
QUESTION

Mkt 701 Assignment 2  

This one is two pages and minimum 2 references.

Case Topic and Questions:

Read the following case by downloading/opening the PDF file (attached at the bottom):

Answer the following question(s):

Was Sony’s response to the breach adequate? Why or why not?

Should the U.S. government help private organizations that are attacked (or allegedly attacked) by foreign governments? Why or why not?

Please pay attention to the Assignment Grading Rubric:

Note: Regarding the case assignment, please incorporate “1 or more” external sources for the question answered for full points.

For external sources you may use and search within your LSUS online library. Go to the LSUS Library at http://www.lsus.edu/offices-and-services/noel-memorial-library

Minimum 500 words needed for your assignment that applies to your grade on word count (review Assignment Grading Rubric)

 

 The Sony Pictures Entertainment Hack

The Problem

On November 24, 2014, a hacker group called the “Guardians of Peace” or GOP successfully attacked Sony Pictures Entertainment (www.sonypictures.com; SPE). The attackers obtained personally identifiable information about 47,000 current and former SPE employees and their dependents. These materials included numerous sensitive e-mails among top SPE executives concerning actors, financial deals, and creative disagreements; executive salaries; and complete copies of unreleased Sony films. The information included names, addresses, social security numbers, driver’s license numbers, passport numbers, bank account information, credit card information used for corporate travel and expenses, usernames and passwords, and compensation and other employment-related information. The hackers claimed to have stolen more than 100 terabytes of data from SPE.

The GOP initially released the most damaging information over the Internet. This information consisted of digital copies of SPE films that had been released (e.g., Fury) or were yet to be released (e.g., Annie). In addition, the attackers announced they would continue to release more interesting SPE information.

Although the specific motives for the attack had not been revealed as of mid-2016, the hack has been linked to the planned release of the SPE film The Interview. In this movie, producers of a tabloid television show learn that North Korea’s leader, Kim Jong Un, is a big fan of the show, and they set up an interview with him. While the show’s team is preparing for the interview, the CIA recruits them to assassinate Kim Jong Un.

Prior to the Sony hack, North Korean officials had expressed concerns about the film to the United Nations. The officials stated that “to allow the production and distribution of such a film on the assassination of an incumbent head of a sovereign state should be regarded as the most undisguised sponsoring of terrorism as well as an act of war.”

On December 16, 2014, the GOP mentioned The Interview by name, and they threatened to take terrorist actions against the film’s New York City premiere at Sunshine Cinema on December 18. The GOP also threatened similar actions on the film’s America-wide release date of December 25 (Christmas).

On December 18, two messages allegedly from the GOP appeared. The first claimed that the GOP would not release any further information if SPE agreed not to release The Interview and to remove it completely from the Internet. The second stated that SPE had “suffered enough” and it could release the film, but only if Kim Jong Un’s death scene was not “too happy.”

In the aftermath of the attack, the studio was forced to use fax machines, to communicate through hard-copy posted messages, and to pay its employees with paper checks. Employees worked with pen and paper, and shops located on Sony property accepted only cash.

The Law Enforcement Response

Meanwhile, the FBI launched an investigation into the incident. In 2014, the bureau announced it had connected the North Korean government to the attack. The FBI’s statement was based on intelligence gathered during a 2010 U.S. hack of North Korea’s networks. In that action, the United States had tracked the internal operations of North Korean computers and networks. North Korea responded to the charges by denying any responsibility for the hack. Although most of the speculation about the attack has focused on North Korea, the authorities are investigating alternative scenarios, including the possibility that an SPE employee or former employee was involved.

The Sony Response

As a result of the attack, SPE shut down its entire network on November 25, 2014, and pulled the theatrical release of The Interview on December 17. Two days later, President Obama labeled the attack as “cybervandalism” and not an act of war. He also charged that Sony’s decision to pull the film from release rather than defy the hackers was a mistake because the company appeared to have capitulated to the hackers’ demands.

Following initial threats made towards theaters that showed The Interview, several cinema chains, including Carmike Cinemas, Bow Tie Cinemas, Regal Entertainment Group, AMC Theaters, and Cinemark Theaters, announced they would not screen the film. On December 23, 2014, SPE authorized 300 largely independent theaters to show the movie on Christmas Day. The following day SPE released The Interview to Google Play, Xbox Video, and YouTube.

Sony defended its decision to pull the film by claiming they were a blameless victim. Specifically, because the attackers came from a foreign government, they had far more resources to attack than Sony had to defend. Therefore, the studio concluded that the attack was unstoppable. Significantly, both the FBI and security company FireEye acknowledged that the malicious software used in the Sony hack was “undetectable by industry standard antivirus software.”

At the same time, however, Sony apparently failed to employ basic information security countermeasures. For example, the company’s e-mail retention policy left up to seven years of old, unencrypted messages on company servers. Sony was using e-mail for long-term storage of business records, contracts, and documents it saved in case of litigation. Also, sensitive information—including user names and passwords for IT administrators—was stored in unencrypted spreadsheets and Word files with names such as “Computer Passwords.”

Sony has since implemented its “secure rebuild” information security strategy. The plan’s fundamental idea is zero trust. Its objectives are to keep attackers from entering the company’s networks, to prevent them from accessing information if they do get in, and to block them from stealing information if they actually manage to access it. Specifically:

 Internet access will be tightly restricted.

 Sony will keep as little information as possible on its active network. The remainder will be stored securely, encrypted, and cut off from the Internet.

 E-mails will be archived after a few weeks. System administrators will have access only to areas required to do their jobs.

 Employees will be able to install only preapproved applications.

 All users must use two-step login (multifactor authentication) procedures.

 Firewalls will be placed on their most restrictive settings.

 

The Results

Beginning on December 22, 2014, North Korea experienced an Internet failure, for which the government blamed the United States, identifying the disruptions as an attack in retaliation for the SPE hack. The U.S. government denied any role in the disruptions.

Interestingly, North Korea’s only Internet connections run through servers in China. Therefore, China could interdict any hacking attempts originating in North Korea. However, China and the United States are embroiled in a dispute over bilateral hacking, so it does not seem likely that China will police North Korean hacking attempts.

The SPE attack had serious repercussions for Sony, for the U.S. government, and for every organization. Consider the damage to SPE. Analysts estimate that the costs of the attack could exceed $150 million. Such costs include business disruption, loss of information and revenue, decreased customer confidence, and many others. However, the damage done to SPE’s reputation (via very sensitive e-mails) could be incalculable.

In fact, several former SPE employees are suing the company for failing to adequately protect their personal data. (SPE offered one year of free credit monitoring and fraud protection to current and former employees.) In July 2015, seven cases were consolidated into a proposed class action lawsuit in a Los Angeles federal court.

In October 2015, Sony agreed to pay up to $10,000 to each claimant for identity theft losses and up to $1,000 each to cover the cost of credit-fraud protection services in connection with the cyberattack. The total settlement was expected to cost Sony approximately $8 million.

The U.S. government is faced with a serious problem. By presidential directive, the U.S. military has the responsibility to help protect and defend the nation’s critical infrastructure, such as its power grid, banking system, and communications networks. However, U.S. and international entertainment companies are not part of that infrastructure. The question is: If a foreign government is attacking U.S. corporations, what is the federal government’s responsibility? A related question is: If the U.S. government had known of an impending cyberattack on SPE, why didn’t the government warn SPE?

And the lessons to be learned? SPE’s inability to protect its information from hackers serves as a reminder to corporations and individuals that if you are connected to the Internet, your information is simply not safe. Further, no one should commit anything on e-mail that he or she would not want to see on the front page of a newspaper. The likelihood of serious breaches is increasing, as is the damage these breaches can cause. Therefore, the time, effort, and money that organizations spend on information security needs to increase as well.

One final note: In February 2016, cybersecurity companies Kaspersky (www.kaspersky.com) and Alienvault (www.alienvault.com) announced that they had found new evidence linking the SPE attack with ongoing malware attacks directed at South Korea. The security firms did not definitively specify where the attacks originated, but noted only that their evidence pointed to a group operating out of North Korea.

Sources: Compiled from A. Tarantola, “Study Links North Korea to Sony Hack and Malware Campaign,” Engadget, February 12, 2016; W. Ashford, “Sony $8M Breach Settlement Underlines Need to Secure Personal Data,” Computer Weekly, October 22, 2015; P. Elkind, “Inside the Hack of the Century,” Fortune, July 1, 2015; N. Perlroth, “Jolted by Sony Hacking, Hollywood Is Embracing Digital Security,” The New York Times, March 30, 2015; W. Ashford, “Sony Data Breach Claims First Scalp as Co-Chair Steps Down,” Computer Weekly, February 6, 2015; A. David, “Security Think Tank: Sony Employee Lawsuit over Data Breach Marks Watershed Moment,” Computer Weekly, February, 2015; W. Ashford, “U.S. Blamed North Korea for Sony Attack Based on Data from 2010 U.S. Hack,” Computer Weekly, January 20, 2015; “North Korea Slams ‘Hostile’ U.S. Sanctions over Sony Cyber Attack,” Computer Weekly, January 5, 2015; M. Fackler, “North Korea Accuses U.S. of Staging Internet Failure,” The New York Times, December 27, 2014; “Sony Hack: The Consequences of Mocking Kim Jong Un,” The Week, December 26, 2014; B. Barnes and M. Cieply, “Sony, in About-Face, Will Screen ‘The Interview’ in a Small Run,” The New York Times, December 23, 2014; M. Williams, “Sony Looking for Ways to Distribute ‘The Interview’ Online,” IDG News Service, December 21, 2014; B. Tau, “Obama Calls Sony Hack ‘Cybervandalism’ Not Act of War,” Washington Wire, December 21, 2014; M. Elgan, “The Sony Pictures Hack Changes Everything,” Baseline Magazine, December 19, 2014; A. Bacle, “White House Is Treating Sony Hack as ‘Serious National Security Matter,’” Entertainment Weekly, December 18, 2014; D. Yadron, D. Barrett, and J. Barnes, “U.S. Struggles for Response to Sony Hack,” The Wall Street Journal, December 18, 2014; E. Weise, “Experts: Sony Hackers ‘Have Crossed the Line’,” USA Today, December 17, 2014; D. Sanger and N. Perlroth, “U.S. Links North Korea to Sony Hacking,” The New York Times, December 17, 2014; M. Williams, “Sony Hackers Release More Data, Promise ‘Christmas Gift’,” IDG News Service, December 14, 2014; B. Child, “Hackers Demand Sony Cancel Release of Kim Jong-un-Baiting Comedy,” The Guardian, December 9, 2014; W. Ashford, “North Korea Denies Sony Hack That Exposed 47,000 Personal Records,” Computer Weekly, December 5, 2014; B. Fritz and D. Yadron, “Sony Hack Exposed Personal Data of Hollywood Stars,” The Wall Street Journal, December 5, 2014; B. Barnes and N. Perlroth, “Sony Pictures and F.B.I. Widen Hack Inquiry,” The New York Times, December 3, 2014; W. Ashford, “Films Leaked Online After Sony Pictures Hack,” Computer Weekly, December 1, 2014; “Sony’s New Movies Leak Online Following Hack Attack,” Variety, November 29, 2014; www.sonypictures.com, accessed July 29, 2015.

 

 

 


Answer

The Sony Pictures Entertainment Hack

Question #1

Sony inadequately and poorly responded to the breach because it failed to identify the breach early enough. As explained in the case scenario, the hackers intruded the company’s network for some time before the breach was detected. While no information is given concerning the exact months or years that the breach lasted, it is evident that the firm failed to identify the intrusion early enough until such a time when the hacker’s malware had already gathered crucial and significant amount of its data to the hackers. Schwartz (2014) noted that the malware detonated, bricked systems and formatted the hard drives by quashing the master boot records of the Sony Incorporation.

Barack Obama, the former US president, had leveled criticism against Sony Incorporation for heeding to the demands of the Guardians of Peace, individuals who publicly announced that they orchestrated the cyberattack. These persons informed Sony Incorporation to cease from producing a play focusing on murder theme against a North Korean leader, Kim Jong. The company heeded to their demand and pulled down The Interview. This is considered blackmail because there was no trustworthy threat and thus the act taken by the firm encouraged the cyberattack. The response such as the one given by Sony is what most companies do, particularly when they lack a plan. Moreover, the company failed to take responsibility. Apparently, Sony did not take the responsibility. In particular, its management failed to take the necessary action for the security attack and this gave a leeway for the personal information of the new and former workers to be hacked. Therefore, the firm should have taken the necessary action for its internet security activities because there were imminent threats from North Korea regarding revenge against the comedy. Information leaked by the unknown sources revealed the US government established that the stated cyberattack was planned and executed by North Korea.

Question #2

The US government should assist private agencies and entities that are attacked by aliens or foreign governments. Nowadays, a month cannot pass before a multinational corporation suffers a security breach (Ropple & Jain, 2018). In fact, most of these breaches are orchestrated by states. The intrusions are insidious, hard to detect and interfere with personal information linked to millions of people. Currently, most firms have poor techniques to protect personal information of their clients (Ropple & Jain, 2018). As such, there is a need to reorganize the expectations for the role of private sector in cyberattack. As the dangers posed by cyber insecurity continue to be appreciated, there is evidence of increasing the punitive focus to make the US take the whole responsibility. Moreover, it is unrealistic to expect every company in the US to have the ability and sufficient resources to safeguard themselves against complex cyberattacks executed by foreign governments. As such, the rules focusing on finding organizations at fault should be eliminated rather than treating them as illegitimate cybersecurity victims. This technique is neither effective nor fair in improving the collective cybersecurity of a nation.

In conclusion, because of this discussion and other aspects explained herein, companies that suffer security should be considered as victims. When financial institutions such as banks are robbed, people hardly think of shaming or blaming such institutions because there is a possibility that such institutions ought to have taken precautions against such attack. Although everyone expects institutions such as banks to put in place certain security precautions, there is no surety that these precautions will eradicate cyberattacks completely. Clearly, despite expecting private organizations to have effective security precautions in place, there is no surety that they have sufficient resources to safeguard themselves against the stated-orchestrated attacks. As such, the US government should come in and assist private organizations that get attacked by foreign governments.

 

 

 

 

References

Schwartz, M. (2014). Sony’s 7 breach response mistakes. Bank information security news, training, education – BankInfoSecurity. Retrieved February 12, 2021, from https://www.bankinfosecurity.com/blogs/sonys-7-breach-response-mistakes-p-1785.

Ropple, L., & Jain, S. (2018, December 14). Stopping data breaches will require help from governments. Harvard Business Review. Retrieved February 12, 2021, from https://hbr.org/2018/12/stopping-data-breaches-will-require-help-from-governments

 

 
