Answered step by step
Verified Expert Solution
Link Copied!

Question

1 Approved Answer

Case Study 2 On November 24, 2014, Sony Pictures Entertainment found out it had been hacked. The hackers were able to penetrate Sony systems and

Case Study 2 On November 24, 2014, Sony Pictures Entertainment found out it had been hacked. The hackers were able to penetrate Sony systems and networks and take over 100 terabytes of company information, including trade secrets, email, and personnel records. Several Sony Twitter accounts were also taken over. The hackers then installed on Sonys computers a piece of malware called Wiper, which erased data from the companys servers and PCs. Investigators concluded that the hackers spent more than two months, from mid-September to mid-November 2014, mapping Sonys computer systems, identifying critical files, and planning how to destroy computers and servers. The malware made many Sony employees computers inoperable and full recovery difficult or impossible, slowing down company operations. Sony shut down its internal computer network to prevent the data-wiping software from causing further damage, forcing many employees to use paper and pen. Systems from which the company generates revenue, including those involved with marketing and distributing films and TV shows, were the first to be restored. The hackers, who called themselves the Guardians of Peace, released some of the stolen information to the public and threatened to release more. That information included very confidential and poten tially embarrassing tidbits about Sony staff; partners; Hollywood stars, including Sylvester Stallone, director Judd Apatow, and Australian actress Rebel Wilson; and President Obama. Confidential personal informa tion about employees such as names; addresses; 47,000 Social Security numbers; and financial details was also stolen. The personal data, along with contracts and other sensitive Sony documents, were posted on file-sharing networks such as Bit Torrent. The hackers also posted five Sony films to online file-sharing sites, including Brad Pitts Fury and a remake of the musical Annie. These films had not yet been released, so the hackers were essentially giving them away free before Sony could bring them to market. Sony quickly organized internal staff to deal with this problem and contacted the FBI and the private security firm FireEye to find ways to protect employees whose personal data had been exposed by the hack, repair the damaged computers, and hunt down the hackers. The attack may have been motivated in part by Sonys plans to release a film called The Interview about two bumbling TV reporters trying to assassinate North Korean leader Kim Jong-un. North Korean officials had previously expressed objections to the film at the United Nations. A December 16, 2014, message from the Guardians of Peace threatened terrorist actions at theaters showing the film. Sony pulled the film from theatrical release the next day, and a number of U.S. theater chains announced they would not screen the film. U.S. government officials stated on December 17 that they believed the North Korean government was involved with the Sony hack, pointing to North Korean hackers previous use of similar malicious hacking tools. There were similarities in specific lines of software code, encryption algorithms, data deletion methods, and compromised networks. The attack code was written on machines set with Korean characters as the default during Korean peninsula working hours, and the types of remote servers used in the Sony hack have been linked to those used by other breaches attributed to North Korea. The FBI found several IP addresses associated with the mal ware that originated within North Korea. Because the North Korean government controls all Internet access in that country, the government is thought to have played some role in the attack. North Koreas news agency KCNA denied that countrys involvement. Nevertheless, the United States stepped up its economic sanctions against North Korea. U.S. Secretary of Homeland Security Jeh Johnson released a statement asserting that the cyberattack against Sony wasnt just an attack on the company; it was also an attack on freedom of expression and the way of life in the United States. Many saw the threats to Sony over The Interview as endangering free speech. Several Hollywood filmmakers and actors, including Ben Stiller, Rob Lowe, Jimmy Kimmel, and Judd Apatow, voiced their opposition to Sonys decision to pull the film. Peter Singer, a cybersecurity strategist at the New America Foundation, warned that Sonys action set a disturb ing precedent because it signaled to attackers that they can get all they want and even more. President Barack Obama called Sonys decision to cancel release of The Interview a mistake and urged the entertainment industry not to succumb to self-censorship. Cybersecurity experts and members of the press, including Kurt Stammberger from cybersecurity firm Norsk, Kim Zetter from Wired magazine, CloudFlare researcher Marc Rogers, and former hacker Hector Xavier Monsegur, believe North Korea lacks the infrastructure to handle downloads of 100 terabytes of data, and such actions would have had to go on for months or years without anyone noticing. Stammberger told the FBI that the hack was probably an inside job, initiated by six disgruntled former Sony employees who had the knowledge and motive to access secure parts of Sony servers. Others have suggested that an outside group mimicking North Korean hackers was responsible. Sony had suffered a massive data breach before. In April 2011 hackers were able to obtain personal information, including credit, debit, and bank account numbers, from over 100 million PlayStation Network users and Sony Online Entertainment users. It was one of the largest single data breaches in Internet history. To prevent that from happening again, Sony beefed up its security, paying more attention to encryption and outdated software ver sions. Nevertheless, the company was hacked again, and this attack is believed to be worseperhaps the worst attack to date in corporate history. This time, it appears that the hackers exploited a previously undisclosed zero-day vulnerability in Sony computer systems that gave them unfettered access to its networks. These flaws are usually the result of errors made during the writing of the software, giving an attacker wider access to an organizations systems and providing a platform for staging larger-scale intrusions. Often the vulnerabilities remain unknown to the organization that created the software. Details have not yet emerged about exactly which piece of software or system was compromised. The New York Times reported that spear phishing attacks involving malicious code were inserted in Sony email attachments in September. Spear phishing email messages appear to come from someone known to the recipient, such as friend or fellow employee. If an unknowing recipient clicks a link in the email, malicious code can be inserted in a computer system. Apparently, Sony was experiencing spear phishing attacks in early September, but those attacks did not look unusual. In retrospect, investigators realized that hackers had stolen the credentials of a Sony systems administrator, which allowed them to move freely inside Sonys systems. That type of attack has been used before to exploit zero-day vulnerabilities. Spear phishing can be difficult to detect and prevent by using only firewalls. Uses have to be vigilant and sensitive to signs that email is not authentic. Some experts also believe the hackers may also have employed a SQL injection attack, in which the attacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet. SQL injection attacks are used to steal information from a database from which the data would normally not be available or to gain access to an organizations computer systems. SQL injection attacks can be thwarted by encrypting data, and Sony may have neglected to do this for key pieces of data. Doug Stone, president of film newsletter Box Office Analyst, believes that Sony lost $120 million in U.S. and foreign box office revenue from not releasing The Interview as well as tens of millions already spent on marketing. Sales of this film to DVD, streaming video services, and some theaters in the future will not make up for this. Sony will also lose revenue from the five films yet to be released that hackers downloaded to online file-sharing services. According to a Carnegie Mellon University 2011 report, such leaks can cost companies up to 19 percent of the revenue they would have otherwise generated just on box office sales. Four former employees have sued Sony for not protecting their private information from hackers. The lawsuits seek class-action status on behalf of the nearly 50,000 Sony Pictures employees whose Social Security numbers and other private data were exposed. Legal experts expect more cases to be filed over the data breach in the future. Sony has set aside $15 million to deal with ongoing damages from the attack; this may not be enough. Difficult to estimate are the losses Sony will experience from its damaged brand image and reluctance of actors and others in the film industry to work with Sony again. The company has tightened information system security again, using redundant solutions to prevent similar data loss or hacks in the future, but will this be enough? According to Kevin Mandia, who heads the Mandiant security firm hired to investigate the breach, the 2014 attack was one for which neither Sony nor other companies could have been fully prepared. Mandia believes the software used in the attack against Sony was undetectable by industry standard antivirus software. In addition, the scope of the attack was unlike anything he had ever seen because the hackers sought both to destroy information and release it to the public. The Sony hack exposed many details about the inner workings of a large and famous company salaries, health care records, office call lists of employees in a prominent industry. Security experts could recall no other breach when so much data on a high-profile company was made public in one data dump. Some also believe the Sony hack is a harbinger of things to come for all companies. This type of attack would not have been possible a few years ago. The likelihood of serious breaches is rising, the damage breaches can cause is going up, and companies will need to spend more money and time on information systems security to keep the hackers from pulling ahead.

Case Study Questions

1. List and describe the security and control weaknesses at Sony that are discussed in this case.

2. What people, organization, and technology factors contributed to this problem? How much was management responsible?

3. What was the business impact of Sony hack? Explain your answer.

4. Is there a solution to this problem? Explain your answer.

5. Explain proactive and reactive cybersecurity.

6. Explain to a Guyanese business (business does not have to be named) what you have learnt from this case study and why proactive cybersecurity measure establishment is more safe than reactive measures

Step by Step Solution

There are 3 Steps involved in it

Step: 1

blur-text-image

Get Instant Access to Expert-Tailored Solutions

See step-by-step solutions with expert insights and AI powered tools for academic success

Step: 2

blur-text-image

Step: 3

blur-text-image

Ace Your Homework with AI

Get the answers you need in no time with our AI-driven, step-by-step assistance

Get Started

Recommended Textbook for

Ethics for the Information Age

Authors: Michael J. Quinn

7th edition

134296540, 9780134296623 , 978-0134296548

More Books

Students also viewed these General Management questions

Question

What is Tax Planning?

Answered: 1 week ago