TABLAZON, MATTHEW I.

116109, M61 IT6

I.

EXECUTIVE SUMMARY

Sony Pictures Corporation, a subsidiary of its parent company headquartered

in Tokyo, Japan, has been experiencing financial crisis over the past five (5)
years. The company, headed by Michael Lynton, admittedly said to a friend
through an email that he personally is having a hard time leading the
company in boosting profits. They were not able to meet projected revenues
from several movies, namely, The Amazing Spiderman, The Amazing
Spiderman 2, and the comedy movie Sex Tape. Meanwhile, Studio Chief Amy
Pascal was scavenging for a hit movie that will somehow turn the companys
future around from its upsetting financial performance and found Seth Rogen
and his producer Paul Goldberg making the movie The Interview. On
November 24, 2014, the company suffered from a tremendous cyberattack
which shocked American companies throughout the country especially the
company itself. It took Sony Corp. to get back up to its feet for roughly four
(4) months since the attack.

The company then asked for help from the FBI and some other firms that
offer cybersecurity services. During the investigation, firms and other
knowledgeable individuals commented that Sonys cybersecurity was weak
Page | 1

enough to leave the companys digital information into the hands of average
hackers. Norse Corp., a small threat-intelligence firm based in Silicon Valley
visited the companys site and found it unsecured, leaving all its information
vulnerable to any disguised person to enter the premises.

In its attempt to identify the perpetrator, with the close release of its movie
The Interview, depicting the assassination of North Koreas current leader,
Kim Jong-un, which then concluded by the FBI that it was the North Koreans
who attacked the company citing similar attacks to what had happened to
South Koreas digital infrastructure in 2009 known as DarkSeoul.

II.

STATEMENT OF THE PROBLEM

Michael Lynton, CEO of Sony Pictures Entertainment at that time has been
having a hard time leading the company from its pitiful financial performance
over the past five (5) years, he said to a friend. Due to consecutive
disappointed earnings from famous franchised movies, the company had
been suffering losses over the years. Lynton faced a much bigger problem
when hackers attacked his companys digital data on November 24, 2014.
Clueless of what hit them, they told the public that they see themselves as a
blameless victim.

Page | 2

Ideally, huge companies such as Sony Pictures Entertainment should have

highly sophisticated cyber defenses to protect themselves from hackers who
continually

seek

to

intrude

and

collect

information

from

significant

companies. But that was not the case to Sony Pictures. When Norse Corp.s
team visited the companys site to assess its cybersecurity 21 days before
the attack, the team found it very susceptible for unauthorized persons
intruding the place. Also, leaving the computers operating and logged in
without anyone to watch over the place, anyone could disguise and invade
the site easily. Sonys traditional virus-detection software has left the
company unprotected for its database only identifies previous threats. J. Alex
Halderman, a computer science professor at University of Michigan
commented that corporate networks should have had detection software
that can identify unusual activities within the network. Kevin Mandia, a
forensic expert, COO of FireEye, cybersecurity vendor, came up with the
statement that the hackers patiently copied company data over several
weeks from various company servers to attackers controlled locations. Sony
did not employ two-factor verification as well. Furthermore, earlier before the
attack, Sony made a movie with Seth Rogen and his producer Paul Goldberg,
The Interview, depicting the assassination of North Koreas current leader
Kim Jong-un. Being warned by experts to strengthen cyber defenses because
North Korea has an army of cyber warriors, Sony instead pulled out
marketing plugs that they think might cause conflicts with the North Korean
government.
Page | 3

As the company struggles through rough waters in its attempt to please its
investors in making more money in the future, Sony then proceeded with the
movie anyway. It was released on Christmas day, 2014. It had a hard time
launching the movie due to the hack that had occurred which caused
postponements of its release and refusal of theatres and online movie rentals
due in their fear of being the next victim of the hack.

III.

CAUSE OF THE PROBLEM

Due to its lack of security from its physical site to its IT infrastructure, the
perpetrators had found it easily to penetrate Sonys entire network.
Hence, leaving them vulnerable even to an average hacker, Ed Skoudis
commented, a white hat hacker. The company has had weak to average
cyber security controls to its information from its employee records, top
executives

email

exchanges,

unreleased

movies,

to

its

financial

information and future plans. Sony had not adopted the most recent cyber
security software that could potentially detect intrusions within the
network, they had not adopted a two-factor authentication to at least
make it difficult to hackers to penetrate personal information of their
employees in fear of a costly investment in cybersecurity rather than
seeing to it as a beneficial factor in future times.

Page | 4

With its profit continuously declining over the past seven years for
disappointed expected earnings from costly franchised movies, David
Loeb, a hedge fund investor of Sony said that the company is poorly
managed and badly positioned for the future.

IV.

DECISION CRITERIA AND ALTERNATIVE SOLUTIONS

Elements to consider in to come up with an alternative solution in this

case would be the Cost to implement upgrading, The Risk the company
can take, and the Time it will take to take effect. Its hard to say its easy
to maintain such a huge company network in putting up a lot of security
measures without considering its cost but it will also be beneficial in the
long run, especially, the recurrence of the hack that had happened last
year. Also, another decision criteria that we can consider is the risk that
comes along with it. Inversely related to the cost of investment you are
willing to put up to your cyber defense security. Not going for an upgrade
leads will lead the company to a higher risk in future intrusions of
companys data that might be more devastating than that of the hack
that had happened. At the same time, placing the company last in line as
to its competitive advantage in the industry it plays. However, putting up
with current security systems to enhance defenses of the companys
enormous data, though costly, promises the company a lower risk level
preventing future intrusions of outside entities. Lastly, the time it will take

Page | 5

to do the upgrade. Though an upgrade can be time consuming, yet it will

still be beneficial in the long run being able to prevent intrusions from
hackers.

V.

RECOMMENDED SOLUTION, IMPLEMENTATION AND JUSTIFICATION

As to recommendation of solution to such a problem, the best course of

action would be to build a clean network and start from there. Emails be
backed up shortly after being able to start with the clean slate network.
Measures in software installations and authorizations be set up requiring
only a specific administrator to access a particular area in the system that
is part of or required of his job. The company should as well adopt that
suggested two-factor authentication (log-in) process for employees.
Firewalls be set up for the most restrictive settings and embrace an array
of next generation cyber defense technologies.

VI.

EXTERNAL SOURCES
https://en.wikipedia.org/wiki/Sony_Pictures_Entertainment_hack
https://www.riskbasedsecurity.com/2014/12/a-breakdown-andanalysis-of-the-december-2014-sony-hack/
http://www.vox.com/2014/12/14/7387945/sony-hack-explained
http://fortune.com/sony-hack-part-1/

Page | 6

http://www.thewrap.com/11-sony-hack-shockers-from-explosivefortune-magazine-cover/

Page | 7