Description

CASE STUDY: CYBER SECURITY BREACH

Number each question as 1, 2, etc. to match the question number. Use the citation rule. Adequate coverage of a single question (and there is more than one question in this assignment) is possible between 200 and 400 words. Any reference list, diagram, chart, table, etc. included are not counted towards the word limit.

Question 1. From all the case studies provided in this weekly module, choose any one case study of your choice (it is your decision which one to choose). Explain the three key characteristics of the cyber security breach in that case study and relate these three characteristics with any of the components of the National Institute of Standards and Technology (NIST), and/or CIS Controls Top 18 and/or OWASP Top 10. In other words, as you find the characteristics of the cyber security breaches in the case study of your choice, relate them to the lessons on NIST and/or CIS Top 18 and/or OWASP Top 10. In your answer, match the incident with the specific standard name, or the control number, so that I know the exact name of the standard/control. For example, clearly state that it matches with CIS Control 3 on Data Protection because (and elaborate accordingly). For any reason, if you do not find a matching standard or control, explain why. Number each characteristic as i, ii, iii so that I can clearly identify them.

Question 2. If you were in charge of the data breach case study that you have chosen (in the question above), what three things would you have done differently? Answer this question with any policy, tools, or technology that you would have used to prevent this from happening. Match each one of your recommendations with one or more of the NIST and/or CIS Top 18 and/or OWASP Top 10 by clearly stating the name of the standard or the control. For any reason, if you do not find a matching standard or control, explain why. Number each item as i, ii, iii so that I can clearly identify them.

Question 3. What are the three cyber security concerns unique to the government/federal/military organization, and what policies, tools, and techniques would you propose for the government organization for each concern? You may find similarities and dissimilarities between government and non-government organizations. You may propose the tools and policies used in the non-government organization to be used by the government organization. Number each concern as i, ii, iii so that I can clearly identify them.

Question 4. This question asks you to cross-compare (similarities and differences) the case studies found in this weekly module and requires you to review all the case studies in this weekly module. From your learning of the case studies, analyze any two commonalities (any common reason for the cyber security breach between the case studies) and two differences (a case study that had a unique reason/characteristic for the cyber security breach). Share three commonalities and three differences in the cyber security breaches among the case studies. Clearly state the case study name (e.g. Sony, Target, Department of Defense, etc.) in the answer so that it is obvious which security breach is related to which case study. You can also use any additional case study (not included in the lesson) to answer this question if you choose to. It is not necessary that all the case studies must have the same commonalities. If you find the common reason between two to three case studies (e.g. both the case studies had weak authentication, unpatched software, etc.) that would suffice as a commonality. If a single case study stands out for a unique and obvious reason which is not found in any other case study (for example, the case study had unauthorized access, did not renew the software license, etc., which seems obvious but that was not addressed), that would suffice as a difference. This question encourages students to cross-compare the case studies.
Number each commonality as i, ii, and each difference as i, ii so that I can clearly identify them.

Question 5. For the SY0-601, explain any lessons that you have learned on Domain 1, which is Attacks, Threats, and Vulnerabilities. It is not expected that you will have a complete mastery of this topic in one week, along with learning additional lessons. But this gives the students an exposure, if there is an interest.

Attachment preview (one of four attachments):

SANS Institute InfoSec Reading Room. This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Copyright SANS Institute; Author Retains Full Rights.

Case Study: Critical Controls that Sony Should Have Implemented
GIAC (GSEC) Gold Certification
Author: Gabriel Sanchez, gmgsanchez@gmail.com
Advisor: Richard Carbone
Accepted: June 1, 2015

Abstract

On November 24, 2014, an incident almost pulled right out of a 90's hacker movie turned into a massive computer hack. A group calling itself the Guardians of Peace (GOP) managed to breach Sony Pictures Entertainment and bring its systems to a screeching halt. As a result of this breach, the GOP claims to have stolen over 100 terabytes of data containing Social Security numbers, salaries, movies, and other personally identifiable information. Within days, the stolen data was posted on the Internet along with demands from the GOP that included not releasing The Interview. This paper will point out some of the Critical Controls that could have been utilized to minimize the impact the GOP had in the Sony breach. Utilizing even a few of the Critical Controls, such as malware defenses, monitoring, audit logs, encryption, controlled use of administrative credentials, and incident response, could have provided the implementations required to prevent a 90's hacker movie from turning into reality.

1. Introduction

What would soon characterize one of the worst hacks in recent history began when screenwriter Evan Goldberg and actor Seth Rogen joked about making a comedy about assassinating the leader of North Korea, Kim Jong-un. In March 2013, this joke became reality when Sony Pictures Entertainment announced that Goldberg and Rogen would direct the comedy The Interview. The original release date of The Interview was targeted for the end of 2014; however, before the movie could be released, an incident occurred that put hackers in complete control of Sony Pictures Entertainment's network. As a portion of the claimed 100 terabytes of data flooded onto the Internet, Sony Pictures Entertainment was forced to take its network offline as Social Security numbers, movies, salaries, and personally identifiable information were released. After this incident, observers began to formulate different methods of preventing another hack such as the Sony breach (Zetter, 2014). Despite concerns over the production of The Interview, Sony Pictures Entertainment decided to open the film in theaters on Christmas Day 2014.
November 21, 2014, an email addressed to Sony Pictures CEO Michael Lynton, Chairman Amy Pascal, and other executives made vague references to "great damage" and asked for "monetary compensation" to avoid it (Franceschi-Bicchiera, 2014a). November 24, 2014, a Reddit post appeared stating that Sony Pictures Entertainment had been breached and that its complete internal, nation-wide network showed signs that the breach had been carried out by a group calling itself the GOP, the Guardians of Peace (RBS, 2014). The hackers claim to have stolen a huge trove of sensitive data from Sony, possibly as large as 100 terabytes, which they are slowly releasing in batches. Judging from the data the hackers have leaked online, they obtained usernames, passwords, sensitive information about Sony's network architecture, and a host of documents exposing personal information about employees (Zetter, 2014). December 2, 2014, the FBI sent a confidential "flash" alert to numerous U.S. businesses warning them that hackers had recently launched a destructive "wiper" malware attack. While the alert does not name the victim, numerous information security experts say that the malware appears to correspond with the malicious code used in the recent attack against Sony Pictures Entertainment (Schwartz, 2014). December 7, 2014, North Korea denied responsibility for hacking the computers of Sony Pictures Entertainment, yet it appeared to relish the attack that crippled the computer systems of the Hollywood company, which was set to release The Interview, a film involving a plot to assassinate its leader, Kim Jong-un (Sang-Hun, 2014). However, the United States public and government have claimed that the North Koreans are responsible for the attack.
Although not all the details about the Sony breach have been revealed, the following information has come to light from public sources and seems to serve as a warning of a North Korean attack on Sony Pictures Entertainment. June 26, 2014, a North Korean foreign ministry spokesperson said in state media that the movie's release would be an "act of war" (BBC News, 2014). December 8, 2014, the day after North Korea's denial and after the United States had declared that North Korea was responsible for the breach, the CEO of Sony Pictures Entertainment sent a memo to all employees confirming that their information had indeed been compromised. The memo featured a letter by Kevin Mandia, head of the cyber security firm Mandiant, which was hired by Sony to probe the massive and embarrassing film studio hacking (Franceschi-Bicchiera, 2014b). December 10, 2014, after days of review of the incredible amount of leaked data, analysis shifted to the contents of the emails of Amy Pascal, Co-Chairman of Sony Pictures Entertainment, and Steve Mosko, President of Sony Pictures Television (RBS, 2014). Emails from both Amy Pascal and Steve Mosko revealed embarrassing remarks commenting on President Obama's film preferences that had been exchanged via email at Sony Pictures Entertainment. December 19, 2014, after the FBI formally blamed North Korea for the cyber-attack against Sony Pictures Entertainment, the hack began to spur mounting calls for the U.S. government to pursue a tough response against Kim Jong-un's regime (Fox News, 2014). North Korea dismissed U.S. accusations over its involvement in the cyber-attack against Sony Pictures Entertainment as "groundless slander" and said that it wanted a joint investigation into the incident with the United States. An unnamed spokesperson of North Korea's foreign ministry said there would be serious consequences if Washington refused to agree to the probe and continued to accuse Pyongyang (Kim & Holland, 2014).

After the cyber-attack Sony nearly pulled the plug on releasing The Interview; however, President Obama's declaration that Sony should move forward with its movie release made Sony reconsider its position, and it then proceeded with The Interview's release. January 2, 2015, under a new executive order signed by President Obama, the Treasury Department imposed financial measures against ten North Korean officials and three government agencies (Morello & Miller, 2015). This incident, besides the release of private information and movies, caused the studio's network to be offline for weeks because Sony's technicians were forced to rebuild the network in order to bring it fully online again (Abdollah, 2015). In a wide-ranging interview, Lynton, Sony CEO, responded to the isolation and uncertainty created by the attack and the unique position the company found itself in, stating that "there's no playbook for an incident such as this," which created greater hardship for Sony in its recovery after the breach (Abdollah, 2015). While Sony reported in an earnings report that the hack would cost Sony $15 million "in investigation and remediation costs" for the quarter to December 31, senior general manager Kazuhiko Takeda stated that Sony would lose $35 million for the full fiscal year through March 31 (Hornyak, 2015). This hack also led to Amy Pascal, one of Hollywood's most powerful movie executives, stepping down as head of Sony Pictures in the wake of a hacking scandal that resulted in her private and damaging emails being leaked (Rushe, 2015). This paper will point out some of the Top 20 Critical Controls that could have been utilized to minimize the impact that the GOP had during the Sony breach.
Utilizing even a few of these Critical Controls, such as malware defenses, monitoring, audit logs, encryption, controlled use of administrative credentials, and incident response, could have provided the implementations required to prevent a 90's hacker movie from turning into reality. The Critical Controls can only be successful with the culture shift required from every employee throughout an organization (SANS Institute, 2015). Putting a checkmark in a box or bolting on safeguards as an afterthought will only provide a false sense of security against future attacks.

2. Security

2.1 Critical Controls

The Critical Security Controls focus first on prioritizing security functions that are effective against the latest advanced targeted threats. These security functions strongly emphasize "what works" (SANS Institute, 2015a). The controls also prioritize and focus on a smaller number of actionable controls with a high payoff, aiming for a "must do first" philosophy (SANS Institute, 2015a). Currently, there are 20 Critical Controls with various sub-controls that allow organizations to accomplish tasks in phases. The SANS Institute lists the Top 20 Critical Controls as follows (SANS Institute, 2015b):

Table 1: Top 20 Critical Controls (SANS Institute, 2015b).
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises

(This paper uses the 2015 SANS Top 20 numbering. The current CIS Controls v8 consolidate the list to 18 controls and renumber them: Data Protection, Control 17 here, is Control 3 in v8; Malware Defenses is Control 10; Data Recovery is Control 11; and Audit Log Management is Control 8. The control numbers cited below therefore do not map one-to-one onto the CIS Top 18.)

Organizations that adopt the Top 20 Critical Controls are left with the best and most timely option to prevent future hacks. Fortunately, dozens of early adopters of the Critical Controls have shared their experiences and lessons learned with the Consortium for Cybersecurity Action (SANS Institute, 2015b). According to the SANS Institute, the pattern that has emerged for making substantial progress in reducing risk using the Critical Controls is as follows (SANS Institute, 2015b):

Table 2: Steps for Reducing Risk with Critical Controls (SANS Institute, 2015b).
Step 1: Perform Initial Gap Assessment - determining what has been implemented and where gaps remain for each control and sub-control.
Step 2: Develop an Implementation Roadmap - selecting the specific controls (and sub-controls) to be implemented in each phase, and scheduling the phases based on business risk considerations.
Step 3: Implement the First Phase of Controls - identifying existing tools that can be repurposed or more fully utilized, new tools to acquire, processes to be enhanced, and skills to be developed through training.
Step 4: Integrate Controls into Operations - focusing on continuous monitoring and mitigation and weaving new processes into standard acquisition and systems management operations.
Step 5: Report and Manage Progress against the Implementation Roadmap developed in Step 2. Then repeat Steps 3-5 in the next phase of the Roadmap.

2.2 Culture at Sony

Three and a half years earlier, Sony had been in the spotlight for another major breach. April 26, 2011, Sony was reported to have suffered a massive breach of its video game online network that led to the theft of names, addresses, and possibly credit card data belonging to 77 million user accounts (Baker & Finkle, 2011). Several days later, on May 4, 2011, Sony revealed that the breach might also have affected 24.5 million users of Sony Online Entertainment, making this the largest personal data heist in history (Lavasoft, 2011). Sony's response to this incident was widely criticized by security experts, consumers, and politicians alike because it took Sony over a week to alert users that their personal details may have been stolen and because Sony had stored these details in an unencrypted format (VentureBeat, 2011a, 2011b). According to Stuart Thomas, who built the PlayStation 2 network for Sony in 2001, the biggest mistake Sony made that led to the PSN hacks was its organizational complexity and a lack of proper security support at the board level (VentureBeat, 2011c). May 4, 2011, a Purdue University professor testified to a Congressional committee investigating the massive data breach of the Sony game and entertainment networks that Sony had also failed to use firewalls to protect its networks and had been caught running obsolete web applications, which made the company's sites an inviting target for hackers (Rashid, 2011).
While Sony declined to appear before the May 4, 2011, hearing convened by the House Committee on Energy and Commerce, the company sent an eight-page letter to the Subcommittee on Commerce, Manufacturing, and Trade detailing what it was doing (Rashid, 2011). This document outlined increased security of data through encryption along with new tools to defend against future attacks. Other improvements included internal detection mechanisms that would flag unauthorized access or anomalies on the network. Mr. Stringer, Chief Executive of Sony at the time, said that the attacks on Sony had prompted the company to strengthen security across all of its products (Bilton, 2011). The November 24, 2014, breach of Sony by the GOP left employees and spectators wondering how such a large breach could occur again. Just three weeks later, on December 15, 2014, after attackers had launched a devastating wiper malware attack against Sony Pictures Entertainment and begun leaking stolen data, Sony broke its silence by hiring a prominent U.S. attorney to threaten to sue media outlets that reproduced the leaked information and to demand that they delete all leaked emails, contracts, and other information (Schwartz, 2014b). Sony executives failed to take proactive responsibility for the security breach, which resulted in current and former employees' personal information being leaked (Schwartz, 2014c). Sony Pictures executive Amy Pascal told Bloomberg News: "I don't think that anybody thinks that this was anyone's fault who works here, and I think continuity and support and going forward is what's important now." Since Sony suffered its hack attack, the company has issued very little information with respect to the breach, except to say that it was "a very sophisticated cyberattack" (Schwartz, 2014c).

3. Applied Security to Sony

3.1 Critical Controls Applied

Implementing even a few of the Critical Controls, including certain sub-controls, could have greatly assisted Sony in mitigating, or at least detecting sooner, the breach. Unfortunately, missed opportunities by Sony resulted in a tragic incident that exposed sensitive documents to the world. Aside from the theft of electronic data, the GOP made a statement not only to Sony but to the world that failing to guard one's data could put any organization in the same situation. Although there is no one-size-fits-all approach to security, there are foundational concepts that every organization should utilize to help prevent a cyber-attack. The following are the Critical Controls and sub-controls that could have greatly assisted Sony in the breach of November 24, 2014.

3.1.1 Issue 1a

The GOP was allegedly able to obtain some 100 terabytes of data from Sony servers, including sensitive information such as Social Security numbers, usernames, passwords, and emails. To put that into perspective, 10 terabytes can hold the entire printed collection of the Library of Congress (Robb, 2014).

3.1.1.1 Remediation 1a: Critical Control #17 - Data Protection

The objective of Critical Control 17 is to protect data regardless of whether it is internal to the network or is transferred out. In Sony's case, having sensitive data uploaded to the Internet for the entire world to see was hardly the ideal situation. It is preferable to detect the exfiltration of data early in the attack; however, if one's data is stolen, having it encrypted complicates the attackers' ability to decipher its contents. Encryption at rest only raises the bar if the keys are not reachable with the same compromised credentials: an attacker holding a legitimate administrative account (see Remediation 4a) can read whatever that account can read.

Table 3: Sub-Control 17-3 (SANS Institute, 2015a).
Description: Perform an assessment of data to identify sensitive information that requires the application of encryption and integrity controls.
Applied to Sony: Identification of sensitive information, including Social Security numbers, usernames, passwords, and emails, gives an added mechanism of defense in the event of a breach. Had encryption under Sub-Control 17-3 been applied to this sensitive information, it would have made uploading these sensitive documents in clear text to the Internet considerably harder.

Table 4: Sub-Control 17-5 (SANS Institute, 2015a).
Description: Deploy an automated tool on network perimeters to monitor for certain sensitive information (i.e., personally identifiable information), keywords, and other document characteristics to discover unauthorized attempts to exfiltrate data across network boundaries and block such transfers while alerting information security personnel.
Applied to Sony: A tremendous amount of traffic would have been generated by an alleged 100 terabytes of data being stolen by the GOP. Sony would only have needed to detect a fraction of that in order to be tipped off that its network was under attack. Diligently automating a tool to hunt for sensitive information leaving the network could have greatly assisted Sony and prevented the majority of its sensitive information from being stolen.

Table 5: Sub-Control 17-6 (SANS Institute, 2015a).
Description: Conduct periodic scans of servers using automated tools to determine whether sensitive data (i.e., personally identifiable information, health, credit card, and classified information) is present on the system in clear text. These tools, which search for patterns that indicate the presence of sensitive information, can help identify if a business or technical process is leaving behind or otherwise leaking sensitive information.
Applied to Sony: With Sub-Control 17-6 Sony could have actively searched for sensitive information stored in clear text. Although no organization wants its data to be stolen, had the data at least been encrypted it could have greatly hindered the attackers' ability to read the contents.

Table 6: Sub-Control 17-12 (SANS Institute, 2015a).
Description: Monitor all traffic leaving the organization and detect any unauthorized use of encryption. Attackers often use an encrypted channel to bypass network security devices. Therefore, it is essential that organizations be able to detect rogue connections, terminate the connection, and remediate the infected system.
Applied to Sony: Sony could have used Sub-Control 17-12 to further investigate large amounts of data leaving its network. If Sony had been able to differentiate between legitimate encrypted channels and a possible back channel, it could have been forewarned that it was under attack.

3.1.2 Issue 2a

Wiper malware, so called because it erases data from victims' computer drives, played a key part in the costly cybersecurity breach directed against Sony Pictures Entertainment in late 2014 (Robinson, 2015). Given the destructive nature of this malware, early detection of the dropper and its installed files would have been essential to prevent significant data losses (Gallagher, 2014).

3.1.2.1 Remediation 2a: Critical Control #5 - Malware Defenses

Malware was a huge contributor to the Sony Pictures Entertainment breach in 2014, where the GOP deleted the contents of hundreds of computers in order to make them unusable. Applying malware defenses and detection would have assisted Sony Pictures Entertainment in possibly preventing the wiper malware from spreading.

Table 7: Sub-Control 5-7 (SANS Institute, 2015a).
Description: Limit use of external devices to those that have a business need. Monitor for use and attempted use of external devices.
Applied to Sony: If malware delivery or copying of data occurred via external devices, Sub-Control 5-7 would have notified the security team that something unusual was occurring on Sony systems.

Table 8: Sub-Control 5-9 (SANS Institute, 2015a).
Description: Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content before it arrives at the endpoint.
Applied to Sony: Signature-based tools only catch malware they already know about. However, utilizing techniques such as those listed in Sub-Control 5-9 to identify executables in network traffic could have helped Sony spot anomalies in its infrastructure.

3.1.3 Issue 3a

The GOP installed wiper malware on computer systems that deleted all the contents of the hard drive.

3.1.3.1 Remediation 3a: Critical Control #8 - Data Recovery Capability

Restore computer systems as quickly as possible from trustworthy backups. Being able to restore data is one major piece of restoring the organization's infrastructure.

Table 9: Sub-Control 8-1 (SANS Institute, 2015a).
Description: Ensure that each system is automatically backed up at least once a week, and more often for systems storing sensitive information. To help ensure the ability to rapidly restore a system from backup, the operating system, application software, and data on a machine should each be included in the overall backup procedure. These three components of a system do not have to be included in the same backup file or use the same backup software. There should be multiple backups over time, so that in the event of malware infection, restoration can be from a version that is believed to predate the original infection. All backup policies should be compliant with any regulatory or official requirements.
Applied to Sony: Each day Sony was down undoubtedly cost the organization more money and time for restoration. Having the capability to quickly restore critical systems from malware-free backups could have reduced the time Sony Pictures Entertainment systems were kept offline.

Table 10: Sub-Control 8-3 (SANS Institute, 2015a).
Description: Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
Applied to Sony: With Sub-Control 8-3, Sony would have had protected backups that limited the scope of what the GOP could reach in its attack. It also would have ensured that the backups were trustworthy.

3.1.4 Issue 4a

The GOP was able to completely compromise the Sony Pictures Entertainment network.

3.1.4.1 Remediation 4a: Critical Control #12 - Controlled Use of Administrative Privileges

The misuse of administrative privileges is the primary manner in which attackers spread inside a target enterprise (SANS Institute, 2015a). Even one account being compromised by the attacker can lead to a company-wide breach.

Table 11: Sub-Control 12-12 (SANS Institute, 2015a).
Description: Use multifactor authentication for all administrative access, including domain administrative access. Multi-factor authentication can include a variety of techniques, to include the use of smart cards with certificates, One Time Password (OTP) tokens, and biometrics.
Applied to Sony: Not only did the GOP infiltrate the Sony network, it also embedded legitimate usernames and credentials into the malware for a higher success rate of spreading throughout the infrastructure. Requiring additional authentication for administrative accounts could have prevented the GOP from compromising sensitive accounts. Multifactor authentication protects interactive administrative logons; malware that reuses stolen credentials over network protocols is not challenged by it, so the control needs to be paired with separate, tightly scoped administrative accounts and limits on where those credentials are accepted.

3.1.5 Issue 5a

The GOP dropped the wiper malware, which took a foothold within the infrastructure of Sony Pictures Entertainment.

3.1.5.1 Remediation 5a: Critical Control #14 - Maintenance, Monitoring, and Analysis of Audit Logs

Deficiencies in security logging and analysis allow attackers to hide their location, malicious software, and activities on victim machines (SANS Institute, 2015a).

Table 12: Sub-Control 14-9 (SANS Institute, 2015a).
Description: Deploy a SIEM (Security Incident and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using a SIEM tool, system administrators and security personnel should devise profiles of common events so that they can tune detection to focus on unusual activity, avoiding false positives, more rapidly identifying anomalies, and preventing analysts from being overwhelmed with insignificant alerts.
Applied to Sony: Using Sub-Control 14-9, Sony could have detected that its infrastructure was breached by correlating activities that deviated from its known baseline. Knowing what is normal in one's infrastructure is imperative to detecting malicious activity.

3.1.6 Issue 6a

The GOP was able to bring down the entire Sony Pictures Entertainment technology infrastructure.

3.1.6.1 Remediation 6a: Critical Control #19 - Secure Networ
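Sub-Controls 17-5 and 17-12 (Tables 4 and 6 above) both come down to looking at what leaves the network: the volume per host against what that host normally sends, and whether traffic that should be plaintext is in fact encrypted. The following added example, not code from the paper or from SANS, runs both checks over constructed flow records. Bulk egress is flagged by comparing each host's outbound bytes with an assumed per-host baseline; rogue encryption is flagged when a payload sample on a plaintext port (FTP, SMTP, HTTP, POP3, IMAP) has a byte entropy close to the 8 bits per byte of ciphertext. The flow records, baseline figures and payload samples are all constructed.

```python
"""Flag bulk outbound transfers and encrypted payloads on plaintext ports.

Added example over constructed flow records: (1) per-host outbound volume is compared
with a per-host baseline to catch a bulk transfer; (2) the byte entropy of a payload
sample is used to spot encrypted traffic on a port where a plaintext protocol is expected.
"""
import hashlib
import math
from collections import defaultdict

# Ports where plaintext protocols are expected (FTP, SMTP, HTTP, POP3, IMAP).
PLAINTEXT_PORTS = {21, 25, 80, 110, 143}
ENTROPY_THRESHOLD = 7.0   # bits per byte; English text is ~4-5, ciphertext approaches 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def flag_rogue_encryption(flows, threshold=ENTROPY_THRESHOLD):
    """IDs of flows carrying high-entropy payloads to a port that should be plaintext."""
    return [f["id"] for f in flows
            if f["dst_port"] in PLAINTEXT_PORTS
            and shannon_entropy(f["payload"]) >= threshold]


def flag_bulk_egress(flows, baseline_bytes, factor=10):
    """Hosts whose total outbound bytes exceed `factor` times their usual daily volume."""
    out = defaultdict(int)
    for f in flows:
        out[f["src"]] += f["bytes_out"]
    return sorted(h for h, b in out.items() if b > factor * baseline_bytes.get(h, 0))


# Constructed payload samples. The "ciphertext" is a deterministic stand-in built from
# SHA-256 outputs, which have the near-uniform byte distribution of encrypted data.
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n" * 8
CIPHERTEXT_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))

# Constructed flow records: source host, destination port, bytes sent, payload sample.
FLOWS = [
    {"id": "f1", "src": "10.1.1.20", "dst_port": 80, "bytes_out": 40_000, "payload": HTTP_GET},
    {"id": "f2", "src": "10.1.1.20", "dst_port": 443, "bytes_out": 2_000_000, "payload": CIPHERTEXT_LIKE},
    {"id": "f3", "src": "10.1.1.57", "dst_port": 80, "bytes_out": 900_000_000, "payload": CIPHERTEXT_LIKE},
    {"id": "f4", "src": "10.1.1.57", "dst_port": 25, "bytes_out": 50_000, "payload": b"EHLO mail.example.com\r\n"},
]
# Constructed baseline: typical daily outbound bytes per host, learned over prior weeks.
BASELINE = {"10.1.1.20": 500_000, "10.1.1.57": 2_000_000}

if __name__ == "__main__":
    print("rogue encryption:", flag_rogue_encryption(FLOWS))
    print("bulk egress:", flag_bulk_egress(FLOWS, BASELINE))
```

Flow f2 is encrypted but on 443, where TLS is expected, so only f3 (ciphertext-like bytes on port 80) is reported, and only host 10.1.1.57 exceeds ten times its baseline. Entropy is a heuristic: compressed archives and images also score near 8 bits per byte, so in practice the high-entropy hit is a trigger for inspection (protocol parsing, destination reputation, the volume check above), not by itself a verdict.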
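Sub-Control 8-1 (Table 9 above) asks for multiple backups over time so that restoration can come from a version believed to predate the infection, and Sub-Control 8-3 asks that those backups be protected so they can be trusted. The following added example, not code from the paper or from SANS, shows the restore-point selection that combines the two: snapshots are modelled as in-memory path-to-bytes mappings, a manifest of SHA-256 digests is recorded at backup time and is assumed to be kept somewhere the attacker cannot reach, and the selector walks backwards from the newest snapshot, skipping anything taken after the estimated infection time or whose digest no longer matches. The snapshots, timestamps and tampering are constructed for the example.

```python
"""Pick a restore point that predates an infection and passes an integrity check.

Added example: each backup snapshot is a mapping of path -> bytes; a manifest of SHA-256
digests, kept separately from the snapshots (off-line or on a system the attacker cannot
reach), is used to verify a snapshot before it is trusted for restoration.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Snapshot:
    taken_at: datetime
    files: dict[str, bytes] = field(default_factory=dict)


def digest_snapshot(snap: Snapshot) -> str:
    """Single digest over all files in sorted path order (path and content both covered)."""
    h = hashlib.sha256()
    for path in sorted(snap.files):
        h.update(path.encode())
        h.update(b"\0")
        h.update(snap.files[path])
        h.update(b"\0")
    return h.hexdigest()


def record_manifest(snapshots) -> dict[str, str]:
    """Manifest written at backup time: snapshot timestamp -> digest."""
    return {s.taken_at.isoformat(): digest_snapshot(s) for s in snapshots}


def choose_restore_point(snapshots, manifest, infection_estimate):
    """Latest snapshot taken before `infection_estimate` whose digest still matches the manifest.

    Returns (snapshot or None, rejected) where rejected lists (timestamp, reason) for
    every newer candidate that was skipped, so the decision can be audited afterwards.
    """
    rejected = []
    for snap in sorted(snapshots, key=lambda s: s.taken_at, reverse=True):
        key = snap.taken_at.isoformat()
        if snap.taken_at >= infection_estimate:
            rejected.append((key, "taken after estimated infection"))
            continue
        if manifest.get(key) != digest_snapshot(snap):
            rejected.append((key, "digest mismatch: tampered or corrupt"))
            continue
        return snap, rejected
    return None, rejected


# Constructed snapshots of a small file set over three weekly backup runs.
PAYROLL_V1 = b"employee,salary\n1042,92000\n"
HOSTS = b"127.0.0.1 localhost\n"
S1 = Snapshot(datetime(2014, 11, 10, 2, 0), {"hr/payroll.csv": PAYROLL_V1, "etc/hosts": HOSTS})
S2 = Snapshot(datetime(2014, 11, 17, 2, 0), {"hr/payroll.csv": PAYROLL_V1 + b"1043,88000\n", "etc/hosts": HOSTS})
S3 = Snapshot(datetime(2014, 11, 23, 2, 0), {"hr/payroll.csv": PAYROLL_V1 + b"1043,88000\n",
                                               "etc/hosts": HOSTS, "bin/update.exe": b"MZ\x90\x00"})
SNAPSHOTS = [S1, S2, S3]
MANIFEST = record_manifest(SNAPSHOTS)       # written when each backup completed

# Constructed tampering: the attacker later overwrites the on-line copy of S2.
S2.files["hr/payroll.csv"] = b"\0" * 16
INFECTION_ESTIMATE = datetime(2014, 11, 21)  # assumed from the incident timeline

if __name__ == "__main__":
    chosen, skipped = choose_restore_point(SNAPSHOTS, MANIFEST, INFECTION_ESTIMATE)
    for ts, why in skipped:
        print(f"skipped {ts}: {why}")
    print("restore from:", chosen.taken_at.isoformat() if chosen else "no trusted snapshot")
```

With the constructed data the selector skips S3 (taken after the estimated infection) and S2 (its digest no longer matches the manifest) and returns S1. The manifest is what makes 8-3 bite: if the digests lived next to the backups, a wiper with the same credentials could rewrite both, and the check would pass on a poisoned snapshot.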
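Table 11 notes that the malware carried legitimate usernames and credentials to spread, and Table 12 says the way to catch that is to know the baseline and correlate deviations from it. The following added example, not code from the paper or from SANS, puts the two together over constructed logon events in a syslog-like format: a baseline period records which hosts each account normally logs on to, and in the detection period an account that successfully reaches several hosts it has never used before, within a short window, is flagged. That fan-out is exactly the footprint of credentials embedded in malware, and it is the kind of correlation rule a SIEM would be tuned with. The log format, hostnames, account names and timestamps are all constructed.

```python
"""Baseline-and-deviation detection over authentication logs.

Added example: constructed logon events in a syslog-like format. A baseline period
records which hosts each account normally logs on to; in the detection period an
account that successfully reaches several hosts it has never used before, within a
short window, is flagged (the footprint of malware spreading with embedded credentials).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) event=logon result=(?P<result>success|failure)$"
)


def parse_events(text: str) -> list[dict]:
    """Parse the constructed log format; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "host": m["host"], "user": m["user"], "src": m["src"],
                "ok": m["result"] == "success",
            })
    return events


def build_baseline(events, cutoff) -> dict[str, set[str]]:
    """Hosts each account successfully logged on to before `cutoff`."""
    baseline = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] < cutoff:
            baseline[e["user"]].add(e["host"])
    return baseline


def detect_spread(events, baseline, cutoff, window=timedelta(minutes=10), min_new_hosts=3):
    """Accounts that reach >= min_new_hosts previously unseen hosts within `window`.

    Returns a list of (user, first_timestamp, sorted new hosts), one alert per account.
    """
    new_logons = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"] and e["ts"] >= cutoff and e["host"] not in baseline.get(e["user"], set()):
            new_logons[e["user"]].append(e)
    alerts = []
    for user, evs in new_logons.items():
        for i, first in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(hosts) >= min_new_hosts:
                alerts.append((user, first["ts"], sorted(hosts)))
                break
    return alerts


# Constructed logs: a week of normal use, then a service account fanning out to workstations.
LOGS = """2014-11-17T08:02:11Z host=WS-021 user=jdoe src=10.1.5.21 event=logon result=success
2014-11-17T08:05:40Z host=FS-01 user=jdoe src=10.1.5.21 event=logon result=success
2014-11-17T23:00:02Z host=FS-01 user=svc_backup src=10.1.2.9 event=logon result=success
2014-11-18T23:00:02Z host=FS-02 user=svc_backup src=10.1.2.9 event=logon result=success
2014-11-19T23:00:03Z host=BK-01 user=svc_backup src=10.1.2.9 event=logon result=success
2014-11-22T09:10:00Z host=FS-01 user=jdoe src=10.1.5.21 event=logon result=success
2014-11-22T09:12:30Z host=WS-022 user=jdoe src=10.1.5.21 event=logon result=success
2014-11-23T02:14:05Z host=WS-101 user=svc_backup src=10.1.9.44 event=logon result=success
2014-11-23T02:14:09Z host=WS-102 user=svc_backup src=10.1.9.44 event=logon result=failure
2014-11-23T02:14:12Z host=WS-102 user=svc_backup src=10.1.9.44 event=logon result=success
2014-11-23T02:15:01Z host=WS-103 user=svc_backup src=10.1.9.44 event=logon result=success
2014-11-23T02:17:48Z host=WS-104 user=svc_backup src=10.1.9.44 event=logon result=success
"""
CUTOFF = datetime(2014, 11, 21)   # constructed: end of the baseline period

if __name__ == "__main__":
    events = parse_events(LOGS)
    for user, ts, hosts in detect_spread(events, build_baseline(events, CUTOFF), CUTOFF):
        print(f"{ts.isoformat()} {user} reached new hosts {hosts}")
```

On the constructed logs, jdoe touching one new workstation stays under the threshold, while svc_backup, which had only ever logged on to the two file servers and the backup host, reaches four workstations in under four minutes from a new source address and is reported. The same rule in a SIEM would also key on the source address, since an account that normally authenticates from 10.1.2.9 suddenly arriving from 10.1.9.44 is a second deviation from baseline.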


