A Cyber Risk Mitigation Strategy for Sony Assignment
Paper details
This module (see attached file: HAR CYB M8 U2 Notes, HAR CYB M8 U1 Video
Transcript) focused on the importance of risk mitigation and the value companies can
derive from implementing a risk mitigation strategy to improve organizational
resilience and manage risks effectively. This assignment requires you to complete a
cyber risk mitigation strategy that Sony should have followed in light of the 2014
hack.
NOTE: I can also send any notes from previous modules if required.
Brief
Note:
The word counts for each question serve as a guide; your submission should not
exceed 4,500 words in its entirety.
1. Introduction
Write a brief paragraph in which you provide a high-level overview of Sony’s need for
a risk mitigation strategy. (150 words)
List at least four strategic goals Sony must achieve to reduce its risks to an
acceptable level. List at least two objectives under each strategic goal that explain
what must be done to achieve the strategic goal. (450 words)
Note: A thorough risk mitigation strategy should include associated action plans and
milestones, but you are not required to detail these for the purposes of this
submission.
4. Metrics
List at least three metrics Sony will use to analyze the achievement of its
goals/objectives. These metrics should be specific to the goals/objectives listed in
the previous question. (150 words)
Note:
Include refined versions of your previous submissions in the sections below. Where
relevant, incorporate any feedback from your Tutor, as well as additional knowledge
gained during the course to improve on your previous submissions. – See attached file
– M2Assignment.docx
5. Threat actors and methods of attack
7. Cybersecurity governance
Integrate the three questions from your submission in Module 4 (see attached file: M4-
Assignment), in which you recommended a cybersecurity leadership plan,
improvements to management processes, and a cybersecurity awareness training
program. (1,200 words)
8. Protective technologies
Note:
This question requires you to submit a paragraph consolidating the information you
learned, and is not a resubmission of the questions you submitted in Module 5.
9. Legal considerations
Note:
This question requires you to submit a paragraph consolidating the information you
learned and is not a resubmission of the questions you submitted in Module 6.
Your ongoing project submission will be graded according to the following rubric:
Introduction and vision
Criterion: Student has clearly outlined the need for their risk mitigation strategy, and what it aims to achieve by implementing the strategy. Student has thought critically and incorporated learnings from the content.
Score 0: No submission. OR Student fails to clearly outline the need for their strategy or its long-term vision. There is no evidence that the student has used the content covered in the course to inform their response.
Score 5.5: Student shows an incomplete understanding of the need for their strategy, or its long-term vision. There is some evidence that the student has engaged with the content covered in the course but this is not always accurately applied.
Score 7: Student demonstrates satisfactory understanding of the need for their strategy, and its long-term vision. The student has clearly engaged with the content covered in the course, but a more nuanced answer is required.
Score 8.5: Student demonstrates a strong understanding of the need for their strategy, and its long-term vision. The answer shows a strong grasp of the content.
Score 10: Student demonstrates a thorough and incisive understanding of the need for their strategy, and its long-term vision. The student has been able to critically apply their learning from the course.
Strategic goals and objectives
Criterion: Student has outlined at least four strategic goals that will reduce their organization’s risks to an acceptable level. They have included at least two objectives that clearly explain what must be done to achieve each goal. Student has thought critically and incorporated learnings from the content.
Score 0: No submission. OR Student fails to clearly outline their strategy’s goals and objectives. There is no evidence that the student has used the content covered in the course to inform their response.
Score 5.5: Student shows an incomplete understanding of their strategy’s goals and objectives. There is some evidence that the student has engaged with the content covered in the course but this is not always accurately applied.
Score 7: Student demonstrates satisfactory understanding of their strategy’s goals and objectives. The student has clearly engaged with the content covered in the course, but a more nuanced answer is required.
Score 8.5: Student demonstrates a strong understanding of their strategy’s goals and objectives. The answer shows a strong grasp of the content.
Score 10: Student demonstrates a thorough and incisive understanding of their strategy’s goals and objectives. The student has been able to critically apply their learning from the course.
Metrics
Criterion: The student has listed at least three metrics their organization could use to measure the achievement of their goals, and the metrics are specific to the goals/objectives identified. Student has thought critically and incorporated learnings from the content and has applied this to their chosen organization.
Score 0: No submission. OR Student fails to list three metrics their organization could use to measure their cybersecurity. The metrics are not specific to the goals/objectives identified. There is no evidence that the student has used the content covered in the course to inform their response.
Score 5.5: Student shows an incomplete understanding of metrics their organization could use to measure its cybersecurity. The metrics lack relevance to the identified goals/objectives. There is some evidence that the student has engaged with the course content, but this is not always accurately applied.
Score 7: Student demonstrates satisfactory understanding of the metrics their organization could use to measure its cybersecurity and they are relevant to the goals and objectives identified. The student has clearly engaged with the course content but a more nuanced answer is required.
Score 8.5: Student demonstrates a strong understanding of the metrics their organization should use, and they are specific to the goals/objectives identified. The answer shows a strong grasp of the content.
Score 10: Student demonstrates a thorough and incisive understanding of the metrics their organization can use, and they are specific to the goals/objectives identified. The student has been able to critically apply their learning from the course.
M2 ASSIGNMENT
1. Question
In this module, you were introduced to three notable types of threat actors that have
emerged from the cyber landscape as threats to organizations’ cybersecurity, namely
nation states, cyber criminals, and insiders. You were also introduced to the methods
of attack these threat actors most commonly employ, and the types of sectors they
target.
In this ongoing project submission, you are required to complete the first part of your
risk mitigation strategy by identifying and analyzing potential threat actors to your
organization, or Sony.
Sony:
The Sony case study provides a foundation on which to base your ongoing project;
however, you are encouraged to conduct further research to engage with the nuances
of the case and to reinforce your reasoning. You can find the Sony case study in Unit 2
of the Orientation Module or in this module’s Downloads folder. Address the following
points in your analysis:
Identify the threat Sony faced in the 2014 hack, and explain their motives. Explain
whether or not you think the aspects of Sony’s sector made it vulnerable to the threat
you have identified.
Offer an explanation of the methods of attack the threat actor employed to breach its
cybersecurity, and justify your reasoning.
Describe a scenario of what method of attack at least one other type of threat actor
could use in the future, and why.
2. Answer:
In 2014 the multimedia company Sony released the movie “The Interview”, starring
Seth Rogen and James Franco, in a story involving the assassination of North Korean
leader Kim Jong Un. As a result, the North Korean government expressed disapproval
of the announced release of the movie. It is widely reported that the North
Korean government was also directly involved in the hack of Sony’s systems and
databases during October and November of 2014 (Harvard, 2018). The hacks were of
significant importance because they directly affected the decision to cancel the
release of the movie, in addition to imposing enormous costs on the company as a
whole.
As a multimedia company with significant stakes in many countries around the world,
Sony has always been a security target. It is also worth mentioning that Sony has had
multiple breaches in the past, which has perhaps established the company as one that
is not as diligent about its security policies and practices as it should be. Sony was
also a prime target for a foreign actor such as North Korea because it could be used as
a demonstration of the hacking capabilities that the attackers had in terms of
breaching other major US companies. Therefore, the issue was not only of concern to
the IT sectors but to international defenses as well.
The attack on Sony was wide-ranging in scope, which was achieved through
long-term strategy and planning. This means that the hackers essentially used
malware tools to implant listening devices that captured sensitive internal
data within Sony’s framework. It is also possible that the hackers had help from the
inside (Smith, 2014). The total duration of the hack is estimated to have been at
least two months, although this is still a matter of uncertainty.
Due to the scope of Sony’s internal infrastructure, the hackers decided to use viruses,
malware, and other types of discreet listening tools. This was the only way to avoid
detection over a longer period of time, and it ultimately proved successful. However,
what is more important to mention is that the hackers reportedly gained access to
Sony’s internal infrastructure physically. This means that hackers entered Sony’s
facilities in person and used physical methods to implant malware and spying
devices. For instance, a key password was reportedly stolen from someone working in
Sony’s IT sector. The password essentially provided the hackers with full access to Sony’s
internal administration systems (Bort, 2014). Furthermore, this allowed the hackers to
easily install whatever malware tools were necessary and which would avoid
detection.
Another method of attack that could be used by another threat actor is phishing. The
attacker could potentially send well-designed phishing emails that would prompt users
to give out their credentials. There is always a likelihood that such an attack would
be employed because it has already worked in the past with high-profile politicians.
BIBLIOGRAPHY
Bort, J., 2014. How The Hackers Broke Into Sony And Why It Could Happen To Any Company [WWW Document]. Business Insider. URL https://www.businessinsider.com/how-the-hackers-broke-into-sony-2014-12
Smith, M., 2014. Sony Pictures hackers reportedly had help from insiders [WWW Document]. CSO Online. URL https://www.csoonline.com/article/2851927/sony-pictures-hacked-by-guardians-of-peace-with-help-from-insiders.html
M4 Assignment
Brief
Question 1
Drawing on your learnings from this module, explain the organization’s governing
structure, and its approach to cybersecurity (as detailed in its policies and, where
possible, observed in practice). If you are focusing on Sony, you may extrapolate the
formal roles from the data available (in the case study and from your own research) and
contrast this with what was observed.
Based on your substantiation above, recommend changes that should be implemented
and, if applicable, propose a new cybersecurity leadership plan that addresses its
shortcomings.
Answer:
Leaders of organizations, such as CEOs, CIOs, CSOs, and CTOs, are central in
spearheading cybersecurity issues within organizations (Creery and Byres, 2005, p.
305). Leaders should also be receptive to dialogues with their workforces and need to
be well aware of the organizational culture and how it is applied among workers
within the organization since it is the leaders who set the tone and values of the
culture in the organization. Lastly, leaders should also be well educated and aware of
the different roles technology plays, and how it can impact people in multiple
aspects.
Question 2
Evaluate whether the management processes utilized by your organization are sufficient
to ensure good cybersecurity governance; and
Based on your substantiation above, recommend management processes for
implementing a cybersecurity governance plan.
Evaluate why the management processes utilized by Sony were insufficient to ensure
good cybersecurity governance; and
Based on your substantiation above, recommend management processes that would
have addressed Sony’s shortcomings in implementing a cybersecurity governance plan
and should be adhered to going forward.
Answer:
Sony’s failure to organize efficiently can be explained through its failure to have
proper frameworks in place in terms of governance. In the first place, the leaders of
the organization failed to create and instill an organizational culture that promoted
cybersecurity awareness. In other words, the top management positions failed to be
properly educated about cybersecurity risks and consequently failed to promote this
understanding within the organization (Ashford, 2014). Another issue was the lack of
an individual that was solely tasked with managing cybersecurity. Instead, Sony’s
organization had a structure resembling a government, where security officers would
look at all aspects of perceived risks and threats from cybersecurity attacks (Ten Liu
and Manimaran, 2008, p. 1840).
Sony also failed to realize the importance of not only designing a cybersecurity
culture but also making sure that the workforce was in tune with it. Another failure
on Sony’s part was that it failed to prepare itself with a clear system of procedures in
the event of a cyber-attack. There were no proper channels of communication, and
there were no clear policies and processes that were prescribed for such events.
Although Sony may have focused on its overall desires in terms of security
frameworks, it ultimately failed to implement any of them successfully.
Question 3
Unit 3 focuses on the importance of keeping an organization’s cybersecurity
awareness updated. To do so, the notes described the types of security awareness
training that are available and the topics that should ideally be included in training
programs. In your answer, address the following:
Your outline of the training program should cover the following three aspects:
Each aspect should be accompanied by reasons for your choices based on the
organization’s context and needs.
Note:
The word counts for each question serve as a guide; your submission should not
exceed 1,200 words in its entirety.
Answer:
Topics included in the training program: Physical devices can be used to ensure that
employees store their security information on gadgets that are set up by Sony’s
cybersecurity team. Therefore, awareness training topics can also include education
and knowledge about how these gadgets are used, and how essential they are for the
organization. For instance, mobile phone devices are always susceptible to hacking
attacks, meaning that the organization can institute mandatory switching of devices
before going to work, thereby making sure that all devices and gadgets within the
organization are approved and protected by Sony’s overall cybersecurity framework.
Nonetheless, employees would still be held accountable for any losses of data or
devices, but it would be much easier to monitor and control any breach points.
The program owners also need to ensure that all stakeholders of their organization
are made aware of cybersecurity awareness training programs, and are capable of
supporting the goals and cybersecurity applications. Finally, significant effort needs
to be invested in making sure that the proper training initiators are contracted,
meaning that they need to be assessed not only according to their skills but also to
their backgrounds in terms of trust and security (Ten, Liu and Govindarasu, 2007, p.
5).
References
Ashford, W., 2014. Sony hack exposes poor security practices [WWW Document]. Computer Weekly. URL https://www.computerweekly.com/news/2240236006/Sony-hack-exposes-poor-security-practices (accessed 3.14.19).
Creery, A. and Byres, E.J., 2005, September. Industrial cybersecurity for power system and SCADA networks. In Record of Conference Papers Industry Applications Society 52nd Annual Petroleum and Chemical Industry Conference (pp. 303-309). IEEE.
Ten, C.W., Liu, C.C. and Govindarasu, M., 2007, June. Vulnerability assessment of cybersecurity for SCADA systems using attack trees. In 2007 IEEE Power Engineering Society General Meeting (pp. 1-8). IEEE.
Ten, C.W., Liu, C.C. and Manimaran, G., 2008. Vulnerability assessment of cybersecurity for SCADA systems. IEEE Transactions on Power Systems, 23(4), pp. 1836-1846.
Tosh, D., Sengupta, S., Kamhoua, C., Kwiat, K. and Martin, A., 2015, June. An evolutionary game-theoretic framework for cyber-threat information sharing. In 2015 IEEE International Conference on Communications (ICC) (pp. 7341-7346).
Brief
Question 1
In Module 3, you were introduced to the critical systems, networks, and data that
organizations depend on to achieve their business goals. In this module, you explored
the various types of security technologies that are designed to protect organizations’
critical systems, networks, and data. For this online activity submission, you are
required to combine information from both Module 3 and Module 5 to answer the
following questions:
Based on the Module 3 ongoing project, provide a brief overview of the critical systems,
networks, and data your organization (or Sony) depends on. (Approx. 150 words)
Using your learnings from the Module 5 Unit 3 Notes, and your input from the small
group discussion forum, compile 10 questions you would direct to the chief information
officer (CIO), chief information security officer (CISO), or chief technology officer (CTO)
in your organization (or Sony) to understand the technologies that have been or should
be implemented to protect critical systems, networks, and data. (Approx. 500 words)
Answer:
Overview of the critical systems, networks, and data that Sony depends on.
Sony Inc. is a multimedia company that deals with diversified products and services.
Its vital systems consist of mission-critical systems, business-critical systems,
and safety-critical systems. As such, the company has different critical systems
including movie production software and connected devices, servers, client
credentials and much more. The essential network systems include the network
servers and the Sony website. These systems form the core function of communication and
data sharing with clients and other businesses, as well as making transactions. Critical
data consist of client credentials, stored movies and pictures, sales records and
more. Also important are the staff data and financial transactions. It is essential to
point out that a compromise of the security of any of the above critical systems,
networks, and data can lead to both financial loss and a tarnished reputation for the
company.
Context – The company has the responsibility to keep its systems and client data safe.
It is also a legal requirement. In so doing, the company will be responding to previous
threats and controlling future attacks.
Context – This is because there are various standards under which data are protected,
such as the General Data Protection Regulation. As such, this question informs on the
multiple measures Sony adheres to in ensuring cybersecurity.
5. What type of technologies does Sony use to protect its critical functions?
Context – It is essential to know the CISO’s opinion given the enormous investment
dedicated to its cybersecurity. The company has a responsibility to assure safety to its
clients.
7. Do you consider internal threats, and which control measures do you have in
place?
Context – Besides external threats, internal threats are also present and
should be controlled. In essence, some external threats have an insider connection or
vulnerability. It is a practice in cybersecurity to have security measures both internal
and external.
9. Should an attack or threat occur, which mechanisms are put in place to ensure
the company continues with its critical mission?
Context – The question is in the context that the organization is supposed to have
installed recovery systems. Besides, the data stored in the systems are sensitive if
lost. The response to a threat is critical to ensuring the minimal occurrence of
subsequent risks.
Context – This question is essential for compliance with ISO 27001:2013,
which requires an independent review of the information security controls of an
organization. In essence, because of the sensitivity of the data, systems, and
networks, continuous audit is necessary to patch vulnerabilities.
M6 ASSIGNMENT
Question 1
Throughout this module, you have been introduced to the legal considerations
associated with cybersecurity. The goal of this module is not to make you a lawyer or
an expert on privacy and cybersecurity law, but to help you understand the
importance of mitigating litigation risk.
Using what you learned from the module, and from the input in the small group
discussion forum, compile a set of 10 questions that you would direct towards an
organization’s senior management and legal counsel in order to gauge the
organization’s legal risk mitigation strategy and the adequacy of their preparations.
Ensure that your questions clearly relate to the legal and compliance risks that are
relevant to the organization’s context.
Answer:
Below are the 10 questions that I would ask Sony’s Executive team as well as their
Legal Counsel team.
1. How does the organization control the relationship between the processor and the
controller? Context: the GDPR has provided the required protocols that are needed to
be followed by the two parties (M6notes, N.D). The contractual process provides both
parties with the ability to go over the term of their relation. However, with the current
trends in cybersecurity, it has become a matter of concern and it is essential to
understand the privacy policy between the two parties and the liability in case of a
breach.
2. In the case of infringement, who takes the responsibility between the organization
and the vendor? Context: most of the third parties have access to the organization’s
data, and it could prove to be detrimental in the case of a breach (M6notes, N.D). The
Target incident saw the hackers target the vendor to launch malware. Hence it is vital
to comprehend who the blame falls on in the case of a breach.
3. Under which circumstances are third parties held liable? Context: different
industries have specific measures regarding the third parties. For instance, the
guidelines set by HIPAA regulate the terms of health facilities (M6notes, N.D).
Therefore, it is essential to comprehend if all industries have similar regulatory bodies.
4. What would happen if the insurance is unable to cover the risk? Context: in the case
of a breach the organization covers the cost with the insurer (M6notes, N.D). However,
the clause does not stipulate what would happen in the case that the insurer finds the
company to be liable.
5. When an organization is going public, is it required to disclose its data? Does
the process put the organization in harm’s way? Context: the securities exchange
requires an organization to disclose some confidential information, such as the
number of risks (M6notes, N.D). In so doing, the investors would remain assured of their
investment. Nonetheless, the protocol does not provide for the extent of the
information to be disclosed.
6. Which policies has the organization implemented to overcome the challenges of
jurisdiction? Context: China has set up various policies regarding its cyberspace
(M6notes, N.D). Over the years, the plans continue to evolve as it has provided some
terms and conditions that attract fines. Thus, it is essential to understand the scope of
organization policies.
7. Do the policies set up by the United States apply to other countries? Context: while
in the United States, the organization is required to be conversant with the laws
implemented by the country (M6 video, N.D). Nonetheless, each state has created its
own policies, which do not articulate their sphere of influence. Therefore, it is essential
to have a grasp of where the laws of individual countries have a similar impact on
countries with which they have ties.
8. Under what circumstances can the organization consider settling a case? Context:
the federal trade commission’s act has stipulated the types of losses (M6 video, N.D).
Some of the consumers may use deceptive practices to gain compensation. As a result,
some organizations would prefer to settle to avoid having the reputation tarnished.
9. How does the company specify the compensation procedure? Context: In the case of
a breach there are various categories of people that the organization has to consider,
from large organizations to the federal state (M6 video, N.D). Furthermore, there is
an extensive list of people waiting for the chance to sue the organization. In such
circumstances, it is essential to understand the procedures undertaken.
10. Which procedures does the organization take to mitigate risks? Context: in the case
of a cyber-security breach, the organization cannot minimize their risk to zero (M6
video, N.D). The statement implies that breaches in cybersecurity are to be expected
since systems cannot be completely efficient. However, organizations have to take
specific steps to ensure that they can foresee the problems.
List of References