1. Root cause analysis statement

Frustrated (or previously laid off) employees, or money-seeking hackers working for a specific country, seem to be the root cause of this targeted attack.
Targeted attacks are hard to dissect because attackers plan months ahead in a systematic way. The attackers started by identifying disgruntled employee(s) and built relationships with them to gain access to a physical SONY facility that lacked physical security measures.

2. Vulnerabilities identified

1. Limited physical security

2. Software affected by zero-day vulnerabilities

Systems engineers had no time to patch code whose vulnerability was undetected and had already been exploited. This led to a massive attack on SONY's corporate network.

3. Emails or email attachments with malicious code

Malicious code was sent by email, a technique called "phishing", to penetrate SONY's network. This code landed in a number of inboxes.

4. Lacking Multifactor authentication for admin access

This is basic protection that should be the first thing in place. Because multifactor authentication did not exist for admin access, hackers needed only a password to enter the systems.

5. Unprotected Sensitive documents

Confidential documents stored in clear text exposed SONY's proprietary information to the public.

6. Poor or lack of network monitoring

SONY did not detect unusual network activity such as a spike in the volume of transactions.

7. Missing Security Incident and Event Management

SONY did not detect the unusual pattern of system activity that let the wiper malware spread widely.

8. Missing Network Segmentation

SONY did not detect the unusual pattern of system activity that let the wiper malware spread widely.

9. Delayed incident response

SONY's incident response was ineffective and delayed.

10. Attackers found a way to breach systems

SONY did not employ methods to find and exploit its own systemic flaws before the attackers did.

11. Poor user awareness

SONY's employees did not have up-to-date training on the administrative, technical and physical security measures to be taken to protect against such attacks.

3. Countermeasures (Technical, physical, administrative)

Remediation #1: Limited physical security

The following physical controls must be in place:

Badge Systems

SONY must employ a badge system to control physical access to its premises. Under this control strategy, employees and guests must wear appropriate badges whenever they are in access-controlled areas. Badge-reading systems are designed to admit authorized persons and can then effectively distinguish intruders.

Double Door Systems

As an additional security measure, SONY needs to deploy mantrap (double-door) systems at entrances to restricted zones, forcing individuals to identify themselves to the guard before they are released into the secured zone. Mantraps and double doors are an excellent way to keep intruders from tailgating behind authorized persons into restricted zones.

Biometric Access Controls

As an enhanced security measure, biometrics should be used to identify fingerprints, handprints, voice patterns, signature samples and retinal scans. Since biometrics cannot be lost, stolen or shared, they give a higher level of security than badges. Biometric identification is suggested for high-security, low-traffic entrance control.

Motion Detectors

Motion detectors are valuable for pointing out potential intrusions. They must be continually monitored by guards, and SONY should consider them as one of its security measures.

CCTV Monitors

CCTV can be used to monitor activity in computing areas where users or operators are not often present, so that suspicious behavior by individuals can be detected. CCTV captures video to detect suspicious and malicious activity and to trigger alarms.

Remediation #2: Software affected by zero-day vulnerabilities

The following technical controls must be in place:

Library Control Systems

These systems require that all changes to production programs be implemented by library control personnel instead of the programmers who created the changes. This practice ensures separation of duties, which prevents unapproved changes to production programs.

Audit Trails

An audit trail is a record of system activities that enables the reconstruction and examination of the sequence of events of a transaction, from its inception to the output of final results. Violation reports present significant, security-oriented events that may indicate either actual or attempted policy transgressions reflected in the audit trail. Violation reports should be frequently and regularly reviewed by security officers and database owners to identify and investigate successful or unsuccessful unauthorized accesses.
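As an added example, not from this document or from any SONY system, the following Python code shows how the library control and audit trail controls above fit together: it parses a constructed audit trail, produces the violation report the text describes (every denial, plus accounts with repeated denials), and also flags successful changes to production programs made by accounts outside the library control group, which access control allowed but which still break separation of duties. The log format, account names, object paths and thresholds are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed audit trail for the example (assumption: one line per access
# decision with the fields: time, user, action, object, outcome).
AUDIT_TRAIL = """\
2014-11-20T09:01:12 alice READ   hr/payroll.xlsx       DENY
2014-11-20T09:01:40 alice READ   hr/payroll.xlsx       DENY
2014-11-20T09:02:03 alice READ   hr/payroll.xlsx       DENY
2014-11-20T09:15:00 bob   DEPLOY prod/billing.jar     ALLOW
2014-11-20T10:00:00 carol DEPLOY prod/billing.jar     ALLOW
2014-11-20T10:30:11 dave  READ   legal/contracts.docx  ALLOW
2014-11-20T11:45:59 erin  WRITE  prod/config.yaml      DENY
"""

# Assumed policy: only library control personnel may change production
# programs, and three or more denials by one account in the review period
# is reportable as an attempted policy transgression.
LIBRARY_CONTROL = {"carol"}
PRODUCTION_PREFIX = "prod/"
CHANGE_ACTIONS = {"DEPLOY", "WRITE"}
DENIAL_THRESHOLD = 3


@dataclass
class AuditRecord:
    time: str
    user: str
    action: str
    obj: str
    outcome: str


def parse_audit_trail(text: str) -> List[AuditRecord]:
    """Turn the raw trail into records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, user, action, obj, outcome = line.split()
        records.append(AuditRecord(time, user, action, obj, outcome))
    return records


def violation_report(records: List[AuditRecord]) -> Dict[str, object]:
    """Build the violation report a security officer would review.

    denied: every unsuccessful access, in order (actual attempts)
    repeat_denials: accounts at or above DENIAL_THRESHOLD denials
    production_changes_outside_library_control: successful changes to
      production programs by accounts that are not library control personnel
    """
    denied = [r for r in records if r.outcome == "DENY"]
    denial_counts = Counter(r.user for r in denied)
    repeat_denials = {u: n for u, n in denial_counts.items() if n >= DENIAL_THRESHOLD}
    sod_violations = [
        r for r in records
        if r.outcome == "ALLOW"
        and r.obj.startswith(PRODUCTION_PREFIX)
        and r.action in CHANGE_ACTIONS
        and r.user not in LIBRARY_CONTROL
    ]
    return {
        "denied": denied,
        "repeat_denials": repeat_denials,
        "production_changes_outside_library_control": sod_violations,
    }


def print_report(report: Dict[str, object]) -> None:
    for r in report["denied"]:
        print(f"DENIED  {r.time} {r.user} {r.action} {r.obj}")
    for user, n in report["repeat_denials"].items():
        print(f"REPEAT  {user}: {n} denials")
    for r in report["production_changes_outside_library_control"]:
        print(f"SOD     {r.time} {r.user} changed {r.obj} outside library control")


if __name__ == "__main__":
    print_report(violation_report(parse_audit_trail(AUDIT_TRAIL)))
```

The separation-of-duties check is the part a plain access control list cannot give you: the deployment by bob was permitted by the system, and only the review of the trail against the library control policy reveals it as a violation.
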

Remediation #3: Emails or email attachments with malicious code

The following technical controls must be in place:

Antivirus Software

SONY must ensure that antivirus software is installed on all microcomputers to detect, identify, isolate and eradicate viruses. This software must be updated frequently to help fight new viruses. In addition, to help ensure that viruses are intercepted as early as possible, antivirus software should be kept active on a system, not used intermittently at the discretion of users.

Remediation #4: Lacking Multifactor authentication for admin access

The following technical controls must be in place:

Smart Cards

SONY needs to deploy smart cards that carry prerecorded, usually encrypted, access control information, which is compared with data the user provides (e.g., a personal ID number or biometric data) to verify authorization to access the computer or network.

Access Control Software

SONY should implement access control lists that designate which users are allowed access to data. Access control software provides the ability to control access to the system by establishing that only registered users with an authorized log-on ID and password can gain access to the computer system.
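The controls recommended above are smart cards and access control software. As an added example that is not from this document or from SONY, the following Python code shows the same principle with a time-based one-time password (TOTP, RFC 6238) as the second factor, because that can be demonstrated offline without card hardware: an admin account is refused with a correct password alone and admitted only when the one-time code is also correct, which is exactly the check the attack described in this document did not meet. The user store, account names and the login flow are assumptions constructed for the example; the secret is the RFC 6238 test key, so the codes it produces are not real credentials.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional


# Constructed user store (assumption: passwords are kept as salted PBKDF2
# hashes; admin accounts also hold a TOTP secret shared with their device).
def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, is_admin: bool, totp_secret: Optional[bytes] = None) -> Dict:
    if is_admin and totp_secret is None:
        raise ValueError("admin accounts must be enrolled in a second factor")
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": _password_hash(password, salt),
            "is_admin": is_admin, "totp_secret": totp_secret}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the 30-second time counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current code and one step either side to tolerate clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(users: Dict[str, Dict], username: str, password: str,
          otp_code: Optional[str], unix_time: int) -> str:
    """Return 'granted' or a 'denied: ...' reason. Admins need both factors."""
    user = users.get(username)
    if user is None:
        return "denied: unknown user"
    if not hmac.compare_digest(_password_hash(password, user["salt"]), user["pw_hash"]):
        return "denied: bad password"
    if user["is_admin"]:
        # A stolen or shared password is not enough for admin access.
        if otp_code is None or not verify_totp(user["totp_secret"], otp_code, unix_time):
            return "denied: second factor required"
    return "granted"


# RFC 6238 test secret (not a real credential) and a fixed time so the
# example is reproducible; a real enrolment would use secrets.token_bytes(20).
DEMO_SECRET = b"12345678901234567890"
DEMO_TIME = 59
USERS = {
    "admin": make_user("correct horse", is_admin=True, totp_secret=DEMO_SECRET),
    "bob": make_user("bob-password", is_admin=False),
}

if __name__ == "__main__":
    print(login(USERS, "admin", "correct horse", None, DEMO_TIME))
    print(login(USERS, "admin", "correct horse", totp(DEMO_SECRET, DEMO_TIME), DEMO_TIME))
```

Both comparisons use hmac.compare_digest so that neither the password check nor the code check leaks timing information, and make_user refuses to create an admin account that is not enrolled in a second factor, which is how the "password only" path is closed by construction rather than by policy.
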

Remediation #5: Unprotected Sensitive documents

The following technical controls must be in place:

Encryption

SONY should implement both hardware and software encryption. When large volumes of data are to be processed, software encryption is the less expensive option, and there is no overhead associated with hardware encryption.

Sensitive data should be stored with strong encryption such as AES-256, and operating systems include built-in capabilities to encrypt data at both the file level and the disk level.

Remediation #6: Poor or lack of network monitoring

The following technical controls must be in place:

Deploy a network-sniffing tool

A tremendous amount of traffic would have been generated by terabytes of data being stolen by the attackers. Sony would only have needed to detect a fraction of that to be tipped off that its network was under attack.

Diligently automating a tool to hunt for unauthorized sensitive information leaving the network could have greatly assisted Sony and prevented the majority of its sensitive information from being stolen.

Remediation #7: Missing Security Incident and Event Management

The following technical controls must be in place:

Deploy a Security Incident and Event Management tool. With such a tool in its infrastructure, Sony could have detected that its infrastructure was breached by correlating activities that deviated from its known baseline. Knowing what is normal in one's infrastructure is imperative to detecting malicious activity.
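As an added example that is not from this document or from SONY, the following Python code puts the network-monitoring and event-management passages above together: it learns a per-host baseline of daily outbound bytes and raises an alert when a later day deviates far from that baseline, which is the kind of signal terabytes of outbound data would produce. The host names, daily volumes, baseline window and thresholds are all constructed assumptions.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

GB = 10 ** 9
MB = 10 ** 6

# Constructed daily outbound-byte totals per internal host (assumption: these
# are aggregated from flow or proxy records; every value here is invented).
# The last day for fileserver-01 models a bulk data theft.
DAILY_EGRESS: List[Tuple[str, str, int]] = [
    ("2014-11-01", "fileserver-01", 48 * GB), ("2014-11-01", "workstation-22", 1200 * MB),
    ("2014-11-02", "fileserver-01", 52 * GB), ("2014-11-02", "workstation-22", 900 * MB),
    ("2014-11-03", "fileserver-01", 50 * GB), ("2014-11-03", "workstation-22", 1100 * MB),
    ("2014-11-04", "fileserver-01", 47 * GB), ("2014-11-04", "workstation-22", 1000 * MB),
    ("2014-11-05", "fileserver-01", 53 * GB), ("2014-11-05", "workstation-22", 1300 * MB),
    ("2014-11-06", "fileserver-01", 49 * GB), ("2014-11-06", "workstation-22", 1100 * MB),
    ("2014-11-07", "fileserver-01", 51 * GB), ("2014-11-07", "workstation-22", 1000 * MB),
    ("2014-11-08", "fileserver-01", 950 * GB), ("2014-11-08", "workstation-22", 1200 * MB),
]


def learn_baselines(records, baseline_days: int = 7) -> Dict[str, Tuple[float, float]]:
    """Per host, the mean and population standard deviation of outbound bytes
    over the first baseline_days days seen for that host."""
    per_host = defaultdict(list)
    for _day, host, nbytes in sorted(records):
        per_host[host].append(nbytes)
    baselines = {}
    for host, series in per_host.items():
        history = series[:baseline_days]
        if len(history) >= 2:
            baselines[host] = (statistics.mean(history), statistics.pstdev(history))
    return baselines


def detect_egress_anomalies(records, baseline_days: int = 7,
                            sigma: float = 4.0, min_ratio: float = 3.0) -> List[Dict]:
    """Alert on any day after the baseline window whose volume exceeds both
    mean + sigma * stdev and min_ratio * mean. The ratio guard stops a very
    flat baseline (tiny stdev) from turning small fluctuations into alerts."""
    baselines = learn_baselines(records, baseline_days)
    days_seen = defaultdict(int)
    alerts = []
    for day, host, nbytes in sorted(records):
        days_seen[host] += 1
        if days_seen[host] <= baseline_days or host not in baselines:
            continue                      # still inside the learning window
        mean, sd = baselines[host]
        threshold = max(mean + sigma * sd, min_ratio * mean)
        if nbytes > threshold:
            alerts.append({"host": host, "day": day, "bytes": nbytes,
                           "baseline_mean": mean, "threshold": threshold})
    return alerts


if __name__ == "__main__":
    for a in detect_egress_anomalies(DAILY_EGRESS):
        print(f"ALERT {a['day']} {a['host']}: {a['bytes'] / GB:.0f} GB out "
              f"(baseline {a['baseline_mean'] / GB:.0f} GB, threshold {a['threshold'] / GB:.0f} GB)")
```

The workstation's volume moves by 30 percent from day to day and never alerts, while the file server's normal range of 47 to 53 GB makes a 950 GB day stand out immediately; a real deployment would keep refreshing the baseline and would also watch destinations and protocols, not just totals.
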

Remediation #8: Missing Network Segmentation

The following technical controls must be in place:

Segment the network into multiple trusted zones

SONY should have implemented network segmentation, with additional security in each segment, to lessen the effect of an attack, together with alerting mechanisms.
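As an added example, not from this document or from SONY, the following Python code shows what "segmentation with additional security in each segment and alerting" looks like in policy form: hosts are assigned to trusted zones, only listed zone-to-zone flows are allowed, everything else is denied and alerted, and a source that is blocked towards several distinct hosts is escalated as possible lateral movement. The zone ranges, ports, thresholds and sample flows are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed zone layout (constructed for the example).
ZONES = {
    "user_workstations":  ipaddress.ip_network("10.10.0.0/16"),
    "file_servers":       ipaddress.ip_network("10.20.0.0/24"),
    "domain_controllers": ipaddress.ip_network("10.30.0.0/24"),
    "admin_jump_hosts":   ipaddress.ip_network("10.40.0.0/28"),
}

# Allowed inter-zone flows as (source zone, destination zone, destination port).
# Anything not listed is denied and alerted (default deny between zones).
ALLOWED_FLOWS = {
    ("user_workstations", "file_servers", 445),        # SMB file shares
    ("user_workstations", "domain_controllers", 88),   # Kerberos
    ("user_workstations", "domain_controllers", 389),  # LDAP
    ("admin_jump_hosts", "file_servers", 3389),        # RDP from jump hosts only
    ("admin_jump_hosts", "domain_controllers", 3389),
}

# Zones whose members may talk to each other directly. Workstations are
# deliberately absent: peer-to-peer traffic between them is the path a wiper
# uses to spread, so it is blocked and alerted.
INTRA_ZONE_ALLOWED = {"file_servers", "domain_controllers", "admin_jump_hosts"}

ESCALATION_THRESHOLD = 3   # distinct blocked destinations from one source


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, network in ZONES.items():
        if addr in network:
            return name
    return "untrusted"


def evaluate_flow(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str, str]:
    """Return (verdict, source zone, destination zone) for one flow."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone and src_zone in INTRA_ZONE_ALLOWED:
        return "allow", src_zone, dst_zone
    if (src_zone, dst_zone, dst_port) in ALLOWED_FLOWS:
        return "allow", src_zone, dst_zone
    return "deny", src_zone, dst_zone


def audit_flows(flows) -> Tuple[List[Dict], List[str]]:
    """Evaluate flows; return denied-flow alerts and escalated source hosts."""
    alerts = []
    blocked_targets = defaultdict(set)
    for src_ip, dst_ip, dst_port in flows:
        verdict, src_zone, dst_zone = evaluate_flow(src_ip, dst_ip, dst_port)
        if verdict == "deny":
            alerts.append({"src": src_ip, "dst": dst_ip, "port": dst_port,
                           "src_zone": src_zone, "dst_zone": dst_zone})
            blocked_targets[src_ip].add(dst_ip)
    escalated = sorted(s for s, t in blocked_targets.items() if len(t) >= ESCALATION_THRESHOLD)
    return alerts, escalated


# Constructed sample flows (all addresses invented; 203.0.113.0/24 is a
# documentation range standing in for the internet).
SAMPLE_FLOWS = [
    ("10.10.5.23", "10.20.0.7", 445),     # workstation to file server: allowed
    ("10.10.5.23", "10.30.0.2", 88),      # workstation Kerberos to DC: allowed
    ("10.10.5.23", "10.30.0.2", 3389),    # workstation RDP to DC: denied
    ("10.10.5.23", "10.10.5.24", 445),    # workstation to workstation: denied
    ("10.10.5.23", "10.10.5.25", 445),
    ("10.10.5.23", "10.10.5.26", 445),
    ("10.40.0.3", "10.20.0.7", 3389),     # jump host RDP to file server: allowed
    ("203.0.113.9", "10.20.0.7", 445),    # internet to file server: denied
]

if __name__ == "__main__":
    denied, escalated = audit_flows(SAMPLE_FLOWS)
    for a in denied:
        print(f"ALERT blocked {a['src_zone']}->{a['dst_zone']} {a['src']}->{a['dst']}:{a['port']}")
    for host in escalated:
        print(f"ESCALATE {host}: blocked towards {ESCALATION_THRESHOLD}+ distinct hosts")
```

The escalation step is the "alerting mechanism" the text asks for: a single blocked flow is noise, but one workstation being refused towards four different hosts in a short span is the pattern segmentation exists to expose.
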

Remediation #9: Delayed incident response

The following administrative controls must be in place:

Conduct periodic incident scenario sessions

Effectively practicing incident response handling could have helped Sony recover and bring the organization back online more quickly. Sony Pictures Entertainment technicians and experts are only now beginning to roll out new computer systems with heightened security safeguards, six weeks after a hack attack crippled operations.

Remediation #10: Attackers found a way to breach systems

The following technical controls must be in place:

Conduct regular penetration tests

SONY should have conducted both external and internal penetration tests to identify action items, with risk levels, that could have prevented the attack.

Remediation #11: Poor user awareness

The following administrative controls must be in place:

Security Awareness and Technical Training

Security awareness training is a preventive measure that helps users understand the benefits of security practices. If employees do not understand the need for the controls being imposed, they may eventually circumvent them and weaken the security program or render it ineffective.

Technical training can help users prevent the most common security problem, errors and omissions, as well as ensure that they understand how to make appropriate backup files and how to detect and control viruses. Technical training in the form of emergency and fire drills for operations personnel can ensure that proper action will be taken to prevent such events from escalating into disasters.

Separation of Duties

SONY's administrative processes should be enhanced to separate each process into component parts, with different users responsible for different parts of the process. Judicious separation of duties prevents one individual from obtaining control of an entire process and forces collusion with others in order to manipulate the process for personal gain.

Security Policies and Procedures

SONY's security policies should be improved to cover the use of computing resources, marking of
sensitive information, movement of computing resources outside the facility, introduction of personal
computing equipment and media into the facility, disposal of sensitive waste, and computer and data
security incident reporting. Enforcement of these policies is essential to their effectiveness.

Security Reviews and Audits

SONY's management involvement in identifying and correcting deficiencies in its systems should improve, in line with its security policies, so that the computer security program functions properly and guards against such attacks.

4. How were the vulnerabilities exploited?

Limited physical security

SONY did not have facilities such as mantrap doors or fingerprint/electronic card access systems in place.

Software affected by zero-day vulnerabilities

Systems engineers had no time to patch code whose vulnerability was undetected and had already been exploited. This led to a massive attack on Sony's corporate network.

Emails or email attachments with malicious code

Malicious code was sent by email to gain access to Sony's systems. This is also called spear phishing.

This took the form of sending Apple ID verification emails to SONY executives, who were prompted to enter their Apple ID and taken through a fake verification process.

Attackers collected IDs and passwords and used social engineering via sites such as LinkedIn to compile login information for the SONY network, which was then built into the Wiper malware.

Lacking Multifactor authentication for admin access

Hackers had only to enter the password obtained from one of the SONY insiders.

The system never asked for an additional PIN code, which could have prevented unauthorized access.

Unprotected Sensitive documents

Since confidential documents were unencrypted, hackers accessed and read through the information, and parts of it were used to re-hack systems with updated malware.

Poor or lack of network monitoring

Hackers not only erased data from SONY's systems, but also stole some of it and made it public, including movie prereleases, individuals' private information and sensitive documents.

Missing Security Incident and Event Management

Hackers had practiced the same pattern of malware injection months prior to the attack, as SONY's systems did not employ any tools to monitor such patterns.

Missing Network Segmentation

It was easy for attackers, who did not have to worry about any segmentation-specific security, as no such thing existed at SONY at the time of the attack.

Delayed incident response

Attackers were able to take SONY's website offline for a week because there was no incident response capability to bring the site back up quickly.

Attackers found way to breach systems

Wiper malware flowed freely through SONY's network, as SONY's infrastructure lacked the ability to withstand such attacks because no penetration testing had been done.

Poor user awareness

The lack of administrative controls at SONY allowed hackers to easily breach its systems with routine hacking practices.
