Wednesday, December 17, 2014

Implications of the Sony Cyber Attack

When Sony Pictures employees got into the office on Monday, November 24, they discovered that their corporate network had been hacked.

The attackers took terabytes of private data, deleted the original copies from Sony computers, and left messages threatening to release the information if Sony didn't comply with the attackers' demands.

My First Guess

When I first heard that Sony got hacked, my first thought was, "I bet those guys run Windows."

That suspicion has been confirmed.

Possible Attack Vector

The attackers researched Sony's IT infrastructure and knew their victim's vulnerabilities.

Cyber Attack

The attackers could have used a phishing email or an Internet Explorer browser vulnerability to gain an initial foothold on a regular employee's workstation.

Gain Admin Access

Knowing that Sony ran Microsoft Windows, the attackers could have used a known vulnerability in Microsoft's Kerberos implementation (the PAC signature-validation flaw Microsoft patched as MS14-068, CVE-2014-6324) to forge a Privilege Attribute Certificate that the Kerberos Key Distribution Center would accept as valid, elevating an ordinary domain user to the privileges of any other account on the domain, domain administrators included. Whether this particular flaw was used against Sony is speculation: the bulletin was released on November 18, 2014, only days before the intrusion was discovered.
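As an added example, not code from the original post: one artifact of a forged-PAC logon that Microsoft pointed defenders to when MS14-068 shipped is a 4624 (and accompanying 4672) event in which the Account Name is the low-privilege user who requested the ticket while the Security ID resolves to the impersonated account. The script below scans constructed 4624/4672 event excerpts against a constructed SID-to-account map and flags every logon where the two fields disagree. The one-line event format, the SID map and the account names are assumptions made for the illustration; a real deployment would read EVTX/XML from the domain controllers and resolve SIDs against Active Directory.

```python
"""Flag logon events whose Account Name and Security ID name different principals.

Added example; the events and SID map below are constructed, not Sony data.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed SID -> sAMAccountName map. Assumption: in practice this is
# resolved against Active Directory, not hard-coded.
SID_TO_NAME: Dict[str, str] = {
    "S-1-5-21-1000-2000-3000-500": "Administrator",
    "S-1-5-21-1000-2000-3000-1104": "jdoe",
    "S-1-5-21-1000-2000-3000-1105": "asmith",
}

# Constructed event excerpts, flattened to one line each, using the field
# labels of the "New Logon" section of a Windows 4624 event.
SAMPLE_EVENTS: List[str] = [
    "EventID=4624 LogonType=3 Security ID: S-1-5-21-1000-2000-3000-1104 "
    "Account Name: jdoe Logon Process: Kerberos",
    # A forged PAC: jdoe requested the ticket, the KDC accepted a PAC
    # carrying the built-in Administrator SID.
    "EventID=4624 LogonType=3 Security ID: S-1-5-21-1000-2000-3000-500 "
    "Account Name: jdoe Logon Process: Kerberos",
    "EventID=4624 LogonType=2 Security ID: S-1-5-21-1000-2000-3000-1105 "
    "Account Name: asmith Logon Process: User32",
    # 4672 "special privileges assigned" for the same mismatched logon.
    "EventID=4672 Security ID: S-1-5-21-1000-2000-3000-500 Account Name: jdoe",
    # Unrelated event type: ignored by the detector.
    "EventID=4768 Security ID: S-1-5-21-1000-2000-3000-1104 Account Name: jdoe",
]

EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+).*?Security ID: (?P<sid>\S+).*?Account Name: (?P<name>\S+)"
)
LOGON_EVENTS = {4624, 4672}


@dataclass(frozen=True)
class Finding:
    event_id: int
    sid: str
    account_name: str
    sid_owner: Optional[str]  # None when the SID is not in the map


def find_pac_mismatches(lines: Iterable[str],
                        sid_to_name: Dict[str, str] = SID_TO_NAME) -> List[Finding]:
    """Return every 4624/4672 event whose SID does not belong to Account Name.

    An unknown SID is also reported: a SID the directory cannot resolve on a
    logon event deserves a look in its own right.
    """
    findings: List[Finding] = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m or int(m["id"]) not in LOGON_EVENTS:
            continue
        sid, name = m["sid"], m["name"]
        owner = sid_to_name.get(sid)
        if owner is None or owner.lower() != name.lower():
            findings.append(Finding(int(m["id"]), sid, name, owner))
    return findings


if __name__ == "__main__":
    for f in find_pac_mismatches(SAMPLE_EVENTS):
        print(f"event {f.event_id}: '{f.account_name}' logged on with the SID of "
              f"'{f.sid_owner or 'UNKNOWN'}' ({f.sid})")
```

Run against the constructed sample, the detector reports the two Administrator-SID events attributed to jdoe and ignores the matching logons and the 4768 ticket request. The check is cheap enough to run over every domain controller's Security log after the fact, which is how you answer "was this used against us?" rather than just "are we patched?".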

Destructive Malware

Once the attackers held administrative credentials for a Microsoft-based network whose file systems were unencrypted, they were able to extract that information and expose corporate secrets ***, then destroy the files with the destructive BKDR_WIPALL malware (Trend Micro's name for the wiper used against Sony).

*** Corporate Secrets Exposed

Men are paid more than women. Sony's 17 biggest-earning executives are predominantly white men. According to a spreadsheet called "Comp Roster by Supervisory Organization 2014-10-21," Amy Pascal, the co-chair of Sony Pictures Entertainment is the only woman earning $1 million or more at the studio.

A series of emails between Pascal and movie producer Scott Rudin showed an ugly side to the beautiful business of Hollywood. Rudin called Angelina Jolie a "minimally talented spoiled brat" in an email exchange with Pascal. Pascal and Rudin also made racially charged jokes about President Obama's taste in movies. As you would expect, Pascal and Rudin apologized, saying they are so sorry for what they said.

Why the Hack was so Effective

  • Sony's Employee Workstations and Network Run on Microsoft Windows
  • Private data was not encrypted
  • Woefully Inadequate Network Security Monitoring

Lawsuit Filed

Two former employees of Sony Pictures filed a lawsuit against Sony alleging it didn't do enough to safeguard their personal information and prevent its loss in that cyberattack.

The lawsuit, filed Monday, December 15, 2014, in U.S. District Court for the Central District of California, asks the court to award monetary damages and to grant class-action status. Thousands of past and present Sony employees could join the suit.

The lawsuit alleges, "Sony failed to secure its computer system, servers and databases, despite weaknesses that it has known about for years, because Sony made a business decision to accept the risk of losses associated with being hacked."

How can Sony defend itself against solid claims of negligence?

IT Security Laws for Corporations

Sarbanes-Oxley

Sarbanes-Oxley, or 'Sarbox' as it is sometimes called, was enacted in 2002 to help prevent future Enron-like episodes from happening again. It requires companies to be accountable for identifying and mitigating risks to their financial stability and this includes information security.

Sarbanes-Oxley details a "chain of accountability" where senior executives and board members must sign off on the accuracy of financial reporting, then the managers that report to them must be darned sure that their information is accurate. That applies to the managers who report to them and the people who report to them and so on. While the average employee of a public company will most likely not go to jail over a Sarbanes-Oxley violation (C-level executives are not so fortunate) each employee does have an important role in maintaining the security and integrity of corporate data.

When Sarbanes-Oxley mentions "controls," it is talking about the policies, procedures and guidelines that protect information in your company, which directly implies adequate IT security enforcement.

HIPAA Security Rule

This massive cyberattack constitutes unauthorized access to or acquisition of personal information that is subject to most state and federal data breach notification requirements, including, to the extent Sony held protected health information as a covered entity or business associate (for example through its group health plan), the HIPAA Breach Notification Rule. The HIPAA Security Rule contains a number of provisions requiring covered entities and business associates to maintain procedures to monitor system activity for potential security incidents and to investigate any such incidents.

The HIPAA Security Rule requires covered entities and business associates to "implement procedures to regularly review records of information system activity, such as audit logs, access records, and security incident tracking reports." 45 C.F.R. § 164.308(a)(1)(ii)(D). HHS guidance materials further state that this specification "should also promote continual awareness of any information system activity that could suggest a security incident." See CMS, HIPAA Security Series Vol. 2, Security Standards: Administrative Safeguards.

The HIPAA Security Rule also requires covered entities and business associates to create and maintain appropriate records of system activity (the audit controls standard). See 45 C.F.R. § 164.312(b). However, covered entities and business associates have significant discretion over which activity records they create and retain, based on their formal assessment of their security risks.

Breach Notification

Breach notice laws define "personal information" as specific data elements rather than as any private data. California's law (Civil Code § 1798.82), for example, covers an individual's name together with a Social Security number, driver's license number or financial account number, and since 2014 also "a user name or email address, in combination with a password or security question and answer that would permit access to an online account."


  • IT security should be taken seriously
  • As a C-level executive, you should know the laws pertaining to safeguarding your company and employees' data.
  • As a C-level executive, you can be held liable for lax IT security enforcement at your company.

Lessons Learned

  1. If you are a C-level executive and your company runs Windows, change that or get another job.
  2. Hire a professional to thoroughly evaluate your current security policies.
  3. Don't ask for trouble, but if you do, don't run Windows.

SANS Institute Cyber Attack Response Plan

For many organizations today, the question is no longer if they will fall victim to a targeted attack, but when. In such an event, how an organization responds will determine whether it becomes a serious event or if it stays a mere annoyance.

This requires something of a change of mindset for information security professionals. Previous techniques and many best practices are under the premise that an attacker can be kept out.

However, that’s no longer the case today. The malware used in targeted attacks is frequently not detected (because it’s been custom-made for specific organizations). A well-crafted social engineering attack can look like a normal business email or engaging click bait.

In short, an attacker with sufficient resources will be able to find their way inside their target, regardless of what the defender does. The defender can raise the price of getting in, but not prevent it entirely.

The SANS Institute provides some guidelines to organizations on how they should react to incidents. Broadly speaking, however, the response can be divided into four steps:

Preparation

This involves responding to a targeted attack even before the attack actually takes place. Security professionals need to plan for a response to a targeted attack on their network. System administrators will routinely have plans, for example, for downtime-related events such as a data center going offline.

Similarly, it’s important to be aware of the normal, day-to-day threats that an organization faces. Information security professionals must not only deal with these attacks as they happen, but should understand what their “normal” problems are so that abnormal threats like targeted attacks can be quickly spotted. Threat intelligence and analysis is valuable in this step, in order to guide security professionals into understanding what the current situation is.

Security professionals must also plan to acquire the right skills to deal effectively with targeted attacks. One of the most important is digital forensics, which allows for the proper acquisition and analysis of evidence from compromised devices.

Many of these techniques are quite foreign to normal IT day-to-day work, but learning these techniques will help organizations gain information and be better prepared to deal with any attack in progress.
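Added illustration, not part of the original post or of SANS guidance: the "know your normal" advice above, made concrete. A baseline window of logon records is profiled per account (which hosts, which Windows logon types), and a later window is checked against it; anything unseen is reported, with logons to a domain controller or interactive use of a service account ranked higher. The account names, hostnames, the tier-0 host set and the records themselves are constructed for the example.

```python
"""Baseline 'normal' logon behaviour per account and flag departures from it.

Added example; the logon records are constructed, not real telemetry.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# (account, host, Windows logon type). Assumption: derived from 4624 events
# collected centrally; a real baseline would span weeks, not seven rows.
LogonRecord = Tuple[str, str, int]

BASELINE_WINDOW: List[LogonRecord] = [
    ("jdoe", "WS-JDOE", 2), ("jdoe", "WS-JDOE", 2), ("jdoe", "FS01", 3),
    ("asmith", "WS-ASMITH", 2), ("asmith", "FS01", 3),
    ("svc_backup", "FS01", 5), ("svc_backup", "FS02", 5),
]

NEW_WINDOW: List[LogonRecord] = [
    ("jdoe", "WS-JDOE", 2),
    ("jdoe", "DC01", 3),            # ordinary user touching a domain controller
    ("jdoe", "FS02", 3),            # a file server this user never used before
    ("asmith", "FS01", 3),
    ("svc_backup", "FS01", 5),
    ("svc_backup", "WS-JDOE", 10),  # service account used for RDP to a workstation
]

# Hosts whose compromise equals domain compromise (assumption for the example).
TIER0_HOSTS: FrozenSet[str] = frozenset({"DC01"})

# Per-account profile: {"hosts": set of hostnames, "types": set of logon types}
Profile = Dict[str, Set]
Finding = Tuple[str, str, str, List[str]]  # (severity, account, host, reasons)


def build_baseline(records: Iterable[LogonRecord]) -> Dict[str, Profile]:
    """Collect, per account, every host and logon type seen in the window."""
    baseline: Dict[str, Profile] = defaultdict(lambda: {"hosts": set(), "types": set()})
    for account, host, logon_type in records:
        baseline[account]["hosts"].add(host)
        baseline[account]["types"].add(logon_type)
    return dict(baseline)


def find_anomalies(baseline: Dict[str, Profile], records: Iterable[LogonRecord],
                   tier0_hosts: FrozenSet[str] = TIER0_HOSTS) -> List[Finding]:
    """Report every record that falls outside the account's baseline, high first."""
    findings: List[Finding] = []
    for account, host, logon_type in records:
        reasons: List[str] = []
        profile = baseline.get(account)
        if profile is None:
            reasons.append("account never seen in baseline window")
        else:
            if host not in profile["hosts"]:
                reasons.append(f"first logon to host {host}")
            if logon_type not in profile["types"]:
                reasons.append(f"new logon type {logon_type}")
        if not reasons:
            continue
        # Interactive (2) or remote-interactive (10) use of a service account,
        # or any unexpected logon to a tier-0 host, goes to the top of the queue.
        interactive_service = account.startswith("svc_") and logon_type in (2, 10)
        severity = "high" if host in tier0_hosts or interactive_service else "medium"
        findings.append((severity, account, host, reasons))
    findings.sort(key=lambda f: f[0] != "high")  # stable: high first, original order kept
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_WINDOW)
    for severity, account, host, reasons in find_anomalies(baseline, NEW_WINDOW):
        print(f"[{severity}] {account} -> {host}: {'; '.join(reasons)}")
```

On the constructed data this surfaces jdoe's first logon to DC01 and the backup service account's RDP session before the merely unusual file-server access. The point of the exercise is the baseline itself: without a record of what accounts normally do, a post-exploitation lateral move looks like any other logon.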

Response

Upon identifying a targeted attack in progress, the next step is to respond decisively. Responding to a targeted attack has several components: containing the threat, removing it, and determining the scope of the damage. The first step is to immediately isolate or contain the threat, for example by isolating infected machines or taking compromised services offline. The goal is to prevent the attack from gaining further ground.

To identify the threats still in place, working hand in hand with a security vendor that knows the tools and grayware commonly used in targeted attacks helps locate them within the organization. Similarly, continuous monitoring of network activity helps determine the scale and scope of the attack.

Restoration

Just as important as responding to an attack is restoring the organization to normal operations. Some disruption is a necessary part of responding to a targeted attack, but in the long run the organization has to return to business as usual.

“Restoring” an organization to normal is not only about technical considerations. If necessary, an organization needs to reach out to partners, stakeholders, and customers to clearly communicate the scope of a targeted attack’s damage, and any steps being taken to reduce the damage. In many cases, goodwill and trust are big casualties of a targeted attack, and these must be addressed as well.

Learning

Once an attack is over, organizations need to figure out what can be learned from it. Every attack offers lessons for defenders: what worked? What could we have done better? It may turn out that some of the assumptions and information that went into planning for security incidents were incorrect or incomplete.

However, it is also important to not overreact to any single incident. Overreacting can be just as bad as under-reaction: it can impose burdens on the organization that have marginal gains in security, if any. Decisions must be made bas

In today’s world of frequent targeted attacks – when breaches are a matter of when and not if - a carefully crafted strategy to respond to targeted attacks must be part and parcel of the larger defense strategy. This can be the difference between a minor nuisance and a major breach that could spell the demise of an organization.

This work is licensed under the Creative Commons Attribution 3.0 Unported License.
