crafted to get employees to open a malicious attachment or follow a link to
a site that delivers malware to their machines (Zetter, 2014). A second scenario, which this
paper treats as the more likely one, is that the attackers obtained credentials from a
disgruntled employee, for money or for revenge. Either way, once the attackers held
administrator credentials they could map the network and reach other protected systems.
That access let them view the architecture of servers and databases around the world and
collect the usernames and passwords for that equipment, including a list of routers,
switches, and load balancers with the credentials used to administer them. Once Sony
detected the attack it had to shut down its network entirely in order to rebuild and
secure it.
Fig. 2: Diagram of a malware phishing attack of the kind commonly used to obtain usernames
and passwords from users.
This event was extremely damaging to Sony's reputation; having so much sensitive data
leaked online was deeply embarrassing. More important for Sony's bottom line, the stolen
data also included the script for an unreleased TV pilot by Vince Gilligan, the creator of
Breaking Bad, and full copies of several Sony films, most of which had not yet been
released in theaters (Zetter, 2014).
The week of the Sony hack, the FBI released a warning alerting companies and
organizations to destructive malware designed to destroy data. The alert described malware
capable of wiping data from systems so thoroughly that the data cannot be recovered
(Zetter, 2014). The memo explained that the malware overwrites the victim host's master
boot record (MBR) as well as its data files, and that overwriting the data files makes
recovery by standard forensic methods extremely difficult and costly, if not impossible
(Zetter, 2014).
Once analyzed, the malware was found to contain a hard-coded list of 50 internal Sony
computers in the U.S. and U.K. that it targeted, along with the login credentials it used
to reach them. For the wiping, the attackers used a driver from a commercially available
product, RawDisk by EldoS, that is sold to system administrators and forensic developers
for legitimate purposes. It is a kernel-mode driver that gives a user-mode program direct
access to disk sectors, bypassing the file system. The same capability that lets a product
securely erase a drive or image it for forensics also lets a wiper overwrite the MBR and
every file on the disk (Zetter, 2014).
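The FBI alert above describes a wiper that overwrites sector 0. One practical control is to baseline the boot sector and re-check it, so that a destroyed or silently patched MBR is noticed rather than discovered at the next reboot. The following is an added example written for this paper, not code from Sony, the FBI, or EldoS. It works on a 512-byte buffer so it runs without raw disk access; the sample MBR, the "wipe" and "patch" helpers, and the classification labels are all constructed for the demonstration.

```python
"""MBR integrity check against a stored baseline (added example).

Parses the classic 512-byte master boot record (446 bytes of boot code,
four 16-byte partition entries, 0x55AA signature), hashes it, and
classifies a later read of sector 0 as intact, modified, or destroyed.
On a live host the buffer would come from reading sector 0 of the boot
disk, an administrative operation; here the MBR is constructed.
"""
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(buf):
    """Return signature validity, non-empty partition entries, and a SHA-256 of the sector."""
    if len(buf) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", buf, off)
        if ptype != 0:  # type 0 means an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": buf[510:512] == BOOT_SIGNATURE,
            "partitions": parts,
            "sha256": hashlib.sha256(buf).hexdigest()}


def check_mbr(buf, baseline_sha256):
    """Classify the current sector-0 contents against the hash taken at baseline time."""
    info = parse_mbr(buf)
    if info["sha256"] == baseline_sha256:
        return "intact"
    if not info["signature_ok"] or not info["partitions"]:
        return "destroyed"   # wiper-style overwrite: signature or partition table gone
    return "modified"        # still boots, but bytes changed: bootkit or partial overwrite


def make_sample_mbr():
    """Constructed MBR: a tiny boot stub padded with NOPs, one bootable NTFS partition, valid signature."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (PART_TABLE_OFFSET - 5)   # cli; xor ax,ax; mov ss,ax
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)             # NTFS, LBA 2048, 100 MiB
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


def simulate_wipe(buf):
    """What a raw write of zeros over sector 0 (RawDisk-style) leaves behind."""
    return b"\x00" * len(buf)


def simulate_bootcode_patch(buf):
    """Subtler tamper: replace two bytes of boot code with an infinite loop, keep table and signature."""
    return buf[:16] + b"\xeb\xfe" + buf[18:]


if __name__ == "__main__":
    clean = make_sample_mbr()
    baseline = parse_mbr(clean)["sha256"]
    for label, sector in (("clean", clean), ("wiped", simulate_wipe(clean)),
                          ("patched", simulate_bootcode_patch(clean))):
        print(f"{label:8s} -> {check_mbr(sector, baseline)}")
```

The point of keeping a hash rather than only checking the 0x55AA signature is the third case: a bootkit or partial overwrite can leave the signature and partition table untouched. A wiper running with administrator rights can of course also kill whatever monitor is doing the reading, so the check is most useful when run from trusted media at boot or compared against an offline baseline after an incident.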
Some of the malware samples appear to have been compiled on a machine configured for the
Korean language. This refers to the language and locale settings of the build machine,
which are recorded in the compiled binaries; it suggests, but does not prove, the author's
language, since the setting can be chosen deliberately. The FBI also stated that IP
addresses associated with known North Korean infrastructure were observed in the attack,
and press reports in January 2015 said U.S. intelligence had penetrated North Korean
networks well before the breach. The attack also coincided with the planned release of The
Interview, a comedy about a fictional CIA plot to assassinate North Korean leader Kim Jong Un.
The potential damage to Sony from the stolen data includes loss of reputation, a drop in
share price, and a decline in consumer confidence. Customers may be less willing to buy
from Sony for fear of their payment card data appearing online, Sony stands to lose
substantial revenue on the leaked films and scripts, and prospective employees may
hesitate to join a company whose staff records were exposed.
The breach affected all three of confidentiality, integrity, and availability.
Confidentiality is lost when unauthorized people gain access to sensitive information;
here, the leaking of company documents, films, medical records, and other private data was
the confidentiality failure. Integrity is lost when data is altered without authorization;
the wiper's overwriting of files on servers and databases was the integrity failure.
Availability is lost when data or systems cannot be used when needed; when the malware
overwrote the MBR on servers and workstations and the network became unusable, Sony had
to take everything offline and rebuild, which was the availability failure.
A common simplification for assessing assets is risk = threat x vulnerability (fuller
forms also multiply by the impact of a loss). We assess assets for vulnerabilities and
remove them to reduce risk, but the threats remain. A threat is an object, agent, or event
that could damage the organization's assets, and threats typically cannot be eliminated
altogether: acts of nature are beyond our control, and so are most other threats. We can
prosecute a hacker, but we cannot eliminate the threat that hackers pose. According to
Verizon's 2014 Data Breach Investigations Report (DBIR), 92% of the incidents analyzed over
the past ten years fall into nine patterns: cyber-espionage, denial-of-service attacks,
crimeware, web application attacks, insider misuse, miscellaneous errors, physical theft
and loss, payment card skimmers, and point-of-sale intrusions (Verizon, 2015).
According to the DBIR, the most common patterns are web application attacks and
cyber-espionage (Verizon, 2015). The Sony breach most likely combined cyber-espionage with
insider misuse: an insider plausibly handed administrator credentials to the attackers.
Once inside, the attackers took advantage of the passwords for servers, databases,
routers, and switches around the world, which were stored unencrypted and conveniently
gathered in a single folder. Clear-text password stores of this kind are not an indicator
of compromise (an IOC is an artifact, such as a malicious file hash or a callback address,
that shows an intrusion has occurred) but a weakness that turns one compromised account
into access to everything. Another plausible entry vector would be a USB drive dropped in a
Sony parking lot and plugged in by a curious employee, giving the attackers a foothold on
the network. To address such threats, Lockheed Martin's Computer Incident Response Team
developed an intelligence-driven defense model, the Cyber Kill Chain, which lets defenders
map an adversary's steps and place controls at each one. Using this model, Sony could
anticipate what an attacker will do next and put controls in place to interrupt the chain.
Solutions
There are many controls Sony could put in place to mitigate these threats. One is to limit
what a disgruntled employee with elevated privileges can do, whether by attacking directly
or by enabling outsiders. Organizations constantly balance end-user productivity against
security, and Sony leaned too far toward convenience, allowing the attackers to move
freely through the organization once a single account was compromised. Companies that let
users run as local administrators are typically more susceptible to a breach; if that was
the entry point, removing end-user administrator rights would be a key change (Tribbey,
2014). Users would have only need-to-know access, and even system administrators would not
automatically hold application and database privileges (Quora, 2014).
The passwords the attackers found were in clear-text documents. An obvious control is to
prohibit clear-text password storage on file shares and desktops and to keep shared
credentials in a password vault or privileged access management system that encrypts
them, restricts who can read each entry, and logs every retrieval. Attackers who land on a
file share would then find nothing usable. A policy stating that no passwords may be
stored in clear text should be written and enforced, with periodic scans of shared storage
to catch violations.
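Enforcing a no-clear-text-passwords policy means actually looking for violations on the shares. The scanner below is an added example written for this paper, not a tool Sony used; the credential patterns, the file-type list, and the small sample share it builds under a temporary directory are all constructed for the demonstration. It reports the file, line number, and a redacted snippet, so the scanner's own report does not become a second leak.

```python
"""Scan a file share for credentials stored in clear text (added example).

Walks a directory tree, reads text-like files, and reports lines that
look like stored passwords or URLs with embedded credentials. The
sample share is constructed; point scan_tree() at a real mount to use it.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Assumed patterns: 'password: x', 'pwd=x', 'secret=x', and scheme://user:pass@host.
CRED_PATTERNS = [
    re.compile(r"\b(pass(word|wd|phrase)?|pwd|secret)\b\s*[:=]\s*\S+", re.I),
    re.compile(r"\b(ssh|ftp|https?)://[^\s/:@]+:[^\s/@]+@", re.I),
]
# Extensions treated as text. Binary formats such as .xlsx need their own parser.
TEXT_EXT = {".txt", ".csv", ".xml", ".ini", ".cfg", ".conf", ".json", ".yaml",
            ".yml", ".md", ".sh", ".ps1", ".bat", ""}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    snippet: str      # redacted


def _redact(line):
    """Mask whatever follows the first ':' or '=' so the report carries no secret."""
    return re.sub(r"([:=]\s*)(\S+)",
                  lambda m: m.group(1) + "*" * min(len(m.group(2)), 8), line, count=1)


def scan_file(path):
    """Return a Finding for every line in one file that matches a credential pattern."""
    findings = []
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            for n, line in enumerate(fh, 1):
                if any(p.search(line) for p in CRED_PATTERNS):
                    findings.append(Finding(path, n, _redact(line.strip())))
    except OSError:
        pass   # unreadable file: skip rather than abort the whole scan
    return findings


def scan_tree(root):
    """Scan every text-like file under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TEXT_EXT:
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def build_sample_share():
    """Create a small constructed share: two files with credentials, two clean ones."""
    root = tempfile.mkdtemp(prefix="sample_share_")
    samples = {
        "network/router_creds.txt": ("# device     user    credential\n"
                                     "core-sw-01   admin   password: C1sco123\n"
                                     "lb-02        root    pwd=Sup3rS3cret!\n"),
        "it/readme.txt": "Please change your password regularly.\n",
        "scripts/backup.sh": "#!/bin/sh\ncurl -T db.tgz ftp://backup:Winter2014@ftp.internal/\n",
        "docs/policy.md": "Passwords must be at least 12 characters.\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_share()):
        print(f"{f.path}:{f.line_no}: {f.snippet}")
```

Two of the four sample files trigger findings (the router credential list and the backup script with a password in an FTP URL); the readme and the policy document mention passwords without storing one and are correctly ignored. Spreadsheets, which is where such lists often live, are skipped here and would need a separate reader.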
Another control is user awareness training covering security best practices and how to
recognize common phishing lures. A strong spam filter, such as the one Microsoft offers
for its mail platform, could route messages with suspicious attachments to a quarantine
where they are flagged and checked.
Sony could hire a new CISO (chief information security officer) to rewrite Sony's security
policies and procedures in line with best practices and standards. This officer would aim
to go beyond minimum requirements to win back the confidence lost in the breach. The CISO
would be responsible for seeing that all tools are configured properly; companies own many
security tools, but they do no good unless configured and operated correctly. The CISO must
also put in place the processes to monitor and use the tools, since tools are useless
without processes. The CISO should establish a schedule of regular audits and an incident
response plan, together with disaster recovery and business continuity plans (DRP/BCP),
all tested regularly.
Sony did not manage personally identifiable information well. Such data should be
segmented and isolated from the rest of the network and encrypted at rest, and it should
be placed on the high-risk asset list so that it is monitored more carefully than less
sensitive data.
A new policy could prohibit moving information on or off systems through USB ports. The
product USB Block aims to prevent theft and leakage of files, documents, and source code
via USB drives, CD/DVD, and network computers; Sony could whitelist its own USB drives and
devices, and whenever an unauthorized device is detected a password prompt appears (USB
Block, 2015).
Sony's attackers indicated in their on-screen messages that the company's doors were no
longer locked. Sony could add security guards to check for intruders tailgating an
employee at the entrance, require a badge to enter the garage, the garage elevator, the
building, and the building elevators, and install high-resolution cameras that capture
license plates and faces.
Sony could invest in tools that detect intruders while they are still in the early
enumeration phase. FireEye's network security appliance recognizes malware by its behavior
while the content is in transit, which lets it block zero-day web exploits that
signature-based tools miss. It also blocks multi-protocol callbacks, and when infected
hosts call back to the attacker's infrastructure it records the callback destination. The
product is designed to detect malware entering or calling out from the network (FireEye,
2014). It would raise the cost of future malware-based theft of sensitive company data,
though it is a detection layer rather than a guarantee.
Another useful product is the log management platform Splunk, which consolidates and
indexes log and machine data, including structured, unstructured, and multi-line
application logs, so that it can be collected, stored, searched, correlated, visualized,
and reported on to identify and resolve operational and security issues more quickly and
repeatably (Splunk, 2015). Sony would use it to gather the evidence needed to find an
intruder. Log sources forward events, typically via syslog, into Splunk, where they are
stored and indexed.
Exabeam could be used for behavioral analysis. It layers security intelligence on top of
the existing SIEM (security information and event management) and log repositories to
reconstruct a complete user session, which lets it detect and assemble the full attack
chain. Its User Intelligence solution combines session assembly and Stateful User Tracking
with behavior analysis and risk scoring to estimate the likelihood of an attack and
prioritize responses; it can also enhance an existing SIEM investment and detect threats
in near real time. The behavior analysis learns the characteristics of each user and of
the user's peer group across multiple dimensions, such as time, day of the week, location,
and objects accessed, compares each new activity against that baseline, and flags
anomalies (Exabeam, 2015). The tool would notify the security team when a user's activity
departs from the observed pattern of normal behavior.
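The baseline-and-deviate idea in the Splunk and Exabeam paragraphs is easy to state and worth seeing in working form. The following is an added example written for this paper; it is not Exabeam's or Splunk's code. It learns, per user, which values have been seen on four dimensions (time of day, day of week, source host, target host) from successful logons, then scores later events by the weighted number of dimensions outside that baseline. The log format, the user and host names, the weights, and the alert threshold are all assumptions constructed for the demonstration.

```python
"""Per-user behavioral baseline over authentication logs (added example).

Builds a profile from a week of constructed logon events, then scores
candidate events: each dimension whose value was never seen for that
user adds its weight, and a score at or above the threshold is an alert.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed): ts user= src= dst= action= result=
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)
# A never-seen source host is a stronger signal than a never-seen target.
WEIGHTS = {"shift": 1, "daytype": 1, "src": 2, "dst": 1}
ALERT_THRESHOLD = 3


def parse_event(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def features(ev):
    """Bucket an event into the dimensions the baseline tracks."""
    ts = ev["ts"]
    return {
        "shift": "business" if 7 <= ts.hour < 19 else "offhours",
        "daytype": "weekday" if ts.weekday() < 5 else "weekend",
        "src": ev["src"],
        "dst": ev["dst"],
    }


class Baseline:
    def __init__(self):
        self.seen = defaultdict(lambda: defaultdict(set))   # user -> dim -> {values}

    def learn(self, ev):
        if ev["result"] != "success":      # failed logons do not define normal
            return
        for dim, val in features(ev).items():
            self.seen[ev["user"]][dim].add(val)

    def score(self, ev):
        """Return (score, list of deviating dimension=value)."""
        profile = self.seen.get(ev["user"])
        if profile is None:
            return sum(WEIGHTS.values()), ["unknown user"]
        score, deviations = 0, []
        for dim, val in features(ev).items():
            if val not in profile[dim]:
                score += WEIGHTS[dim]
                deviations.append(f"{dim}={val}")
        return score, deviations


def detect(history_lines, candidate_lines, threshold=ALERT_THRESHOLD):
    """Learn from history, then return (user, timestamp, score, deviations) for each alert."""
    base = Baseline()
    for line in history_lines:
        ev = parse_event(line)
        if ev:
            base.learn(ev)
    alerts = []
    for line in candidate_lines:
        ev = parse_event(line)
        if not ev:
            continue
        score, devs = base.score(ev)
        if score >= threshold:
            alerts.append((ev["user"], ev["ts"].isoformat(), score, devs))
    return alerts


def build_history():
    """Constructed week of routine logons: jdoe, weekdays, business hours, one workstation."""
    lines = []
    start = datetime(2014, 11, 17, 8, 30)          # a Monday
    for day in range(5):
        for hour_off, dst in ((0, "MAIL-01"), (1, "FILESRV-07"), (6, "FILESRV-07")):
            ts = start + timedelta(days=day, hours=hour_off)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} user=jdoe src=WS-1043 dst={dst} "
                         f"action=logon result=success")
    return lines


CANDIDATES = [   # constructed
    "2014-11-24T09:05:10 user=jdoe src=WS-1043 dst=FILESRV-07 action=logon result=success",
    "2014-11-24T10:12:00 user=jdoe src=WS-1043 dst=HR-DB-01 action=logon result=success",
    "2014-11-23T02:31:47 user=jdoe src=VPN-GW-02 dst=DC-01 action=logon result=success",
    "2014-11-23T02:33:02 user=svc_backup src=VPN-GW-02 dst=DC-01 action=logon result=success",
]

if __name__ == "__main__":
    for alert in detect(build_history(), CANDIDATES):
        print(alert)
```

Of the four candidates, the routine Monday-morning logon scores 0, a new target from the usual workstation during business hours scores 1 and is not alerted, and the Sunday 02:31 logon from a VPN gateway to a domain controller scores 5 on every dimension at once, as does the account with no history at all. Two caveats matter in Sony's situation: a baseline learned from logs that already contain months of attacker activity will treat that activity as normal, so the learning window must predate the suspected intrusion; and the weights and threshold here are illustrative, where a real deployment tunes them per peer group and learns over a sliding window.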
Sony's security team could also be supported by the managed security services of
Solutionary, which augment a client's existing security program, infrastructure, and
staff while relieving the information security and compliance burden. Solutionary
combines security expertise and operational processes with its cloud-based ActiveGuard
platform to improve security and address compliance with regulations such as PCI DSS
(Payment Card Industry Data Security Standard), HIPAA (Health Insurance Portability and
Accountability Act), GLBA (Gramm-Leach-Bliley Act), and Sarbanes-Oxley (Solutionary,
2015). Sony likely generates millions of security events a day for its team to review, and
Solutionary staffs trained analysts to take over that monitoring. Companies like Target
could have used such a service to catch their high-risk events. Sony could use it to act
on the notifications Splunk generates.
The kill chain model has seven phases: reconnaissance, weaponization, delivery,
exploitation, installation, command and control, and actions on objectives. In order, the
attacker gathers information about the target, builds a malicious payload, delivers it,
exploits a vulnerability to run it, installs it for persistence, establishes a command
channel, and then works hands-on-keyboard toward the goal. These threats are far tougher
than they were 15 years ago; today's are described as advanced persistent threats (APTs),
which get onto a network and stay as long as possible until detected. Companies with weak
information security infrastructure are easy prey for these attackers.
Conclusion
Many policies, procedures, products, and services can effectively mitigate the risk that
threats like this pose to an e-business. The Sony breach exposed weaknesses (clear-text
credential stores, over-privileged users, and unrestricted movement across the network)
and left indicators of compromise (the wiper malware, its hard-coded list of target hosts,
and the IP addresses the FBI linked to North Korea) that should drive Sony's controls. Sony
should map the attack onto the kill chain framework, which focuses on the threat's steps
rather than on assets alone; at each phase the attacker would exploit the weaknesses
described earlier, and a control should be placed there to interrupt it. The changes should
start with a new CISO who enforces industry best-practice policies and procedures.
FireEye, Splunk, and Exabeam, implemented with proper processes, will help catch a similar
intruder by flagging anomalous behavior and suspicious events, and Solutionary's services
can ensure those alerts are handled. Users should not hold excess privileges in case of a
disgruntled employee; passwords should never be stored in clear text, with a policy
requiring encrypted storage; and USB devices should not be used to move data on or off the
network. The CISO should also implement user awareness training for better email security,
stricter physical security, regular audits, and DRP/BCP with regular testing.
References
Alvarez, E. (2014, December 10). Sony Pictures hack: the whole story. Retrieved from
http://www.engadget.com/2014/12/10/sony-pictures-hack-the-whole-story/
Exabeam. (2015). Exabeam Solution Overview. Retrieved from http://www.exabeam.com/wp-
content/uploads/Exabeam_SolutionOverview_v0115.pdf
FireEye. (2014). FireEye Network Threat Prevention Platform. Retrieved from
https://www.fireeye.com/content/dam/fireeye-www/global/en/products/pdfs/fireeye-
network-threat-prevention-platform.pdf
Krebs on Security. (2014, December 2). Sony Breach May Have Exposed Employee Healthcare,
Salary Data. Retrieved from http://krebsonsecurity.com/2014/12/sony-breach-may-have-exposed-
employee-healthcare-salary-data/
Quora. (2014, December 23). What Do Security Professionals Think Sony Should Have Done
Differently Between the 2011 Playstation Hack and the 2014 Sony Pictures Hack to Protect
Themselves? Retrieved from http://www.quora.com/What-do-security-professionals-think-
Sony-should-have-done-differently-between-the-2011-Playstation-Hack-and-the-2014-Sony-
Pictures-Hack-to-protect-themselves
Solutionary. (2015). Managed Security Services | Solutionary. Retrieved from
http://www.solutionary.com/services/managed-security-services/
Splunk. (2015). Log management solutions: tap log data to see what's happening in your
business | Splunk. Retrieved from http://www.splunk.com/en_us/solutions/solution-areas/log-
management.html
Statista. (2015, January). Sony business segments sales share 2014 | Statistic. Retrieved from
http://www.statista.com/statistics/279272/proportion-of-sonys-sales-by-business/
Tribbey, C. (2014, December 22). Experts: Lessons to be learned from Sony Cyber Attack
(CDSA): Content Delivery and Security Association. Retrieved from
http://www.cdsaonline.org/latest-news/experts-lessons-to-be-learned-from-sony-cyber-attack-
cdsa/
USB Block. (2015). USB Block - Data Leak Prevention Software - Free Download. Retrieved from
http://www.newsoftwares.net/usb-block/
Verizon. (2015, January). 2014 Verizon Data Breach Investigations Report (DBIR) | Verizon
Enterprise Solutions. Retrieved from http://www.verizonenterprise.com/DBIR/2014/
Zetter, K. (2014, December 3). Sony Got Hacked Hard: What We Know and Don't Know So Far |
WIRED. Retrieved from http://www.wired.com/2014/12/sony-hack-what-we-know/

 
APT & Data Breach - Lesson Learned
APT & Data Breach - Lesson LearnedAPT & Data Breach - Lesson Learned
APT & Data Breach - Lesson Learned
 
3 Hkcert Trend
3  Hkcert Trend3  Hkcert Trend
3 Hkcert Trend
 
How to protect the cookies once someone gets into the cookie jar
How to protect the cookies once someone gets into the cookie jarHow to protect the cookies once someone gets into the cookie jar
How to protect the cookies once someone gets into the cookie jar
 

SEC 573 Project 1 2.22.15

Company Overview

Sony Corporation of America is based in New York and is a subsidiary of Japan’s Sony Corporation. Sony’s principal businesses include Sony Music Entertainment Inc., Sony/ATV Music Publishing, Sony Pictures Entertainment Inc., Sony Electronics Inc., and Sony Computer Entertainment Inc. Sony announced total revenue of $75.5 billion in 2014, the highest the figure has been since 2008 (Statista, 2015). Sony specializes in producing movies, music, game consoles, and personal electronics, among other products and services.

Analysis

On November 22, 2014, a group calling itself #GOP (the Guardians of Peace) displayed a screenshot on every company PC showing a red skull with warnings and threats of extortion. Sony’s Twitter accounts were also seized by the hackers, who posted an image of Sony CEO Michael Lynton in hell (Zetter, 2014). At that moment many servers and PCs started crashing; the network was unusable and had to be shut down. The hackers were believed to be from North Korea and had supposedly infiltrated Sony’s system for approximately a few months to a year before anyone was aware. The attackers appeared to be skilled and very knowledgeable about Sony’s system. In the months prior to the warnings posted on the PCs, the hackers leaked large amounts of highly sensitive information online in the form of unreleased movies and film scripts, network usernames and passwords, network architecture information, employee health care data, salary data, social security numbers, and email communications (Alvarez, 2014; Krebs on Security, 2014). Approximately 100 terabytes of data were stolen from Sony’s systems (Zetter, 2014).
Fig. 1: Screenshot of the “red skull” warning that appeared on Sony’s computers on the day the GOP hacker group made themselves known (Zetter, 2014).

It is still unclear exactly how this breach occurred. Many hacks of this type start with a phishing attack, which involves sending emails to employees to get them to click on malicious attachments or on links to websites where malware is downloaded to their machines (Zetter, 2014). The other, more likely scenario is that the hackers obtained user credentials from a disgruntled employee in exchange for money or out of revenge. Once the attackers possessed administrator credentials, they were able to map the network and gain access to other protected systems. This access let them view the network architecture for servers and databases around the world and obtain all of the usernames and passwords for this equipment. Among the information they obtained was a list of routers, switches, and load balancers with the usernames and passwords used to administer them. Once it detected the attack, Sony had to shut down its network completely in order to restructure and secure it.
Fig. 2: Graphic describing the process of a malware phishing attack commonly used to enable hackers to obtain usernames and passwords from users.

This event was extremely damaging to Sony’s reputation; it was very embarrassing to have all of this sensitive data leaked online. More important for Sony’s bottom line, however, was that the stolen data also included the script for an unreleased TV show pilot by Vince Gilligan, the creator of Breaking Bad, as well as full copies of several Sony films, most of which had not yet been released in theaters (Zetter, 2014).

An FBI warning was released the week of the Sony hack alerting companies and organizations about destructive malware designed to destroy data. The alert warned about malware capable of wiping data from systems so effectively as to make the data unrecoverable (Zetter, 2014). The memo described the malware’s capability to overwrite a victim host’s master boot record (MBR) and all data files. The overwriting of data files makes it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods (Zetter, 2014). Once analyzed, the malware was shown to contain a hard-coded list naming 50 internal Sony computer systems based in the U.S. and U.K. that it was attacking, as well as the log-in credentials it used to access them. To do the wiping, the attackers used a driver from a commercially available product designed for legitimate system maintenance by system administrators. The product is called RawDisk and is made by Eldos. The driver is a kernel-mode driver used to securely delete data from hard drives, or for forensic purposes to access memory (Zetter, 2014). Some of the malware files examined appear to have been compiled on a machine that was using the Korean language. This refers to the encoding language on a computer, which is the language spoken by the user. The FBI has claimed it hacked North Korea a year ago and has evidence from the malware it released on the North Korean network indicating that the IP addresses of the known Korean hackers are the same as the IP addresses used in the attack against Sony. The hack also coincided with the release of the movie The Interview, about an assassination attempt by the U.S. on Kim Jong Un, the leader of North Korea.

The potential damages to Sony from the stolen data are loss of reputation, a drop in stock price, and a decrease in consumer confidence. People will be less likely to shop at Sony for fear of having their credit card information leaked on the Internet for everyone to see. Sony will lose a lot of potential revenue from the movies and scripts that were leaked online.
Potential employees may not want to work at Sony for fear of their private information being hacked.

This hack had a noted effect on data confidentiality, integrity, and availability. Data confidentiality is affected when unauthorized individuals or groups have access to sensitive information. In the case of the Sony breach, confidentiality was affected when the company’s private information, movies, medical histories, and other sensitive data were leaked online. Sony’s data integrity was affected when the malware deleted the files from the servers and databases; data integrity is affected whenever data is altered or changed. When the hackers shut down the system by deleting the MBR on servers and databases, making the network unusable, Sony had to shut down and re-architect the network, thus affecting data availability. Data availability is affected when the data is not available for use.

For risk assessment of assets, risk equals vulnerability multiplied by threat. We assess assets for vulnerabilities and remove them to decrease risk, but we still have to take into account the potential threats. A threat is an object, agent, or event that could cause damage to the organization’s assets. Threats typically cannot be eliminated altogether: acts of nature, for instance, are beyond our control, and so are most other threats. We can prosecute a hacker, but we cannot eliminate the threat that hackers pose. According to Verizon’s Data Breach Investigations Report (DBIR), 92% of the attacks in the last ten years have been cyber-espionage, DoS attacks, crimeware, web application attacks, insider misuse, miscellaneous errors, physical theft and loss, payment card skimmers, or point-of-sale intrusions (Verizon, 2015).
According to the Verizon DBIR, the most likely attacks are web application attacks and cyber-espionage (Verizon, 2015). The threat in the Sony breach was probably a combination of cyber-espionage and insider misuse. It is likely that an insider gave administrator credentials to the hackers. Once inside the network, the hackers took advantage of the unencrypted passwords for all of the servers, databases, routers, and switches around the world, which were easily accessible in a single data folder. The fact that all these important passwords were unencrypted is an indicator of compromise (IOC). The threat (in this situation, the group of hackers) could use this information to cause a lot of damage. Another IOC could be if one of the hackers left a USB drive in Sony’s parking lot and a Sony employee plugged it into the system, giving the attackers access to the network. To mitigate these threats, Lockheed Martin’s Computer Incident Response Team has created an intelligence-driven defense process, the Cyber Kill Chain, which allows information security professionals to proactively remediate and mitigate advanced threats. By using this tool, Sony could anticipate what the threats will do and put controls in place to minimize them.

Solutions

There are potentially many controls Sony could put in place to mitigate potential threats. One control would be to stop a disgruntled employee with escalated privileges from attacking the network or allowing it to be attacked by outside intruders. A common challenge organizations face is balancing end-user productivity with security. Sony leaned too far towards a user-friendly system, allowing the attackers to move freely throughout the organization once it was compromised. Companies that permit users to run as administrators are typically more susceptible to a breach. If this was the entry point, removing end-user admin permissions would be a key change (Tribbey, 2014). Users would have only need-to-know access; for example, the ability of system admins to exercise application and database privileges would be restricted (Quora, 2014).

The passwords that the hackers found were in clear-text documents. A very obvious control would be encryption of all passwords stored on the shared network and on desktops; attackers would have a much tougher time obtaining passwords if they were encrypted. A policy stating that no passwords may be stored in clear text should be implemented and enforced.

Another control would be user awareness training detailing best practices for security, which would also explain how to avoid common phishing scams. A strong spam blocker from Microsoft could be implemented; the product sends malicious emails with attachments to the spam folder to be flagged and checked.

Sony could hire a new CISO (chief information security officer) to rewrite Sony’s security policies and procedures to coincide with best practices and standards. This officer would attempt to go above and beyond minimum requirements to win back the confidence in the company that was lost due to the breach. The CISO would be responsible for configuring all tools properly: companies have many information security tools, but they do no good unless configured properly. The CISO must also put in place the processes to monitor and use the tools correctly, because tools are useless without processes. The CISO should implement a plan for regular audits and an incident response plan (DRP/BCP), which should be tested regularly.
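A policy against clear-text passwords is only enforceable if someone can find the files that violate it before an attacker does. The following Python script is an added example, not part of the original paper and not any Sony or vendor tooling: it scans a constructed set of files standing in for a shared folder (a notes file, a Cisco-style switch configuration, and a build properties file, all made up for this example) and reports lines that store a credential in clear text or in a reversibly encoded form, while skipping placeholders and properly hashed values. The file names, key names, and patterns are assumptions chosen for illustration.

```python
import re
from typing import Dict, List, Tuple

# "key = value" / "key: value" credentials as found in notes, .ini/.properties
# files and spreadsheets exported to text.
KEY_VALUE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|api[_-]?key)\s*[:=]\s*['\"]?([^'\"\s]+)"
)
# Cisco IOS style credential lines. The optional digit is the password type:
# 0 or absent is clear text, 7 is trivially reversible, 5/8/9 are hashes.
CISCO = re.compile(
    r"(?i)^\s*(enable\s+(?:password|secret)|username\s+\S+\s+(?:password|secret))"
    r"(?:\s+(\d))?\s+(\S+)"
)
HASHED_TYPES = {"5", "8", "9"}
# Values that are placeholders rather than real secrets, and so are not findings.
PLACEHOLDER = re.compile(r"^(\$\{[^}]*\}|\$\w+|<[^>]*>|\*{3,}|x{3,}|changeme)$", re.I)

Finding = Tuple[str, int, str, str]   # (path, line number, key, masked value)


def mask(value: str) -> str:
    """Keep only the first character so the report never re-leaks the secret."""
    return value[:1] + "***"


def scan_text(path: str, text: str) -> List[Finding]:
    """Return clear-text (or reversibly encoded) credentials found in one file's text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]              # ignore trailing comments
        m = CISCO.match(code)
        if m:
            if m.group(2) in HASHED_TYPES:        # type 5/8/9: stored as a hash, fine
                continue
            key = m.group(1).split()[-1].lower()  # "password" or "secret"
            findings.append((path, lineno, key, mask(m.group(3))))
            continue
        m = KEY_VALUE.search(code)
        if m and not PLACEHOLDER.match(m.group(2)):
            findings.append((path, lineno, m.group(1).lower(), mask(m.group(2))))
    return findings


def scan_share(files: Dict[str, str]) -> List[Finding]:
    """Scan every file of a share given as {path: text}; real use would walk a directory."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


# Constructed sample files standing in for the shared folder (not real Sony data).
SAMPLE_SHARE: Dict[str, str] = {
    "IT/Passwords.txt": (
        "router-ny-01 admin password=Summer2014!\n"
        "lb-01 admin pwd: P@ssw0rd\n"
        "# password=notreal  (a comment, ignored)\n"
    ),
    "IT/core-sw01.cfg": (
        "enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0\n"   # hashed, not reported
        "username admin password 0 Sony123\n"                # clear text
        "username ops password 7 0822455D0A16\n"             # reversible type 7
    ),
    "builds/app.properties": (
        "db.password=${DB_PASSWORD}\n"                       # placeholder, not reported
        "api_key = abcd1234\n"
    ),
}

if __name__ == "__main__":
    for path, lineno, key, masked in scan_share(SAMPLE_SHARE):
        print(f"{path}:{lineno}: clear-text {key} ({masked})")
```

Findings are reported with the value masked so that the audit report does not itself become another clear-text password list. The Cisco password-type rule is the kind of format-specific check a real scanner needs: a type 5, 8, or 9 line is a hash and is left alone, while type 0, type 7, or an untyped value is flagged. A production scanner would walk the share with os.walk and add patterns for the file types actually in use.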
Sony did not manage personally identifiable information well. This information could be segmented and isolated from the rest of the network and encrypted. It should go on the high-risk asset list, to be watched over more carefully than less important data.

A new policy could be put in place to not allow USB ports to upload or download information. The product USB Block prevents theft and leakage of important files, documents, and source code through devices such as USB drives, CD/DVD, and network computers. Sony can whitelist its own USB drives and devices; whenever an unauthorized device is detected, a password prompt comes up (USB Block, 2015).

Sony’s attackers indicated in screenshots that Sony’s doors were no longer locked. Sony could hire security guards to increase physical security and check for intruders piggybacking on an employee at the entrance. A badge should be required to enter the garage, the garage elevator, the building, and the elevator in the building. High-resolution cameras should be installed everywhere to view license plates and faces.

Sony could invest in tools to detect intruders while they are still in the initial enumeration phase of an attack. The FireEye network security malware tool recognizes the behavior of viruses while in transit. This tool blocks zero-day web exploits through its behavioral anomaly technology. It also blocks multi-protocol callbacks, helping to scale advanced defenses across a range of deployments. When the viruses call back to the sender (attacker), the software tracks the destination of the callback to find a location. This product is designed to detect malware on a system and would prevent future attacks that use malware to steal sensitive company data (FireEye, 2014).
Another useful product Sony could implement is the log management tool Splunk. Splunk provides industry-leading software to consolidate and index any log and machine data, including structured, unstructured, and complex multi-line application logs. You can collect, store, index, search, correlate, visualize, analyze, and report on any machine-generated data to identify and resolve operational and security issues in a faster, repeatable, and more affordable way. It is an enterprise-ready, fully integrated solution for log management data collection, storage, and visualization (Splunk, 2015). This tool would help accumulate the data needed to find an intruder. The event data goes from Splunk to a syslog server to be stored.

The tool Exabeam could be used for behavioral analysis. Exabeam adds security intelligence on top of existing SIEM (security information and event management) and log management data repositories to build a complete picture of the user session, allowing the technology to detect and assemble the full attack chain. The Exabeam User Intelligence solution uses a combination of session assembly and Stateful User Tracking, behavior analysis, and risk scoring to automatically determine the likelihood of an attack and prioritize responses. The product specializes in behavior analysis but performs many functions, such as enhancing current SIEM investments, detecting threats in real time, and customizing deployment. The behavior analysis learns user and peer-group behavior and characteristics across multiple dimensions. Dimensions can be time, day of the week, location, or object access, and each dimension is compared against the normal baseline; anomalies are then identified (Exabeam, 2015). This tool will notify the security team that something is not right with a certain user’s behavior because it is not consistent with the observed pattern of normal behavior for that user.
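To make the behavior-analysis idea concrete, here is an added Python example (my own illustration, not Exabeam’s product and not material from the paper). It builds a per-user baseline over the dimensions the paragraph names (time of day, day of the week, location, object accessed) from a constructed month of login events, scores a new event by how unusual each dimension is for that user, falls back to the user’s peer group when the user has no history of a value, and flags the event when the combined score crosses a threshold. The users, locations, thresholds, and weights are assumptions made up for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

Event = Tuple[str, str, str, str]   # (ISO timestamp, user, source location, object accessed)

ESTABLISHED = 0.10    # a value seen in at least 10% of a user's own history is normal for them
PEER_DISCOUNT = 0.25  # a peer-group habit counts for a quarter of the user's own habit
THRESHOLD = 2.0       # flag when summed rarity reaches this (maximum 4.0, one per dimension)


def features(ts: str, location: str, obj: str) -> Dict[str, str]:
    """Bucket one event into the dimensions the baseline is learned over."""
    t = datetime.fromisoformat(ts)
    if 8 <= t.hour < 19:
        band = "business"
    elif 19 <= t.hour < 23:
        band = "evening"
    else:
        band = "night"
    return {
        "hour_band": band,
        "day_type": "weekend" if t.weekday() >= 5 else "weekday",
        "location": location,
        "object": obj,
    }


class Baseline:
    """Per-user value counts for each dimension, plus peer-group membership."""

    def __init__(self, history: List[Event], peer_groups: Dict[str, List[str]]):
        self.counts: Dict[str, Dict[str, Counter]] = defaultdict(lambda: defaultdict(Counter))
        self.totals: Counter = Counter()
        self.members = peer_groups
        self.group_of = {u: g for g, users in peer_groups.items() for u in users}
        for ts, user, loc, obj in history:
            self.totals[user] += 1
            for dim, val in features(ts, loc, obj).items():
                self.counts[user][dim][val] += 1

    def frequency(self, user: str, dim: str, value: str) -> float:
        """Share of the user's own history in which this dimension took this value."""
        return self.counts[user][dim][value] / self.totals[user] if self.totals[user] else 0.0

    def peer_frequency(self, user: str, dim: str, value: str) -> float:
        """Same share, pooled over the other members of the user's peer group."""
        peers = [u for u in self.members.get(self.group_of.get(user, ""), []) if u != user]
        n = sum(self.totals[u] for u in peers)
        return sum(self.counts[u][dim][value] for u in peers) / n if n else 0.0


def score_event(baseline: Baseline, event: Event) -> Tuple[float, Dict[str, float]]:
    """Return (total risk, per-dimension rarity) for one event; 0 means established behaviour."""
    ts, user, loc, obj = event
    per_dim: Dict[str, float] = {}
    for dim, val in features(ts, loc, obj).items():
        normality = max(baseline.frequency(user, dim, val),
                        PEER_DISCOUNT * baseline.peer_frequency(user, dim, val))
        per_dim[dim] = round(1.0 - min(1.0, normality / ESTABLISHED), 3)
    return round(sum(per_dim.values()), 3), per_dim


def is_anomalous(baseline: Baseline, event: Event) -> bool:
    return score_event(baseline, event)[0] >= THRESHOLD


def make_history() -> List[Event]:
    """Constructed October 2014 history for two finance users (sample data, not real logs)."""
    events: List[Event] = []
    for day in range(1, 32):
        t = datetime(2014, 10, day, 9 + day % 8, 15)   # business hours, 09:15 to 16:15
        if t.weekday() >= 5:                            # nobody logs in on weekends
            continue
        events.append((t.isoformat(), "alice", "NY-office", "finance-share"))
        loc = "VPN" if t.weekday() == 4 else "NY-office"     # bob works from home on Fridays
        obj = "payroll-db" if day % 2 else "finance-share"
        events.append((t.isoformat(), "bob", loc, obj))
    return events


PEER_GROUPS = {"finance": ["alice", "bob"]}
BASELINE = Baseline(make_history(), PEER_GROUPS)

# Constructed events to score: a normal day, a normal Friday, a weekend-night visit to the
# payroll database by a user who has never used the VPN, and a user with no history at all.
NEW_EVENTS: List[Event] = [
    ("2014-11-12T10:30:00", "alice", "NY-office", "finance-share"),
    ("2014-11-14T11:00:00", "bob", "VPN", "payroll-db"),
    ("2014-11-15T03:12:00", "alice", "VPN", "payroll-db"),
    ("2014-11-15T03:20:00", "carol", "VPN", "payroll-db"),
]

if __name__ == "__main__":
    for ev in NEW_EVENTS:
        risk, dims = score_event(BASELINE, ev)
        print(f"{'ALERT' if risk >= THRESHOLD else 'ok   '} {ev[1]:6} risk={risk:.2f} {dims}")
```

Bob’s Friday VPN session scores zero because VPN use is an established part of his own history, whereas Alice’s 03:12 weekend session scores on three of the four dimensions: the hour band and weekend are unseen for her and her peers, VPN is only partly excused by Bob’s habit, and payroll-db is excused entirely because her peer group uses it about half the time. The peer-group fallback is what keeps a new hire’s first normal week from paging the security team, while still leaving a never-seen combination well above the threshold.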
The managed security services of Solutionary could really help Sony’s security team. Solutionary delivers flexible managed security services that work the way clients want, enhancing their existing security program, infrastructure, and personnel while relieving the information security and compliance burden. Solutionary combines deep security expertise and proven operational processes with the patented, cloud-based ActiveGuard security and compliance platform to improve security and address compliance with regulations such as PCI DSS (Payment Card Industry Data Security Standard), HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), Sarbanes-Oxley, and more (Solutionary, 2015). Sony likely has millions of events generated each day for its security team to look over; Solutionary has trained engineers ready to take over that monitoring role. Companies like Target could have used Solutionary to catch high-risk events. Sony could use this service to notice the attackers once the notification is generated by Splunk.

The kill chain model has seven phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. The steps involve gathering information, creating a malicious program to infiltrate, delivering the program, installing the program on the network, taking command of the network, and achieving the goal with keyboard control over the network. These threats are much tougher now than 15 years ago. Today’s threats are considered APTs (advanced persistent threats); an APT will get on the network and stay as long as possible until detected. Companies with weak information security infrastructures are easy prey for these advanced attackers.
Conclusion

There are many policies, procedures, products, and services that will effectively mitigate the risk of the e-commerce threat. Many IOCs (indicators of compromise) were revealed in the Sony breach which should indicate to Sony that it must implement controls to mitigate the threat. Sony should use these IOCs to create a kill chain framework. The kill chain framework focuses on the threat instead of the assets. The threat would exploit the weaknesses I have described earlier to infiltrate the network; controls will be put in place to mitigate the threat. The changes should start with a new CISO enforcing industry policies and procedures for best practices. The FireEye, Splunk, and Exabeam tools, if implemented with proper processes, will effectively mitigate a similar intruder in the future by noticing behavior anomalies and flagged events. The services of Solutionary could ensure that those alerts are handled properly. Users should not have too many privileges, in case of a disgruntled employee; passwords should not be stored in clear text (a policy of encrypting passwords should be implemented); and USBs should not be used to upload or download information from the network. The CISO should implement user awareness training for better email security, stricter physical security, regular audits, and a DRP/BCP with regular testing.
References

Alvarez, E. (2014, December 10). Sony Pictures hack: the whole story. Retrieved from http://www.engadget.com/2014/12/10/sony-pictures-hack-the-whole-story/

Exabeam. (2015). Exabeam Solution Overview. Retrieved from http://www.exabeam.com/wp-content/uploads/Exabeam_SolutionOverview_v0115.pdf

FireEye. (2014). FireEye Network Threat Prevention Platform. Retrieved from https://www.fireeye.com/content/dam/fireeye-www/global/en/products/pdfs/fireeye-network-threat-prevention-platform.pdf

Krebs on Security. (2014, December 2). Sony Breach May Have Exposed Employee Healthcare, Salary Data. Retrieved from krebsonsecurity.com/2014/12/sony-breach-may-have-exposed-employee-healthcare-salary-data/

Quora. (2014, December 23). What Do Security Professionals Think Sony Should Have Done Differently Between the 2011 Playstation Hack and the 2014 Sony Pictures Hack to Protect Themselves? Retrieved from http://www.quora.com/What-do-security-professionals-think-Sony-should-have-done-differently-between-the-2011-Playstation-Hack-and-the-2014-Sony-Pictures-Hack-to-protect-themselves

Solutionary. (2015). Managed Security Services | Solutionary. Retrieved from http://www.solutionary.com/services/managed-security-services/

Splunk. (2015). Log management solutions: tap log data to see what's happening in your business | Splunk. Retrieved from http://www.splunk.com/en_us/solutions/solution-areas/log-management.html

Statista. (2015, January). Sony business segments sales share 2014 | Statistic. Retrieved from http://www.statista.com/statistics/279272/proportion-of-sonys-sales-by-business/

Tribbey, C. (2014, December 22). Experts: Lessons to be learned from Sony Cyber Attack (CDSA): Content Delivery and Security Association. Retrieved from http://www.cdsaonline.org/latest-news/experts-lessons-to-be-learned-from-sony-cyber-attack-cdsa/

USB Block. (2015). USB Block - Data Leak Prevention Software - Free Download. Retrieved from http://www.newsoftwares.net/usb-block/

Verizon. (2015, January). 2014 Verizon Data Breach Investigations Report (DBIR) | Verizon Enterprise Solutions. Retrieved from http://www.verizonenterprise.com/DBIR/2014/

Zetter, K. (2014, December 3). Sony Got Hacked Hard: What We Know and Don't Know So Far | WIRED. Retrieved from http://www.wired.com/2014/12/sony-hack-what-we-know/