Table of Contents
Abstract
Description of event
Description of event
Description of event
Comparative analysis
Conclusion
Appendix
References
Abstract
In recent years, both the frequency and severity of cyber-attacks have increased
sharply. This report serves as a survey and analysis of the nature of these events,
including the immediate and ongoing costs incurred by the affected corporations and
their consumers. Its purpose is to identify any systemic issues that are causing these
vulnerabilities and to recommend what can be done in the future.
hacker tailors the request specifically for a user using previously discovered
information.
Denial of Service (DoS) - where the hacker prevents legitimate use of a system
by consuming all the available resources. These attacks can involve hundreds if not
thousands of malware-infected computers sending bogus requests to the system in
order to tie up the system's available bandwidth or processing power.
Hackers use these tools to attack organizations in a variety of ways. Using
sophisticated phishing and social engineering techniques, hackers look to steal user
credentials and infect an organization's computers with malware. Once the
malware is in place, the hackers seek to exploit security vulnerabilities in the
organization's systems and networks.
began showing up on black markets for sale. This led to a systematic review of
Target's security infrastructure by the Secret Service, alongside U.S. Senate
Judiciary Committee inquiries. It was later discovered that Target ignored several
security warnings that could have warded off the attack in its infancy.
Ultimately, this led to the resignation of Target's CEO (Chief Executive Officer) and
CIO (Chief Information Officer), along with the creation of a new position: CISO
(Chief Information Security Officer). Target has also committed $100 million
to update its security technology and to introduce chip-and-PIN technology for its
cards by early 2015.
Changes in Top Positions (Roman)
JPMorgan network (Goldstein). While affiliated with JPMorgan, the charity website is
managed by an outside company and isn't connected to the bank's network (Wall
Street Journal, 2014). JPMorgan and its security vendors discovered a massive cache
of information from the charity website that linked to an outside IP address which,
they found, had breached their network. This allowed the bank's security team to
confirm the breach and block the hackers before they could compromise the most
sensitive account information. The attack did not come to a complete halt until
mid-August (Goldstein).
The data breach may have been avoided if all of JPMorgan's network servers
had been upgraded to the more secure two-factor authentication method. The banking
giant already spends $250 million annually on computer security but will have to
remain proactive to prevent attacks like this. In response to the attack, JPMorgan
has set up a business control group consisting of about a dozen technology
and cyber security executives. This group meets once every few weeks to discuss
the fallout of the attack and ways to prevent hackers from breaching its network in
the future. An internal assessment of the bank's security system concluded that by
the end of 2014 the bank had made significant progress in reducing the number
of severe patch issues but was still working to address other critical issues. During this
review, it was also found that the server which lacked two-factor
authentication also lacked the latest antivirus protection (Goldstein).
Going even further to prevent future breaches, the
banking giant has recently increased the requirements employees must meet to
attain the highest level of access to the bank's network. High-security access is
now limited to employees who submit to annual credit screening and criminal
background checks. The bank also performs routine checks to ensure that high-security
access is justified for each user to whom it is granted (Goldstein).
Despite the data breach, JPMorgan Chase is a leader in network security
among companies that carry sensitive information on their networks. The
lengths to which JPMorgan Chase must go to battle hackers are immense. It
employs 1,000 people dedicated to cybersecurity; for comparison, Google Inc. has
over 400 (Bloomberg, 2014). Additionally, JPMorgan had to analyze data servers on
the other side of the world in order to discover the connection between the charity
race website breach and the breach of its own network. This is a prime example
of why companies must analyze the security of their vendors' networks as well as
their own in order to keep client information secure.
Comparative analysis
Sony's executive management showed gross negligence in failing to prioritize
network security, which ended up costing the company between $15 and $35 million
in damages from the attack. Despite the financial loss, and based on
previous incidents, it is doubtful that the leadership at Sony will make the necessary
changes to its security practices to fully address its risk. Previous attacks on
Sony should have served as a wake-up call to management that the existing security
risk framework was insufficient to deal with the threat. Even years after those
attacks, Sony still had not patched the exploited security flaws in its network
and processes.
Target's lack of oversight of its strategic vendors' security practices
allowed a hacker to penetrate its network and steal a tremendous amount of
customer financial information. Due to the lack of proper security auditing
processes, Target wasn't even aware of the breach until informed by the
Secret Service. Unlike Sony's, Target's executive leadership felt the ramifications keenly
when the CEO was forced to step down. Target responded to the incident by
investing $100 million in its security. It also adopted a
more secure card processing model at its point of sale to mitigate future
attacks.
Both the Sony and Target incidents share a common root cause: poor security
risk management. In both cases the critical failing was the organization's lack
of understanding of the level of risk exposure under which it was operating.
The JPMorgan Chase incident serves as an excellent counterpoint to Sony and
Target. In this case a hacker managed to penetrate JPMorgan Chase, which
appeared to have all the appropriate safeguards backed by a rigorous security risk
management practice. The difference was that JPMorgan Chase managed to detect
the breach before any significant loss of information occurred. Given the
complexity of the hack, it appears the attackers were far more skilled than
those involved in the Sony and Target incidents.
Conclusion
Executive management is ultimately accountable for an organization's
security. Unless executives fully appreciate the level of exposure their companies are
operating under, they will be unwilling to invest the capital and manpower needed to
adopt and enforce a rigorous security risk management program. In Target's case
this lack of understanding cost the CEO his position and damaged the reputation of
the Target brand. It is worth noting that even companies that have adopted
sophisticated security risk management mindsets remain vulnerable to a
determined, expert-level hacker. While no organization is invulnerable to a
cyberattack, having the appropriate security risk management controls in place can
minimize the damage incurred from such an attack.
Appendix
References
A Glossary of Common Cybersecurity Terminology. n.d. Accessed 8 March 2015.
<http://niccs.us-cert.gov/glossary>.
"Anatomy of a cyber-attack." 2012. dell.com. Document. Accessed 8 March 2015.
<http://software.dell.com/documents/anatomy-of-a-cyber-attack-ebook24640.pdf>.
CBS News. Was FBI wrong on North Korea? 23 December 2014.
<http://www.cbsnews.com/news/did-the-fbi-get-it-wrong-on-north-korea/>.
Copeland, Libby. Sony Pictures Hack Reveals Stark Gender Pay Gap. 5 December 2014.
Accessed 9 March 2015.
<http://www.slate.com/blogs/xx_factor/2014/12/05/sony_pictures_hack_reveals_gender_pay_gap_at_the_entertainment_company_and.html>.
Cybersecurity 101. n.d. Accessed 9 March 2015.
<http://niccs.us-cert.gov/awareness/cybersecurity-101>.
Cyphort. Attack Timeline for Sony Pictures, Nov-Dec 2014. Digital image. Slideshare,
30 January 2015. Accessed 24 March 2015.
<http://image.slidesharecdn.com/cyphortmalwaremostwantedsonydestover150129195703-conversion-gate02/95/sony-attack-by-destover-malware-partof-cyphort-malware-most-wanted-series-6-638.jpg?cb=1422655113>.
Dawson, Freddie. What the Sony hack can teach about Cyber security. 27 February 2015.
Accessed 8 March 2015.
<http://www.forbes.com/sites/freddiedawson/2015/02/27/what-the-sony-hackcan-teach-about-cyber-security/>.
Ellis, Ralph. Lawsuits say Sony Pictures should have expected security breach.
20 December 2014. <http://www.cnn.com/2014/12/20/us/sony-pictureslawsuits/>.
Faughnder, Ryan. 'The Interview' earns $31 million from VOD, $5 million at box
office. 6 January 2015.
<http://www.latimes.com/entertainment/envelope/cotown/la-et-ct-sonys-theinterview-vod-box-office-20150106-story.html>.
Fox-Brewster, Thomas. More Trouble For Sony? PlayStation Servers 'Used To Spread
Stolen Data'. 3 December 2014.
<http://www.forbes.com/sites/thomasbrewster/2014/12/03/sony-playstationserving-hacked-data/>.
Frizell, Sam. Sony Is Spending $15 Million to Deal With the Big Hack. 4 February 2015.
<http://time.com/3695118/sony-hack-the-interview-costs/>.
Goldstein, M., Perlroth, N., & Sanger, D. Hackers' Attack Cracked 10 Financial Firms
in Major Assault. 3 October 2014. Accessed 17 March 2015.
Goldstein, M., Perlroth, N., & Corkery, M. Neglected Server Provided Entry for
JPMorgan Hackers. 22 December 2014. Accessed 17 March 2015.
Goldstein, M., & Perlroth, N. Authorities Closing In on Hackers Who Stole Data From
JPMorgan Chase. 15 March 2015. Accessed 17 March 2015.
<http://www.nytimes.com/2015/03/16/business/dealbook/authorities-closingin-on-hackers-who-stole-data-from-jpmorgan-chase.html>.
Komando, K. JP Morgan Chase hack: 4 steps you must do now. 3 October 2014.
Accessed 17 March 2015.
<http://www.foxnews.com/tech/2014/10/03/jpmorgan-chase-hack-4-steps-must-do-now/>.
Losing the plot. 3 January 2015. Accessed 8 March 2015.
<http://www.economist.com/news/leaders/21637390-states-should-policecorporate-cyber-security-more-toughlybut-react-breaches-cautiously-losing>.
Majority Staff Report. A Kill Chain Analysis of the 2013 Target Data Breach.
26 March 2014.
<http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=24d3c229-4f2f-405d-b8db-a3a67f183883>.
McGregor, Jay. The Top 5 Most Brutal Cyber Attacks of 2014 So Far. 28 July 2014.
Accessed 8 March 2015.
<http://www.forbes.com/sites/jaymcgregor/2014/07/28/the-top5-most-brutal-cyber-attacks-of-2014-so-far/>.
Pepitone, Julianne. Massive hack blows crater in Sony brand. 10 May 2011.
Accessed 9 March 2015.
<http://money.cnn.com/2011/05/10/technology/sony_hack_fallout/?iid=EL>.
RBS. A Breakdown and Analysis of the December, 2014 Sony Hack. 5 December 2014.
<https://www.riskbasedsecurity.com/2014/12/a-breakdown-andanalysis-of-the-december-2014-sony-hack/>.
Robertson, J., & Riley, M. JPMorgan Hack Said to Span Months Via Multiple Flaws.
29 August 2014. Accessed 17 March 2015.
Roman, Jeffery. Target Breach: By the Numbers. 19 August 2014.
<http://www.bankinfosecurity.com/target-breach-by-numbers-a-7205>.
Rushe, Dominic. Hackers who targeted Sony invoke 9/11 attacks in warning to
moviegoers. 17 December 2014.
<http://www.theguardian.com/film/2014/dec/16/employees-sue-failureguard-personal-data-leaked-hackers>.
Two-factor Authentication. Digital image. Vasco: The Authentication Company.
1 January 2015. Web.
Yadron, D., & Glazer, E. J.P. Morgan Found Hackers Through Breach of Road-Race
Website. 31 October 2014. Accessed 17 March 2015.
<http://www.wsj.com/articles/j-p-morgan-found-hackers-after-finding-breachof-race-website-1414766443>.
Yahoo! Finance: Sony Corporation. 15 March 2015.
<http://finance.yahoo.com/echarts?s=SNE+Interactive#{%22range%22%3A{%22start%22%3A%222014-11-24T19%3A00%3A00.000Z%22%2C%22end%22%3A%222014-12-10T19%3A00%3A00.000Z%22}%2C%22scale%22%3A%22linear%22}>.