Free Sony hack case study
We have just published our security awareness case study on the Sony hack under a Creative Commons license.
The information sources are fully cited and referenced in the materials – all public domain stuff and no special inside-track from Sony I’m afraid*, hence there are probably errors and certainly omissions … and yet nevertheless this was a remarkably instructive incident touching on an usually wide range of information security topics.
One aspect that stands out for me is that, since information is Sony’s lifeblood, information risks arebusiness risks. Regardless of whether the North Koreans were or were not behind the hack, management’s strategic decision to press ahead with The Interview undoubtedly affected Sony’s information risk profile. Their strategic approach towards information and IT security has been implicated in several major infosec incidents over the years. There are lessons here about governance, risk management and security strategy.
The ongoing incident management and business continuity aspects are also interesting. The Sony hack may no longer be all over the news but (as far as I know) we have yet to discover how they ultimately responded to the extortion demands, and whether the FBI are homing-in on the culprits. Meanwhile, Sony recently had to ask for a special dispensation to miss a critical business reporting deadline as a result of the disruption caused to its systems and processes. It’s not hard to imagine the internal turmoil behind their relatively calm public statements.
* Hey, wouldn't it be good to have the information security equivalent of the official air accident investigations or public inquiries into other types of major incident i.e. a thorough, detailed examination of the facts by highly competent, diligent and independent experts with unrestricted access to the necessary information, leading to a public report with sound improvement recommendations to help us all avoid falling into the same traps? ...