
TECHNICAL REPORT: SURVEY AND ANALYSIS OF RECENT CYBERATTACKS
March 24, 2015
Authors: Michael Hofmeister, Luis Echegaray, David Grayson, Billy Wilson

Table of Contents

Abstract
Cybersecurity Terminology and Concepts
Survey of Recent Cyberattack Events
    Sony 2014 Data Breach
        Description of event
        Damages and impact to business/consumer
        Details and Possible Mitigation
    Target 2013 Data Breach
        Description of event
        Damages and impact to business/consumer
        Details and Possible Mitigation
    JPMorgan Chase 2014 Data Breach
        Description of event
        Damages and impact to business/consumer
        Details and Possible Mitigation
Comparative analysis
Conclusion
Appendix
References
Abstract
In recent years, both the frequency and severity of cyberattacks have seen a sharp
increase. This report is a survey and analysis of the nature of these events,
including the immediate and ongoing costs incurred by the affected corporations
and their consumers. Its purpose is to identify the systemic issues behind these
vulnerabilities and to make recommendations on what can be done in the future.

Cybersecurity Terminology and Concepts


This report includes concepts pertaining to cybersecurity and computer-based
crime. The following material is intended to give the reader sufficient background
to understand the concepts as they pertain to the cases described in the report.
The term cybercrime is used by numerous organizations to classify crimes
conducted over the internet with the intent to defraud, steal, or hinder an
organization's ability to operate. Cybercrime is a broad classification of related
crimes that includes numerous attack patterns. How various organizations go about
classifying specific cybercrimes and attacks varies significantly. This disparity
commonly leads to confusion across the corporate, government, and military
sectors. This paper uses terminology and classification from the Common Attack
Pattern Enumeration and Classification (CAPEC), an ontology of attack patterns and
their classification. CAPEC is sponsored and supported by the U.S. Department of
Homeland Security.
Several key tools in a hacker's toolbox include:
Malware - Hidden software which, once installed, can be used to steal
information, perform unauthorized activities, or even allow a hacker to take
direct control of the infected computer.
Phishing - A technique in which a hacker attempts to fool a system user into
providing sensitive information. These attacks can be very effective when the
hacker tailors the request to a specific user using previously discovered
information about that user.
Denial of Service (DoS) - An attack in which the hacker prevents legitimate use
of a system by exhausting its available resources. In the distributed form (DDoS),
hundreds if not thousands of malware-infected computers send bogus requests to the
system in order to tie up its available bandwidth or processing power.
Hackers use these tools to attack organizations in a variety of ways. Using
sophisticated phishing and social engineering techniques, hackers look to steal user
credentials and infect an organization's computers with malware. Once the
malware is in place, the hackers seek to exploit security vulnerabilities in the
organization's systems and networks.
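As an added illustration (not part of the original report), the following Python script applies the kind of checks a mail gateway or an analyst would run to spot a tailored phishing message of the sort described above: a display name that invokes the organization while the sending address is external, a Reply-To that diverts responses elsewhere, links whose host merely contains the organization's domain as a prefix, and pressure language. The two messages, the contoso.com domain and every address in them are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real captures); "contoso.com" stands in for
# the target organization's real domain.
SUSPECT_MESSAGE = """\
From: "Contoso IT Helpdesk" <helpdesk@contoso-support.net>
Reply-To: recover@mail-verify-center.org
To: jane.doe@contoso.com
Subject: Action required: your mailbox password expires today
Content-Type: text/plain; charset=utf-8

Jane, your Contoso password expires in 2 hours. Verify immediately at
http://contoso.com.account-verify.net/login to avoid losing access.
"""

BENIGN_MESSAGE = """\
From: "Jane Doe" <jane.doe@contoso.com>
To: bob@contoso.com
Subject: Lunch?
Content-Type: text/plain; charset=utf-8

See you at noon. Menu is at https://intranet.contoso.com/cafe
"""

URGENCY = re.compile(
    r"\b(immediately|expires? (today|in \d+ hours?)|action required|verify)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_org_host(host: str, org_domain: str) -> bool:
    """True only for the org domain itself or a genuine subdomain of it.
    'contoso.com.evil.net' contains the string but is NOT an org host."""
    return host == org_domain or host.endswith("." + org_domain)


def assess(raw: str, org_domain: str) -> list:
    """Return the list of phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = domain_of(from_addr)
    findings = []

    # 1. Display name invokes the organization, but the address is external.
    if org_domain.split(".")[0] in display.lower() and not is_org_host(from_dom, org_domain):
        findings.append(f"display name impersonates {org_domain} but sender is {from_dom}")

    # 2. Replies are steered to a domain other than the sending one.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_dom}")

    # 3. Links whose host only *contains* the org name (look-alike hosts).
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for link in URL.findall(text):
        host = (urlparse(link).hostname or "").lower()
        if org_domain in host and not is_org_host(host, org_domain):
            findings.append(f"look-alike link host {host}")

    # 4. Pressure language typical of credential-harvesting lures.
    if URGENCY.search(str(msg.get("Subject", "")) + " " + text):
        findings.append("urgency / action-required language")

    return findings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, assess(raw, "contoso.com"))
```

Each indicator on its own is weak (a legitimate vendor may well use a different Reply-To), so in practice the findings feed a score or a quarantine rule rather than a hard block; the look-alike-host check is the one that most reliably separates a tailored lure from ordinary mail.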

Survey of Recent Cyberattack Events


Sony 2014 Data Breach
Description of event
On November 24th, 2014, the corporate network of Sony Pictures Entertainment Inc.
was compromised, and confidential internal data was subsequently released to the
public in the form of several zip files posted across the web. The perpetrators
called themselves the GOP (Guardians of Peace) and implied that former Sony
employees had worked with them on the attack. The FBI quickly alleged that North
Korea was behind the attack; however, many security experts and members of the
press have expressed significant doubts about this claim (CBS News, 2014). The GOP
also threatened terrorist attacks on any theatre showing the new film The
Interview, all but stating that those attacks would resemble 9/11 (Rushe, 2014).

A Timeline of the Sony Hack (Cyphort)

Damages and impact to business/consumer


According to Time magazine, Sony Pictures Entertainment Inc. has set aside $15
million for costs associated with the hack. That sum is almost negligible next to
the $767 million in profit that Sony Pictures Entertainment Inc.'s parent company,
Sony Corp., earned during the last quarter of 2014 (Frizell, 2015). According to
CNN, 47,000 current and former employees had their social security numbers and
other private information stolen. Additionally, many internal emails were leaked
to the public, which reflected badly on several Sony officials. Some of the
affected employees have filed lawsuits against Sony Pictures Entertainment Inc.
for failing to prepare despite warnings and previous security breaches, namely
the January and April 2011 and August 2014 breaches of the PlayStation Network
(Ellis, 2014). Sony has recently begun taking steps to repair its security posture
and its reputation by hiring FireEye, a private security contractor, to help
assess and fix its systems (Frizell, 2015). These events have undoubtedly had
some effect on Sony's public reputation, even though The Interview still made a
significant amount of money, grossing $31 million through video on demand and
$5 million at the box office (Faughnder, 2015).

Details and Possible Mitigation


The security breach occurred on November 24th, 2014, and the data stolen
during it was first released on November 26th. The GOP used compromised Sony
servers to spread the data around the internet (Fox-Brewster, 2014). A second
batch of data was released on December 3rd containing sensitive security
information, including many plaintext passwords (RBS, 2014). The GOP continued
to post leaks, mostly still using compromised Sony servers to host and
disseminate the information. The FBI blames North Korean hackers for the breach,
but many security experts have expressed great doubt as to the validity of the
FBI's claims. Risk Based Security, for example, stated: "We are very confident
that this was not an attack masterminded by North Korea and that insiders were
key to the implementation of one of the most devastating attacks in history"
(RBS, 2014). Basic information security hygiene, such as not keeping passwords
in plaintext files and requiring employees to change their passwords (or issuing
randomly generated ones) periodically, would at the very least have limited the
damage from this attack. The absence of such basics shows a disturbingly lax
attitude towards the sensitive data Sony holds, further illustrated by the fact
that Sony only hired FireEye after the breach.
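The plaintext passwords that surfaced in the December 3rd leak are exactly what a routine scan of file shares is meant to catch before an attacker does. The following Python script, added here as an illustration and not taken from the report or from Sony, walks a directory tree and flags files whose names suggest a credential store as well as lines that assign a literal value to a password-like key. The sample files it creates in a temporary directory are constructed for the example, and both patterns are deliberately broad; a real deployment would tune them to the estate and add binary formats such as spreadsheets.

```python
import os
import re
import tempfile

# File names that suggest a credential store, and lines that look like a
# stored secret. Both patterns are deliberately broad (constructed for the example).
SUSPECT_NAME = re.compile(r"(password|passwd|credential|logins?)", re.I)
SUSPECT_LINE = re.compile(r"\b(pass(word)?|pwd|secret|api[_-]?key)\b\s*[:=]\s*(\S+)", re.I)
TEXT_EXT = {".txt", ".csv", ".ini", ".cfg", ".conf", ".xml", ".json", ".yml", ".yaml", ".env"}


def scan_tree(root: str, max_bytes: int = 1_000_000) -> list:
    """Walk root and return (path, reason) findings for likely plaintext credentials.
    The matched secret itself is never copied into the finding."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if SUSPECT_NAME.search(name):
                findings.append((path, "file name suggests a credential store"))
            # Only read files that are plausibly text and not unreasonably large.
            if os.path.splitext(name)[1].lower() not in TEXT_EXT or os.path.getsize(path) > max_bytes:
                continue
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                for lineno, line in enumerate(fh, 1):
                    m = SUSPECT_LINE.search(line)
                    if m:
                        findings.append((path, f"line {lineno}: '{m.group(1)}' is assigned a literal value"))
    return findings


def build_sample() -> str:
    """Create a small constructed file tree in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="credscan-")
    samples = {
        "finance/Passwords.txt": "sap_prod  user=admin  password: Winter2014!\n",
        "it/vpn_config.ini": "[vpn]\nhost=vpn.example.internal\npwd = s3cr3t\n",
        "hr/memo.txt": "Reminder: timesheets are due Friday.\n",
        "media/trailer.mp4": "not really a video, just a placeholder",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, reason in scan_tree(build_sample()):
        print(f"{reason}: {path}")
```

Run against the constructed tree this reports three findings: Passwords.txt by name and by content, and the vpn_config.ini line; the memo and the non-text file are left alone. The point of the scan is to find the files so they can be moved into a proper secrets store, not to log their contents into yet another plaintext file.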

Target 2013 Data Breach


Description of event
Between November 27th and December 15th, 2013, Target, one of the largest
retailers in the US, fell victim to a security breach that compromised the
financial and personal information of as many as 110 million customers. The
stolen information was transferred to servers in Eastern Europe and immediately
began showing up for sale on black markets. This led to a systematic review of
Target's security infrastructure by the Secret Service, alongside inquiries by
the U.S. Senate Judiciary Committee. It was later discovered that Target had
ignored several security warnings that could have stopped the attack in its
infancy. Ultimately, this led to the resignation of Target's CEO (Chief Executive
Officer) and CIO (Chief Information Officer), along with the creation of a new
position, CISO (Chief Information Security Officer). Target has also committed
$100 million to update its security technology and to introduce chip-and-PIN
technology for its cards by early 2015.
Changes in Top Positions (Roman)

Damages and impact to business/consumer


The costs associated with the data breach have been reported at $236 million.
Transactions at Target fell three to four percent compared with the same period
the previous year, while other retailers showed strong gains. Seventy million
customer records were stolen, along with forty million credit and debit card
numbers.

Details and Possible Mitigation


The attackers gained initial entry using credentials stolen from a third-party
company, Fazio Mechanical Services, which had remote access to Target's network
for project management and billing purposes. The credentials were harvested by
malware delivered to the vendor by email. How the attackers then reached the
point-of-sale systems is not publicly known, but it is suspected that the vendor
portal was not fully isolated from the rest of Target's network.
Preventing this sort of attack requires proactive security auditing of internal
systems rather than waiting for an attack, which usually causes downtime, and
then recovering as quickly as possible. Analysing the probes attackers run
against the network highlights the approaches they are likely to take and helps
focus effort on the weakest areas.

There also needs to be a fundamental change in how third parties work within
Target's business. The initial intrusion came through a third party working with
Target on a system unrelated to customer payment information. Additionally, an
outside company that monitored security and intrusion attempts noticed an
irregularity and notified Target promptly. The fact that Target did not respond
at all shows a disconnect in how outside parties are handled throughout the
company.
A timeline of Target's breach (Majority Staff Report)
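Isolation of third-party access can be checked mechanically, which is what a proactive audit of vendor connectivity looks like in practice. The following Python script, added as an illustration (it is not Target's tooling and not from the cited reports), reads firewall/VPN connection records for vendor accounts and reports every connection outside the networks that account is permitted to reach, escalating to critical when the destination is a protected segment such as the point-of-sale LAN. The policy, segment names, account names, addresses and log lines are all constructed for the example.

```python
import ipaddress
import re

# Constructed policy: each third-party account and the only networks it may reach.
VENDOR_POLICY = {
    "svc-hvac-vendor": [ipaddress.ip_network("10.20.5.0/24")],  # vendor billing/project portal
}
# Constructed: networks no third-party account should ever touch.
CROWN_JEWELS = {
    "pos-lan": ipaddress.ip_network("10.50.0.0/16"),
    "card-data": ipaddress.ip_network("10.60.0.0/16"),
}

# Constructed firewall/VPN connection records (not real logs).
SAMPLE_LOG = """\
2013-11-15T10:02:11Z user=svc-hvac-vendor src=198.51.100.23 dst=10.20.5.14 dport=443 action=allow
2013-11-15T10:03:40Z user=svc-hvac-vendor src=198.51.100.23 dst=10.20.5.14 dport=443 action=allow
2013-11-15T23:41:05Z user=svc-hvac-vendor src=198.51.100.23 dst=10.10.8.9 dport=445 action=allow
2013-11-16T02:17:52Z user=svc-hvac-vendor src=198.51.100.23 dst=10.50.12.77 dport=135 action=allow
2013-11-16T02:19:03Z user=svc-hvac-vendor src=198.51.100.23 dst=10.60.1.5 dport=1433 action=allow
2013-11-16T09:00:00Z user=svc-billing-temp src=198.51.100.40 dst=10.20.5.14 dport=443 action=allow
"""

RECORD = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)")


def audit_vendor_access(log_text: str, policy: dict, jewels: dict) -> list:
    """Return (severity, ts, user, dst, reason) for every allowed connection
    that falls outside the vendor account's permitted networks."""
    findings = []
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m or m["action"] != "allow":
            continue  # malformed or already blocked: nothing to escalate
        user, dst = m["user"], ipaddress.ip_address(m["dst"])
        allowed = policy.get(user)
        if allowed is None:
            # An account with vendor-style access but no written policy is itself a finding.
            findings.append(("high", m["ts"], user, str(dst), "account has no vendor access policy"))
            continue
        if any(dst in net for net in allowed):
            continue  # within the portal the vendor is supposed to use
        hit = next((name for name, net in jewels.items() if dst in net), None)
        if hit:
            findings.append(("critical", m["ts"], user, str(dst), f"vendor account reached {hit} segment"))
        else:
            findings.append(("high", m["ts"], user, str(dst), "destination outside vendor's permitted networks"))
    return findings


if __name__ == "__main__":
    for sev, ts, user, dst, reason in audit_vendor_access(SAMPLE_LOG, VENDOR_POLICY, CROWN_JEWELS):
        print(f"[{sev}] {ts} {user} -> {dst}: {reason}")
```

On the constructed records the two daytime portal connections pass, the late-night SMB connection to an internal host is flagged, the two reaches into the point-of-sale and card-data segments are critical, and the unlisted account is flagged because nobody has defined what it may reach. The same policy table is what the firewall rules should be generated from, so that the audit is confirming enforcement rather than substituting for it.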

JPMorgan Chase 2014 Data Breach


Description of event
Even with security systems as robust as those of America's largest bank,
breaches are still possible. In September 2014, the banking giant JPMorgan Chase
disclosed a data breach that compromised data associated with over 83 million
accounts: 76 million households and 7 million small businesses. Although no
financial account information was compromised, it is considered one of the
largest data breaches in history and a very serious intrusion into an American
corporation's information systems (Goldstein).

Damages and impact to business/consumer


The breach is reported to affect customers who visited the company's websites,
including Chase.com, or used its mobile banking app at any time during June and
July 2014 (Komando). In total, 83 million accounts were affected: 76 million
household accounts and 7 million business accounts. The stolen account
information was limited to email addresses, home addresses, and phone numbers.
No financial account information was compromised, and the bank says no
fraudulent activity has been found related to the breach.

Details and Possible Mitigation


JPMorgan Chase has stated that the breach appeared to have begun in early June
2014 but was not discovered until late July 2014 (Goldstein). It began with the
attackers simply stealing the login credentials of a JPMorgan employee. Most
financial institutions use two-factor authentication, which requires a second,
one-time password in addition to the regular password to gain access to a secure
system. JPMorgan's security team uses two-factor authentication as well;
however, one network server had never been upgraded to the scheme, and that
server gave the attackers their way in. Once inside JPMorgan's network, the
attackers managed to gain high-level access to more than 90 bank servers but
were caught before they were able to retrieve any private customer financial
information (Goldstein).


Two-factor authentication (Vasco)
The hacking group also breached a website for a charitable race that the bank
had sponsored, using the same IP address it had used to infiltrate the JPMorgan
network (Goldstein). While affiliated with JPMorgan, the charity website is
managed by an outside company and is not connected to the bank's network (Wall
Street Journal, 2014). While examining a large cache of data from the charity
website, JPMorgan and its security vendors found a link to an outside IP address
that, they discovered, had also been used to breach the bank's own network. This
allowed the bank's security team to confirm the breach and block the attackers
before they could compromise the most sensitive account information. The attack
did not come to a complete halt until mid-August (Goldstein).
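The link the bank's team found, one external address appearing in both the charity website's logs and the bank's own authentication logs, is a simple cross-source correlation. The following Python script, added as an illustration rather than taken from the report, parses an Apache-style access log from the third-party site and a VPN authentication log, intersects the source addresses, and reports for each overlap which users and gateways were involved and how many sessions were authenticated without MFA. Both logs, the usernames, the host names and the addresses (drawn from the RFC 5737 documentation ranges) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed third-party site access log (Apache combined format, not real data).
CHARITY_SITE_LOG = """\
203.0.113.45 - - [04/Jun/2014:21:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1843
203.0.113.45 - - [04/Jun/2014:21:14:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 9021
198.51.100.7 - - [04/Jun/2014:21:20:51 +0000] "GET /results/2014 HTTP/1.1" 200 5120
203.0.113.45 - - [05/Jun/2014:02:03:17 +0000] "GET /wp-content/uploads/c.php HTTP/1.1" 200 311
"""

# Constructed bank-side VPN authentication log (not real data).
BANK_AUTH_LOG = """\
2014-06-04T22:41:33Z host=vpn-gw-02 user=jsmith src=203.0.113.45 result=success mfa=not_enforced
2014-06-04T22:45:10Z host=vpn-gw-02 user=jsmith src=203.0.113.45 result=success mfa=not_enforced
2014-06-05T08:12:45Z host=vpn-gw-01 user=aperez src=198.51.100.91 result=success mfa=ok
2014-06-05T09:30:02Z host=vpn-gw-01 user=bchan src=192.0.2.66 result=failure mfa=ok
"""

APACHE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
AUTH = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<ip>\S+) "
                  r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)")


def parse_apache(text: str) -> dict:
    """Map source IP -> list of (timestamp, request line) from an Apache log."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = APACHE.match(line)
        if m:
            hits[m["ip"]].append((m["ts"], m["req"]))
    return hits


def parse_auth(text: str) -> dict:
    """Map source IP -> list of (timestamp, user, gateway, mfa) for successful logins only."""
    logins = defaultdict(list)
    for line in text.splitlines():
        m = AUTH.match(line)
        if m and m["result"] == "success":
            logins[m["ip"]].append((m["ts"], m["user"], m["host"], m["mfa"]))
    return logins


def correlate(web_text: str, auth_text: str) -> list:
    """One finding per source IP seen both on the third-party site and in a
    successful bank login, with the sessions that lacked MFA called out."""
    web, auth = parse_apache(web_text), parse_auth(auth_text)
    findings = []
    for ip in sorted(set(web) & set(auth)):
        findings.append({
            "ip": ip,
            "web_requests": [req for _, req in web[ip]],
            "bank_users": sorted({u for _, u, _, _ in auth[ip]}),
            "bank_hosts": sorted({h for _, _, h, _ in auth[ip]}),
            "sessions_without_mfa": sum(1 for *_, mfa in auth[ip] if mfa != "ok"),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(CHARITY_SITE_LOG, BANK_AUTH_LOG):
        print(f["ip"], "users:", f["bank_users"], "gateways:", f["bank_hosts"],
              "sessions without MFA:", f["sessions_without_mfa"])
        for req in f["web_requests"]:
            print("   ", req)
```

On the constructed data the only overlap is 203.0.113.45, which logged into the charity site's admin page and dropped a file under uploads, then authenticated as jsmith on the gateway that was not enforcing MFA. Exact-IP matching is the narrowest form of this check; in practice the same join is run on ASN or /24, on user-agent strings and on timing, since attackers rotate addresses.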
The data breach might have been avoided if all of JPMorgan's network servers had
been upgraded to two-factor authentication. The banking giant already spends
$250 million annually on computer security but will have to remain proactive to
prevent attacks like this. In response to the attack, JPMorgan has set up a
business control group consisting of about a dozen technology and cybersecurity
executives. This group meets once every few weeks to discuss the fallout of the
attack and ways to prevent hackers from breaching its network in the future. An
internal assessment of the bank's security concluded that by the end of 2014 the
bank had made significant progress in reducing the number of severe patch issues
but was still working to address other critical issues. The review also found
that the server lacking two-factor authentication also lacked the latest
antivirus protection (Goldstein).
Going further to prevent future breaches, the banking giant has recently raised
the requirements employees must meet to attain the highest level of access to
the bank's network. High-security access is now limited to employees who submit
to annual credit screening and criminal background checks, and routine reviews
confirm that each user's high-security access is still justified (Goldstein).
Despite the data breach, JPMorgan Chase is a leader in network security among
companies that carry sensitive information on their networks. The lengths to
which JPMorgan Chase must go to battle hackers are immense: it employs 1,000
people dedicated to cybersecurity, whereas Google Inc. has over 400 (Bloomberg,
2014). JPMorgan also had to analyse data servers on the other side of the world
to discover the connection between the charity race website breach and the
breach of its own network. This is a prime example of why companies must assess
the security of their vendors' networks as well as their own in order to keep
client information secure.

Comparative analysis
Sony's executive management showed gross negligence in failing to prioritize
network security, which ended up costing the company between $15 and $35 million
in damages from the attack. Despite the financial loss, and based on previous
incidents, it is doubtful that Sony's leadership will make the changes to its
security practices needed to fully address its risk. Previous attacks on Sony
should have served as a wake-up call to management that the current security
risk framework was insufficient to deal with the threat. Even years after those
attacks, Sony still had not fixed the exploited security flaws in its network
and processes.
Target's lack of oversight of its strategic vendors' security practices allowed
attackers to penetrate its network and steal a tremendous amount of customer
financial information. Because it lacked proper security auditing processes,
Target was not even aware of the breach until informed by the Secret Service.
Unlike at Sony, the executive leadership felt the ramifications keenly when the
CEO was forced to step down. Target responded to the incident by investing $100
million in its security and adopting a more secure card-processing model at the
point of sale to mitigate future attacks.
The Sony and Target incidents share a common root cause: poor security risk
management. In both cases the critical failing was the organization's lack of
understanding of the level of risk exposure it was operating under.
The JPMorgan Chase incident serves as a counterpoint to Sony and Target. Here the
attackers penetrated a company that appeared to have all the appropriate
safeguards, backed by a rigorous security risk management practice. The
difference was that JPMorgan Chase detected the breach before any significant
loss of information occurred. Judging by the complexity of the intrusion, the
attackers appear to have been far more skilled than those involved in the Sony
and Target incidents.

Conclusion
Executive management is ultimately accountable for an organization's security.
Unless executives fully appreciate the level of exposure their companies operate
under, they will be unwilling to invest the capital and manpower needed to adopt
and enforce a rigorous security risk management program. In Target's case this
lack of understanding cost the CEO his position and damaged the reputation of
the Target brand. It is worth noting that even companies that have adopted a
sophisticated security risk management mindset remain vulnerable to a
determined, expert-level attacker. While no organization is invulnerable to a
cyberattack, having the appropriate security risk management controls in place
can minimize the damage such an attack causes.

Appendix
References
"A Glossary of Common Cybersecurity Terminology." NICCS, n.d. Accessed 8 March 2015. http://niccs.us-cert.gov/glossary
"Anatomy of a cyber-attack." Dell Software, 2012. Accessed 8 March 2015. http://software.dell.com/documents/anatomy-of-a-cyber-attack-ebook24640.pdf
CBS News. "Was FBI wrong on North Korea?" 23 December 2014. http://www.cbsnews.com/news/did-the-fbi-get-it-wrong-on-north-korea/
Copeland, Libby. "Sony Pictures Hack Reveals Stark Gender Pay Gap." Slate, 5 December 2014. Accessed 9 March 2015. http://www.slate.com/blogs/xx_factor/2014/12/05/sony_pictures_hack_reveals_gender_pay_gap_at_the_entertainment_company_and.html
"Cybersecurity 101." NICCS, n.d. Accessed 9 March 2015. http://niccs.us-cert.gov/awareness/cybersecurity-101
Cyphort. "Attack Timeline for Sony Pictures, Nov-Dec 2014." Digital image, Slideshare, 30 January 2015. Accessed 24 March 2015. http://image.slidesharecdn.com/cyphortmalwaremostwantedsonydestover150129195703-conversion-gate02/95/sony-attack-by-destover-malware-partof-cyphort-malware-most-wanted-series-6-638.jpg?cb=1422655113
Dawson, Freddie. "What the Sony hack can teach about Cyber security." Forbes, 27 February 2015. Accessed 8 March 2015. http://www.forbes.com/sites/freddiedawson/2015/02/27/what-the-sony-hack-can-teach-about-cyber-security/
Ellis, Ralph. "Lawsuits say Sony Pictures should have expected security breach." CNN, 20 December 2014. http://www.cnn.com/2014/12/20/us/sony-pictures-lawsuits/
Faughnder, Ryan. "'The Interview' earns $31 million from VOD, $5 million at box office." Los Angeles Times, 6 January 2015. http://www.latimes.com/entertainment/envelope/cotown/la-et-ct-sonys-the-interview-vod-box-office-20150106-story.html
Fox-Brewster, Thomas. "More Trouble For Sony? PlayStation Servers 'Used To Spread Stolen Data'." Forbes, 3 December 2014. http://www.forbes.com/sites/thomasbrewster/2014/12/03/sony-playstation-serving-hacked-data/
Frizell, Sam. "Sony Is Spending $15 Million to Deal With the Big Hack." Time, 4 February 2015. http://time.com/3695118/sony-hack-the-interview-costs/
Goldstein, M., Perlroth, N., and Sanger, D. "Hackers' Attack Cracked 10 Financial Firms in Major Assault." The New York Times, 3 October 2014. Accessed 17 March 2015.
Goldstein, M., Perlroth, N., and Corkery, M. "Neglected Server Provided Entry for JPMorgan Hackers." The New York Times, 22 December 2014. Accessed 17 March 2015.
Goldstein, M., and Perlroth, N. "Authorities Closing In on Hackers Who Stole Data From JPMorgan Chase." The New York Times, 15 March 2015. Accessed 17 March 2015. http://www.nytimes.com/2015/03/16/business/dealbook/authorities-closing-in-on-hackers-who-stole-data-from-jpmorgan-chase.html
Komando, K. "JP Morgan Chase hack: 4 steps you must do now." Fox News, 3 October 2014. Accessed 17 March 2015. http://www.foxnews.com/tech/2014/10/03/jp-morgan-chase-hack-4-steps-must-do-now/
"Losing the plot." The Economist, 3 January 2015. Accessed 8 March 2015. http://www.economist.com/news/leaders/21637390-states-should-police-corporate-cyber-security-more-toughlybut-react-breaches-cautiously-losing
Majority Staff Report. "A Kill Chain Analysis of the 2013 Target Data Breach." U.S. Senate Committee on Commerce, Science, and Transportation, 26 March 2014. http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=24d3c229-4f2f-405d-b8db-a3a67f183883
McGregor, Jay. "The Top 5 Most Brutal Cyber Attacks of 2014 So Far." Forbes, 28 July 2014. Accessed 8 March 2015. http://www.forbes.com/sites/jaymcgregor/2014/07/28/the-top-5-most-brutal-cyber-attacks-of-2014-so-far/
Pepitone, Julianne. "Massive hack blows crater in Sony brand." CNNMoney, 10 May 2011. Accessed 9 March 2015. http://money.cnn.com/2011/05/10/technology/sony_hack_fallout/?iid=EL
RBS (Risk Based Security). "A Breakdown and Analysis of the December, 2014 Sony Hack." 5 December 2014. https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/
Robertson, J., and Riley, M. "JPMorgan Hack Said to Span Months Via Multiple Flaws." Bloomberg, 29 August 2014. Accessed 17 March 2015.
Roman, Jeffery. "Target Breach: By the Numbers." BankInfoSecurity, 19 August 2014. http://www.bankinfosecurity.com/target-breach-by-numbers-a-7205
Rushe, Dominic. "Hackers who targeted Sony invoke 9/11 attacks in warning to moviegoers." The Guardian, 17 December 2014. http://www.theguardian.com/film/2014/dec/16/employees-sue-failure-guard-personal-data-leaked-hackers
"Two-factor Authentication." Digital image. Vasco: The Authentication Company, 1 January 2015.
Yadron, D., and Glazer, E. "J.P. Morgan Found Hackers Through Breach of Road-Race Website." The Wall Street Journal, 31 October 2014. Accessed 17 March 2015. http://www.wsj.com/articles/j-p-morgan-found-hackers-after-finding-breach-of-race-website-1414766443
Yahoo! Finance. "Sony Corporation (SNE) interactive chart." 15 March 2015. http://finance.yahoo.com/echarts?s=SNE+Interactive#{%22range%22%3A{%22start%22%3A%222014-11-24T19%3A00%3A00.000Z%22%2C%22end%22%3A%222014-12-10T19%3A00%3A00.000Z%22}%2C%22scale%22%3A%22linear%22}
