Abstract image of a woman sitting on books and studying on a laptop

SEC 573 Project 1 2.22.15

Download as DOCX, PDF
H
haney888

The document summarizes the 2014 cyberattack on Sony Pictures that resulted in the theft of large amounts of sensitive data. It provides an overview of Sony as a company, describes how the attack occurred and what data was stolen, and analyzes the impact on data confidentiality, integrity and availability. It then lists and explains various security measures and tools that Sony could implement to prevent similar attacks in the future, such as encrypting passwords, limiting user privileges, implementing multi-factor authentication, and using security monitoring and analytics tools to detect anomalies. The document concludes that Sony needs to adopt best practices for security policies, procedures, user training, access controls and incident response to mitigate threats going forward.

1 of 15
Downloaded 12 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
1 Timothy S. Haney SEC 573: E-Business Security Research Project 1 Sony Breach Professor Ed Sadeghi Week 3 2/22/15
2 Table of Contents Company Overview…………………………………..……………………………………………………………………………….3 Analysis……………………………………………………………………….…………………………………………………….………3 Hacker Warning Picture…………………………………………….…………………………………………………………..….4 Phishing Diagram………………………………………………………….…………………………………………………….…….5 Solutions……………………………………………………………………………………………………………………………………8 Kill Chain Model Diagram…………………………………………………………………………………………………………13 Conclusion……………………………………………………………………………………………………………………………….13 References……………………………………………………………………………………………….…………………………..…15
3 Company Overview Sony Corporation of America is based in New York, and is a subsidiary of Japan’s Sony Corporation. Sony’s principle businesses include Sony Music Entertainment Inc., Sony/ATV Music Publishing, Sony Pictures Entertainment Inc., Sony Electronics Inc., and Sony Computer Entertainment Inc. Sony announced total revenue of $75.5 billion in 2014, the highest the figure has been since 2008 (Statista, 2015). Sony specializes in producing movies, music, game consoles, and personal electronics, among other product and services. Analysis On November 22, 2014, a group calling itself #GOP (the Guardians of Peace), displayed a screen shot on every company PC showing a red skull with warnings and threats of extortion. Sony’s Twitter accounts were also seized by the hackers, who posted an image of Sony CEO Michael Lynton in hell (Zetter, 2014). It was at this moment when many servers and PCs started crashing. The network was unusable and had to be shut down. The hackers were believed to be from North Korea, and had supposedly infiltrated Sony’s systemfor approximately a few months to a year before anyone was aware. The attackers appeared to be skilled and very knowledgeable about Sony’s system. In the months prior to the warnings posted on the PCs, the hackers leaked large amounts of highly sensitive information online in the form of unreleased movies and film scripts, network usernames and passwords, network architecture information, employee health care data, salary data, social security numbers, and email communications (Alvarez, 2014; Krebs on Security, 2014). Approximately 100 terabytes of data were stolen from Sony’s systems (Zetter, 2014).
4 Fig. 1: Screenshot of the “red skull”warningthatappeared on Sony’s computers on the day the GOP hacker group made themselves known (Zetter, 2014). It is still unclear exactly how this breach occurred. Many hacks of this type start with a phishing attack, which involves sending emails to employees to get them to click on malicious attachments or links to websites where malware is actively downloaded to their machines (Zetter, 2014). The other, more likely scenario involves the hackers obtaining the user credentials from a disgruntled employee in exchange for money or revenge. Once the attackers possessed the administrator credentials, they were able to map the network and gain access to other protected systems. This access enabled them to look at the network architecture for servers and databases around the world, and obtain all of the usernames and passwords for this equipment. Within the information they obtained was a list of routers, switches, and load balancers with usernames and passwords to administer them. Sony had to completely shut down its network once it detected the attack in order to re-structure and secure the network.
5 Fig. 2: Graphic describingtheprocess of a malwarephishingattack commonly used to enable hackers to obtain usernames and passwords fromusers. This event was extremely damaging to Sony’s reputation. It was very embarrassing to have all of this sensitive data leaked online. More importantly for Sony’s bottom line, however, was that the stolen data also included the script for an unreleased TV show pilot by Vince Gilligan, the creator of Breaking Bad, as well as full copies of several Sony films, most of which had not been released in theaters yet (Zetter, 2014). An FBI warning was released the week of the Sony hack alerting companies and organizations about destructive malware designed to destroy data. The alert warned users about malware capable of wiping data from systems in such an effective way as to make the data unrecoverable (Zetter, 2014). The memo warned about how the malware has the capability to overwrite a victim host’s master boot record (MBR) and all data files. The
6 overwriting of data files makes it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods (Zetter, 2014). Once analyzed, the malware was shown to contain a hard-coded list that named 50 internal Sony computer systems based in the U.S. and U.K. that the malware was attacking, as well as the log-in credentials it used to access them. To do the wiping, the attackers used a driver from a commercially-available product designed to be used by system administrators for legitimate maintenance of systems. The product is called RawDisk and is made by Eldos. The driver is a kernel-mode driver used to securely delete data from hard drives or for forensic purposes to access memory (Zetter, 2014). Some of the malware files examined appear to have been compiled on a machine that was using Korean language. This refers to the encoding language on a computer, which is the language spoken by the user. The FBI has claimed it hacked North Korea a year ago, and has evidence from the malware which it released on the North Korean network indicating the IP addresses of the known Korean hackers are the same as the IP addresses used in the attack against Sony. The hack also coincided with the releasing of the movie The Interview, about an assassination attempt by the U.S. on Kim Jong Un, leader of North Korea. The potential damages to Sony for the stolen data are loss of reputation, a drop in stock price, and a decrease in consumer confidence. People will be less likely to shop at Sony for fear of having their credit card information leaked online on the Internet for everyone to see. Sony will lose out a lot of potential revenue for the movies and scripts which were leaked online.
7 Potential employees may not want to work at Sony for fear of their private information being hacked. This hack had a noted effect on data confidentiality, integrity, and availability. Data confidentiality is affected when unauthorized individuals or groups have access to sensitive information. In the case of the Sony breach, when the private company’s information, movies, medical history, and other sensitive data was leaked online, this affected data confidentiality. Sony’s data integrity was affected when the malware deleted the files from the servers and databases. Data integrity is affected when data is altered or changed. When the hackers shut down the systemby deleting the MBR on servers and databases making the network unusable, Sony had to shut down and re-architect the network, thus affecting data availability. Data availability is affected when the data is not available to use. For risk assessment of assets, risk equals vulnerability multiplied by threat. We assess assets for vulnerabilities and remove them to decrease risk. We still have to take into account the potential threats. A threat is an object, agent, or event that could cause damage to the organization’s assets. Threats typically cannot be eliminated altogether. Acts of nature, for instance, are beyond our control; so, too, are most threats. We can prosecute a hacker, but we cannot eliminate the threat that hackers pose. According to Verizon’s Data Breach Investigation Report (DBIR), 92% of the attacks in the last ten years have been either cyber- espionage, DoS attacks, crimeware, web application attacks, insider misuse, miscellaneous errors, physical theft & loss, payment card skimmers, or point-of-sale intrusions (Verizon, 2015).
8 According to the Verizon DBIR, the most likely attacks are web application attacks and cyber-espionage (Verizon, 2015). The threat for the Sony breach was probably a combination of cyber-espionage and insider misuse. It is likely an insider gave administrator credentials to the hackers. Once inside the network, the hackers took advantage of the unencrypted passwords for all of the servers, databases, routers, and switches around the world, which were easily accessible in one data folder. The fact that all these important passwords were unencrypted is an indicator of compromise (IOC). The threat (in this situation, the group of hackers) could use this information to cause a lot of damage. Another IOC could be if one of the hackers left a USB drive in the parking lot of Sony and one of the Sony employees plugged it into the system, giving the attackers access to the network. To mitigate these threats, Lockheed Martin’s Computer Incident Response Teamhas created an intelligence-driven defense process, Cyber Kill Chain, which allows information security professionals to proactively remediate and mitigate advanced threats in the future. By using this tool, Sony could anticipate what the threats will do and put controls into place to minimize the threat. Solutions There are potentially many controls Sony could put into place to mitigate potential threats. One control to put into place could be to stop a disgruntled employee with escalated privileges from attacking or allowing the network to be attacked by outside intruders. A common challenge organizations are faced with is balancing end user productivity with security. Sony leaned too far towards a user friendly system, allowing the attackers to move freely throughout the organization once compromised. It is typical that companies which permit users to run as administrators are more susceptible to a breach. If this was the entry point,
9 removing end user admin permission would be a key change (Tribbey, 2014). The users would have only need-to-know access—for example, the ability of systems admins to perform application and database privileges would be restricted (Quora, 2014). The passwords that the hackers found were in clear-text documents. A very obvious control to put into place would be encryption of all passwords on the shared network and desktops. Attackers would have a much tougher time obtaining passwords if they were encrypted. A policy stating that no passwords can be stored in clear-text should be implemented and must be enforced. Another control to put into place would be user awareness training detailing best practices for security. It would also explain how to avoid common phishing scams. A strong spam blocker could be implemented from Microsoft. The product will send malicious emails with attachments to the spam folder to be flagged and checked. Sony could hire a new CISO (chief information security officer) to rewrite Sony’s security policies and procedures to coincide with best practices and standards. This officer would attempt to go above and beyond minimum requirements to gain back the confidence in their company which was lost due to the breach. The CISO would be responsible for configuring all tools properly. Companies have many information security tools, but they do no good unless configured properly. The CISO must also put the processes in place to monitor and use the tools correctly. Tools are useless without processes. The CISO should implement a plan for regular audits and an incident response plan (DRP/BCP), which should be tested regularly.
10 Sony did not manage the personally identifiable information well. This information could be segmented and isolated from the rest of the network, along with encryption. It should go on the high risk asset list to be watched over more carefully than less important data. A new policy could be put into place to not allow USB ports to upload/download information. The product USB Block will prevent theft and data leakage of important files, documents and source codes from devices like USB Drives, CD/DVD, and network computers. Sony can white-list their own USB drives and devices. Whenever an unauthorized device is detected, a password prompt comes up (USB Block, 2015). Sony’s attackers indicated on screenshots that their doors were no longer locked. Sony could hire security guards to increase physical security to check for intruders piggybacking an employee at the entrance. A badge should be required to enter the garage, garage elevator, the building, and to use the elevator in the building. High-resolution cameras should be installed everywhere to view license plates and faces. Sony could invest in some tools to detect the intruders while they are still in the beginning enumeration phase of hacking. The FireEye network security malware tool recognizes the behavior of viruses while in transit. This tool blocks zero-day web exploits due to the behavioral anomaly technology. It also blocks multi-protocol callbacks to help scale their advanced defenses across a range of deployments. When the viruses call back to the sender (attacker) the software tracks the destination of the callback to find a location. This product is designed to detect malware on a system. This tool would prevent future attacks using malware to steal sensitive company data (FireEye, 2014).
11 Another useful product Sony could implement is the log management device Splunk. Splunk provides the industry-leading software to consolidate and index any log and machine data, including structured, unstructured, and complex multi-line application logs. You can collect, store, index, search, correlate, visualize, analyze, and report on any machine-generated data to identify and resolve operational and security issues in a faster, repeatable, and more affordable way. It is an enterprise—ready, fully integrated solution for log management data collection, storage and visualization (Splunk, 2015). This tool would help accumulate the data needed to find an intruder. The event data goes from Splunk to sys log server to be stored. The tool Exabeam could be used for behavioral analysis. Exabeam adds security intelligence on top of existing SIEM (security information and event management) and log management data repositories to understand a complete picture of the user session, allowing the technology to detect and assemble the full attack chain. The Exabeam User Intelligence solution uses a powerful combination of session assembly and Stateful User Tracking, behavior analysis and risk scoring to automatically determine the likelihood of an attack and prioritize responses. The product specializes in behavior analysis, but performs many functions, such as enhance current SIEM investments, detect threats in real time, and customize deployment. The behavior analysis learns user and peer group behavior and characteristics across multiple dimensions. Dimensions can be time, day of the week, location, or object access, and each dimension is compared against the normal baseline. Then anomalies are identified (Exabeam, 2015). This tool will notify the security team that something is not right within a certain user’s behavior because it would not be consistent with the observed pattern of normal user behavior.
12 The managed security services of Solutionary could really help out Sony’s security team. Solutionary delivers flexible managed security services that work the way the clients want; enhancing their existing security program, infrastructure, and personnel while relieving the information security and compliance burden. Solutionary combines deep security expertise and proven operational processes with the patented, cloud-based ActiveGuard security and compliance platform to improve security and address compliance with regulations such as PCI DSS (payment card industry data security standard), HIPAA (health insurance portability and accountability act), GLBA (Gramm–Leach–Bliley act), Sarbanes-Oxley, and more (Solutionary, 2015). Sony likely has millions of events generated each day for their security team to look over. Solutionary has trained engineers ready to take over that monitoring position. Companies like Target could have used Solutionary to catch the high risk events. Sony could use this service to notice the attackers once the notification is generated by Splunk. The kill chain model has seven phases, which are reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. The steps involve gathering information, creating a malicious program to infiltrate, delivery of the program, installing the program on the network, taking command of the network, achieving the goal with keyboard power over the network. These threats are much tougher now than 15 years ago. The threats now are considered APT (advanced persistent threat). The APT will get on the network and stay as long as possible until detected. Companies with weak information security infrastructures are easy prey for these advanced attackers.
13 Conclusion There are many policies, procedures, products, and services that will effectively mitigate the risk of the e-commerce threat. There were many IOCs (indicators of compromise) revealed
14 at the Sony breach which should indicate to Sony that they must implement controls to mitigate the threat. Sony should use these IOCs to create a kill chain framework. The kill chain framework will focus on the threat instead of the assets. The threat would exploit the weaknesses I have described earlier to infiltrate the network. Controls will be put into place to mitigate the threat. The changes should start with a new CISO, enforcing industry policies and procedures for best practices. The FireEye, Splunk, and Exabeamtools, if implemented with proper processes, will effectively mitigate a similar intruder in the future by noticing behavior anomalies and flagged events. The services of Soutionary could facilitate that idea to be handled properly. The users should not have too many privileges in case of a disgruntled employee, passwords should not be stored in clear-text (policy of encrypting passwords should be implemented), and USBs should not be used to upload or download information from the network. The CISO should implement user awareness training for better email security, stricter physical security, regular audits, and DRP/BCP with regular testing.
15 References Alvarez, E. (2014, December 10). Sony Pictures hack: the whole story. Retrieved from http://www.engadget.com/2014/12/10/sony-pictures-hack-the-whole-story/ Exabeam. (2015). Exabeam Solution Overview. Retrieved from http://www.exabeam.com/wp- content/uploads/Exabeam_SolutionOverview_v0115.pdf FireEye. (2014). FireEye Network Threat Prevention Platform. Retrieved from https://www.fireeye.com/content/dam/fireeye-www/global/en/products/pdfs/fireeye- network-threat-prevention-platform.pdf Krebs on Security. (2014, December 2). Sony Breach May Have Exposed Employee Healthcare, Salary Data. Retrieved from krebsonsecurity.com/2014/12/sony-breach-may-have-exposed- employee-healthcare-salary-data/ Quora. (2014, December 23). What Do Security Professionals Think Sony Should Have Done Differently Between the 2011 Playstation Hack and the 2014 Sony Pictures Hack to Protect Themselves? Retrieved from http://www.quora.com/What-do-security-professionals-think- Sony-should-have-done-differently-between-the-2011-Playstation-Hack-and-the-2014-Sony- Pictures-Hack-to-protect-themselves Solutionary. (2015). Managed Security Services | Solutionary. Retrieved from http://www.solutionary.com/services/managed-security-services/ Splunk. (2015). Log management solutions: tap log data to see what's happening in your business | Splunk. Retrieved from http://www.splunk.com/en_us/solutions/solution-areas/log- management.html Statista. (2015, January). Sony business segments sales share 2014 | Statistic. Retrieved from http://www.statista.com/statistics/279272/proportion-of-sonys-sales-by-business/Zetter, K. (2014, December 3). Tribbey, C. (2014, December 22). Experts: Lessons to be learned from Sony Cyber Attack (CDSA): Content Delivery and Security Association. Retrieved from http://www.cdsaonline.org/latest-news/experts-lessons-to-be-learned-from-sony-cyber-attack- cdsa/ USB Block. (2015). USB Block - Data Leak Prevention Software - Free Download. Retrieved from http://www.newsoftwares.net/usb-block/ Verizon. (2015, January). 2014 Verizon Data Breach Investigations Report (DBIR) | Verizon Enterprise Solutions. Retrieved from http://www.verizonenterprise.com/DBIR/2014/ Zetter (December, 2014) Sony Got Hacked Hard: What We Know and Don't Know So Far | WIRED. Retrieved from http://www.wired.com/2014/12/sony-hack-what-we-know/

More Related Content

DOCX
Insider Attacks: Theft of Intellectual and Proprietary Data
Lindsey Landolfi
 
PPTX
Attack on Sony
Nick Bilogorskiy
 
PPTX
Lecture about network and host security to NII students
Akiumi Hasegawa
 
PDF
Puna 2015
Salaj Goyal
 
PDF
A Guide to Internet Security For Businesses- Business.com
Business.com
 
PDF
Unit ii-hackers and cyber crimes
Sweta Kumari Barnwal
 
PDF
Hackers and cyber crimes
Sweta Kumari Barnwal
 
PPTX
Information-Security-Lecture-7.pptx
anbersattar
 
Insider Attacks: Theft of Intellectual and Proprietary Data
Lindsey Landolfi
 
Attack on Sony
Nick Bilogorskiy
 
Lecture about network and host security to NII students
Akiumi Hasegawa
 
Puna 2015
Salaj Goyal
 
A Guide to Internet Security For Businesses- Business.com
Business.com
 
Unit ii-hackers and cyber crimes
Sweta Kumari Barnwal
 
Hackers and cyber crimes
Sweta Kumari Barnwal
 
Information-Security-Lecture-7.pptx
anbersattar
 

What's hot (20)

PPTX
Security weekly september 28 october 4, 2021
Roen Branham
 
PDF
Combating Phishing Attacks
Rapid7
 
PDF
The good, the bad and the ugly of the target data breach
Ulf Mattsson
 
PDF
The Basics of Protecting Against Computer Hacking
- Mark - Fullbright
 
PDF
News Bytes - December 2012
n|u - The Open Security Community
 
PDF
eForensics_17_2013_KMOKER
Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
DOC
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
PDF
What is Penetration Testing?
Rapid7
 
PPTX
CyberCrime attacks on Small Businesses
Jose L. Quiñones-Borrero
 
PPTX
Data breach at sony
BlueBit Technologies
 
PDF
VulnerabilityRewardsProgram
Taha Kachwala
 
PDF
Mobile security hakin9_Revista
the_ro0t
 
DOC
NCSO
Avraham Lerner
 
PDF
Verizon 2014 data breach investigation report and the target breach
Ulf Mattsson
 
PDF
A Joint Study by National University of Singapore and IDC
Microsoft Asia
 
PDF
Invesitigation of Malware and Forensic Tools on Internet
IJECEIAES
 
PPTX
Grift horse money stealing trojan takes 10m android users for a ride
Roen Branham
 
PPTX
Cybercrime
Yash Kothari
 
PDF
How To Protect Your Website From Bot Attacks
London School of Cyber Security
 
PDF
Top Solutions and Tools to Prevent Devastating Malware White Paper
NetIQ
 
Security weekly september 28 october 4, 2021
Roen Branham
 
Combating Phishing Attacks
Rapid7
 
The good, the bad and the ugly of the target data breach
Ulf Mattsson
 
The Basics of Protecting Against Computer Hacking
- Mark - Fullbright
 
News Bytes - December 2012
n|u - The Open Security Community
 
eForensics_17_2013_KMOKER
Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
What is Penetration Testing?
Rapid7
 
CyberCrime attacks on Small Businesses
Jose L. Quiñones-Borrero
 
Data breach at sony
BlueBit Technologies
 
VulnerabilityRewardsProgram
Taha Kachwala
 
Mobile security hakin9_Revista
the_ro0t
 
NCSO
Avraham Lerner
 
Verizon 2014 data breach investigation report and the target breach
Ulf Mattsson
 
A Joint Study by National University of Singapore and IDC
Microsoft Asia
 
Invesitigation of Malware and Forensic Tools on Internet
IJECEIAES
 
Grift horse money stealing trojan takes 10m android users for a ride
Roen Branham
 
Cybercrime
Yash Kothari
 
How To Protect Your Website From Bot Attacks
London School of Cyber Security
 
Top Solutions and Tools to Prevent Devastating Malware White Paper
NetIQ
 
Ad

Similar to SEC 573 Project 1 2.22.15 (20)

PDF
On April 19, 2011, system administrators at Sonys On April 22, Sony .pdf
amcointernationaljam
 
DOCX
(Sony) Risk assignment final high profile security breach of Sony’s Playstat...
James Dellinger
 
PDF
Case Study 2 On November 24 2014 Sony Pictures Entertainme.pdf
accuraprintengineers
 
PPSX
APT & Data Breach - Lesson Learned
Ade Ismail Isnan
 
PPTX
Data Security Breach: The Sony & Staples Story
International Institute for Learning
 
PDF
On November 24 2014 Sony Pictures Entertainment found out .pdf
aabdin101
 
PPTX
Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...
Alisha Deboer
 
PDF
Cybersecurity and The Board
Paul Melson
 
DOCX
Target Data Breach Case Study 10242014
Joseph White MPA CPM
 
PPTX
Risk presentation Sony 2012 The PlayStation Network Security Breach
James Dellinger
 
PDF
Worst security data breaches till 2015 - SecPod
SecPod Technologies
 
PDF
Network Security Introduction Lecture #1
Benawa Institute of Higher Education
 
PPTX
220715_Cybersecurity: What's at stake?
Spire Research and Consulting
 
PDF
INFORMATION ASSURANCE AND SECURITY 1.pdf
EarlvonDeiparine1
 
PDF
The BIG ONE 2.0 - HouSecCon
Michael Gough
 
PDF
Lessons Learned from the Top Four Cyber Security Breaches & How Your Company ...
BizLibrary
 
PDF
Critical Update Needed: Cybersecurity Expertise in the Boardroom
Stanford GSB Corporate Governance Research Initiative
 
PDF
Sony Hacking Presentation
Lauren Greenberg
 
PDF
Attack on Sony
Kirti Ahirrao
 
PPTX
Wax Switch
Prof John Walker FRSA Purveyor Dark Intelligence
 
On April 19, 2011, system administrators at Sonys On April 22, Sony .pdf
amcointernationaljam
 
(Sony) Risk assignment final high profile security breach of Sony’s Playstat...
James Dellinger
 
Case Study 2 On November 24 2014 Sony Pictures Entertainme.pdf
accuraprintengineers
 
APT & Data Breach - Lesson Learned
Ade Ismail Isnan
 
Data Security Breach: The Sony & Staples Story
International Institute for Learning
 
On November 24 2014 Sony Pictures Entertainment found out .pdf
aabdin101
 
Dave Mahon - CenturyLink & Cyber Security - How Modern Cyber Attacks Are Disr...
Alisha Deboer
 
Cybersecurity and The Board
Paul Melson
 
Target Data Breach Case Study 10242014
Joseph White MPA CPM
 
Risk presentation Sony 2012 The PlayStation Network Security Breach
James Dellinger
 
Worst security data breaches till 2015 - SecPod
SecPod Technologies
 
Network Security Introduction Lecture #1
Benawa Institute of Higher Education
 
220715_Cybersecurity: What's at stake?
Spire Research and Consulting
 
INFORMATION ASSURANCE AND SECURITY 1.pdf
EarlvonDeiparine1
 
The BIG ONE 2.0 - HouSecCon
Michael Gough
 
Lessons Learned from the Top Four Cyber Security Breaches & How Your Company ...
BizLibrary
 
Critical Update Needed: Cybersecurity Expertise in the Boardroom
Stanford GSB Corporate Governance Research Initiative
 
Sony Hacking Presentation
Lauren Greenberg
 
Attack on Sony
Kirti Ahirrao
 
Wax Switch
Prof John Walker FRSA Purveyor Dark Intelligence
 
Ad

SEC 573 Project 1 2.22.15

  • 1. 1 Timothy S. Haney SEC 573: E-Business Security Research Project 1 Sony Breach Professor Ed Sadeghi Week 3 2/22/15
  • 2. 2 Table of Contents Company Overview…………………………………..……………………………………………………………………………….3 Analysis……………………………………………………………………….…………………………………………………….………3 Hacker Warning Picture…………………………………………….…………………………………………………………..….4 Phishing Diagram………………………………………………………….…………………………………………………….…….5 Solutions……………………………………………………………………………………………………………………………………8 Kill Chain Model Diagram…………………………………………………………………………………………………………13 Conclusion……………………………………………………………………………………………………………………………….13 References……………………………………………………………………………………………….…………………………..…15
  • 3. 3 Company Overview Sony Corporation of America is based in New York, and is a subsidiary of Japan’s Sony Corporation. Sony’s principle businesses include Sony Music Entertainment Inc., Sony/ATV Music Publishing, Sony Pictures Entertainment Inc., Sony Electronics Inc., and Sony Computer Entertainment Inc. Sony announced total revenue of $75.5 billion in 2014, the highest the figure has been since 2008 (Statista, 2015). Sony specializes in producing movies, music, game consoles, and personal electronics, among other product and services. Analysis On November 22, 2014, a group calling itself #GOP (the Guardians of Peace), displayed a screen shot on every company PC showing a red skull with warnings and threats of extortion. Sony’s Twitter accounts were also seized by the hackers, who posted an image of Sony CEO Michael Lynton in hell (Zetter, 2014). It was at this moment when many servers and PCs started crashing. The network was unusable and had to be shut down. The hackers were believed to be from North Korea, and had supposedly infiltrated Sony’s systemfor approximately a few months to a year before anyone was aware. The attackers appeared to be skilled and very knowledgeable about Sony’s system. In the months prior to the warnings posted on the PCs, the hackers leaked large amounts of highly sensitive information online in the form of unreleased movies and film scripts, network usernames and passwords, network architecture information, employee health care data, salary data, social security numbers, and email communications (Alvarez, 2014; Krebs on Security, 2014). Approximately 100 terabytes of data were stolen from Sony’s systems (Zetter, 2014).
  • 4. 4 Fig. 1: Screenshot of the “red skull”warningthatappeared on Sony’s computers on the day the GOP hacker group made themselves known (Zetter, 2014). It is still unclear exactly how this breach occurred. Many hacks of this type start with a phishing attack, which involves sending emails to employees to get them to click on malicious attachments or links to websites where malware is actively downloaded to their machines (Zetter, 2014). The other, more likely scenario involves the hackers obtaining the user credentials from a disgruntled employee in exchange for money or revenge. Once the attackers possessed the administrator credentials, they were able to map the network and gain access to other protected systems. This access enabled them to look at the network architecture for servers and databases around the world, and obtain all of the usernames and passwords for this equipment. Within the information they obtained was a list of routers, switches, and load balancers with usernames and passwords to administer them. Sony had to completely shut down its network once it detected the attack in order to re-structure and secure the network.
  • 5. 5 Fig. 2: Graphic describingtheprocess of a malwarephishingattack commonly used to enable hackers to obtain usernames and passwords fromusers. This event was extremely damaging to Sony’s reputation. It was very embarrassing to have all of this sensitive data leaked online. More importantly for Sony’s bottom line, however, was that the stolen data also included the script for an unreleased TV show pilot by Vince Gilligan, the creator of Breaking Bad, as well as full copies of several Sony films, most of which had not been released in theaters yet (Zetter, 2014). An FBI warning was released the week of the Sony hack alerting companies and organizations about destructive malware designed to destroy data. The alert warned users about malware capable of wiping data from systems in such an effective way as to make the data unrecoverable (Zetter, 2014). The memo warned about how the malware has the capability to overwrite a victim host’s master boot record (MBR) and all data files. The
  • 6. 6 overwriting of data files makes it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods (Zetter, 2014). Once analyzed, the malware was shown to contain a hard-coded list that named 50 internal Sony computer systems based in the U.S. and U.K. that the malware was attacking, as well as the log-in credentials it used to access them. To do the wiping, the attackers used a driver from a commercially-available product designed to be used by system administrators for legitimate maintenance of systems. The product is called RawDisk and is made by Eldos. The driver is a kernel-mode driver used to securely delete data from hard drives or for forensic purposes to access memory (Zetter, 2014). Some of the malware files examined appear to have been compiled on a machine that was using Korean language. This refers to the encoding language on a computer, which is the language spoken by the user. The FBI has claimed it hacked North Korea a year ago, and has evidence from the malware which it released on the North Korean network indicating the IP addresses of the known Korean hackers are the same as the IP addresses used in the attack against Sony. The hack also coincided with the releasing of the movie The Interview, about an assassination attempt by the U.S. on Kim Jong Un, leader of North Korea. The potential damages to Sony for the stolen data are loss of reputation, a drop in stock price, and a decrease in consumer confidence. People will be less likely to shop at Sony for fear of having their credit card information leaked online on the Internet for everyone to see. Sony will lose out a lot of potential revenue for the movies and scripts which were leaked online.
  • 7. 7 Potential employees may not want to work at Sony for fear of their private information being hacked. This hack had a noted effect on data confidentiality, integrity, and availability. Data confidentiality is affected when unauthorized individuals or groups have access to sensitive information. In the case of the Sony breach, when the private company’s information, movies, medical history, and other sensitive data was leaked online, this affected data confidentiality. Sony’s data integrity was affected when the malware deleted the files from the servers and databases. Data integrity is affected when data is altered or changed. When the hackers shut down the systemby deleting the MBR on servers and databases making the network unusable, Sony had to shut down and re-architect the network, thus affecting data availability. Data availability is affected when the data is not available to use. For risk assessment of assets, risk equals vulnerability multiplied by threat. We assess assets for vulnerabilities and remove them to decrease risk. We still have to take into account the potential threats. A threat is an object, agent, or event that could cause damage to the organization’s assets. Threats typically cannot be eliminated altogether. Acts of nature, for instance, are beyond our control; so, too, are most threats. We can prosecute a hacker, but we cannot eliminate the threat that hackers pose. According to Verizon’s Data Breach Investigation Report (DBIR), 92% of the attacks in the last ten years have been either cyber- espionage, DoS attacks, crimeware, web application attacks, insider misuse, miscellaneous errors, physical theft & loss, payment card skimmers, or point-of-sale intrusions (Verizon, 2015).
  • 8. 8 According to the Verizon DBIR, the most likely attacks are web application attacks and cyber-espionage (Verizon, 2015). The threat for the Sony breach was probably a combination of cyber-espionage and insider misuse. It is likely an insider gave administrator credentials to the hackers. Once inside the network, the hackers took advantage of the unencrypted passwords for all of the servers, databases, routers, and switches around the world, which were easily accessible in one data folder. The fact that all these important passwords were unencrypted is an indicator of compromise (IOC). The threat (in this situation, the group of hackers) could use this information to cause a lot of damage. Another IOC could be if one of the hackers left a USB drive in the parking lot of Sony and one of the Sony employees plugged it into the system, giving the attackers access to the network. To mitigate these threats, Lockheed Martin’s Computer Incident Response Teamhas created an intelligence-driven defense process, Cyber Kill Chain, which allows information security professionals to proactively remediate and mitigate advanced threats in the future. By using this tool, Sony could anticipate what the threats will do and put controls into place to minimize the threat. Solutions There are potentially many controls Sony could put into place to mitigate potential threats. One control to put into place could be to stop a disgruntled employee with escalated privileges from attacking or allowing the network to be attacked by outside intruders. A common challenge organizations are faced with is balancing end user productivity with security. Sony leaned too far towards a user friendly system, allowing the attackers to move freely throughout the organization once compromised. It is typical that companies which permit users to run as administrators are more susceptible to a breach. If this was the entry point,
  • 9. 9 removing end user admin permission would be a key change (Tribbey, 2014). The users would have only need-to-know access—for example, the ability of systems admins to perform application and database privileges would be restricted (Quora, 2014). The passwords that the hackers found were in clear-text documents. A very obvious control to put into place would be encryption of all passwords on the shared network and desktops. Attackers would have a much tougher time obtaining passwords if they were encrypted. A policy stating that no passwords can be stored in clear-text should be implemented and must be enforced. Another control to put into place would be user awareness training detailing best practices for security. It would also explain how to avoid common phishing scams. A strong spam blocker could be implemented from Microsoft. The product will send malicious emails with attachments to the spam folder to be flagged and checked. Sony could hire a new CISO (chief information security officer) to rewrite Sony’s security policies and procedures to coincide with best practices and standards. This officer would attempt to go above and beyond minimum requirements to gain back the confidence in their company which was lost due to the breach. The CISO would be responsible for configuring all tools properly. Companies have many information security tools, but they do no good unless configured properly. The CISO must also put the processes in place to monitor and use the tools correctly. Tools are useless without processes. The CISO should implement a plan for regular audits and an incident response plan (DRP/BCP), which should be tested regularly.
  • 10. 10 Sony did not manage the personally identifiable information well. This information could be segmented and isolated from the rest of the network, along with encryption. It should go on the high risk asset list to be watched over more carefully than less important data. A new policy could be put into place to not allow USB ports to upload/download information. The product USB Block will prevent theft and data leakage of important files, documents and source codes from devices like USB Drives, CD/DVD, and network computers. Sony can white-list their own USB drives and devices. Whenever an unauthorized device is detected, a password prompt comes up (USB Block, 2015). Sony’s attackers indicated on screenshots that their doors were no longer locked. Sony could hire security guards to increase physical security to check for intruders piggybacking an employee at the entrance. A badge should be required to enter the garage, garage elevator, the building, and to use the elevator in the building. High-resolution cameras should be installed everywhere to view license plates and faces. Sony could invest in some tools to detect the intruders while they are still in the beginning enumeration phase of hacking. The FireEye network security malware tool recognizes the behavior of viruses while in transit. This tool blocks zero-day web exploits due to the behavioral anomaly technology. It also blocks multi-protocol callbacks to help scale their advanced defenses across a range of deployments. When the viruses call back to the sender (attacker) the software tracks the destination of the callback to find a location. This product is designed to detect malware on a system. This tool would prevent future attacks using malware to steal sensitive company data (FireEye, 2014).
  • 11. 11 Another useful product Sony could implement is the log management device Splunk. Splunk provides the industry-leading software to consolidate and index any log and machine data, including structured, unstructured, and complex multi-line application logs. You can collect, store, index, search, correlate, visualize, analyze, and report on any machine-generated data to identify and resolve operational and security issues in a faster, repeatable, and more affordable way. It is an enterprise—ready, fully integrated solution for log management data collection, storage and visualization (Splunk, 2015). This tool would help accumulate the data needed to find an intruder. The event data goes from Splunk to sys log server to be stored. The tool Exabeam could be used for behavioral analysis. Exabeam adds security intelligence on top of existing SIEM (security information and event management) and log management data repositories to understand a complete picture of the user session, allowing the technology to detect and assemble the full attack chain. The Exabeam User Intelligence solution uses a powerful combination of session assembly and Stateful User Tracking, behavior analysis and risk scoring to automatically determine the likelihood of an attack and prioritize responses. The product specializes in behavior analysis, but performs many functions, such as enhance current SIEM investments, detect threats in real time, and customize deployment. The behavior analysis learns user and peer group behavior and characteristics across multiple dimensions. Dimensions can be time, day of the week, location, or object access, and each dimension is compared against the normal baseline. Then anomalies are identified (Exabeam, 2015). This tool will notify the security team that something is not right within a certain user’s behavior because it would not be consistent with the observed pattern of normal user behavior.
  • 12. 12 The managed security services of Solutionary could really help out Sony’s security team. Solutionary delivers flexible managed security services that work the way the clients want; enhancing their existing security program, infrastructure, and personnel while relieving the information security and compliance burden. Solutionary combines deep security expertise and proven operational processes with the patented, cloud-based ActiveGuard security and compliance platform to improve security and address compliance with regulations such as PCI DSS (payment card industry data security standard), HIPAA (health insurance portability and accountability act), GLBA (Gramm–Leach–Bliley act), Sarbanes-Oxley, and more (Solutionary, 2015). Sony likely has millions of events generated each day for their security team to look over. Solutionary has trained engineers ready to take over that monitoring position. Companies like Target could have used Solutionary to catch the high risk events. Sony could use this service to notice the attackers once the notification is generated by Splunk. The kill chain model has seven phases, which are reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. The steps involve gathering information, creating a malicious program to infiltrate, delivery of the program, installing the program on the network, taking command of the network, achieving the goal with keyboard power over the network. These threats are much tougher now than 15 years ago. The threats now are considered APT (advanced persistent threat). The APT will get on the network and stay as long as possible until detected. Companies with weak information security infrastructures are easy prey for these advanced attackers.
  • 13. 13 Conclusion There are many policies, procedures, products, and services that will effectively mitigate the risk of the e-commerce threat. There were many IOCs (indicators of compromise) revealed
  • 14. 14 at the Sony breach which should indicate to Sony that they must implement controls to mitigate the threat. Sony should use these IOCs to create a kill chain framework. The kill chain framework will focus on the threat instead of the assets. The threat would exploit the weaknesses I have described earlier to infiltrate the network. Controls will be put into place to mitigate the threat. The changes should start with a new CISO, enforcing industry policies and procedures for best practices. The FireEye, Splunk, and Exabeamtools, if implemented with proper processes, will effectively mitigate a similar intruder in the future by noticing behavior anomalies and flagged events. The services of Soutionary could facilitate that idea to be handled properly. The users should not have too many privileges in case of a disgruntled employee, passwords should not be stored in clear-text (policy of encrypting passwords should be implemented), and USBs should not be used to upload or download information from the network. The CISO should implement user awareness training for better email security, stricter physical security, regular audits, and DRP/BCP with regular testing.
  • 15. 15 References Alvarez, E. (2014, December 10). Sony Pictures hack: the whole story. Retrieved from http://www.engadget.com/2014/12/10/sony-pictures-hack-the-whole-story/ Exabeam. (2015). Exabeam Solution Overview. Retrieved from http://www.exabeam.com/wp- content/uploads/Exabeam_SolutionOverview_v0115.pdf FireEye. (2014). FireEye Network Threat Prevention Platform. Retrieved from https://www.fireeye.com/content/dam/fireeye-www/global/en/products/pdfs/fireeye- network-threat-prevention-platform.pdf Krebs on Security. (2014, December 2). Sony Breach May Have Exposed Employee Healthcare, Salary Data. Retrieved from krebsonsecurity.com/2014/12/sony-breach-may-have-exposed- employee-healthcare-salary-data/ Quora. (2014, December 23). What Do Security Professionals Think Sony Should Have Done Differently Between the 2011 Playstation Hack and the 2014 Sony Pictures Hack to Protect Themselves? Retrieved from http://www.quora.com/What-do-security-professionals-think- Sony-should-have-done-differently-between-the-2011-Playstation-Hack-and-the-2014-Sony- Pictures-Hack-to-protect-themselves Solutionary. (2015). Managed Security Services | Solutionary. Retrieved from http://www.solutionary.com/services/managed-security-services/ Splunk. (2015). Log management solutions: tap log data to see what's happening in your business | Splunk. Retrieved from http://www.splunk.com/en_us/solutions/solution-areas/log- management.html Statista. (2015, January). Sony business segments sales share 2014 | Statistic. Retrieved from http://www.statista.com/statistics/279272/proportion-of-sonys-sales-by-business/Zetter, K. (2014, December 3). Tribbey, C. (2014, December 22). Experts: Lessons to be learned from Sony Cyber Attack (CDSA): Content Delivery and Security Association. Retrieved from http://www.cdsaonline.org/latest-news/experts-lessons-to-be-learned-from-sony-cyber-attack- cdsa/ USB Block. (2015). USB Block - Data Leak Prevention Software - Free Download. Retrieved from http://www.newsoftwares.net/usb-block/ Verizon. (2015, January). 2014 Verizon Data Breach Investigations Report (DBIR) | Verizon Enterprise Solutions. Retrieved from http://www.verizonenterprise.com/DBIR/2014/ Zetter (December, 2014) Sony Got Hacked Hard: What We Know and Don't Know So Far | WIRED. Retrieved from http://www.wired.com/2014/12/sony-hack-what-we-know/