BMIT5103 – IT for managers – assignment

Name: Abdulilah A. Sallam
USTY ID: 201313089
OUM: CGYE00017068
Doctor: Mohammed Al-Amer

Posted: May 16, 2023

1. Survey and report on information security system:

EY Global conducted a survey in October 2014. As reported, 1,825 leading organizations from all over the world responded to the survey, which focuses on cyber threats, what organizations need in order to manage those threats, and what they must do against today's cyber criminals.

In contrast to the previous surveys (2013 and before), progress and awareness were observed in these organizations, all of which had suffered business impact from severe cyber-attacks.

During 2014, these organizations pursued building the foundations of cyber security, although this progress and these foundations were evaluated as being at a moderate level of maturity. The foundations were adapted according to changes in the organizations' businesses, strategy and operations (for example, a merger, an acquisition, the introduction of a new product, entrance into new markets, and/or the implementation of new software).

1.1 Dimensions of the survey:

The survey outlines three dimensions:

1.1.1 Activation: covers the foundations of cyber security. What is the situation in 2014, and which elements most need attention?

1.1.2 Adaptation: how are cyber security measures being adapted to changing requirements? Are there integrated and advanced techniques to defend against cyber-crime as the threats change?

1.1.3 Anticipation: how can leading organizations reach a state of readiness, confident in their assessment of the risks and threats and prepared for what is coming?

1.2 Reasons for the complexity of effective cyber security:

The survey identified the reasons behind the complexity of delivering effective cyber security. The top five reasons illustrate the pressure that organizations' defenses are under, further eroding the traditional perimeter and, in turn, creating motivation for threat perpetrators:

1. Change: The post-economic-crisis period prompted business to move very fast. New product launches, mergers, acquisitions, market expansion and penetration, and the introduction of new technology are all on the rise. All these changes and developments complicate the strength of an organization's cyber security.

2. Mobility and consumerization: Digital improvement and the adoption of mobile computing have blurred the organization's boundaries; IT is brought closer to the user and further from the organization. The use of the internet, smart phones and tablets, combined with 'bring-your-own-device', has made data more exposed everywhere and at all times.

3. Ecosystem: The ecosystem is the perimeter we live in, made up of digitally connected entities, so people and data increase the likelihood of exposure to cybercrime in both the work and home environments.

4. Cloud: With the rise of third-party data storage, known as cloud services, new channels of risk have emerged that did not exist previously.

5. Infrastructure: Operating systems are now given IP addresses so that they can be managed throughout the network; cyber threats find their way to these systems by breaking through back-office systems into critical infrastructure such as power generation and transportation systems.

1.3 The growing attacking power of cyber criminals:

As time passes, attackers gain experience and improve themselves from their ongoing hacks and failures; they are now more patient and sophisticated than ever before, and they hunt for vulnerabilities across the whole working perimeter, including staff and business processes.

- Who or what do you consider the most likely source of a cyber-attack?

  Employee: 57%
  External contractor working on our site: 35%
  Customer: 10%
  Supplier: 12%
  Other business partners: 14%
  Criminal syndicates: 53%
  State sponsored attackers: 27%
  Hacktivists: 46%
  Lone wolf hacker: 41%

Identifying the sources of cyber-crime risk for the responding organizations answers this question. In previous years' surveys, employees were considered the most likely source of an attack, and this year employees are still seen as a significant risk source. However, criminal syndicates, state sponsored attackers, hacktivists and lone wolf hackers were considered the most likely sources of a cyber-attack.

1.4 Hindrances that prevent organizations from getting ahead of cybercrime:

Responding organizations identified three roadblocks that make it difficult to build their cyber security systems, and they recommend removing these hindrances in order to run their cyber security systems more elegantly and efficiently.

1.4.1 These organizations lack agility:

According to the organizations' responses in the survey, there are known vulnerabilities in their cyber security systems; however, these organizations are not developing fast enough to eliminate them:

- 37% of these organizations have no real-time insight into cyber risks.
- Only 27% of these organizations have this insight to some extent.

As a result, these organizations are delayed in establishing foundational cyber security.

- Which threats and vulnerabilities have most increased your risk exposure over the last 12 months?

  Vulnerabilities:
  Outdated information security controls or architecture
  Careless or unaware employees
  Cloud computing use
  Mobile computing use
  Social media use
  Unauthorized access

  (percentage chart by item omitted)

  Note: Vulnerability is defined as exposure to the possibility of being attacked or harmed.

  Threats:
  Cyber attacks to disrupt or deface the organization
  Cyber attacks to steal financial information
  Cyber attacks to steal intellectual property or data
  Espionage
  Fraud
  Internal attacks
  Malware
  Natural disasters
  Phishing
  Spam
  Zero-day attacks

  (percentage chart by item omitted)

  Note: Threat is defined as the potential for a hostile action from perpetrators in the external environment.

1.4.2 Lack of budget:

For a cyber security system to be adopted in an organization, budget is the keystone of implementing an information security system. As cyber threats increase and progress in their methods and nature, the budget and the amount assigned to it must increase accordingly. However, most organizations this year reported that their cyber security budget remains flat.

1.4.3 Working staff lack relevant skills:

5% of the organizations have an intelligence team with dedicated analysts and external advisors that evaluate information for credibility, relevance and exposure against threat actors.

The importance of specialists or experts in cyber security deepens from one period to the next; significantly, this survey shows that the lack of specialists is a constant and growing issue.

Sophisticated organizations not only defend themselves against cyber-attacks; they use analytical intelligence to anticipate what could happen, pre-defining risk sources and anticipating attackers' new methods.

Through this survey, we pointed out that it is not easy to hire specialists to analyze threat intelligence data, draw relevant and actionable conclusions, and enable decisions and responses to be taken.

1.3 Three stages of cyber security maturity:

The survey discussed the three phases of cyber security maturity: "Activate, Adapt, and Anticipate".

1.3.1 Activate: this is the first phase of cyber security maturity, in which every organization needs to build a solid foundation. Building this foundation is a complicated task; the standards and specifications needed depend on the type of industry and geography.

If these organizations feel satisfied with activating the foundations and do not step beyond them, they will definitely have the following shortfalls:

Bolt-on cyber security: because the organization's cyber security has been added on to the business processes and activities, it is seen as a cost object; it has not yet been integrated into the business and is not seen as a value-adding activity.

A focus on safeguarding the current environment: the company remains at the 'Activate' level, which is only a foundation level in which cyber security deals with risks and threats according to prior experience, and the goal is to make sure that measures are in place to resolve any weaknesses. So, if the whole topic is about risk assessments, control efficiency and risk mitigation, then the organization remains at the 'Activate' level.

A static approach: this level is aimed at enabling the business to carry out its known, day-to-day functions securely. The organization will be rule-based and compliance-driven, relying on metric-driven reporting; it can only deal with threats in a world without change.

Foundational components of cyber security:

Regardless of how advanced the business of some organizations is, the foundational components of cyber security should be in place, and these organizations must achieve mastery of the foundational requirements of cyber security. Among the respondents to this survey, most organizations do not have all foundational components of cyber security in place. The critical areas spotted in this survey were chosen based on the prior experience of EY Global:

- Executive buy-in
- Resources
- Performance
- Access to data
- Cost vs. value

i. Executive buy-in:

Issue:

- Leadership and management of cyber security come from lower levels of the organization, and some of them see it as an IT issue.
- Threats are not discussed in the boardroom regularly, and threat management is absent at the same time.

Survey findings:

- Nearly 86% of CIOs or IT departments have the information security function reporting directly to them.
- 14% report directly to CEOs.

Implications:

- Senior leadership must be involved in cyber security.
- Lack of executive buy-in leaves room for mistakes and for cyber criminals.

ii. Resources:

Issue:

- Cyber security tasks are performed by unskilled staff, and skilled people are not adequately resourced.
- Cyber security staff are short of knowledge about threats and cybercriminal behaviors.

Survey findings:

- Fewer than 20% have real-time insight into cyber risks readily available.
- 20% have published sources of cyber-attacks on their sector peers readily available.

Implications:

- Cyber threats are overlooked or the response is too late.
- Lack of security awareness is the main reason behind the successful use of phishing.

iii. Performance:

Issue:

- Some organizations are spread too thin; they maintain too many cyber capabilities, and as a result each has only moderate effectiveness.
- The effectiveness of cyber security is not measured.

Survey findings:

- Between 35% and 45% of respondents rated themselves as "still a lot to improve".

Implications:

- Cyber security processes are not run properly, leaving a broad range of options for those performing an advanced persistent threat (APT).

iv. Access to data:

Issue:

- Identity and Access Management (IAM) is weak; therefore, employees are a cyber security risk.
- Manual processing of daily transactions gives employees chances to access data improperly, owing to the lack of close control.
- Movers, leavers, and joiners are a key risk area.

Survey findings:

- Two-thirds of responding organizations do not have a well-defined, automated IAM program.

Implications:

- Organizations always wait for risk to come from the outside environment, while employees might be a wide source of cyber risk.
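The joiner/mover/leaver gaps described above are exactly what an automated IAM program is meant to catch. As an added illustration (not part of this assignment or of EY's survey), the following Python script reconciles a constructed HR roster against a constructed account directory and reports leavers whose accounts are still enabled, movers who kept their previous department's group, joiners who have started work but have no account, and accounts that no current employee owns. The record layouts, the sample data and the one-group-per-department naming rule are assumptions made for this example.

```python
"""Joiner/mover/leaver (JML) reconciliation between an HR roster and an
account directory.  Added example, not part of the assignment or of EY's
survey; the record layouts, sample data and the one-group-per-department
naming rule are assumptions made for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                                # "active" or "left"
    department: str
    previous_department: Optional[str] = None  # set when the person moved
    start_date: date = date(2014, 1, 1)


@dataclass
class Account:
    username: str
    employee_id: Optional[str]   # None: the directory records no owner
    enabled: bool
    groups: Set[str] = field(default_factory=set)


def department_group(dept: str) -> str:
    """Assumed convention: every department has exactly one access group."""
    return f"grp-{dept}"


# Constructed sample data (not real people or systems).
HR_ROSTER = [
    HrRecord("E001", "active", "finance"),
    HrRecord("E002", "left", "finance"),                                       # leaver
    HrRecord("E003", "active", "engineering", previous_department="finance"),  # mover
    HrRecord("E004", "active", "sales", start_date=date(2014, 9, 1)),          # joiner
    HrRecord("E005", "active", "sales", start_date=date(2014, 10, 1)),         # not started yet
]
DIRECTORY = [
    Account("alice", "E001", True, {"grp-finance"}),
    Account("bob", "E002", True, {"grp-finance", "grp-payments-approver"}),
    Account("carol", "E003", True, {"grp-finance", "grp-engineering"}),
    Account("svc-legacy", None, True, {"grp-finance"}),
]


def reconcile(roster: List[HrRecord], directory: List[Account], today: date) -> Dict[str, list]:
    """Return the JML gaps an automated IAM process would act on."""
    findings: Dict[str, list] = {
        "leaver_enabled": [],   # left the company, account still enabled
        "mover_retained": [],   # changed department, kept the old department group
        "joiner_missing": [],   # started work, no account provisioned
        "orphan": [],           # account with no owner in the HR roster
    }
    roster_by_id = {r.employee_id: r for r in roster}
    owned: Set[str] = set()
    for acct in directory:
        owner = roster_by_id.get(acct.employee_id) if acct.employee_id else None
        if owner is None:
            findings["orphan"].append(acct.username)
            continue
        owned.add(owner.employee_id)
        if owner.status == "left" and acct.enabled:
            findings["leaver_enabled"].append(acct.username)
        if owner.previous_department:
            old_group = department_group(owner.previous_department)
            if old_group in acct.groups:
                findings["mover_retained"].append((acct.username, old_group))
    for rec in roster:
        # Only people who have actually started count as provisioning gaps.
        if rec.status == "active" and rec.start_date <= today and rec.employee_id not in owned:
            findings["joiner_missing"].append(rec.employee_id)
    return findings


def run_reconciliation(today: date = date(2014, 9, 3)) -> Dict[str, list]:
    """Run the check on the constructed sample data."""
    return reconcile(HR_ROSTER, DIRECTORY, today)


if __name__ == "__main__":
    for category, items in run_reconciliation().items():
        print(f"{category}: {items}")
```

Run daily against exports from the HR system and the directory, each finding maps to one remediation: disable the leaver's account, strip the mover's old group, provision the joiner, and assign or remove the ownerless account. A future-dated joiner is deliberately not reported, so the check does not provision access before the start date.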

v. Cost vs. value:

Issue:

- Too many organizations view the cost of cyber security as considerable.
- Organizations do not appreciate the benefits of the measures they already have.
- Organizations underestimate the potential cost of a cyber-attack.

Survey findings:

- 63% cite budget constraints as the main obstacle to making a contribution and delivering value.
- 50% will see no increase in budget over the coming 12 months.

Implications:

- Organizations must assume that they are under daily cyber-attack; over time, attackers gain experience and more skills that make their attacks more successful, more severe and more targeted. The next breach could be fatal.

1.3.1.1 The Security Operations Center (SOC):

A Security Operations Center (SOC) is a valuable starting point, because vital foundational cyber security consists of the processes and technology that support the information security function, and these are most effective when they are centralized, structured and coordinated.

It is concerning that over 40% of the organizations in the survey do not have a SOC. For those that do, the benefits of centralization are either not being realized, or not communicated or understood by the organization.

Over half of the respondents could not answer the question about how well the SOC met their business needs, answered "unknown", or said that the SOC did not interact with the business.

- How does your SOC ensure they are meeting the needs of business operations?

  Unknown: 36%
  Our SOC does not interact with the business: 22%
  Our SOC receives annual updates from the business to understand and address their concerns and risks: 12%
  Our SOC receives quarterly updates from the business so they can understand and address their concerns and risks: 10%

On the one hand, a lack of awareness is observed in the responding organizations about how to keep the SOC up to date. On the other, 50% of respondents could not answer the question, or at least do not know how long it takes the SOC to initiate an investigation of alerted incidents. Before taking any step forward on improvements, organizations must be well informed about what the SOC does.

- How long does the SOC take to initiate the investigation of alerted incidents?

  Within 10 minutes: 12%
  Within 1 hour: 25%
  Within 4 hours: 13%
  Within 1 day: 13%
  Longer than 1 day: 4%
  Unknown: 33%
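One-third of respondents could not say how long their SOC takes to start investigating an alert, which is a metric any SOC can compute from its own ticket data. As an added example (not from this assignment or EY's survey), the following Python script takes a constructed alert log, computes the delay between an alert being raised and an analyst opening it, and buckets each alert into the same bands the survey question uses, counting alerts that were never picked up or whose timestamps cannot be trusted as "Unknown". The record format and the sample log are assumptions made for this example.

```python
"""Time-to-investigate metric for SOC alerts, bucketed into the bands used by
the survey question above.  Added example, not from the assignment or EY's
survey; the alert record format and the sample log are assumptions made for
illustration."""
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional, Tuple

# Survey bands: (label, inclusive upper bound on the delay)
BANDS: List[Tuple[str, timedelta]] = [
    ("Within 10 minutes", timedelta(minutes=10)),
    ("Within 1 hour", timedelta(hours=1)),
    ("Within 4 hours", timedelta(hours=4)),
    ("Within 1 day", timedelta(days=1)),
]
LONGER = "Longer than 1 day"
UNKNOWN = "Unknown"  # never picked up, or timestamps that cannot be trusted

# Constructed alert log: (alert id, raised at, investigation started at or None)
SAMPLE_ALERTS = [
    ("A1", "2014-08-01T09:00:00", "2014-08-01T09:04:00"),
    ("A2", "2014-08-01T09:10:00", "2014-08-01T09:55:00"),
    ("A3", "2014-08-01T10:00:00", "2014-08-01T13:30:00"),
    ("A4", "2014-08-01T11:00:00", "2014-08-02T08:00:00"),
    ("A5", "2014-08-01T12:00:00", "2014-08-03T12:01:00"),
    ("A6", "2014-08-01T13:00:00", None),                    # still sitting in the queue
    ("A7", "2014-08-01T14:00:00", "2014-08-01T13:50:00"),  # started before raised: clock skew
    ("A8", "2014-08-01T15:00:00", "2014-08-01T15:10:00"),  # exactly on the 10-minute boundary
]


def time_to_investigate(raised: str, started: Optional[str]) -> Optional[timedelta]:
    """Delay between the alert being raised and an analyst opening it."""
    if started is None:
        return None
    return datetime.fromisoformat(started) - datetime.fromisoformat(raised)


def band_for(delay: Optional[timedelta]) -> str:
    """Map a delay to the survey band; negative or missing delays are Unknown."""
    if delay is None or delay < timedelta(0):
        return UNKNOWN
    for label, limit in BANDS:
        if delay <= limit:
            return label
    return LONGER


def summarize(alerts) -> Dict[str, object]:
    """Count alerts per band and compute the median delay of the measurable ones."""
    counts: Dict[str, int] = {label: 0 for label, _ in BANDS}
    counts[LONGER] = 0
    counts[UNKNOWN] = 0
    measurable: List[timedelta] = []
    for _, raised, started in alerts:
        delay = time_to_investigate(raised, started)
        counts[band_for(delay)] += 1
        if delay is not None and delay >= timedelta(0):
            measurable.append(delay)
    total = len(alerts)
    return {
        "counts": counts,
        "percent": {k: round(100 * v / total, 1) for k, v in counts.items()} if total else {},
        "median_minutes": median(measurable).total_seconds() / 60 if measurable else None,
        "unknown_share": counts[UNKNOWN] / total if total else None,
    }


if __name__ == "__main__":
    for band, n in summarize(SAMPLE_ALERTS)["counts"].items():
        print(f"{band}: {n}")
```

The "Unknown" share is reported separately because it is itself a finding: alerts with no pickup time are either still waiting or were closed without the workflow recording it, and a clock-skewed negative delay means the two timestamps come from systems that are not synchronized, so the metric should not be trusted until that is fixed.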

1.3.2 Adapt: this is the second phase, which adds the following features to the "Activate" level:

1.3.2.1 Built-in security: cyber security is considered and involved in every process and development the organization undertakes. Any change in the business is immediately assessed from a cyber security perspective, and any change in cyber security is built into all business processes. As a result, cyber security is kept up to date continuously.

1.3.2.2 Focus on the changing environment: high-maturity cyber security continuously adapts to ongoing changes in the business and its environment, for example going digital or using cloud services. Cyber security must be adaptable to any change and development in the business in order to defend the network from any new threat spawned by technology or business development.

1.3.2.3 A dynamic approach: the cyber security system is flexible, agile and under constant revision. It is adapted to protect the overall business transactions.

i. Cycle of improvement: the approach to adaptability:

The following are potential examples of change that an organization might undergo:

- Integrating new technologies such as cloud, social media, etc. into business processes.
- The exponential rise of mobile devices (BYOD, etc.), blurring the lines between the business and personal worlds.
- The rise in managed services and remote hosting, with greater reliance on complex apps (many hosted remotely).
- The integration of control infrastructure with the back office and the outside world.
- A rapidly changing regulatory environment and requirements.

Therefore, organizations must deal with an endless cycle of threats and challenges, which requires the adoption of endless development and evaluation of their changing cyber security capabilities.

This is where the significance of the security system lies: it enables organizations to manage this cycle in an efficient and effective manner, and they benefit from embracing new or different security opportunities which, in turn, enable the business and save cost.

EY Global provided the following exhibit that best explains the improvement cycle:

(exhibit omitted)

ii. Running backwards to grasp reality:

Keeping cyber security measures in optimum alignment with the business is very important in order to get ahead of cybercrime.

This survey finds the following:

- 13% of the responding organizations report that their security system fully meets their organization's needs; compared to the last survey, this percentage is lower (17% in 2013).
- 63% of the responding organizations report that their security system partially meets their organization's needs; compared to the last survey, this percentage is lower (68% in 2013).

These results show that organizations must pay more attention to cyber security; using the improvement cycle will help them get back on track.

This survey illustrates why cyber security measures are not meeting the needs of so many organizations, for example in breach detection:

- What statement best describes the maturity of your breach detection program?

  We don't have a breach detection program: 12% (2013), 16% (2014)

1.3.3 Anticipate: to reach this stage, the following steps should be taken.

1.3.3.1 Built-beyond security: be alert, ready to act and able to respond quickly, in a balanced manner. Management accepts cyber-attacks and risks as a core business issue, and cyber security capabilities are part of a dynamic decision process.

1.3.3.2 Focus on the future environment: know your internal and external environment in order to estimate the sources of cyber-attack risk.

1.3.3.3 Proactive approach: be confident in your incident response and crisis response mechanisms.

- Which statement best describes the maturity of your threat intelligence program?

  We do not have a threat intelligence program: 36%
  We have an informal threat intelligence program that incorporates information from trusted third parties and email distribution lists: 32%
  We have a formal threat intelligence program that includes subscription threat feeds from external providers and internal sources, such as a security incident and event management tool: 17%
  We have a threat intelligence team that collects internal and external threat and vulnerability feeds to analyze for credibility and relevance in our environment: 10%
  We have an advanced threat intelligence function with internal and external feeds, dedicated intelligence analysts and external advisors that evaluate information for credibility, relevance and exposure against threat actors: 5%

- Compared to the previous year, does your organization plan to spend more, less or relatively the same amount over the coming year for the following activities?

  Activity | Spend more | Spend the same | Spend less
  Business continuity/disaster recovery resilience | 41% | 53% | 6%
  Cloud computing | 39% | 54% | 7%
  Data leakage/data loss prevention | 41% | 53% | 6%
  Forensics support | 11% | 80% | 9%
  Fraud support | 14% | 78% | 8%
  Identity and access management | 39% | 53% | 8%
  Incident response capabilities | 33% | 60% | 7%
  Information security transformation (fundamental redesign) | 25% | 64% | 11%
  Insider risk/threats | 19% | 74% | 7%
  Intellectual property | 12% | 78% | 10%
  IT security and operational technology integration | 30% | 63% | 7%
  Mobile technologies | 46% | 47% | 7%
  Offshoring/outsourcing security activities, including third-party supplier risk | 21% | 68% | 11%
  Privacy measures | 19% | 73% | 8%
  Privileged access management | 29% | 63% | 8%
  Securing emerging technologies (e.g., cloud computing, virtualization, mobile computing) | 43% | 50% | 7%
  Security architecture redesign | 24% | 66% | 10%
  Security awareness and training | 37% | 54% | 9%
  Security incident and event management (SIEM) and Security operations center (SOC) | 34% | 58% | 8%
  Security operations (e.g., antivirus, patching, encryption) | 29% | 64% | 7%
  Security testing (e.g., attack and penetration) | 33% | 59% | 8%
  Social media | 11% | 78% | 11%
  Third party risk management | 18% | 74% | 8%
  Threat and vulnerability management (e.g., security analytics, threat intelligence) | 34% | 59% | 7%

It is very logical that organizations seek to learn from the past and prepare for the future; therefore, organizations must stay updated on all threats that have attacked others in the same industry, and should be informed about new threats, new trends in attack types, and the methods, tools and techniques to deal with them. It is vital to keep these organizations informed about emerging technologies and to keep exploring opportunities for the business while, at the same time, keeping an eye open for new risks and vulnerabilities. The 2014 survey shows that most organizations are preoccupied with their current state and are not looking to the future, and this is what can be read in the above graph.

- How do you ensure that your external partners, vendors, or contractors are protecting your organization's information?

  Assessments performed by your organization's information security, IT risk, procurement or internal audit function (e.g., questionnaires, site visits, security testing): 56%
  All third parties are risk-rated and appropriate diligence is applied: 27%
  Accurate inventory of all third-party providers, network connections and data transfers is maintained and regularly updated: 27%
  Independent external assessments of partners, vendors or contractors (e.g., SSAE 16, ISAE-3402): 27%
  Self assessments or other certifications performed by partners, vendors or contractors: 34%
  Only critical or high-risk third parties are assessed: 24%
  Fourth parties (also known as sub-service organizations) are identified and assessments performed (e.g., questionnaires issued, reliance placed on your vendor's assessment processes): 8%
  No reviews or assessments performed: 13%

This survey was conducted by EY Global Information between June 2014 and August 2014. More than 1,800 organizations across all major industries and in 60 countries responded to this survey.

There are five suggested steps that an organization must take to implement the "Anticipate" stage:

- An intelligence strategy must be designed and implemented to define the cyber threat.
- An extended cyber security ecosystem must be designed and encompassed.
- Take a cyber-economic approach.
- Utilize forensic data analytics and cyber threat intelligence.
- Ensure everyone (all employees) understands what is happening in the world of cyber threats.

2. Sony Corporation:

Sony Corporation, referred to as Sony, is a Japanese conglomerate corporation located in Kōnan, Minato, Tokyo, Japan. It has a diversified business but focuses on the electronics, appliances, entertainment, and computer sectors.

Sony is one of the leading manufacturers of electronic products, and it is ranked 105th on the 2014 Fortune Global 500 list.

Sony Corporation is the electronics unit, as a business field, and the parent company of the Sony Group, which includes four operating segments: electronics (including video gaming, network services, and medical business), motion pictures, music, and financial services.

2.1 Financial details and human resources up to 2014 [1]:

- Operating income ($/Trillion): 0.0002182
- Net income ($/Trillion): 0.0010573
- Total assets ($/Trillion): 0.1262922
- Total equity ($/Trillion): 2.258
- Number of employees (31st Mar. 2014): 140,900

[1] http://en.wikipedia.org/wiki/Sony

2.2 Shareholders as of Mar. 31st, 2012 [2]:

- Japan Trustee Services Bank, Ltd. (trust account) – 7.0%
- Moxley and Company (depositary bank for ADRs) – 6.7%
- The Master Trust Bank of Japan, Ltd. (trust account) – 5.1%
- SSBT OD05 Omnibus China Treaty 808150 – 2.4%
- Japan Trustee Services Bank, Ltd. (trust account 9) – 2.1%
- State Street Bank and Trust Company – 1.2%
- Japan Trustee Services Bank, Ltd. (trust account 1) – 1.0%
- State Street Bank and Trust Company 505225 – 1.0%
- Japan Trustee Services Bank, Ltd. (trust account 6) – 0.9%
- Mellon Bank (for Mellon Omnibus US Pension) – 0.9%

2.3 Sony sales and distribution per region as of 2009 [3]:

Geographic region | Total sales in USD
Japan | 15,429.01
United States | 20,693.26
Europe | 19,007.33
Other areas | 16,813.19

3. Security attack on the Sony PlayStation Network:

3.1 Background:

In 2011, a Sony PlayStation Network outage caused by an external intrusion affected the PlayStation Network (online gaming system and console) and Qriocity services (on-demand streaming music); the personal profiles of 77 million accounts were compromised, and users of PlayStation 3 and PSP consoles were left unable to use the service.

The intrusion took place between Apr. 17th and Apr. 19th, 2011; Sony was obliged to turn off the network on Apr. 20th. Sony Corporation then confirmed the incident, stating that 77 million users' details had been exposed; the outage lasted 23 days.

[2] http://en.wikipedia.org/wiki/Sony
[3] http://en.wikipedia.org/wiki/Sony

Given the duration of the outage and the number of accounts exposed (77 million), this breach was one of the 15 largest breaches of the 21st century according to CSOonline.com [4]; compared to the 2007 hack of TJX (one of the largest apparel and home-fashion companies in the US), which affected 45 million customers, the 2011 Sony PlayStation hack was larger.

On April 26th, Sony Corporation stated that it would get the service back on within a week. Then, on May 14th, a PlayStation 3 firmware version was released as a security patch, in order to force users to change their password upon signing in, but the service and the network remained turned off.

The restoration of the service was announced regionally by Sony Corporation's CEO, and a map of regional restoration was issued; the service was initially restored in the United States.

3.2 Services affected by the outage:

- PlayStation and PSP online playing systems
- Online verification and downloaded games
- Access to Music Unlimited powered by Qriocity for PS3/PSP for existing subscribers
- Access to account management and password reset
- Access to download un-expired movie rentals on PS3, PSP, and MediaGo
- PlayStation Home
- Friends list
- Chat functionality

On May 1, Sony Corporation announced that the above services were back to life, through a "Welcome Back" program for customers affected by the outage.

3.3 Case investigation:

[4] http://www.csoonline.com/article/2130877/data-protection/the-15-worst-data-security-breaches-of-the-21st-century.html

The case was diagnosed as a DDoS (distributed denial of service) committed by an external intruder, "a hacktivist", who committed data theft and caused Sony to close the PlayStation Network; it constituted "a criminal cyber-attack".

Sony announced in a blog post that the case had been forwarded to law enforcement, and that it had engaged a technology security firm to conduct a complete investigation.

Data Forte was added to the investigation team of Guidance Software and Protiviti (a finance and staffing firm) to analyze the attacks, while the legal side of the case was forwarded to legal agents.

Once the breach was identified, Sony conducted an internal investigation and reported it in a letter to the United States Congress.

3.3.1 George Hotz and Anonymous:

During 2010 and early 2011, George Hotz, "the hacktivist", appeared with the intention of breaking into the Sony PlayStation Network.

The hacking group fail0verflow is known in the consumer electronics field for the reverse engineering of security models. In an academic presentation, they presented the methods by which they had successfully penetrated the devices' security model, yielding the root signing and encryption keys; these keys are the essential element of a full breach, making it possible to install new software on any PlayStation 3 unit.

In Jan. 2011, Hotz posted these PlayStation 3 keys on his website; the keys were later removed from his website as a result of legal action taken by Sony.

At the end of Apr. 2011, an anonymous hacker broke into the PlayStation Network and stole the personal information of 77 million users; 10 million of these users had their credit card details stored. Sony accused Hotz of doing so, but Hotz denied it.

Sony reacted to this intrusion by asking a computer security company to investigate it. Once Sony came to believe that its customers' details were exposed to theft, it employed a second specialist, "the U.S. Federal Bureau of Investigation", which had launched a criminal investigation.

3.4 Case Impact:

As many sources note, Sony never determined the full impact of the breach. In the worst case, the attack could have exposed the details of every account on the PlayStation Network, 77 million users in all.

3.4.1 Users’ impact:

The data of 77 million users was exposed, and about 10 million of them had credit card details stored in the PlayStation Network. Sony stated that no credit card company had reported abuse of its customers’ cards.

3.4.2 Financial impact [5]:

Sony’s response to the attack incurred several kinds of cost: compensation to users, investigation expenses, and strengthened defenses.

3.4.2.1 Compensation to users:

1. A “Welcome Back” program offering all PSN members 30 days of free PlayStation Plus membership, together with selected PlayStation entertainment content.

2. Two PlayStation 3 games and two PSP games offered free of charge.

3.4.2.2 Government reaction:

What happened on the PlayStation Network was a malicious act that resulted in the theft of individuals’ data. Authorities in several countries stated that Sony would be questioned and that an investigation would determine whether Sony had taken adequate precautions to protect customer details. Under the UK’s Data Protection Act, Sony was fined £250,000 ($264,388) for the breach.

[5] http://en.wikipedia.org/wiki/2011_PlayStation_Network_outage


3.4.2.3 Legal action against Sony:

In April 2011 a user filed a class action lawsuit against Sony on behalf of all PlayStation users in the USA, accusing the company of failing to encrypt data and to establish adequate firewalls to cope with a server intrusion, failing to give prompt and adequate warning of the security breach, and delaying the restoration of the PSN service.

3.4.2.4 Credit card fraud:

No case of credit card fraud linked to the outage was formally reported, although there were reports online of PlayStation users experiencing credit card fraud. Approximately 12.5 million of the 77 million users had credit card details registered in the PSN (published figures vary; section 3.4.1 above gives 10 million).

3.4.2.5 Overall impact:

The impacts above translated into the following hard costs:

- 77 million user accounts compromised, 12.5 million of them with credit card details registered in the PSN.

- 171 million dollars in hard costs.

- 250 million dollars in additional hard costs through the end of 2012 for user retention and compensation, cleaning up after the breach, and strengthening the defenses.

4. Enhancing the organization’s information system security:

Information system security policies coexist with threats; in the absence of threats there would be no policies. Threats always come first, and policies are created afterwards as a response to them; the policies then provide a framework for selecting and implementing measures against those threats. A written policy obliges everyone in an organization to behave in a manner consistent with information security.

The main task of a security policy is to define the security objectives of the information system and, at the same time, to outline a strategy for achieving them. By contrast, an information system without a security policy is likely to end up with a disjoint collection of countermeasures that address an assortment of threats.

Policies, standards, guidelines and training materials that are obsolete or not enforced are particularly dangerous to an organization, because management is often misled into believing that the security policies are in force and that the organization is operating more securely than it actually is. Every organization must therefore test and review its rules, controls and procedures and remove any that are obsolete, to avoid this false sense of security.

4.1 Management Commitment:

Management commitment is essential to security: it motivates information resource owners and users, and it gives the information system security team the visibility it needs to secure the support of the business units. Because there is little natural motivation for security other than actual loss experience, managerial commitment to information security is the most important factor in a successful security program.

In a computing environment, management commitment is demonstrated to end users and systems staff through managers’ own practices and through performance reviews.

Computer and systems training, guidelines and practices should be signed off and approved by the local authority, chiefly the managers who decide on and issue rewards and penalties.

Management support gives the information system security team visibility and fosters good relationships with higher levels of management, especially the senior managers of information-intensive business units; without this kind of support, the security team is less able to fulfil its information security role.

When a loss occurs, visibility for information system security becomes unavoidable. The loss is an abrupt motive to improve the security system: the business units must learn from the experience and become able to forecast further risk sources, and by expanding the knowledge of the security team, later cyber-attacks will have a shallower impact on the organization’s network.

Another way to gain visibility is for the information systems security team to publish lists of business units ranked by the quality of their information security. This reinforces the security level of business units that take an active role in information system security and motivates units that do not yet show a high level of security achievement.


4.2 Management oversight committee:

Two approaches to information systems security oversight are in use: some organizations have a dedicated management oversight committee, while others include security issues in general oversight committees for technical and administrative concerns. In both cases IT services and corporate security are represented, but the existing committees rarely cover information systems security for a distributed computing environment. In that case the organization needs to expand or reorganize the existing committees to represent the needs of distributed computing. The members of this committee should be drawn from the managers of business units actively engaged in the distributed computing environment, as well as the managers who rely on external data communications, such as sales and services. The committee is responsible for reviewing, approving and distributing corporate policies and standards. To increase its effectiveness, at least one member should have regular access to the organization’s senior managers.

4.3 Policy development responsibilities:

Drafting appropriate policies and policy updates is a main task of the information system security group or of the IT policies and standards group. Some organizations assign this responsibility to the management oversight committee; it should not be given to a third party, since the style and form of a policy should be consistent with existing policies and reflect the corporate culture.

The team assigned to draft the policies should therefore be familiar with both current technologies and the corporate culture in order to make sound decisions. Knowledge of the technologies requires an understanding of both the security capabilities and the limitations of technological solutions for protecting the organization against threats, while understanding the corporate culture allows the policy development team to design an information systems security policy that can best ensure compliance.

Before drafting, the team should review the best practices and experience of similar organizations in the same industry, and only then outline a policy. Even organizations in the same field may face threats different from those attacking their peers, because of their surrounding environment, economic factors, and the information systems security model each organization applies.


4.4 Policy acceptance:

User awareness, education and participation are key factors in gaining policy acceptance. They can be promoted through information systems security marketing, whose objective is to inform, educate and persuade the business units and users, and to channel their suggestions to the management oversight committee [6].

External and internal threats do not by themselves lead to compliance. This is where the security marketing team comes in: it must effectively convey the roles and responsibilities of the business units and users with respect to information systems security. Otherwise, well-meaning but conflicting behaviour by business units and users can lead to disasters.

Even if the security policies were impeccable and never changed, their performance and effectiveness would still need to be monitored, in addition to the updates and development that follow loss experience, both the organization’s own and that of others. This improvement must be carried out in coordination between the business units and the information systems security team, focusing on the business practices that best let the organization reach its objectives.

Since a security policy cannot predict future threats or future malware mechanisms, it is important that the underlying principles of the organization’s information systems security policies are widely understood.

Information systems security policies must be understood and practical in order to be effective. Acceptance depends on a policy’s inherent ability to define which behaviour is acceptable and which is not with respect to information systems security. The policy must define who holds responsibility, what the basic information systems security policies are, and the reasons for them. Arbitrary policies become obsolete and are ignored, while a clear, concise, coherent and accurate policy that sets expectations for users’ information handling is more likely to be followed.

Finally, the security marketing team is mandated to make the policies easy to access, easy to implement and clear enough to be followed by the business units and users. A further issue is automating the process by which the organization disseminates the information contained in its security policies in order to educate its user community.

[6] SANS Institute, Developing effective information system security policies, p.5


4.5 Importance of policy:

Policies serve as terms of reference (ToR) that inform the members of an organization of their mandatory responsibilities for protecting its information systems; they also define the proper mechanisms for carrying out those responsibilities.

Information systems security policies provide the foundation for acquiring, configuring and auditing information systems for compliance with the policy.

Policies matter even more in a distributed computing environment than in a centralized one, because of the increased difficulty of restricting activity from a remote location. Such policies must be clear and legible to reduce the explanation and instruction effort the organization has to make. Policies should be confined to general concepts rather than specific controls. For example, a policy stating “each computer user must be authenticated by an acceptable method” is better than the more specific “each computer user must be authenticated by a six-character password”, because the general statement does not have to change when the acceptable method does: the specific control belongs in a standard that can be revised as six-character passwords stop being acceptable.
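One way to make that separation concrete, as an added illustration for this page (not taken from the assignment or from any real organization’s policy): the policy sentence is fixed, the definition of “acceptable method” lives in a versioned standard, and one unchanged audit routine is run against whichever standard version is current. The account records and both standard versions below are constructed for the example.

```python
"""Policy kept general, control kept in a versioned standard.

Added illustration for this page; the accounts and the two standard versions
are constructed sample data, not any organization's real configuration."""
from dataclasses import dataclass


@dataclass
class Account:
    user: str
    methods: set            # authentication methods enabled on the account
    password_length: int = 0


# The policy text never changes.
POLICY = "Each computer user must be authenticated by an acceptable method."

# The standard is what changes: each version says what "acceptable" means.
# A method maps to a predicate over the account that decides whether the method,
# as configured on that account, meets the standard.
STANDARDS = {
    # constructed "2011-era" standard: a six-character password is enough
    "v1-2011": {
        "password": lambda a: a.password_length >= 6,
    },
    # constructed later revision: longer passwords, or a second factor
    "v2": {
        "password": lambda a: a.password_length >= 12,
        "hardware_token": lambda a: True,
        "totp": lambda a: True,
    },
}


def acceptable_methods(account, standard):
    """Return the subset of the account's methods that the standard accepts."""
    return {m for m in account.methods if m in standard and standard[m](account)}


def audit(accounts, standard_version):
    """Check every account against POLICY, using the named standard version to
    decide what counts as acceptable. Returns the users who violate the policy.
    The policy check itself (at least one acceptable method) never changes."""
    standard = STANDARDS[standard_version]
    return sorted(a.user for a in accounts if not acceptable_methods(a, standard))


# constructed sample accounts
SAMPLE_ACCOUNTS = [
    Account("alice", {"password"}, password_length=8),
    Account("bob", {"password"}, password_length=16),
    Account("carol", {"password", "totp"}, password_length=8),
    Account("dave", set()),                   # no authentication configured
]


if __name__ == "__main__":
    for version in STANDARDS:
        print(version, "violations:", audit(SAMPLE_ACCOUNTS, version))
```

Running the audit under “v1-2011” flags only dave; switching to “v2” additionally flags alice, whose eight-character password is no longer an acceptable method, while carol passes on the strength of her TOTP factor. The policy sentence and the audit routine were not touched; only the standard moved.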

Policy also matters in distributed computing environments as a means of establishing security discipline across a large, diverse population of users and business units that can generally be reached only through formal communication and audit.

5. Conclusion:

The survey combines the information systems security concept and report with the implementation of information systems security within the participating organizations.

In previous surveys, “employees” were seen as the most likely source of an attack; in the 2014 survey, employees are still seen as a significant risk. The view of employees as the most likely source of cyber-attack has two sides:

- Employees are the users of information systems security: they lack skills and have no rapport with the business units. They are not educated in how to deal with a risk at the time it is discovered and before the loss grows, and they are not acquainted with cyber-attack mechanisms, with the loss experience of other organizations in the same field, or with the best practices for stopping intrusions and mitigating risks. A communication gap between the information systems security users and the business units exposes an organization to more risk sources and more severe losses in its business model. The best example of this gap is the experience of Sony Corporation: it suffered a hacking incident in April 2011 that caused the outage of the PlayStation Network online gaming service and several other services, then underwent another hacking incident at Sony Pictures Entertainment in 2014 with a similar scenario. As experts analyzing the root cause of that intrusion noted, Sony has more than 140,000 employees and more than 100 subsidiaries globally, but its security team could not manage the whole corporate network, so there was no centralized management of security event information [7].

- Employees come from the same organizational culture; they are familiar with the network’s vulnerabilities, and some do not feel much loyalty to the organization or are simply crooks; the organization may then face a heavy flow of cyber-attacks from inside and outside.

The EY survey also notes, for the first time, that when the different types of external attacker were combined (criminal syndicates, state-sponsored attackers, hacktivists and lone wolf hackers), these threats were considered significantly more likely as a risk source, and that nearly all respondents included one or more external attackers in their rating.

To implement information systems security in an organization, there are three stages to go through:

Activate: Organizations need a solid foundation of cyber security. This comprises a comprehensive set of information security measures that provide basic (but not good) defense against cyber-attacks. At this stage, organizations establish their fundamentals.

Adapt: Organizations change, whether for survival or for growth, and threats change too. The foundation of information security measures must therefore adapt to keep pace with changing business requirements and dynamics; otherwise it becomes less and less effective over time. At this stage, organizations work to keep their cyber security up to date.

[7] John Gaudiosi, Why Sony didn't learn from its 2011 hack


Anticipate: Organizations develop tactics to detect and deter potential cyber-attacks before they happen. They must know exactly what they need to protect (their “crown jewels”) and rehearse appropriate responses to likely attack scenarios (including accidents). This requires a mature cyber threat intelligence capability, a robust risk assessment methodology, an experienced incident response mechanism, and an informed organization. At this stage, organizations are more confident of their ability to handle both predictable threats and unexpected attacks.

Sony Corporation is a leading company and one of the participants in the 2014 survey; it had a bad experience in 2011, when its cyber-attack was ranked among the 15 worst intrusions of the 21st century, and it bore hard costs to recover and retain its customers.

Information systems security as a system alone is not enough to fight cyber threats; there must be policies that raise the security level, define risks, educate and train users and business units, and assign tasks and responsibilities to users and business units in line with the organization’s strategy.

A policy will be accepted if it is direct, clear, objective, precise and easy to understand. To enforce these policies, the information systems security function should have direct contact with senior management. The value of a management oversight committee is that it keeps senior management close enough to the information systems security procedures, their implementation, and policy adherence.


6. References:

- EY, Global Information Security Survey 2014.

- “2011 PlayStation Network outage”, Wikipedia. http://en.wikipedia.org/wiki/2011_PlayStation_Network_outage

- Kazuo Hirai, “Letter to the U.S. House of Representatives”.

- Mochizuki, Takashi (2010-04-07). “Japan Restart of Sony Online Games Services Not Yet Approved”. FoxBusiness.com. Retrieved 2011-06-02.

- fail0verflow, “Console Hacking 2010: PS3 Epic Fail”, 27th Chaos Communication Congress (27C3), 2010.

- “George Hotz”, Wikipedia. http://en.wikipedia.org/wiki/George_Hotz

- “Sony”, Wikipedia. http://en.wikipedia.org/wiki/Sony

- John Gaudiosi, “Why Sony didn't learn from its 2011 hack”.