Sony Playstation Case Study

Organizations inevitably experience crisis and whether or not the organization is prepared to determine few at hand. The Sony Crisis in 2011 is an important example to study the effect of crisis and its implications. Security breach at Sony of its PSN lead to stealing of credit card and personal information for its millions of customers. On April 20 2011 people woke up, turned on their PlayStation only to find the error message stating “An error has occurred” and being signed out of PlayStation network.

Users kept on trying to login again for hours but in vein. Users remained in confusion why Sony had shut down their services. Sony was attacked in a number of areas, including their website, network and gaming platform.

The hackers from the Lulz hacking group had decided that Sony was fair game by the nature of their lapse security, and indeed they claimed that the objecte was to prove that the Sony systems were easily breakable. April 26, 2011 Sony explained to PSN users why it took so long to declare about data theft.

There is a time interval between when an intruder is detected and when a threat to customer information occurs. We found out there was an interruption on April 19 and stopped the service. We then consulted with external experts to determine how the intrusion occurred and to conduct an investigation to determine the nature and extent of the incident. A few days of forensic analysis had to be done, and experts had to understand the scope of the offense until yesterday.

Get quality help now

Doctor Jennifer

Verified

Proficient in: Plays

5 (893)

“ Thank you so much for accepting my assignment the night before it was due. I look forward to working with you moving forward ”

+84 relevant experts are online

Hire writer

Sony was fined $ 250,000 ($ 395,000) for lack of security, disclosing subscriber data that violated European data protection law. The violations endanger the personal information of millions of customers, including names, addresses, e-mail addresses, birth dates, credit card details and account passwords. A few weeks after hackers entered the Sony PlayStation Network, hacker group LulzSec took responsibility for another attack on Sony Online Entertainment. During this attack, information from around 100 million user account profiles was revealed. I would recommend the Forefront Identity Manager.

It would be helpful in mitigating risk. The threat identified as unauthorized individuals gaining access to TOE to information and functions provided by TOE. This Product will grant access to information and services that it identifies i.e. only to individuals those have been authorized and given access during its implementation. Individuals those have not been grated access, who may want access to information are unauthorized user. T. Request: An authorized agent trying perform unauthorized actions on stored resources that may compromise the confidentiality of stored information. T. IMPORT: Identity information can be imported uncontrollably from the TOE’s control area, which may lead to unauthorized interrogation and possibly lose the integrity and confidentiality of the stored identity information.

An unauthorized person may attempt to access the TOE by performing unauthorized operations with identity resources or performing unauthorized identity management activities that could compromise the confidentiality and / or integrity of stored identity information. T. EXPORT: Identity information may be exported uncontrollably outside the control of the TOE, which may result in unauthorized interrogation and possibly result in loss of the integrity and confidentiality of the stored identity information In particular, an effective security measure that Sony needs is a VPN or virtual private network for their e-mail servers, corporate servers, and all Sony internal intranets set up within the organization.

This will help internalize corporate data and allow them to take additional countermeasures to these VPNs to maximize Sony’s basic data protection. In addition to VPN, Sony will need to evaluate the type of firewall it uses and invest in a high security firewall that allows them to control the logs of monitored firewalls and increase the reliability of their network system. For Sony, Cisco Catalyst Firewall and Cisco Catalyst security systems require IPSec VPN VPN protection against two products of the same protective family that work effectively. It is a trusted security product that Sony will be offered for efforts and features such as voice, data and video support on the same platform.

Due to other unpublished films and data as well as personal email, PII and more, multimedia protection will be a good solution for Sony. VPN really helpful for protecting Sony’s on-premise data, but customers don’t need their data on Sony’s external pages. For customers and non-customers with a user account on the Sony website, they should implement a product that can provide an advanced customer authentication system and a notification system that notifies the customer if they have suspicious or unauthorized activity. Log out of the account that makes your choice, ie email, SMS notification via text. This additional protection for the user will help customers become active participants in the protection of their data.

A software product like Oracle Identity Manager would be a good choice for Sony to deploy it to websites and customer-centric systems to better protect all Sony users. Oracle Identity Manager can be used on both internal and end systems. This product offers several security features that help Sony protect the privacy of its users. It contains an authentication feature that is disabled in Administrator roles and applies a minimum authorization policy to all users when examining their authority for each request they make. It does not store any password in clear text format. If it does store it does only in encrypted form, so that even if its hacked it would be difficult to de-crypt it.

This combination of protective measures will allow Sony better control over their own data and cyber protection and assurance that all of their activity is being audited, monitored and tracked so that if things were to go awry, they’d have a starting point for finding resolution. Our team would also recommend the following security controls in order to help mitigate risk and help prevent future security breaches for Sony. Account Management: The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts periodically. Access Enforcement: The information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.

Information Flow Enforcement: The information system enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.  Remote Access: The organization documents, monitors, and controls all methods of remote access (e.g., dial-up, Internet) to the information system including remote access for privileged functions. Appropriate organization officials authorize each remote access method for the information system and authorize only the necessary users for each access method. AC-18 Wireless Access Restrictions: The organization: establishes usage restrictions and implementation guidance for wireless technologies; and documents, monitors, and controls wireless access to the information system. Appropriate organizational officials authorize the use of wireless technologies. AC-19: Access Control for Portable and Mobile Devices: The organization: establishes usage restrictions and implementation guidance for portable and mobile devices;

And documents, monitors, and controls device access to organizational networks. Appropriate organizational officials authorize the use of portable and mobile devices. Personally Owned Information Systems: The organization restricts the use of personally owned information systems for official U.S. Government business involving the processing, storage, or transmission of federal information. PE-2: Physical Access Authorizations: The organization develops and keeps current lists of personnel with authorized access to facilities containing information systems (except for those areas within the facilities officially designated as publicly accessible) and issues appropriate authorization credential. Designated officials within the organization review and approve the access list and authorization credentials.

Physical Access Control: The organization controls all physical access points (including designated entry/exit points) to facilities containing information systems (except for those areas within the facilities officially designated as publicly accessible) and verifies individual access authorizations before granting access to the facilities. The organization also controls access to areas officially designated as publicly accessible, as appropriate, in accordance with the organization’s assessment of risk. Access Control for Transmission Medium: The organization controls physical access to information system transmission lines carrying unencrypted information to prevent eavesdropping, in-transit modification, disruption, or physical tampering. Access Control for Display Medium: The organization controls physical access to information system devices that display information to prevent unauthorized individuals from observing the display output.

Monitoring Physical Access: The organization monitors physical access to information systems to detect and respond to incidents. Emergency Shutoff: For specific locations within a facility containing concentrations of information system resources, the organization provides the capability of shutting off power to any information technology component that may be malfunctioning or threatened without endangering personnel by requiring them to approach the equipment. Access Agreements: The organization completes appropriate access agreements for individuals requiring access to organizational information and information systems before authorizing access. These controls would help mitigate risk because they would control the flow of information and restrict access to only authorized personnel and make sure functionality is in line with only what is needed for proper usage and they will also aid in emergency shutoff procedures to make sure the system can be investigated to survey the damage.

Rules of Behavior: The organization establishes and makes readily available to all information system users a set of rules that describes their responsibilities and expected behavior with regard to information system usage. The organization receives signed acknowledgement from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to the information system. Privacy Impact Assessment: The organization conducts a privacy impact assessment on the information system. These controls make sure that everyone involved with the company understand the privacy implications that are associated with accessing and using the system, as well as the code of conduct that should be exercised while using the system, so as to cut down on possible insider attacks.

Risk Assessment: The organization conducts assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency.  Risk Assessment Update: The organization updates the risk assessment or whenever there are significant changes to the information system, the facilities where the system resides, or other conditions that may impact the security or accreditation status of the system. Vulnerability Scanning: Using appropriate vulnerability scanning tools and techniques, the organization scans for vulnerabilities in the information system or when significant new vulnerabilities affecting the system are identified and reported.

These security controls deal with the risk assessment aspects of the system, which will help mitigate risk because they will help determine how vulnerable the system is or could be, which in turn would help identify what measures could be taken to reduce those risks and vulnerabilities. Denial of Service Protection: The information system protects against or limits the effects of denial of service attacks. Transmission Integrity: The information system protects the integrity of transmitted information. Transmission Confidentiality: The information system protects the confidentiality of transmitted information. SC-11: Trusted Path: The information system establishes a trusted communications path between the user and the security functionality of the system. Cryptographic Key Establishment and Management.

The information system employs automated mechanisms with supporting procedures or manual procedures for cryptographic key establishment and key management. Use of Validated Cryptography: When cryptography is employed within the information system, the system performs all cryptographic operations (including key generation) using FIPS 140-2 validated cryptographic modules operating in approved modes of operation. Public Access Protections: For publicly available systems, the information system protects the integrity of the information and applications. Collaborative Computing: The information system prohibits remote activation of collaborative computing mechanisms (e.g., video and audio conferencing) and provides an explicit indication of use to the local users (e.g., use of camera or microphone).

IA-2: User Identification and Authentication: The information system uniquely identifies and authenticates users (or processes acting on behalf of users). Device Identification and Authentication: The information system identifies and authenticates specific devices before establishing a connection. Identifier Management: The organization manages user identifiers by: uniquely identifying each user;  verifying the identity of each user; receiving authorization to issue a user identifier from an appropriate organization official; ensuring that the user identifier is issued to the intended party; disabling user identifier after a period of inactivity; and  archiving user identifiers.Authenticator Management: The organization manages information system authenticators.

By defining initial authenticator content;  establishing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators; and changing default authenticators upon information system installation. IA-6: Authenticator Feedback: The information system provides feedback to a user during an attempted authentication and that feedback does not compromise the authentication mechanism. These controls help mitigate risk because they focus on system and user authentication, which is essential in this case to make sure everyone and everything is vetted properly, in order to reduce the instances of breaches happening again, both from an insider and outsider perspective.

Incident Response Training: The organization trains personnel in their incident response roles and responsibilities with respect to the information system and provides refresher training.  Incident Response Testing: The organization tests the incident response capability for the information system using organization-defined tests and exercises to determine the incident response effectiveness and documents the results. Incident Handling: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. Incident Monitoring: The organization tracks and documents information system security incidents on an ongoing basis. Incident Reporting.

The organization promptly reports incident information to appropriate authorities. Incident Response Assistance: The organization provides an incident response support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents. The support resource is an integral part of the organization’s incident response capability. These controls will help mitigate risk because they focus on the aspects of how to deal with incidents and the measures that need to be put in place after an attack as occurred, as well as how you monitor things in real-time as they are occurring. Finally, how to close out incidents after they are resolved.