Policies And Procedures For The Sony Cyber Attack Essay.

Timeline of Events

Discuss About The Policies Procedures For Sony Cyber Attack?

A cyber attack was faced by the Sony PlayStation on 11^th April in the year 2011. The data breach hacked all the personal details of at least seventy seven million users and their access was also lost (Garrie and Mann 2014). The personal details that were lost included the user name of the customers, their residential addresses, email addresses, date of births, passwords of PlayStation and their usernames. The profile data of PlayStation, their history of purchase and their billing addresses with all the security questions were also hacked. The worse situation was that Sony was not able to understand if the details of their customer’s credit cards were also breached or not. All the details of case is stated in this report.

This report elaborates the details of the Sony PlayStation cyber attack. It gives a detail view on the scenario including the time line, the person mainly responsible for the data breach and the company’s response related to the data breach. It also deals with the implications of the cyber security attack that was faced by Sony. The related policies and the procedures that can be initiated by the company to mitigate the attack on the cyber space of Sony PlayStation. And lastly a personal review is given what is cyber security about and a clear review on cyber security.

Six years before from now, in the year 2011 PlayStation Network of Sony Company faced a data breach which hacked all the personal details of at least seventy seven million users and their access was also lost (Shackelford, Fort and Charoen 2016). This data breach of hacking the data of PlayStation was considered as the largest hacking that was ever faced by the gamers in the world. The impact of the data breach that happened resulted in- as short term impact to stop access of all the online services of PlayStation for weeks and as long term impact Sony had to gain the trust of the customer back.

The story began with the hacktivist group that was umbrella termed which made the attack on Sony PlayStation with DDOS (Distributed Denial of Services) attacks. The attack had made the PlayStation of Sony to come down to its knees several times in the year 2011, April to privacy breach (Kirsch 2014). The PlayStation 3 of Sony was hacked by George Hotz, an American developer on 2^nd January 2011. Sony made unforgiveable legal actions against Hotz which made the anonymous very upset. The anonymous group said that the information which Hotz gave was very useful about how to run games that were pirated, way of running homebrew software. The anonymous group declared that they were stopping the attack as because their intension was not to attack the gamers of the Sony PlayStation (Prakash and Dasgupta 2016). Their main motive was only to attack Sony. But again on April 19 2011, PlayStation was again hit by the group of anonymous people. This time the attack was more dangerous.

Implications of the Cyber Security Attack

After two days of the attack, Sony got to know that the attack was done and declared the PlayStation as offline. On April 21, Sony tweeted to all its users that the PlayStation was facing some of the problems regarding the online network services and it will remain unavailable until further notice (Chatfield and Reddick 2017). They also said that their support teams were investigating the problem cause which included all the outside parties. Their engineers are trying to solve the problems as soon as possible and regain the services. After working for five days Sony declared that the PlayStation would not come online for three weeks more. The customers could not come online before 48 hours as was declared by Sony (Gupta, Vashisht and Singh 2016). The next day, on 24^th April, Sony again apologized for the time it is taking to regain and declared that a severe problem has taken place and investigations are going on regarding its network. Sony has not confirmed that the personal data of their customers were at risk. A week after the accounting, Sony came to know the actual cause of the problem they were facing (Watkins et al. 2015). The engineers of Sony kept on working for hours and their customers were reassured continuously. On 26^th April, Sony finally declared about the data breach that has actually taken place. They announced that the personal data, credit card number of millions of people were lost. Sony admitted that they were still investigating on the incident and are trying to resolve the problem as soon as possible.

The personal details that were lost included the user name of the customers, their residential addresses, email addresses, date of births, passwords of PlayStation and their usernames (Rao, Chen and Dhillon 2014). The profile data of PlayStation, their history of purchase and their billing addresses with all the security questions were also hacked. The worse situation was that Sony was not able to understand if the details of their customer’s credit cards were also breached or not. Sony tweeted to their customers that the details of their credit cards may also be lost if they have provided them to the network site (Chaisiri, Ko and Niyato 2015). This made their customers more tensed about the data breach. Because all the systems of Sony failed they were not able to communicate with their customers. They could only aware the PlayStation users after one week of the attack that had taken place. All the posts that were posted on the chat logs by the hackers were all declared by Sony. The hackers insulted the outdated security of Sony (Carley and Morgan 2016). This was considered as the biggest security breach. Sony also had to give clarification about why it took a so much long time to inform its customers about the data breach that had taken place. On this regard the director of Sony Patrick Seybold explained there is a difference between the situation about when the company faced the intrusion and about when they got to learn that the details of the customers were at risk (Crimmins et al. 2015). On 19^th April, the company came to know about the intrusion that had taken place and all the services were shut down immediately. Experts were bought from outside to look into that matter and declare the scope of incident. It took several days to analyze the situation and after all these investigations, it was known that the customer’s information were at risk. They shared the news of data breach as soon as they got to know with all their PlayStation customers.

Related Policies and Procedures

After Sony announced the occurrence of data breach, the user of PlayStation tried to change their passwords of their account. They were unavailable to change their passwords as because the servers were all closed. After the identification of data breach, first class action of lawsuit was filed in between 24 hours (Balushi, Ali and Rehman 2016). Analysts worked on how to regain the trust of the customers which was the huge task for Sony at that time. No users would trust Sony because of the data breach that had taken place. The PlayStations remained offline during those days when analysis was going on. The government of United Kingdom promised and weighed an investigation from the commissioner’s office. Head of Sony Company had posted an open letter seeking apology to the customers about the intrusion that has taken place. Till date, there was no information about the details of credit cards of users was stolen or not (Pournouri and Craven 2014). They were still working on that sector which made the users of PlayStation more worried. New strategies of maintaining the security of the cyber space was implemented by Sony on May 1^st 2011. More apologies were also offered to the customers of PlayStation of Sony (Bradshaw 2015). On a compensation basis, the owners of PlayStation 3 and PlayStation 4 were offered with two games free per systems with an additional offer of subscription of free PlayStation Plus for a month. Sony also promised to have a protection on identity theft free for a year. The offer pleased the customers to some extent.

The data breach that took place in Sony PlayStation created a danger and a burden to the enterprises of America (Chamotra, Sehgal and Ror 2016). The previous data breaches, Home Depot and Target that took place were not such vulnerable as the data breach that took place in 2011. The attacks that took previously mainly related with less damage that was mainly related to repair the relationships with the harmed parties. A lawsuit was auctioned from the customers or the employees whose personal data was breached and the networks were strengthened to prevent the network from further attack (Mangla and Panda 2013). The data breach that took place in 2011 was very different from all the other data breaches that took place regarding the PlayStations of Sony. The user of PlayStation tried to change their passwords of their account (Deibert 2014). They were unavailable to change their passwords as because the servers were all closed. The impact of data beach lead to hacking of 77million PlayStation, which lead to a loss of 171 million dollar and also the Sony PlayStation website, was down for almost a month. Out of the 77 million hacked accounts, 12 million user’s credit cards were encrypted. The impact of the hack lead to access of the full names, e-mails, home addresses, credit card numbers, PlayStation login details and the passwords of all the 77 million users.

Personal Review on Cybersecurity

On 4^th May, Sony reported on the Blog of PlayStation about all the queries that the customers were having (Bou-Harb, Debbabi and Assi 2014). They said that they were following four principles regarded to the data breach that has taken place in their PlayStations. The principles were

1. Act with caution and care.
2. The related and valid information were provided to customers after the verification of breach.
3. Their obligations to their customers were Sony’s responsibility.
4. Work with the authorities of law enforcement.

The attack of data breach on the PlayStations of Sony happened 19^th April, 2011. Sony posted a blog on 26^th April explaining why it took such a long time to give their PlayStation users information about the data theft (Karanja 2017). They said that there is a difference between the situation about when the company faced the intrusion and about when they got to learn that the details of the customers were at risk. On 19^th April, the company came to know about the intrusion that had taken place and all the services were shut down immediately. Experts were bought from outside to look into that matter and declare the scope of incident. It took several days to analyze the situation and after all these investigations, it was known that the customer’s information were at risk (Zarate 2015). They shared the news of data breach as soon as they got to know with all their PlayStation customers.

As a conclusion, Sony had to face criticism in many sectors in regards the data breach that had taken place. Firstly Sony delayed in giving warning about the data breach that had taken place. Up to one week, they had no idea about what had actually happened. They came to know about the occurrence of data breach after one week it had already occurred. Even after that they had no clue about the credit card credentials of the customers. These lead to second criticism of the company (Dwyer 2015). The company was unable to detect about what number of details were actually lost in the data breach. The full names, e-mails, home addresses, PlayStation login details and the passwords of all the 77 million users were already stolen but they were not sure about the credit cards details of the PlayStation Users. Thirdly the British Information Commissioner Office also criticized Sony for not keeping the details of the users safe (Selznick and LaMacchia 2016). They said that if a company owns the personal details of their users, then it is the duty of the company to look at their security first and Make the security more prominent and strong.

On a compensation basis, the owners of PlayStation 3 and PlayStation 4 were offered with two games free per systems with an additional offer of subscription of free PlayStation Plus for a month. Sony also promised to have a protection on identity theft free for a year. The offer pleased the customers to some extent.

A lawsuit was proposed in regarded to the PlayStation data breach of Sony. Adequate encryption process and firewalls were suggested to use in the network system of Sony PlayStation (Trusky 2016). Legal actions were also taken against Sony for not keeping the details of the users safe. They said that if a company owns the personal details of their users, then it is the duty of the company to look at their security first and Make the security more prominent and strong.

The policies that can be considered to cover the gap of cyber security in Sony PlayStation have new sets of insurance products that can help to cover the risks. Companies are available that provide insurance policies to control the risk factor of related to cyber space in PlayStation of Sony. To fill the drawback that Sony have in regards with the security of their PlayStation user can be fulfilled by the insurers that provide policies of cyber risk (Marshall and Rimini 2015). The policies that are offered by the insurance companies are data compromise coverage, network risk, data coverage of the computer systems and also other cyber liabilities. Policy related to Network Protection and internet Liability are the standard policy that are promulgated by the company of insurance that provide security to the companies that needed insurance. The menu based policies that are included in the agreement of ISO are:

Liability regarded with publishing website

Liability that are regarded to network security

Restoration and replacement of data

Cyber extortion

Expenses and incomes of the company

Data breaches have become very common in this present digital world. To save the money and the valuable information of the customers of PlayStation, Sony should introduce some data breaches security. The impact of data beach lead to hacking of 77million PlayStation, which lead to a loss of 171 million dollar and also the Sony PlayStation website, was down for almost a month. Out of the 77 million hacked accounts, 12 million user’s credit cards were encrypted (Kelic et al. 2013). The impact of the hack lead to access of the full names, e-mails, home addresses, credit card numbers, PlayStation login details and the passwords of all the 77 million users. To save all these information, insurance companies should be hired so that the data can be kept safe. The policies that should be followed in maintaining the cyber space threats are:

The policy that is related with the cyber security of Sony PlayStation can range from a single sheet and can be extended up to a fifty page documentation that arise awareness of the users. The document should consist of all the policies from setting up of a secure network to maintenance of the network. If a robust plan is to be made to secure the network of Sony PlayStation, then the document explaining all the policies of the company should be clearly made (Bradshaw 2016). The institute on SANS provides templates to create such policies. The cyber security policy of the Sony should always be documented, maintained and reviewed on regular basis. All the important areas of Sony PlayStation that are related to network should be clearly mentioned in the policies.

Taking help of the federal government gives a roadmap to develop the cyber security plan of Sony PlayStation. The company should work within the law of the government (Sree and Bhanu 2016). Such organizations known as the HIPAA security rule are used to implement and maintain the procedures and policies for protecting technology and data of Sony PlayStation.

The company should have well maintained policy for maintain the infrastructure of the company. This provides Sony to create a safe guard against the security of the company. They must ensure their PlayStation users a safe and secure network data transfer. The information that is controlled by the policy of the cyber security is as:

• The types of security program that is to be implemented building of a secure and safe network. The layered security of the environment must be protected by using firewall, anti exploit software, anti malware and also antivirus.
• To put a limit a limit on the attack on the surface and to plug the vulnerabilities of the applications, patches and updates are to be applied by Sony PlayStation. Correct frequency should be set and other updates should be done that are enclosed in internet applications.
• All the data should be automatically backed up by some implemented software. Such software should be implemented by Sony to keep a backup of all the data of their users of PlayStation.

The policies should clearly mention the responsibilities and the roles of the employees (Aviles 2015). The policies that are included are: the person who issued the policy and person who is responsible to maintain those policies, the person responsible for policy enforcement, the person responsible for giving training on awareness of security, the person responsible for resolving the incidents of security and the way to control them and lastly the person responsible to control and right of the admin.

The priority should be given to all the functions that are related to security control of Sony PlayStation. The targeted threats are increasing day by day in this present world of digitization. The security functions mainly emphasize on what to do to mitigate the control of cyber security that comes on Sony PlayStation (Wilkinson 2013). The SANS Institute provides security mitigation control to all such organization that needs the help of for mitigating the risk on cyber security. Such 20 areas are mentioned where controls for mitigating risks are needed by the SANS institute. They are as follows:

For software and hardware secure configurations must be done on laptops, workstations, servers and mobile devices

Unauthorized  and  Authorized Devices inventory

Unauthorized  and  Authorized Software inventory

Continuous Remediation and Assessment Vulnerability

Security of Application Software

Capability to Recover Data

Malware Defenses

Control  on Wireless Access

To Fill the Gaps Proper Training is given and Assessment for Security Skill is done

Network Devices must have secure configurations such as Routers, Switches and Firewalls

Administrative Privileges should be used in a controlled way

Control and Limitation of Protocols, Network Ports and Services

The need to know are based on Controlled Access

Data Protection

Management and Response of the Incident

Penetration Tests and also Exercises of Red Team

Engineering  related to Secure Network

Analysis, Monitoring and Maintenance of Audit Logs

Controlled Access

Boundary Defense

Table: Critical Control by SANS Institute

The Sony PlayStation should adopt all the 20 areas of mitigating the control risk so that the data breach does not take place in future. There are steps that are approached by SANS Institute to reduce risk with the control measures are stated as follows:

Step 1:	The assessment of initial gap is performed which determines what is to be implemented
Step 2:	A roadmap is developed that are used to select specific controls and implement all the phases.
Step 3:	Control of First phase is implemented that identifies the tools to repurpose and utilize fully.
Step 4:	Control must be integrated to operations that focuses mainly on mitigation and monitoring and also proposes new processes.
Step 5:	Manage and Report all the progress that is implemented against the roadmap that was developed in step 2. After that step 3 and step 5  are followed

Table: Steps to Reduce the Risks

According to my aspect of view, cyber security is body of processes, designed practiced and the technologies that are needed to protect device programs, data and network from damage, unauthorized aspects and attack. Security of Information technology is refereed as cyber security. According to me, the Sony PlayStation cyber security data breach took place due to drawback of not using a correct policy and procedures for the security of data. Preventive methods, policies and procedures should have been taken to control the data breach. First of all a data breach took place was known to them after one week after the attack. They were not aware about their network security and the person who is responsible for the maintenance of security of the data of the users of PlayStation should be aware (Huso 2015). The types of security program that is to be implemented building of a secure and safe network should be implemented. The layered security of the environment must be protected by using firewall, anti exploit software, anti malware and also antivirus. To put a limit a limit on the attack on the surface and to plug the vulnerabilities of the applications, patches and updates are to be applied by Sony PlayStation. Correct frequency should be set and other updates should be done that are enclosed in internet applications. All the data should be automatically backed up by some implemented software. Such software should be implemented by Sony to keep a backup of all the data of their users of PlayStation. The user of Sony PlayStation can to know about the data breach much after the occurrence of the data breach.

Conclusion

The case study deals with the data breach of Sony PlayStation that has occurred in April, 2011. The data breach that took place in Sony PlayStation created a danger and a burden to the enterprises of America. The previous data breaches, Home Depot and Target that took place were not such vulnerable as the data breach that took place in 2011. The attacks that took previously mainly related with less damage that was mainly related to repair the relationships with the harmed parties. A lawsuit was auctioned from the customers or the employees whose personal data was breached and the networks were strengthened to prevent the network from further attack. The data breach that took place in 2011 was very different from all the other data breaches that took place regarding the PlayStations of Sony. The user of PlayStation tried to change their passwords of their account. They were unavailable to change their passwords as because the servers were all closed. The impact of data beach lead to hacking of 77million PlayStation, which lead to a loss of 171 million dollar and also the Sony PlayStation website, was down for almost a month. Out of the 77 million hacked accounts, 12 million user’s credit cards were encrypted. The impact of the hack lead to access of the full names, e-mails, home addresses, credit card numbers, PlayStation login details and the passwords of all the 77 million users.

This report sheds light on the details of the Sony PlayStation cyber attack. It gives a detail view on the scenario including the time line, the person mainly responsible for the data breach and the company’s response related to the data breach. It also deals with the implications of the cyber security attack that was faced by Sony. The related policies and the procedures that can be initiated by the company to mitigate the attack on the cyber space of Sony PlayStation. And lastly a personal review is given what is cyber security about and a clear review on cyber security. To serve the user with secured network should be the main objective of company and to fulfill those all companies should take initiative.

References

Al Balushi, T., Ali, S. and Rehman, O., 2016. Economics of Cyber Security and the Way Forward. International Journal of Cyber Warfare and Terrorism (IJCWT), 6(4), pp.41-57.

Aviles, G., 2015. How US political and socio-economic trends promotes hacktivist activity (Doctoral dissertation, Utica College).

Bou-Harb, E., Debbabi, M. and Assi, C., 2014. On fingerprinting probing activities. computers & security, 43, pp.35-48.

Bradshaw, S., 2015. Combating Cyber Threats: CSIRTs and Fostering International Cooperation on Cybersecurity.

Bradshaw, S., 2016. CHAPTER EIGHT: COMBATTING CYBER THREATS: CSIRTS AND FOSTERING. Cyber Security in a Volatile World, p.105.

Carley, K.M. and Morgan, G.P., 2016. Inadvertent leaks: exploration via agent-based dynamic network simulation. Computational and Mathematical Organization Theory, 22(3), pp.288-317.

Chaisiri, S., Ko, R.K. and Niyato, D., 2015, August. A joint optimization approach to security-as-a-service allocation and cyber insurance management. In Trustcom/BigDataSE/ISPA, 2015 IEEE (Vol. 1, pp. 426-433). IEEE.

Chamotra, S., Sehgal, R.K. and Ror, S., 2016. Honeypot Deployment in Broadband Networks. In Information Systems Security (pp. 479-488). Springer International Publishing.

Chatfield, A.T. and Reddick, C.G., 2017, June. Cybersecurity Innovation in Government: A Case Study of US Pentagon's Vulnerability Reward Program. In Proceedings of the 18th Annual International Conference on Digital Government Research (pp. 64-73). ACM.

Crimmins, D., Falk, C., Fowler, S., Gravel, C., Kouremetis, M., Poremski, E., Sturgeon, R.S.N., Zhang, Y. and Liles, S., 2015, March. US Bank of Cyber. In Proceedings of the 16th Annual Information Security Symposium (p. 30). CERIAS-Purdue University.

Deibert, R.J., 2014. Bounding cyber power: Escalation and restraint in global cyberspace. Organized Chaos: Reimagining the Internet.

Dwyer, T., 2015. Data Governance. In Convergent Media and Privacy (pp. 118-159). Palgrave Macmillan UK.

Garrie, D. and Mann, M., 2014. Cyber-Security Insurance: Navigating the Landscape of a Growing Field, 31 J. Marshall J. Info. Tech. & Privacy L. 379 (2014). J. Marshall J. Info. Tech. & Privacy L., 31, p.i.

Gupta, S., Vashisht, S. and Singh, D., 2016, February. A CANVASS on cyber security attacks and countermeasures. In Innovation and Challenges in Cyber Security (ICICCS-INBUSH), 2016 International Conference on (pp. 31-35). IEEE.

Huso, C., 2015. To Show, or Not to Show-That Was the Question: A Discussion regarding the First Amendment Issues Implicated by the Sony Pictures Entertainment Cyberhack & the Interview Debacle. J. Bus. Entrepreneurship & L., 9, p.235.

Karanja, E., 2017. The Role of the Chief Information Security Officer in the Management of IT Security. Information & Computer Security, 25(3).

Kelic, A., Collier, Z.A., Brown, C., Beyeler, W.E., Outkin, A.V., Vargas, V.N., Ehlen, M.A., Judson, C., Zaidi, A., Leung, B. and Linkov, I., 2013. Decision framework for evaluating the macroeconomic risks and policy impacts of cyber attacks. Environment Systems and Decisions, 33(4), pp.544-560.

Kirsch, C., 2014. The Grey Hat Hacker: Reconciling Cyberspace Reality and the Law. N. Ky. L. Rev., 41, p.383.

Mangla, V. and Panda, S.N., 2013. Spectrum of Cyber threats & Available Control Mechanisms. International Journal of Advanced Research in Computer Engineering & Technology (IJARCET), 2(4), pp.pp-1439.

Marshall, J.P. and da Rimini, F., 2015. Playstation, Demonoid and the orders and disorders of Pirarchy. Krisis: Journal for contemporary philosophy.

Pournouri, S. and Craven, M., 2014. E-business, recent threats and security countermeasures. International Journal of Electronic Security and Digital Forensics, 6(3), pp.169-184.

Prakash, C. and Dasgupta, S., 2016, March. Cloud computing security analysis: Challenges and possible solutions. In Electrical, Electronics, and Optimization Techniques (ICEEOT), International Conference on (pp. 54-57). IEEE.

Rao, A.A., Chen, L.F. and Dhillon, J.S., 2014, November. A preliminary study on online data privacy frameworks. In Information Technology and Multimedia (ICIMU), 2014 International Conference on (pp. 15-20). IEEE.

Selznick, L.F. and LaMacchia, C., 2016. Cybersecurity: Should the SEC Be Sticking Its Nose under This Tent. U. Ill. JL Tech. & Pol'y, p.35.

Shackelford, S.J., Fort, T.L. and Charoen, D., 2016. Sustainable Cybersecurity: Applying Lessons from the Green Movement to Managing Cyber Attacks. U. Ill. L. Rev., p.1995.

Sree, T.R. and Bhanu, S.M.S., 2016. HADM: detection of HTTP GET flooding attacks by using Analytical hierarchical process and Dempster–Shafer theory with MapReduce. Security and Communication Networks, 9(17), pp.4341-4357.

Trusky, A.R., 2016. Friend or foe? The societal benefits and cyber risks of video games (Doctoral dissertation, Utica College).

Watkins, L., Silberberg, K., Morales, J.A. and Robinson, W.H., 2015, October. Using inherent command and control vulnerabilities to halt DDoS attacks. In Malicious and Unwanted Software (MALWARE), 2015 10th International Conference on (pp. 3-10). IEEE.

Wilkinson, C., 2013. CYBER RISKS: THE GROWING THREAT.

Zarate, J.C., 2015. The Cyber Financial Wars on the Horizon.