Analysis of SANS Institute Infosec Case Study: Critical Controls that Sony Should Have Implemented

After reviewing the SANS Institute Case Study: Critical Controls that Sony Should Have Implemented, I thought I would provide my own analysis and critique.

If you have any comments, please add them below!

Abstract

In 2014 a group calling itself The Guardians of Peace (GOP) breached Sony Pictures Entertainment and claimed to have stolen over 100 terabytes of data of private data. The stolen data was posted online with demands for Sony to stop the release of the movie The Interview. The case study discusses Critical Controls that could have been implemented to reduce the impact of the Sony breach. This case study critique will review the effectiveness and drawbacks of a few of these controls including malware defenses, monitoring, audit logs, encryption, and controlled use of administrative credentials.

Effectiveness of the Idea or Solution

Malware defenses

Malware was a major contributor of the Sony breach. The malware deleted data from hundreds of computers and rendered them unusable. Applying malware defenses and detection would have helped Sony prevent the wiper malware from spreading.

• If malware was spread via external devices, malware detection could have notified the security team that something unusual was occurring on Sony systems.
• Identifying malware with non-signature-based tools like detecting for executables in network traffic could have assisted Sony with exposing anomalies in the infrastructure.

Monitoring & Audit Logs

Sony could have used log analytic tools and log aggregation detection to be alerted of anomalies from their baseline network activity.

Encryption

Encrypting sensitive information like Social Security numbers, usernames, passwords, and email addresses would have added one more layer of difficulty for hackers to exfiltrate and post plain text data online.

Controlled use of administrative credentials

Use of multi-factor authentication for all administrative access could have prevented the GOP from compromising sensitive accounts.

Drawback of the Idea or Solution

Malware

One drawback of system wide Malware detection is latency on the network. Malware defenses are not a “set it and forget it” solution, they need to be regularly tuned and managed. Finally, Malware detection can produce many false positives.

While behavioral based malware detection can be a good additional tactic, it alone will not adequately protect the network and computers. This method will still allow some malware through because it is typically written to look like legitimate code. The risk of false positives is high with behavior based security.

Monitoring & Audit Logs

Audit logs can produce large amounts of inconsequential data that can be costly to store and be difficult to parse. Monitoring these logs can be time consuming and require specialized skills many IT employees don’t possess. Furthermore, software that has been custom built and modified off-the-shelf products may not be logging the detail needed to trigger alerts for anomalies.

Encryption

One of the biggest drawbacks of encryption is key management. Keeping track of private keys, and keeping them secure requires time and resources. The stronger the encryption used, the harder it can be to implement, deploy, configure, manage, and recover. Encryption also has a negative impact on performance and can grow data storage needs.

Controlled use of administrative credentials

Multi factor authentication for end users can be slow and cumbersome. Users have to possess the “something you have” all the time. System administrators tend to dislike multi factor authentication as well due to the overhead on systems and the extra points of failure.

Conclusion

The Sony breach was the result of insufficient or absent security controls including malware defenses, monitoring, audit logs, encryption, and controlled use of administrative credentials.

Implementing these technical controls outlined by the SANS Top 20 Critical Controls along with strong leadership support for security can help create a culture that is commitmented to maintaining security in day-to-