BMIT5103 – IT for managers – assignment
Name: Abdulilah A. Sallam
USTY ID: 201313089
OUM: CGYE00017068
Doctor: Mohammed Al-Amer
1. Survey and report on information security system:
EY Global conducted a survey in October 2014. As reported, 1,825 leading organizations all over
the world responded to the survey, which focuses on cyber threats, what organizations need in
order to manage those threats, and what they must do against today's cyber criminals.
In contrast to previously conducted surveys (2013 and before), progress and awareness were
observed in these organizations, yet all of them had suffered business impact from severe
cyber-attacks.
During 2014, these organizations pursued building the foundations of cyber security, although
this progress and the foundations themselves were evaluated as being at a moderate level of
maturity. These foundations were adapted according to changes in the organizations' businesses,
strategy and operations (for example, a merger, acquisition, introduction of a new product,
entrance to new markets, and/or implementation of new software).
1.1 Dimensions of the survey:
The survey outlines three dimensions:
1.1.1 Activation covers the foundations of cyber security: what is the situation in 2014, and
what are the most important elements that need more attention?
1.1.2 Adaptation: how will cyber security measures adapt to changing requirements? Are there
integrated and advanced techniques to defend against cyber-crime as cyber threats change?
1.1.3 Anticipation: how can leading organizations reach a state of readiness – confident in
their assessment of the risks and threats, and prepared for what is coming?
1.2 Reasons for the complexity of effective cyber security:
The survey identified the reasons behind the complexity of delivering effective cyber security.
These top five reasons illustrate the size of the pressure that organizations' defenses undergo,
further eroding the traditional perimeter and, in turn, creating motivation for threat
perpetrators:
1. Change: The post-economic-crisis environment prompted businesses to move very fast. New
product launches, mergers, acquisitions, market expansion and penetration, and the introduction
of new technology are all on the rise. All these changes and developments have a complicating
impact on the strength of an organization's cyber security.
2. Mobility and consumerization: Digital improvement and the adoption of mobile computing have
blurred organizational boundaries; IT is brought closer to the user and further from the
organization. The use of the internet, smartphones and tablets, combined with
'bring-your-own-device', has made data more exposed everywhere and at every time.
3. Ecosystem: The ecosystem is the perimeter we live in, a set of digitally connected entities,
so people and data increase the likelihood of exposure to cybercrime in both the work and home
environments.
4. Cloud: With the rise of third-party data storage, known as 'cloud services', new channels of
risk have emerged that did not exist previously.
5. Infrastructure: Operating systems are now given IP addresses so that they can be managed
throughout the network; cyber threats find their way to these systems by breaking through
back-office systems into critical infrastructure such as power generation and transportation
systems.
1.3 The growing attacking power of cyber criminals:
As time passes, attackers gain experience and improve from their ongoing hacks and failures;
they are now more patient and sophisticated than ever before, and they hunt for vulnerabilities
across the whole working perimeter – including staff and business processes.
- Who or what do you consider the most likely source of a cyber-attack?
  Employee: 57%
  External contractor working on our side: 35%
  Customer: 10%
  Supplier: 12%
  Other business partners: 14%
  Criminal syndicates: 53%
  State sponsored attackers: 27%
  Hacktivists: 46%
  Lone wolf hacker: 41%
Defining the risk sources of cyber-crime within the responding organizations answers this
question.
In previous years' surveys, the employee was considered the most likely source of an attack,
and this year the employee is still observed as a significant risk source. However, criminal
syndicates, state sponsored attackers, hacktivists and lone wolf hackers were considered the
most likely sources of cyber-attack.
1.4 Hindrances that prevent organizations from getting ahead of cybercrime:
Responding organizations identified three roadblocks that make building their cyber security
systems difficult, and they recommend removing these hindrances in order to run their cyber
security systems more elegantly and efficiently.
1.4.1 These organizations lack agility:
According to the organizations' responses in the survey, there are known vulnerabilities in
their cyber security systems; however, these organizations are not developing fast enough to
eliminate them:
- 37% of these organizations have no real-time insight into cyber risks.
- Only 27% of these organizations have this insight to some degree.
As a result, these organizations are delayed in establishing foundational cyber security.
- Which threats and vulnerabilities have most increased your risk exposure over the last 12
months?
Vulnerabilities (five response levels per item, in the chart's order; the level labels were not
preserved):
  Outdated information security controls or architecture: 35% / 17% / 15% / 16% / 17%
  Careless or unaware employees: 38% / 19% / 16% / 14% / 13%
  Cloud computing use: 17% / 22% / 18% / 18% / 25%
  Mobile computing use: 16% / 25% / 22% / 20% / 17%
  Social media use: 7% / 25% / 24% / 20% / 24%
  Unauthorized access: 14% / 20% / 23% / 24% / 19%
Note: Vulnerability is defined as exposure to the possibility of being attacked or harmed.
Threats (five response levels per item, in the chart's order; the level labels were not
preserved):
  Cyber attacks to disrupt or deface the organization: 25% / 20% / 21% / 16% / 18%
  Cyber attacks to steal financial information: 28% / 23% / 18% / 19% / 12%
  Cyber attacks to steal intellectual property or data: 20% / 24% / 22% / 17% / 17%
  Espionage: 16% / 24% / 20% / 18% / 22%
  Fraud: 19% / 23% / 22% / 21% / 15%
  Internal attacks: 11% / 20% / 23% / 18% / 28%
  Malware: 15% / 19% / 24% / 25% / 17%
  Natural disasters: 15% / 14% / 16% / 21% / 34%
  Phishing: 17% / 22% / 21% / 22% / 18%
  Spam: 13% / 18% / 19% / 20% / 30%
  Zero-day attacks: 16% / 20% / 19% / 20% / 25%
Note: Threat is defined as the potential for a hostile action from perpetrators in the external environment.
1.4.2 Lack of budget:
For cyber security adaptation in an organization, budget is the keystone of implementing an
information security system. As cyber threats increase and progress in their methods and
nature, the assigned budget must increase correspondingly. However, most organizations this
year reported that their cyber security budget remains flat.
1.4.3 Working staff lack relevant skills:
Only 5% of the organizations have an intelligence team with dedicated analysts and external
advisors that evaluate information for credibility, relevance and exposure against threat
actors.
The importance of specialists or experts in cyber security deepens over time; significantly,
this survey shows that the lack of specialists is a constant and growing issue.
Sophisticated organizations do not only defend themselves against cyber-attacks; they use
analytical intelligence to anticipate what could happen, pre-defining risk sources and
anticipating new attacker methods.
Through this survey, we pointed out that it is not easy to hire specialists to analyze threat
intelligence data, draw relevant and actionable conclusions, and enable decisions and responses
to be taken.
1.3 Three stages of cyber security maturity:
The survey discusses the three phases of cyber security maturity: "Activate, Adapt, and
Anticipate".
1.3.1 Activate: this is the first phase of cyber security maturity, in which every organization
needs to build a solid foundation. Building this foundation is a complicated task; the standards
and specifications needed depend on the type of industry and geography.
If these organizations feel satisfied with activating the foundations and do not step forward
beyond them, they will definitely have the following shortfalls:
- Bolt-on cyber security: because the organization's cyber security has been added onto
business processes and activities, it is seen as a cost object; it has not yet been integrated
into the business and is not seen as a value-adding activity.
- A focus on safeguarding the current environment: the company remains at the 'Activate'
level, which is only a foundation level in which cyber security deals with risks and threats
according to prior experience, and the goal is to make sure measures are in place to fix any
weaknesses. So, if the whole topic is about risk assessments, control efficiency and risk
mitigation, the organization remains at the 'Activate' level.
- A static approach: this level aims at enabling the business to carry out its known,
day-to-day functions securely. The organization will be rule-based and compliance-driven,
relying on metric-driven reporting – it can only deal with threats in a world without change.
Foundational components of cyber security:
Regardless of how advanced the business is, cyber security foundational components should be
in place, and organizations must achieve mastery of the foundational requirements of cyber
security. According to the respondents to this survey, most organizations do not have all
foundational components of cyber security in place. The critical areas spotted in this survey
were selected based on the prior experience of EY Global:
- Executive buy-in
- Resources
- Performance
- Access to data
- Cost vs. value
i. Executive buy-in:
Issue:
- Leadership and management of cyber security come from lower levels of the organization, and
some see it as an IT issue.
- Threats are not discussed regularly in the boardroom, and threat management is absent at the
same time.
Survey findings:
- Nearly 86% of CIOs or IT departments have the information security function reporting
directly to them.
- 14% report directly to CEOs.
Implications:
- Senior leadership must be involved in cyber security.
- Lack of executive buy-in leaves room for mistakes and for cyber criminals.
ii. Resources:
Issue:
- Cyber security tasks are performed by unskilled staff, and skilled people are not adequately
resourced.
- Cyber security staff are short of threat knowledge and knowledge of cybercriminal behaviour.
Survey findings:
- Fewer than 20% have real-time insight into cyber risks readily available.
- 20% have published sources of cyber-attacks on their sector peers readily available.
Implications:
- Cyber threats are overlooked, or the response comes too late.
- Lack of security awareness is the main reason behind the success of phishing.
iii. Performance:
Issue:
- Some organizations are spread too thin; they maintain too many cyber capabilities and, as a
result, achieve only moderate effectiveness.
- The effectiveness of cyber security is not measured.
Survey findings:
- Between 35% and 45% of respondents rated themselves as "still a lot to improve".
Implications:
- Cyber security processes are not run properly, leaving a broad range of options for those
performing an advanced persistent threat (APT).
iv. Access to data:
Issue:
- Identity and Access Management (IAM) is weak; therefore, employees are a cyber security risk.
- Manual processing of daily transactions gives employees chances to access data improperly,
owing to the lack of close control.
- Movers, leavers, and joiners are a key risk area.
Survey findings:
- Two-thirds of responding organizations do not have a well-defined, automated IAM program.
Implications:
- Organizations always wait for risk to come from the outside environment, while employees
might be a wide source of cyber risk.
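The mover/leaver/joiner risk described above is exactly what an automated IAM reconciliation catches. The following Python script is an added example for this assignment (not part of the EY survey or any vendor product): it compares a constructed HR roster against a constructed list of directory accounts and flags leavers whose accounts are still enabled, movers who kept entitlements from a previous role, and enabled accounts with no HR record at all. The role-to-group policy, user names and group names are all invented sample data; a real deployment would read the roster from the HR system and the accounts from LDAP or Active Directory.

```python
"""Joiner / mover / leaver reconciliation for an identity directory (added example)."""
from dataclasses import dataclass, field


@dataclass
class HrRecord:
    user: str
    status: str          # "active" or "terminated" according to HR
    role: str            # current role according to HR


@dataclass
class Account:
    user: str
    enabled: bool
    groups: set = field(default_factory=set)


# Entitlements each role is allowed to hold (constructed, hypothetical policy).
ROLE_GROUPS = {
    "finance-analyst": {"fin-readers", "erp-users"},
    "finance-manager": {"fin-readers", "fin-approvers", "erp-users"},
    "helpdesk": {"hd-tools"},
}

# Constructed sample HR roster and directory extract.
HR_ROSTER = [
    HrRecord("alice", "active", "finance-manager"),
    HrRecord("bob", "terminated", "helpdesk"),          # leaver
    HrRecord("carol", "active", "helpdesk"),            # mover: finance -> helpdesk
]
DIRECTORY = [
    Account("alice", True, {"fin-readers", "fin-approvers", "erp-users"}),
    Account("bob", True, {"hd-tools"}),                  # still enabled after leaving
    Account("carol", True, {"hd-tools", "fin-approvers"}),  # kept an old finance group
    Account("dave", True, {"erp-users"}),                # no HR record: orphan account
]


def reconcile(roster, accounts):
    """Return findings keyed by risk category.

    leaver_enabled      - HR says terminated, directory account still enabled
    mover_excess_groups - groups the user's current role does not allow
    orphan_account      - enabled account with no HR record behind it
    """
    hr = {r.user: r for r in roster}
    findings = {"leaver_enabled": [], "mover_excess_groups": {}, "orphan_account": []}
    for acct in accounts:
        rec = hr.get(acct.user)
        if rec is None:
            if acct.enabled:
                findings["orphan_account"].append(acct.user)
            continue
        if rec.status == "terminated" and acct.enabled:
            findings["leaver_enabled"].append(acct.user)
            continue
        # Anything beyond the current role's allowed groups is a stale entitlement.
        excess = acct.groups - ROLE_GROUPS.get(rec.role, set())
        if excess:
            findings["mover_excess_groups"][acct.user] = sorted(excess)
    return findings


if __name__ == "__main__":
    for category, items in reconcile(HR_ROSTER, DIRECTORY).items():
        print(f"{category}: {items}")
```

Running this against the sample data reports bob as a leaver with an enabled account, carol as holding the stale fin-approvers group, and dave as an orphan; alice holds exactly what her role allows and is not reported. Scheduling such a comparison daily replaces the manual checks the survey identifies as a source of improper access.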
v. Cost vs. value:
Issue:
- Too many organizations view the cost of cyber security as considerable.
- Organizations do not appreciate the benefits of the measures they already have.
- Organizations underestimate the potential cost of a cyber-attack.
Survey findings:
- 63% cite budget constraints as the main obstacle to making a contribution and delivering
value.
- 50% will see no increase in budget over the coming 12 months.
Implications:
- Organizations must assume that they are under daily cyber-attack; over time, attackers gain
experience and skills that make their attacks more successful, more severe and more targeted.
The next breach could be fatal.
1.3.1.1 The Security Operations Center (SOC):
A Security Operations Center (SOC) is a valuable starting point, because vital foundational
cyber security consists of the processes and technology that support the information security
function, and these are most effective when they are centralized, structured and coordinated.
It is concerning that over 40% of organizations in the survey do not have a SOC. For those that
do, the benefits of centralization are either not being realized, or not communicated or
understood by the organization.
Over half of the respondents could not answer the question about how well the SOC met their
business needs, answered "unknown", or said that the SOC did not interact with the business.
- How does your SOC ensure they are meeting the needs of business operations?
  Unknown: 36%
  Our SOC does not interact with the business: 22%
  Our SOC receives annual updates from the business to understand and address their concerns and risks: 12%
  Our SOC receives quarterly updates from the business so they can understand and address their concerns and risks: 10%
On the one hand, a lack of awareness is observed in the responding organizations about how to keep the SOC up to date. On the other, 50% of respondents could not answer the question, or do not know, how long it takes their SOC to initiate an investigation of an alerted incident. Before taking any step forward in improvements, organizations must be well informed about what the SOC does.
- How long does your SOC take to initiate the investigation of alerted incidents?
  Within 10 minutes: 12%
  Within 1 hour: 25%
  Within 4 hours: 13%
  Within 1 day: 13%
  Longer than 1 day: 4%
  Unknown: 33%
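A third of respondents could not say how long their SOC takes to pick up an alert, yet the figure is easy to measure once alert and case-opening times are recorded. The Python script below is an added example for this assignment (not from EY or from any SOC tool): it takes a constructed list of alert records, computes the delay between the alert being raised and an analyst opening an investigation, and buckets the delays into the same response categories the survey question uses. Alerts nobody has picked up go into an explicit "not investigated" bucket rather than being silently dropped, which is the failure mode that makes this metric misleading when it is computed only over closed cases. The alert IDs and timestamps are constructed sample data.

```python
"""Time-to-investigate metric for SOC alerts, bucketed as in the survey (added example)."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample alerts: (alert_id, raised_at, investigation_started_at).
# None means no analyst has opened an investigation yet.
SAMPLE_ALERTS = [
    ("A-1", "2014-06-02T08:00:00", "2014-06-02T08:04:00"),   # 4 minutes
    ("A-2", "2014-06-02T08:10:00", "2014-06-02T08:55:00"),   # 45 minutes
    ("A-3", "2014-06-02T09:00:00", "2014-06-02T12:30:00"),   # 3.5 hours
    ("A-4", "2014-06-02T09:30:00", "2014-06-03T07:00:00"),   # 21.5 hours
    ("A-5", "2014-06-02T10:00:00", "2014-06-04T10:00:00"),   # 2 days
    ("A-6", "2014-06-02T11:00:00", None),                    # never picked up
]

# Upper bounds of the survey's response categories, in ascending order.
BUCKETS = [
    ("within 10 minutes", timedelta(minutes=10)),
    ("within 1 hour", timedelta(hours=1)),
    ("within 4 hours", timedelta(hours=4)),
    ("within 1 day", timedelta(days=1)),
]
LONGER = "longer than 1 day"
NOT_INVESTIGATED = "not investigated"


def classify_delay(delay):
    """Map a timedelta to the first survey bucket whose upper bound it does not exceed."""
    for name, limit in BUCKETS:
        if delay <= limit:
            return name
    return LONGER


def time_to_investigate(alerts):
    """Return {bucket: count} for a list of (id, raised_at, started_at) tuples."""
    counts = Counter()
    for _, raised, started in alerts:
        if started is None:
            counts[NOT_INVESTIGATED] += 1
            continue
        delay = datetime.fromisoformat(started) - datetime.fromisoformat(raised)
        if delay < timedelta(0):
            raise ValueError("investigation cannot start before the alert is raised")
        counts[classify_delay(delay)] += 1
    return dict(counts)


def share_within(alerts, bucket_name):
    """Fraction of all alerts (including un-investigated ones) handled within the named bucket or faster."""
    names = [n for n, _ in BUCKETS] + [LONGER]
    cutoff = names.index(bucket_name)
    counts = time_to_investigate(alerts)
    hit = sum(counts.get(n, 0) for n in names[: cutoff + 1])
    return hit / len(alerts)


if __name__ == "__main__":
    for bucket, n in time_to_investigate(SAMPLE_ALERTS).items():
        print(f"{bucket:20s} {n}")
    print("within 1 hour or faster:", round(share_within(SAMPLE_ALERTS, "within 1 hour"), 3))
```

The denominator in share_within is every alert, not just the investigated ones, so an un-investigated backlog lowers the reported performance instead of hiding behind it; that is the number a manager should ask the SOC for, rather than the "unknown" that a third of the survey respondents gave.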
1.3.2 Adapt: this is the second phase, which adds the following features to the "Activate" level:
1.3.2.1 Built-in security: cyber security is considered and involved in every process and
development the organization undertakes. Any change in the business is immediately assessed
from a cyber security perspective, and any change in cyber security is built into all business
processes. As a result, cyber security is continuously kept up to date.
1.3.2.2 Focus on the changing environment: high-maturity cyber security continuously adapts to
ongoing changes in the business and its environment, for example going digital or using cloud
services. Cyber security must adapt to any change and development in the business in order to
defend the network from any new threat spawned by technology or business development.
1.3.2.3 A dynamic approach: the cyber security system is flexible, agile and under constant
revision. It is adapted to protect the overall business transactions.
i. Cycle of improvement: the approach to adaptability:
The following are examples of change that an organization might undergo:
- Integrating new technologies (cloud, social media, etc.) into business processes.
- The exponential rise of mobile devices (BYOD, etc.), blurring the lines between the business
and personal worlds.
- The rise in managed services and remote hosting, with greater reliance on complex apps
(many hosted remotely).
- The integration of control infrastructure with the back office and the outside world.
- A rapidly changing regulatory environment and requirements.
Therefore, organizations must deal with an endless cycle of threats and challenges, which
requires the adoption of endless development and evaluation of their changing cyber security
capabilities.
This is where the security system becomes significant: it enables organizations to manage this
cycle in an efficient and effective manner, and they benefit from embracing new or different
security opportunities which, in turn, enable the business and save cost.
EY Global provided the following exhibit that best explains the improvement cycle:
ii. Running backwards to grasp reality:
Keeping cyber security measures in optimum alignment with the business is very important in
order to get ahead of cybercrime.
This survey finds the following:
- 13% of the responding organizations report that their security system fully meets their
organization's needs; compared to the last survey, this percentage is lower (17% in 2013).
- 63% of the responding organizations report that their security system partially meets their
organization's needs; compared to the last survey, this percentage is lower (68% in 2013).
These results show that organizations must pay more attention to cyber security; using the
improvement cycle will help them get back on track.
The survey also illustrates why cyber security measures are not meeting the needs of so many
organizations, for example in breach detection:
- What statement best describes the maturity of your breach detection program?
  We don't have a breach detection program: 12% (2013), 16% (2014)
1.3.3 Anticipate: to reach this stage, the following steps should be taken.
1.3.3.1 Built-beyond security: be alert, ready to act and able to respond quickly, in a
balanced manner. Management accepts cyber-attacks and cyber risk as a core business issue, and
cyber security capabilities are part of a dynamic decision process.
1.3.3.2 Focus on the future environment: know your internal and external environment in order
to estimate the likely sources of cyber-attacks.
1.3.3.3 Proactive approach: be confident in your incident response and crisis response
mechanisms.
- Which statement best describes the maturity of your threat intelligence program?
  We do not have a threat intelligence program: 36%
  We have an informal threat intelligence program that incorporates information from trusted third parties and email distribution lists: 32%
  We have a formal threat intelligence program that includes subscription threat feeds from external providers and internal sources, such as a security incident and event management tool: 17%
  We have a threat intelligence team that collects internal and external threat and vulnerability feeds to analyze for credibility and relevance in our environment: 10%
  We have an advanced threat intelligence function with internal and external feeds, dedicated intelligence analysts and external advisors that evaluate information for credibility, relevance and exposure against threat actors: 5%
- Compared to the previous year, does your organization plan to spend more, less or relatively the same amount over the coming year for the following activities?
  Activity: Spend more / Spend the same / Spend less
  Business continuity/disaster recovery resilience: 41% / 53% / 6%
  Cloud computing: 39% / 54% / 7%
  Data leakage/data loss prevention: 41% / 53% / 6%
  Forensics support: 11% / 80% / 9%
  Fraud support: 14% / 78% / 8%
  Identity and access management: 39% / 53% / 8%
  Incident response capabilities: 33% / 60% / 7%
  Information security transformation (fundamental redesign): 25% / 64% / 11%
  Insider risk/threats: 19% / 74% / 7%
  Intellectual property: 12% / 78% / 10%
  IT securing and operational technology integration: 30% / 63% / 7%
  Mobile technologies: 46% / 47% / 7%
  Offshoring/outsourcing security activities, including third-party supplier risk: 21% / 68% / 11%
  Privacy measures: 19% / 73% / 8%
  Privileged access management: 29% / 63% / 8%
  Securing emerging technologies (e.g., cloud computing, virtualization, mobile computing): 43% / 50% / 7%
  Security architecture redesign: 24% / 66% / 10%
  Security awareness and training: 37% / 54% / 9%
  Security incident and event management (SIEM) and Security operations center (SOC): 34% / 58% / 8%
  Security operations (e.g., antivirus, patching, encryption): 29% / 64% / 7%
  Security testing (e.g., attack and penetration): 33% / 59% / 8%
  Social media: 11% / 78% / 11%
  Third party risk management: 18% / 74% / 8%
  Threat and vulnerability management (e.g., security analytics, threat intelligence): 34% / 59% / 7%
It is very logical that organizations seek to learn from the past and prepare for the future;
therefore, organizations must keep up to date with all the threats that have attacked others in
the same industry, and should be informed about new threats, new trends in attack types, and the
methods, tools and techniques for dealing with them. It is vital to keep these organizations
informed about emerging technologies and to keep exploring opportunities for the business while,
at the same time, keeping an eye open for new risks and vulnerabilities. The 2014 survey shows
that most organizations are preoccupied with their current state and are not looking to the
future, and this is what can be read in the above graph.
- How do you ensure that your external partners, vendors, or contractors are protecting your
organization's information?
  Assessments performed by your organization's information security, IT risk, procurement or internal audit function (e.g., questionnaires, site visits, security testing): 56%
  All third parties are risk-rated and appropriate diligence is applied: 27%
  Accurate inventory of all third-party providers, network connections and data transfers is maintained and regularly updated: 27%
  Independent external assessments of partners, vendors or contractors (e.g., SSAE 16, ISAE-3402): 27%
  Self assessments or other certifications performed by partners, vendors or contractors: 34%
  Only critical or high-risk third parties are assessed: 24%
  Fourth parties (also known as sub-service organizations) are identified and assessments performed (e.g., questionnaires issued, reliance placed on your vendor's assessment processes): 8%
  No reviews or assessments performed: 13%
This survey was conducted by EY Global Information between Jun. 2014 and August 2014. More
than 1,800 organizations responded to this survey across all major industries and in 60
countries.
There are five suggested steps that an organization must take to implement the "Anticipate"
stage:
- An intelligence strategy must be designed and implemented to define cyber threats.
- An extended cyber security ecosystem must be designed and encompassed.
- Take a cyber-economic approach.
- Utilize forensic data analytics and cyber threat intelligence.
- Ensure everyone (all employees) understands what is happening in the world of cyber threats.
2. Sony Corporation:
Sony Corporation, referred to as Sony, is a Japanese conglomerate corporation located in Kōnan,
Minato, Tokyo, Japan. It has a diversified business, but it focuses on the electronics,
appliances, entertainment and computer sectors.
Sony is one of the leading manufacturers of electronic products, and it is ranked 105th on the
2014 list of the Fortune Global 500.
Sony Corporation is the electronics unit, as a business field, and the parent company of the
Sony Group, which includes four operating segments: electronics (including video gaming,
network services, and medical business), motion pictures, music, and financial services.
2.1 Financial details and human resources till 2014 (1):
- Operating income ($/Trillion): 0.0002182
- Net income ($/Trillion): 0.0010573
- Total assets ($/Trillion): 0.1262922
- Total equity ($/Trillion): 2.258
- Number of employees (31st Mar. 2014): 140,900
1 http://en.wikipedia.org/wiki/Sony
2.2 Shareholders as of Mar. 31st, 2012 (2):
- Japan Trustee Services Bank, Ltd. (trust account) – 7.0%
- Moxley and Company (depositary bank for ADRs) – 6.7%
- The Master Trust Bank of Japan, Ltd. (trust account) – 5.1%
- SSBT OD05 Omnibus China Treaty 808150 – 2.4%
- Japan Trustee Services Bank, Ltd. (trust account 9) – 2.1%
- State Street Bank and Trust Company – 1.2%
- Japan Trustee Services Bank, Ltd. (trust account 1) – 1.0%
- State Street Bank and Trust Company 505225 – 1.0%
- Japan Trustee Services Bank, Ltd. (trust account 6) – 0.9%
- Mellon Bank (for Mellon Omnibus US Pension) – 0.9%
2.3 Sony sales and distribution per region as of 2009 (3):
Geographic region – Total sales in USD:
- Japan – 15,429.01
- United States – 20,693.26
- Europe – 19,007.33
- Other areas – 16,813.19
3. Security attack on the Sony PlayStation Network:
3.1 Background:
In 2011, a Sony PlayStation Network outage caused by an external intrusion affected the
PlayStation Network (the online gaming system for the consoles) and the Qriocity service
(on-demand streaming music); the personal profiles of 77 million accounts were compromised,
and users were left unable to use their PlayStation 3 and PSP consoles online.
The intrusion took place between Apr. 17th and Apr. 19th, 2011; Sony was obliged to turn off
the network on Apr. 20th. Sony Corporation then confirmed that 77 million users' details had
been exposed; the outage lasted 23 days.
2 http://en.wikipedia.org/wiki/Sony
3 http://en.wikipedia.org/wiki/Sony
Given the duration of the outage and the number of accounts exposed (77 million), this breach
was one of the 15 largest breaches of the 21st century according to CSOonline.com (4); compared
to the 2007 hack of TJX (one of the largest apparel and home-fashion companies in the US), which
affected 45 million customers, the 2011 Sony PlayStation hack was larger.
On April 26th, Sony Corporation stated that it would get the service back on within a week;
then, on May 14th, a PlayStation 3 firmware version was released as a security patch, in order
to force users to change their password upon signing in, but the service remained turned off.
The restoration of the service was announced regionally by the Sony Corporation CEO, and a map
of regional restoration was issued; initially the service was restored in the United States.
3.2 Services affected by the outage:
- PlayStation and PSP online play
- Online verification and downloaded games
- Access to Music Unlimited powered by Qriocity for PS3/PSP for existing subscribers
- Access to account management and password reset
- Access to download un-expired Movie Rentals on PS3, PSP, and MediaGo
- PlayStation Home
- Friends List
- Chat functionality
On May 1, Sony Corporation announced that the above services were back, together with a
"Welcome Back" program for customers affected by the outage.
3.3 Case investigation:
4 http://www.csoonline.com/article/2130877/data-protection/the-15-worst-data-security-breaches-of-the-21st-century.html
The case was diagnosed as a DDoS (distributed denial of service) committed by an external
intruder, "a hacktivist", who also committed data theft and caused Sony to close the PlayStation
Network, which constituted "a criminal cyber-attack".
Sony announced in a blog post that the case had been forwarded to law enforcement, and that a
technology security firm had been engaged to conduct a complete investigation.
Data Forte was added to the investigation team of Guidance Software and Protiviti (a finance
and staffing firm) to analyze the attacks, while the legal side of the case was forwarded to
legal agents.
Once the breach was identified, Sony conducted an internal investigation and reported it in a
letter to the United States Congress.
3.3.1 George Hotz and Anonymous:
During 2010 and early 2011, George Hotz, "the hacktivist", appeared with the intention of
breaking into the Sony PlayStation Network.
The hacking group fail0verflow is known in the consumer electronics field for reverse
engineering security models. In an academic presentation, they presented the methods through
which they had successfully penetrated the device's security model, yielding the root signing
and encryption keys; these keys are the essential element of a full breach, as they make it
possible to install new software on any PlayStation 3 unit.
In Jan. 2011, Hotz posted these PlayStation 3 keys on his website; they were later removed
from his website as a result of legal action taken by Sony.
At the end of Apr. 2011, an anonymous hacker broke into the PlayStation Network and stole the
personal information of 77 million users; 10 million of these users had their credit card
details on file.
Sony accused Hotz of doing so, but Hotz denied it.
Sony reacted to this intrusion by asking a computer security company to investigate it. Once
Sony came to believe that its customers' details were exposed to theft, it employed a second
specialist, the U.S. Federal Bureau of Investigation, which launched a criminal investigation.
3.4 Case impact:
Sony had not determined the real impact of this case, as stated in many sources. According to
the case scenario, this malicious attack could have exposed the details of all users registered
on the PlayStation Network, a total of 77 million users.
3.4.1 Users' impact:
77 million users' data were exposed, and 10 million users had their credit card details attached
to the PlayStation Network, although Sony confirmed that no credit card company had reported
any abuse of their customers' cards.
3.4.2 Financial impact (5):
Sony took several actions in response to this cyber-attack: it needed to compensate the users,
pay investigation expenses, and reinforce its defenses.
3.4.2.1 Compensation to users:
1. The "Welcome Back" program, together with "selected PlayStation entertainment content"; the
program offered 30 days' free PlayStation membership to all PSN members.
2. Sony announced two PlayStation 3 games and two PSP games as a free offer.
3.4.2.2 Government reaction:
What happened on the PlayStation Network was a malicious act that caused the theft of
individuals' data. Authorities around the world stated that Sony Corporation would be
questioned, and that an investigation had to take place to judge whether Sony had taken
adequate precautions to protect customer details. Under the UK's Data Protection Act, Sony was
fined £250,000 ($264,388) for the breach.
5 http://en.wikipedia.org/wiki/2011_PlayStation_Network_outage
3.4.2.3 Legal action against Sony:
In Apr. 2011, a user on behalf of all PlayStation users in USA, has conducted a lawsuit against
Sony, accusing failure to encrypt data and establish adequate firewalls to handle a server
intrusion contingency, and Sony failed to prompt and adequate warnings of security breaches, as
well as the delay of getting back the PSN service online.
3.4.2.4 Credit card fraud:
Not a single case of credit card fraud related to the outage was formally reported, although
there were reports on the net that some PlayStation users had experienced credit card fraud.
Approximately 12.5 million of the 77 million users had their credit card details registered in the
PSN.
3.4.2.5 Overall impact:
The impacts above translated into the following hard costs:
- 77 million users were affected; 12.5 million had their credit card details registered in
PSN.
- 171 million dollars in hard costs.
- 250 million dollars in additional hard costs through the end of 2012, for user retention and
compensation, cleaning up the mess, and reinforcing the defenses.
4. Enhancing the organization’s information system security:
Information system security policies coexist with threats; in the absence of threats, policies
would not exist. Threats always come first, and policies are created later as a response to
them; the policies then provide a framework for selecting and implementing measures against
these threats. A written policy obliges everybody in an organization to behave in a manner
consistent with information security.
The main task of a security policy is to define the objectives of the information system and, at the
same time, to outline a strategy to achieve these objectives. By contrast, an information
system without a security policy is likely to end up as a disjointed collection of countermeasures
that address a variety of threats.
Policies, standards, guidelines, and training materials that are obsolete and not enforced are
particularly dangerous to an organization, because management is often misled into believing that
the security policies are being applied and that the organization is operating more effectively than
it actually is. Therefore, every organization must test and review them, and then remove any
obsolete rules, controls, and procedures to avoid this false sense of security.
4.1 Management Commitment:
This commitment is essential to security: it motivates information resource owners and users,
and it provides the visibility the information system security team needs to secure the
support of the business units. Since there is little natural motivation for security, other than actual
loss experience, management commitment to information security is the most important factor in a
successful security system.
In a computing environment, management commitment can be demonstrated to end users and
systems staff through the managers’ practices and performance reviews.
Computer and systems training, guidelines, and practices should be signed off and approved by
the local authority, mainly the managers who decide and issue rewards and penalties.
Management support of security gives the information system security team visibility and
fosters a good relationship with the higher levels of management, especially the senior managers of
information-intensive business units; without this kind of support, the security team is less able to
fulfil the role of information security.
When a loss occurs, obtaining visibility for information system security becomes a must.
The loss is an abrupt motive to improve the security system; the business units must
learn from this experience and will be able to forecast more risk sources. By expanding the
knowledge of the security team, cyber-attacks will have a less severe impact on the organization’s
network.
Another way to obtain visibility is for the information systems security team to publish lists of
business units ranked by the quality of their information security. This reinforces the security
level within the business units that take an active role in information system security and
motivates the other units that do not show a high level of security achievement.
4.2 Management oversight committee:
There are two approaches to overseeing information systems security: some organizations have a
dedicated management oversight committee, while others include security issues in general
oversight committees for technical and administrative concerns. In both cases, IT services and
corporate security are represented, but this does not cover information systems security for a
distributed computing environment. In that case, the organization needs to expand or reorganize
the existing committees to represent the needs of distributed computing. The members of this
committee should be managers of business units actively engaged in the distributed
computing environment, as well as managers who rely on external data communications,
such as sales and services. The committee is responsible for reviewing, approving, and distributing
corporate policies and standards. To increase the effectiveness of this committee, at least one of
its members should have regular access to the senior managers of the organization.
4.3 Policy development responsibilities:
Policy development is a main task of the information systems security group or of the IT policies
and standards group, which drafts appropriate policies and policy updates. Some organizations
assign this responsibility to the management oversight committee, but the responsibility is not
given to a third party, since the style and form should be consistent with existing policies and
should reflect the corporate culture.
So the team assigned to draft the policies should be familiar with both current
technologies and the corporate culture in order to make intelligent decisions. Knowledge of the
technologies requires an understanding of both the security capabilities and the limitations of
technological solutions for protecting the organization against threats, while understanding the
corporate culture allows the policy development team to design an information systems security
policy that can best ensure compliance.
Before the team drafts the policies, it should check the best practices and experience of similar
organizations in the same industry; it can then outline an effective policy. Some organizations in
the same field may face threats that differ from those attacking others, because of their
surrounding environment, economic factors, and the information systems security model applied
in the organization.
4.4 Policy acceptance:
User awareness, education, and participation are key factors in gaining policy acceptance.
These factors can be promoted through information systems security marketing. The objective of
security marketing is to inform, educate, and persuade the business units and users to engage and
to bring suggestions to the management oversight committee6.
In fact, external and internal threats do not by themselves lead to compliance. This is where the
security marketing team comes in: it must effectively communicate the roles and responsibilities of
the business units and users with respect to information systems security. Otherwise, the innocent
competing behavior of the business units and of information systems security users can lead to
disasters.
Even if the security policies are impeccable and never change, their performance and
effectiveness still need to be monitored, in addition to the updates and development based on loss
experience and on other organizations’ experiences. This improvement must be applied in
coordination between the business units and the information systems security team, focusing on
business practices that allow the organization to reach its objectives optimally.
Since a security policy cannot predict future threats or future malware mechanisms, it is
important that there is a widespread understanding of the underlying principles of the
organization’s information systems security policies.
Information systems security policies must be understood and practical in order to be
effective. Policy acceptance depends on the policy’s inherent ability to define which behavior is
acceptable and which is not, with respect to information systems security. The policy must define
who holds responsibility, what the basic information systems security policies are, and the
reasons for the policies. Arbitrary policies will become obsolete and ignored, while a clear,
concise, coherent, accurate policy that sets user information handling expectations is more likely
to be followed.
Finally, the security marketing team is mandated to make the policies easy to access, easy to
implement, and clear enough to be followed by the business units and users. Another issue is
automating the process by which the organization disseminates the information contained in its
security policies in order to educate its user community.
6 SANS Institute, Developing effective information system security policies, p.5
4.5 Importance of policy:
Policies serve as terms of reference (ToR) that inform the members of an organization of
their mandatory responsibilities for protecting the information systems; in addition, these policies
define the proper mechanisms for implementing these responsibilities.
Information systems security policies provide the foundation for acquiring, configuring, and
auditing information systems for compliance with the policy.
Significantly, policies are more important in a distributed computing environment than in a
centralized computing environment because of the increased challenge of restricting activity
from a remote location. Such policies must be clear and legible to reduce the effort the
organization needs to spend on explanation and instruction. Policies should be confined to
general concepts rather than specific controls: for example, a policy stating “each computer user
must be authenticated by an acceptable method” is better than the more specific policy stating
“each computer user must be authenticated by a six-character password”, since the general policy
does not need to be changed when the specific control changes.
Policy is also important in distributed computing environments as a means of
establishing security discipline for a large, diverse group of users and business units that are
generally reached only through formal communication and audit.
5. Conclusion:
The survey combines the information systems security concept and report with the
implementation of information systems security within the participating organizations.
In previous surveys, “employees” were seen as the most likely source of an attack; in the 2014
survey, “employees” are still seen as a significant risk. The issue of “employees” being the most
likely source of cyber-attack has two extremes:
- Employees are the users of information systems security: they lack skills and have no
rapport with the business units. They are not educated on how to deal with a risk at the
time it is discovered and before the loss inflates, and they are not familiar with cyber-attack
mechanisms, with the loss experience of other organizations in the same field, or with best
practices for stopping intrusions and mitigating risks. The communication gap between the
information systems security users and the business units will expose an organization to
more risk sources and more severe losses in its business model. The best example of this gap
is the experience of Sony Corporation: it suffered a hacking activity in Apr. 2011 that caused
the outage of the PlayStation online gaming network and several other services, and then
underwent another hacking activity at Sony Pictures Entertainment in 2014 following a
similar scenario. As the experts who analyzed the root cause of this intrusion noted, Sony has
more than 140,000 employees and more than 100 subsidiaries globally, but its security team
could not manage the whole corporate network, so there was no centralized management of
security event information7.
- Employees come from the same organizational culture; they are familiar with network
vulnerabilities, and if they do not have a high level of loyalty to the organization, or some of
them are simply crooks, the organization might face a heavy flow of cyber-attacks from
inside and outside.
However, for the first time, we found that when the different types of external attacker were
combined (criminal syndicates, state-sponsored attackers, hacktivists and lone wolf hackers),
these threats were considered significantly more likely as a risk source, and nearly all
our respondents included one or more external attackers in their rating.
In order to implement information systems security in your organization, there are three stages
to go through:
Activate: Organizations need to have a solid foundation of cyber security. This
comprises a comprehensive set of information security measures which provide basic
(but not good) defense against cyber-attacks. At this stage, organizations establish their
fundamentals.
Adapt: Organizations change, whether for survival or for growth. Threats also change.
Therefore, the foundation of information security measures must adapt to keep pace with
the changing business requirements and dynamics; otherwise they will become less
and less effective over time. At this stage, organizations work to keep their cyber security
up to date.
7 John Gaudiosi, Why Sony didn't learn from its 2011 hack (photograph by Tomohiro Ohsumi, Bloomberg/Getty Images)
Anticipate: Organizations need to anticipate potential cyber-attacks. They must know exactly
what they need to protect (their ‘crown jewels’), and rehearse appropriate responses to likely
attack and incident scenarios (including accidents); this requires a mature cyber threat
intelligence capability, a robust risk assessment methodology, an experienced incident response
mechanism, and an informed organization. At this stage, organizations are more confident about
their ability to handle both predictable threats and unexpected attacks.
Sony Corporation is a leading company and one of the participants in the 2014 survey; it had a
bad experience in 2011, and that cyber-attack is ranked as one of the 15 worst intrusions of the
21st century. Sony bore hard costs to recover and to retain its customers.
Information systems security as a system alone is not sufficient to fight cyber threats; there must
be policies to enhance the security level. These policies define risks, educate and train users and
business units, and assign tasks and responsibilities to users and business units according to the
organization’s strategy.
A policy will be accepted if it is direct, clear, objective, precise, and easy to understand. In
order to enforce these policies, the information systems security role should have direct
contact with senior management. The importance of the management oversight committee is to
keep senior management close enough to the information systems security procedures,
implementations, and policy adherence.
6. References:
EY Global Information Security Survey 2014.
2011 PlayStation Network outage. http://en.wikipedia.org/wiki/2011_PlayStation_Network_outage
"Kazuo Hirai's Letter to the U.S. House of Representatives".
Mochizuki, Takashi (2010-04-07). "Japan Restart of Sony Online Games Services Not Yet Approved". FoxBusiness.com. Retrieved 2011-06-02.
"Console Hacking 2010: PS3 Epic Fail".
George Hotz. http://en.wikipedia.org/wiki/George_Hotz
Sony. http://en.wikipedia.org/wiki/Sony
Gaudiosi, John. "Why Sony didn't learn from its 2011 hack".