Data Security Breach: The Sony & Staples Story

© International Institute for Learning, Inc., All rights reserved. 1
Intelligence, Integrity and Innovation
© International Institute for Learning, Inc., All rights reserved.
Thank you for joining us today.
This webinar is brought to you by IIL – a global leader in:
Project, Program and Portfolio Management
Microsoft® Project and Project Server
Lean Six Sigma | Business Analysis
Agile | PRINCE2® | ITIL®
Leadership and Interpersonal Skills
Data Security Breach
The Sony & Staples Story

Global IIL Companies
IIL US
IIL Asia (Singapore)
IIL Australia
IIL Brasil
IIL Canada
IIL China
IIL Europe (United Kingdom)
IIL Finland
IIL France
IIL Germany
IIL Hong Kong
IIL Hungary
IIL India
IIL Japan
IIL Korea (Seoul)
IIL México
IIL Middle East (Dubai)
IIL Spain

In today’s world, companies generate and consume massive
amounts of data, as a day-to-day prerequisite of doing business.
This accumulated data becomes the most strategic asset of the
organization and more often than not gives a competitive
advantage in the market.
This critical nature of data makes it the new corporate target!
Data

Data security involves protecting data from the unwanted
actions of unauthorized users.
BUT
Data security must not come at the cost of not being available
when necessary.
Data Security

A security breach is any incident that results in unauthorized
access of data, applications, services, networks, and/or devices
by perpetrators bypassing underlying security mechanisms.
Security Breach

Data Breaches – Causes

“Well-meaning” insiders: who have no intention to breach but
inadvertently do so because they fail to follow security policies.
‒ Lost devices
‒ Exposed data – no measures in place
‒ Poor business processes
Targeted Attacks: Coordinated effort involving humans or
automated software to cyber attack another individual, entity or
organization.
‒ System vulnerabilities
‒ Malware
‒ Stolen credentials
Data Breaches Occur Through:

Malicious insiders: who intentionally breach security policies.
Terminated employees
Company data stored on home computers for career
progression
Industrial espionage
Data Breaches Occur Through:

Incursion: Hackers break into the company's network by
exploiting system vulnerabilities.
Discovery: The hacker maps out the organization's systems and
automatically scans for confidential data.
Capture: Exposed data on unprotected systems is immediately
accessed. Components called root kits are surreptitiously
installed on targeted systems and networks.
Exfiltration: Confidential data is sent back to the hacker team.
The Anatomy of a Data Breach

The Anatomy of a Data Breach

Damaged Intellectual Property: Blueprints, technical
specifications, designs, launch plans
Revenue Lost: Downtime
Theft: Bank information, transfer codes
Vandalism: False or discrediting information
Ruined reputation
Consequences of a Security Breach

Confidentiality, integrity, and availability, also known as the CIA
triad, is a model designed to guide policies for information security
within an organization.
Balances the competing requirements of confidentiality, integrity,
and integrity with equal emphasis on each.
Information Security Basics:
The CIA Triad

Confidentiality is required to prevent sensitive information from
reaching the wrong people.
Simple ways of ensuring confidentiality: data encryption, user
IDs and passwords or, for highly sensitive information, in hard-
copy form only.
More advanced techniques: storage on air-gapped computers,
disconnected storage devices.
Confidentiality

Integrity involves maintaining the consistency, accuracy, and
trustworthiness of data over its entire life cycle.
Data must not be changed in transit, and steps must be taken to
ensure that data cannot be altered by unauthorized people.
Techniques include the use of checksums and hashing.
Integrity

Data is meant to be used, when needed, by those authorized to
use it.
Techniques implemented to implement confidentiality and
integrity must not compromise on the availability of information.
Availability of data can be improved through implementing
redundancy, failover, RAID.
Availability

Part 1: The Sony Story

It was a release of confidential data belonging to Sony Pictures
Entertainment on November 24, 2014.
100 terabytes of data was stolen containing:
Personal information about Sony Pictures’ employees and
their families
E-mails between employees
Information about executive salaries at the company
Copies of unreleased Sony films
Sony Pictures Entertainment Hack – 2014

It is alleged that the attack was orchestrated by a group calling
themselves the “Guardians of Peace” or GOP.
There are alternate theories proposing that the Government of
North Korea and even former Sony employees were behind the
attack.
By whom?

A malware called Wiper has been identified as the agent used in
the attack and was responsible for destroying data on the
target's hard disk (or similar storage) on systems running
Microsoft® Windows.
The malware comes wrapped in an executable “dropper” that
installs it and supporting files. In this case, the “dropper” installs
itself as a Windows service when executed.
How was the Breach Orchestrated?

The malware service appears to create a network file share –
which points to the location of Windows system files in the PC’s
file directory structure (usually WINDOWS).
It then gives unrestricted access to that share, allowing any
other computer on the local network to access it.
Mechanics of the Attack

The dropper then communicates with a set of IP addresses in
Japan, possibly connected to Sony's corporate network. Then it
shuts itself down.
At some point – either based on a hard-coded time within the
malware package or after some other communication with the
attackers – the nasty part of the malware package gets
launched.
Mechanics of the Attack – II

Wiper then communicates with 3 IP addresses (one each in Italy,
Poland, and Thailand) to transfer the contents of the computer.
The malware starts accessing the hard drive and deleting its
contents sector by sector.
Once it’s complete, it suspends Windows for two hours, then
reboots the computer when it wakes.
At this point, the drive is completely wiped out – even making
physical changes to the hard drive.
Coup de Grâce

An e-mail released in the hack showed that Angelina Jolie
wanted David Fincher to direct her film Cleopatra.
In another e-mail, Scott Rudin referred to Jolie as "a minimally
talented spoiled brat“.
Several future Sony Pictures films, including Annie, Mr. Turner,
Still Alice, and To Write Love on Her Arms, were also leaked.
The Saucier Bits in the Stolen Data

Industry estimates that the data breach will cost Sony about
Y100 billion, or $1.25 billion from:
Lost business,
Various compensation costs and
New investments
Consequences for Sony

Maybe not! But the consequences could have been lesser if:
Sensitive IPR data was segregated
Back-up networks were disconnected from the primary network
so that back-ups are not affected.
The malware was identified early by having up-to-date patches.
The infected machine(s) were isolated immediately after
detection.
Sony had learned from the Sony 2011 PlayStation incident and
educated its users on what to look out for.
Could It Have Been Prevented?

Part 2: The Staples Story

Cardholder names, card numbers, expiration dates, and card
verification codes of 1.16 million customer credit and debit cards
used at 119 Staples locations in 35 American states.
This data was stolen over a period of up to six months.
Staples Data Breach 2014

It is alleged that a cybercrime gang using malware known as
Anunak was behind the Staples breach.
This same gang is believed to behind breaches at Sheplers (a
cowboy apparel chain) and Bebe (a women's clothing retailer),
as well as attacks on the Russian banking sector.
By whom?

Speculation is that the malware was cascaded using one of these
two methods:
Method 1:
Using rented computers called “BotNets”, Anunak members
sent phishing e-mails to the company’s employees.
The e-mails may have appeared to be from the Central Bank
of the Russian Federation, but actually contained malware
designed to infect the employees' computers.
Method 2:
A company-wide update might have pushed this malware to
all PoS terminals
How was the Breach Orchestrated?

The malware then infects the Point of Sale (PoS) terminals to
capture the information from cards swiped on these terminals.
Once the stolen card information was located the PoS’ memory,
after a card swipe, it is transmitted to a programmed IP where
the stolen data reaches the attackers.
Mechanics of the Attack – II

The attack cost Target $148 million, and cost financial
institutions $200 million.
Profits fell 46 percent in the fourth quarter of 2013.
Resignation of Beth M. Jacob, the company’s most senior
technology officer in February, and Gregg Steinhafel, CEO and
chairman of the board, in May.
Consequences for Staples

This attack may have been prevented if:
Secure readers for card data capture were used
Encrypting of data, upstream of the POS, all the way to the
payment processing host, beyond the retail store network was
done
No live data was stored on the PoS memory
Exclusive use of chip and pin cards
Prevention Methods

Data security breaches have the power to cripple a corporation
and often result in large losses, both monetary and non-
monetary.
Techniques for preventing breaches:
Stop targeted attacks through a combination of policies, patches,
encryption, and isolation.
Keep aligned with the global security intelligence.
Actively identify the most sensitive information.
Automate IT controls to prevent human errors and internal theft.
Prevent data exfiltration once stolen [Isolation and Disconnection]
Closing Notes

 White Paper, “Why breaches happen and what to do about it?”
 2014 Sony Pictures Entertainment hack,
http://en.wikipedia.org/wiki/Sony_Pictures_Entertainment_hack
 Wiper Malware – A detection deep dive
http://blogs.cisco.com/security/talos/wiper-malware
 Inside the “wiper” malware that brought Sony Pictures to its knees
http://arstechnica.com/security/2014/12/inside-the-wiper-malware-
that-brought-sony-pictures-to-its-knees/
 Wiper (malware) http://en.wikipedia.org/wiki/Wiper_%28malware%29
 Target Hit by Credit-Card Breach
http://www.wsj.com/articles/SB100014240527023047731045792667432
30242538
References:

We invite you to get a closer look at what IIL can do for you
and your organization, by visiting www.iil.com or email
learning@iil.com and let us know how we can meet your
learning needs.
Please connect with IIL Socially:
Like us on: facebook.com/IIL.inc
Follow us: twitter.com/IILGLOBAL
Join our Discussions on LinkedIn
At IIL, Our Greatest Accomplishments are Yours

Data Security Breach: The Sony & Staples Story

More Related Content

What's hot

Viewers also liked

Similar to Data Security Breach: The Sony & Staples Story

More from International Institute for Learning

Recently uploaded

Data Security Breach: The Sony & Staples Story