Avoiding Serious Network Security Issues
In 2014, Sony experienced a network security breach which resulted in the release of thousands of emails, company communications, and other sensitive data (Pagliery, 2015). For a company as large as Sony, one would think that security would be a primary concern that is constantly reviewed and updated with the latest fixes and patches. Despite Sony's size and its need for continuous attention to security, the 2014 hack was the result of out-of-date protocols.
While many experts have claimed that the Sony hack was an “unprecedented” security attack, the reality is that this attack could have been prevented with proper protocols in place (Dragos, 2006). The following report outlines the security issues that plagued Sony and led to the network breach in 2014. This report discusses how networks such as Sony's are breached through poor policy and a lack of security upgrades, and what solutions are available for these issues.
Network security is an ongoing process of improvement. The rapid pace of technology and software advances continues to challenge organizations to secure their networks. Hardening network security is difficult for many reasons, but one of the most significant is that networks must provide functionality and access as well as security. For this reason, networks often contain areas of weak security, whether because of policy or because systems have not been upgraded.
To understand this problem better, one can look at the now infamous Sony hack of 2014 which highlights the problems of balancing security with user functionality and access. The Sony Hack occurred due to a failure in policy as well as a lack of consistent effort to maintain the system security through upgrades both in hardware and software.
Nature of the Sony Hack
To understand how network security can fail, one must understand the nature of the Sony Hack. Almost immediately after the hack occurred, it was blamed on North Korea. The evidence of North Korean involvement, as documented, is indisputable. According to the FBI, the attack used a specific type of malware that infects a machine through a virus delivered by email; once inside a system, it abuses the Windows Management Instrumentation (WMI) tool to attack all machines on a network with a denial of service attack that has a:
…primary feature of the malware is that it wipes the hard drives of targeted systems. This is at minimum a strong indication of North Korean involvement. Previous attacks attributed to North Korea, including one last year against TV networks and banks in South Korea, have often included wiping software that destroys all data stored on the system (Hesseldahl, 2014).
In the period immediately after the Sony Hack, the FBI reported that the malware exploited WMI, allowing machines to be accessed and then wiped clean by the malware.
Researchers have determined that the attack starts with [malware] BKDR_WIPALL.A, which is the main installer and is disguised as an executable file named “diskpartmg16.exe” (Kovacs, 2014).
This form of attack uses a series of encrypted usernames and passcodes that the malware places into the SYS, granting complete permission to users with root access (Trend Micro, 2014). The malware then allows every infected machine to access all restricted files on the network, because the network believes the terminals have permission. Once the malware has breached the system, information can be downloaded and stolen (Trend Micro, 2014). The initial malware, BKDR_WIPALL.A, carries with it BKDR_WIPALL.B, the denial of service component, which attacks the system by sleeping for 10 minutes, then reawakening and starting a reboot process that stops the backup to Microsoft Exchange and deletes all drives on the network as well as remote drives (Trend Micro, 2014).
The attack was not unique in its delivery; what was unique was the malware's implementation. Despite being dangerous and destructive, the attack itself was caused by a standard security breach that is avoidable in most instances if policy and security upgrades are up to date and strong.
In the aftermath of the Sony Hack, it became clear that Sony's security suffered from weak policy. For the security measures to be bypassed, network security policies must have been relaxed, because it would otherwise have been far more difficult to launch an attack of this magnitude using malware (Zetter, 2014). According to former Sony employees, the failures in network security policy were a long time coming:
…former employees, who asked to remain anonymous, have told us that they’re disappointed but not surprised by the massive hack given Sony Pictures’ long-running lax attitude toward security. They say that employees highlighted specific vulnerabilities on company websites and systems that were never addressed (Hill, 2014).
Current and former employees reported that security violations were reported and ignored. Many simple policies were overlooked; for example, applications responsible for collecting private data did so without encryption (Hill, 2014). At one point, a server at Sony was hacked because an employee logged into the network from a café and forgot to log out when he left (Hill, 2014). These reports highlight the lack of security policy that governed Sony.
Security policies are as vital to a network as the hardware and software, because these policies set out the best practices personnel follow to maintain the integrity and security of the network. Policies also matter because they define the practices for using the hardware and software that must be maintained. As it appears, the Sony Hack was a complete failure of policies, both in user practice and in hardware and software. The hack originated with malware, which suggests an immediate lapse in user policy. A strong user policy, had it been prioritized, would have reduced the risk of the Sony attack or stopped it completely. It is unclear where the malware entered the network (which machine or access point), but the intrusion clearly came either through email or from an insider threat.
There is a wide array of user policies covering many aspects of network security, including enforcing strong passcodes and using claims-based authentication to verify users who connect from external or different computers by challenging them for authentication (Microsoft, 2015). The policy failure at Sony was multifaceted, as users were routinely able to add devices to and remove them from the network. An audit by PricewaterhouseCoopers,
…found one firewall and more than 100 other devices that were not being monitored by the corporate security team charged with oversight of infrastructure, but rather by the studio’s in-house group, which was tracking activity on logs (Chmielewski & Hesseldahl, 2014).
Handling the monitoring of devices in this manner created a massive gap in what is understood as the network DMZ (demilitarized zone). A network DMZ is a security configuration in which computers on a LAN run behind a firewall so that they are protected from intrusions from the public network or internet. In a proper configuration, some computers operate outside the firewall in order to intercept traffic and negotiate entrance into the LAN. This configuration was not present, or at least not properly set up, because no policy governed the devices that Sony security was not monitoring.
The problem of policy worsens because policies governing the most basic IT standards were completely lacking. The audit of Sony’s security policies discovered dangerous practices such as storing passwords in the same folder that the password was meant to protect. Many folders were found that were actually named “passwords”. These held not just user passwords but also security certificates. There were also many instances of manufacturer passwords (which are well known to most hackers) being used, along with passwords that were simply “password” (Neil, 2015).
The failure in policies extended to the management of information by users. Sony either had no policies governing how sensitive information is stored or simply did not enforce them. This could be seen in the employee data, where sensitive information such as social security numbers was stored alongside non-sensitive information such as email addresses. These issues show that Sony had no real security compliance policies in proper use.
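The storage practices described above (folders named after the passwords they hold, manufacturer-default or trivial passwords, social security numbers stored beside e-mail addresses) are exactly what a routine file-share audit should catch before an intruder does. The following Python script is an added example, not part of the original report or of any tooling Sony used; it builds a small constructed directory tree that reproduces those practices and walks it looking for credential-like names, weak or vendor-default values, and co-located sensitive data. The weak-value list, the name patterns, and the sample files are assumptions to be replaced with an organization's own.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Name fragments that suggest a credential store kept inside the data it protects
# (the audit reported folders literally named "passwords").
SUSPICIOUS_NAME = re.compile(r"password|passwd|credential|secret", re.IGNORECASE)

# Constructed placeholder list of weak or vendor-default values; a real audit
# would substitute the default-credential list for the devices actually deployed.
WEAK_VALUES = {"password", "admin", "changeme", "default", "123456"}

# "key=value" or "key: value" lines whose key looks like a password field
CRED_LINE = re.compile(
    r"^\s*(?P<key>[\w.-]*(?:pass|pwd|secret)[\w.-]*)\s*[=:]\s*(?P<value>\S+)",
    re.IGNORECASE,
)

# Sensitive (SSN) and non-sensitive (e-mail) identifiers stored side by side
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

MAX_BYTES = 1_000_000  # skip large or binary files


def audit_tree(root):
    """Walk root and return a sorted list of (relative path, issue) findings."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if SUSPICIOUS_NAME.search(d):
                rel = Path(dirpath, d).relative_to(root).as_posix()
                findings.append((rel, "credential-like directory name"))
        for f in filenames:
            path = Path(dirpath, f)
            rel = path.relative_to(root).as_posix()
            if SUSPICIOUS_NAME.search(f):
                findings.append((rel, "credential-like file name"))
            try:
                if path.stat().st_size > MAX_BYTES:
                    continue
                text = path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            for line in text.splitlines():
                m = CRED_LINE.match(line)
                if m and m.group("value").strip("'\"").lower() in WEAK_VALUES:
                    findings.append((rel, f"weak or default value for {m.group('key')}"))
                    break  # one weak-value finding per file is enough for the report
            if SSN.search(text) and EMAIL.search(text):
                findings.append((rel, "SSNs stored alongside e-mail addresses"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed directory tree reproducing the practices reported at Sony."""
    root = Path(tempfile.mkdtemp(prefix="audit_demo_"))
    (root / "finance" / "passwords").mkdir(parents=True)
    (root / "finance" / "passwords" / "vendor_logins.txt").write_text(
        "admin_password=password\nwifi_psk=S3cure!Phrase-91\n"
    )
    (root / "hr").mkdir()
    (root / "hr" / "staff_export.csv").write_text(
        "name,email,ssn\nA. Person,a.person@example.com,123-45-6789\n"
    )
    (root / "it").mkdir()
    (root / "it" / "change_log.txt").write_text(
        "Core switch rebooted Tuesday during the 02:00-04:00 window.\n"
    )
    return root


def run_demo():
    """Build the constructed tree, audit it, clean up, and return the findings."""
    sample = build_sample_tree()
    try:
        return audit_tree(sample)
    finally:
        shutil.rmtree(sample)


if __name__ == "__main__":
    for path, issue in run_demo():
        print(f"{path}: {issue}")
```

Run it and the report lists the "passwords" folder, the file holding a default value for an admin password, and the HR export that mixes SSNs with e-mail addresses, while the harmless change log produces nothing. The check stops at one weak-value finding per file so that a large credential dump does not flood the report; the point is to locate the file, not to enumerate its contents.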
Hardware and Software Issues
In the simplest of terms, Sony was not up to date with security practices or did not care about them. This can be seen in its security policies but also in its treatment of hardware and software. Sony hardware lacked any form of security in many instances, as evidenced by the fact that hardware was often unknown to and unmonitored by the network security team. This was a failure in several large areas of hardware and software, including:
o Computers and devices- The computers and other critical devices such as routers needed to be secured against attacks through encryption and 802.11 security, which they were not, since security was not aware of their existence.
o BranchCache- There was a lack of backup security for unknown reasons. Proper use of BranchCache would have provided Sony with backups for damaged files by creating copies on a separate terminal at its headquarters. BranchCache provides a layer of security by saving file server contents and allowing access through IPS or a virtual network rather than a LAN or WAN (Microsoft, 2015). If this measure had been implemented properly, it would have reduced the hackers' ability to gain access to the entire network.
VLAN and Network Devices
o VLAN security on network devices- Had Sony been using proper security protocols with its network devices, the risk of intrusion would have been diminished. For example, all unused ports should have been shut down or placed in a black hole VLAN. Shutting down or isolating all unused ports would have reduced access to the network. This was not possible, since the policies in place failed to identify and monitor these devices.
o Port security on network devices- This was a large failure, since the attack originated from Taiwan on zombie computers which launched the attack on Sony’s network. Had port security been enabled, it would have limited the number of MAC addresses that can connect and send data on the ports they are connected to. This would have prevented a large amount of data from being stolen, since fewer terminals could have been used during the attack.
o Terminal Security- There was a complete lack of terminal security. Had Sony used encryption such as Windows BitLocker Drive Encryption, data would not have been easily accessed or copied, because BitLocker encrypts the hard drive and will not allow for things such as forced rebooting (Microsoft, 2015).
o User Account Control- This area of hardware and software security was sorely lacking at Sony. User Account Control provides security by enforcing standard user-level access and requiring administrator authentication when someone attempts to make changes or modifications to a system (Microsoft, 2015). This would have stopped a large portion of the attack from spreading, because it would have placed additional challenges in the way when the malware attempted to access other areas of the network or make changes to it (Microsoft, 2015).
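The VLAN and port security bullets above describe checks a network team can run against every access switch on a schedule rather than discover after a breach. The following Python audit is an added example, not part of the original report or of any vendor's tooling; it parses a constructed IOS-style running-config (the interface names, VLAN numbers, and descriptions are assumptions, not Sony's configuration) and flags access ports that look unused but are neither shut down nor parked in the black-hole VLAN, live ports without port security, and ports whose secure-MAC ceiling exceeds the site policy.

```python
import re

# Constructed IOS-style running-config fragment. Interface names, VLAN numbers
# and descriptions are assumptions for this example, not Sony's configuration.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description Reception kiosk
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface GigabitEthernet1/0/2
 description Spare - patched to empty desk
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/3
 description Unused
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet1/0/4
 description Conference room floor box
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 200
!
interface GigabitEthernet1/0/24
 description Uplink to core
 switchport mode trunk
!
"""

BLACK_HOLE_VLAN = 999  # assumption: VLAN this site uses to park unused ports
MAX_ALLOWED_MACS = 2   # assumption: per-port secure-MAC ceiling the policy permits
UNUSED_WORDS = re.compile(r"unused|spare|empty", re.IGNORECASE)


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} from an IOS-style config."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces


def _first_int(lines, prefix, default):
    """Integer argument of the first line starting with prefix, else default."""
    for line in lines:
        if line.startswith(prefix):
            return int(line.split()[-1])
    return default


def audit_config(config, black_hole_vlan=BLACK_HOLE_VLAN, max_macs=MAX_ALLOWED_MACS):
    """Flag access ports that violate the unused-port and port-security policy."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        lineset = set(lines)
        if "switchport mode access" not in lineset:
            continue  # trunks and routed ports need a different checklist
        is_down = "shutdown" in lineset
        vlan = _first_int(lines, "switchport access vlan ", 1)  # IOS default is VLAN 1
        desc = next((l[len("description "):] for l in lines if l.startswith("description ")), "")
        # Policy assumption: undescribed ports and ports described as spare/unused
        # count as unused and must be shut down or parked in the black-hole VLAN.
        looks_unused = not desc or UNUSED_WORDS.search(desc)
        if looks_unused and not is_down and vlan != black_hole_vlan:
            findings.append((name, "unused access port is live and not in the black-hole VLAN"))
        if is_down:
            continue  # an administratively-down port needs no port-security check
        if "switchport port-security" not in lineset:
            findings.append((name, "port-security not enabled"))
            continue
        # IOS permits one secure MAC address when no maximum is configured
        limit = _first_int(lines, "switchport port-security maximum ", 1)
        if limit > max_macs:
            findings.append((name, f"port-security maximum {limit} exceeds policy ceiling {max_macs}"))
    return findings


if __name__ == "__main__":
    for port, issue in audit_config(SAMPLE_CONFIG):
        print(f"{port}: {issue}")
```

In the sample, the kiosk port passes, the spare port is flagged twice (live without being parked, and no port security), the shut-down port in VLAN 999 is the model to follow, and the floor-box port is caught because a 200-address ceiling makes port security meaningless. The trunk uplink is skipped deliberately; trunks carry every VLAN and need their own policy rather than this access-port checklist.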
The Sony Hack is an example of both the importance of network security and the consequences of security failure. What can be learned from Sony is that there is an intrinsic relationship between user policy and current hardware and software practices. Specifically, if a company is lackadaisical in its policy or in its maintenance of hardware and software, this opens the door to security breaches. The problem at Sony is symptomatic of modern networks, many of which were designed without full consideration of data protection and information needs. This problem occurs for a variety of reasons, such as older networks, a lack of emphasis on security, and a lack of understanding of the business requirements. The network security failure at Sony was a combination of these factors that resulted in a catastrophic loss of data. This problem might have been avoided if the network design had taken into account access, security, and integrity and constructed policies around these areas. For example, Sony needed to routinely consider its business requirements, such as:
1. User Requirements- who needs access to the network and what specific information and areas on the network? How will user identity be authenticated? What policies need to be implemented to create strong password practices?
2. Customer management- What are the customer needs for access and communication on the network?
3. Financial constraints- What costs will be involved due to the size of the network, processor speeds, types of hardware, etc.
4. Enterprise functions such as billing and accounting
5. Information security such as permissions for access and firewalls, privacy concerns, data storage, and user access levels.
These policies would have provided the backbone for software and hardware maintenance.
1. Software Requirements- What software provides the best functionality and security? Is the software up to date?
2. Hardware Requirements- What servers or types of devices are needed, this could include devices such as routers and modems. What is needed to protect them?
3. OS Requirements- what type of operating system is needed such as Linux or Microsoft Server 2012.
4. Antivirus software, malware detection, virtual private networks, firewalls, etc.
Much like the strategic business plan, the design of a network must be continuously audited and revisited in order to reflect changes in business requirements which may have altered the network topology or rendered the software or hardware obsolete (Laudon & Laudon, 2005). Continuous vigilance with network security is the key to maintaining security and to keeping policies and measures current. The FBI stated that malware was at the core of the attack; this means that even if the attack itself was unique in what it could do, the delivery could have been limited or stopped (Zetter, 2014). When one studies the Sony attack, it is clear that policy, hardware, and software failures were at the center of this costly event. In the future, problems of this nature will continue, because the expansion of networks creates an ever-increasing threat due to the complexity and growth of companies (Lin, 2010). In order to decrease this threat, policies for access, as well as for maintaining the relevant components and software on a network, must be vigorously enforced.
Chmielewski, D., & Hesseldahl, A. (2014, December 12). Sony Pictures Knew of Gaps in Computer Network Before Hack Attack. Retrieved from Recode: http://recode.net/2014/12/12/sony-pictures-knew-of-gaps-in-computer-network-before-hack-attack/
Hesseldahl, A. (2014, December 2). Details Emerge on Malware Used in Sony Hacking Attack. Retrieved from Recode: http://recode.net/2014/12/02/details-emerge-on-malware-used-in-sony-hacking-attack/
Hill, K. (2014, December 4). Sony Pictures hack was a long time coming, say former employees. Retrieved from Fusion: http://fusion.net/story/31469/sony-pictures-hack-was-a-long-time-coming-say-former-employees/
Kovacs, E. (2014, December 4). Researchers Analyze Data-Wiping Malware Used in Sony Attack. Retrieved from Security Week: http://www.securityweek.com/researchers-analyze-data-wiping-malware-used-sony-attack
Laudon, K., & Laudon, J. (2005). Management Information System: Managing the Digital Firm. Prentice Hall, NJ: Prentice Hall.
Lin, H. (2010). A virtual necessity: Some modest steps toward greater cybersecurity. Bulletin of the Atomic Scientists, 68(5), 75–87.
Microsoft. (2015, October 19). BranchCache Overview. Retrieved from Tech Net Microsoft: https://technet.microsoft.com/en-us/library/hh831696.aspx
Neil, M. (2015, January 16). After Sony Hack attack, companies are curtailing email use and storage. Cybersecurity, 1(34), 36.
Trend Micro. (2014, December 3). An Analysis of the “Destructive” Malware Behind FBI Warnings. Retrieved from Trend Micro: http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-the-destructive-malware-behind-fbi-warnings/
Zetter, K. (2014, December). Sony got hacked hard: what we know and don’t know so far. Retrieved from Wired: http://www.wired.com/2014/12/sony-hack-what-we-know/