The Sony Breach and Implemented Critical Controls Case Study

Introduction

Sony Pictures Entertainment (SPE) Inc. is an entertainment organization that acquires and distributes media in the form of recorded videos, theatrical motion pictures, and television programs worldwide. In 2011, SPE suffered a breach that was considered one of the most significant data hacks in history. Sony stated that it had implemented appropriate security measures to prevent future breaches.

However, three years later, in November 2014, the company was again hacked by a group referred to as the “Guardians of Peace,” and substantial and sensitive information was stolen. The second attack was supposedly associated with terrorism. Moreover, in both attacks, approximately 100 terabytes of data were stolen, constituting confidential customer, employee, and other organizational data. Specifically, these comprised usernames, passwords, unreleased movies, sensitive information regarding Sony’s network architecture, and personal information about employees and clients. The second breach elucidated the ignorance and laxity of Sony in implementing stringent data protection measures.

Protection of Personally Identifiable Information

Personally identifiable information (PII) is described as data that can be used to trace or differentiate a person’s identity. For instance, a name, biometric records, social security number, place, and date of birth. In the event of the SPE breaches, large volumes of PII were stolen, including social security numbers, salaries, and other PII regarding both the employees and users. As a result, according to the “CIS Critical Security Controls: Guidelines,” several critical control measures can be implemented to protect PII. For instance, SPE can begin by securing the configurations for hardware and software on electronic devices and servers through the installation of antivirus software and firewalls to prevent unauthorized attackers from gaining access to the systems. Second, SPE can perform assessments on the operation of security skills and training of employees to fill in the gaps. This is because the most common and conventional methods that hackers use to gain access to systems are by phishing employees. The third is data protection through the encryption of sensitive data.

Assess the Impact of the Breach on the Company

In 2014, numerous data breaches generated significant media attention; however, none had a substantial impact as the Sony breach. These breaches have resulted in commercial fallouts, large-scale international negotiation and sanction issues, national security implications, and personal embarrassments, among others. The Sony hack specifically led to the leaking of usernames, passwords, unreleased movies, sensitive information regarding Sony’s network architecture, and personal information about employees and clients that had been stolen. Consequently, the breach had significant impacts on the company. For instance, SPE incurred substantial financial costs that were estimated to be approximately $ 15 million. This cost was used to cater for investigation and the restoration of financial and information technology systems.

Secondly, Sony lost both time and finances. The company lost $35 million for the full fiscal year, and conversely, time was lost as the network had to go offline for several weeks to allow Sony’s technicians to rebuild the network system. Third, it brought the company embarrassment. The occurrence of the two breaches within a limited timeline embarrassed Sony as it is recognized as one of the world’s renowned film studios. This is because it brought to light the ignorance and insufficiency of resources that Sony was investing in its network security system. Fourth is the loss of employees. Amy Pascal, an influential movie executive, had to step down as the head of SPE due to the breach exposing private and damaging emails. Lastly, the breach brought about the loss of trade secrets, revenue models, and other revenue-generating assets that had an adverse compounding effect on Sony’s bottom line.

Security Issues the Company Was Facing Before the Breach

• Information was stored in an unencrypted format
• Sony failed to install malware defenses and firewalls
• Uncontrolled use of administrative responses
• Poor incident response system
• Lack of performance of audit logs
• Monitoring data leaving the institution

Suitable Control and Proper Tools for Security Issues

• Encryption of all sensitive information
• Installation of malware defenses that would flag unauthorized access
• Controlled use of administrative privileges
• Proper incident response and management
• Maintenance, monitoring, and analysis of audit logs
• Monitoring and controlling of accounts

Proper Risk Decision

• Data protection through the encryption of all sensitive information – Mitigation
• Installation of malware defenses – Defense
• Controlled use of administrative privileges – Mitigation
• Proper Incident response and management – Acceptance
• Maintenance, monitoring, and analysis of audit logs – Mitigation
• Monitoring and controlling of accounts – Mitigation

Tools Utilized on a Low Budget Security

In the instance of low-budget security, open-source tools are a viable option. Most commercial security services and applications have an open-source alternative. Although such tools are not fully featured as compared to their commercial counterparts, they are more budget-conscious and secure as the code is accessible to the public. However, their only disadvantage is that they lack a user-friendly interface.

The second strategy is shared staff, services, and tools. Through sharing the risks and costs of specific IT services, tools, and staff positions, companies can obtain benefits that might otherwise be out of reach. Institutions that are part of a system can identify their peers or consortia and build on existing relationships. On the other hand, sharing peer risk assessments from various service providers helps in cutting costs. Lastly, by sharing security tools such as antivirus systems, vulnerability scanners, intrusion prevention and protection systems, and firewalls, similar-sized companies can minimize the costs of purchasing related tools. Combining such tools enables institutions to acquire a robust and resilient security platform which, when merged with services from IT experts, leads to the provision of a broader range of services to a more diverse population. Nevertheless, the problem with shared services and tools is that the system is susceptible to system or server crashes.

Lessons Learnt from the Sony Breach

Several conclusions can be derived from the above review of critical security controls in relation to the Sony breach. For example, all institutions have data security risks. They are mostly applicable to financial services and healthcare companies as they operate with large volumes of PII; hence, they are required to meet particular regulatory standards to protect PII. However, the level of impact of the breach on Sony suggests that it is essential for every company to consider data security. Furthermore, the efficiency of security controls in protecting organizations from breaches requires the inculcation of the appropriate security culture.

Work Cited

“CIS Critical Security Controls: Guidelines.”SANS Institute, 2015, Web.