Case study 9

profileneelpatel
CaseStudies1.pdf

6/21/22, 1:08 PMCase Studies

Page 1 of 8https://ebooks.cenreader.com/api/v1/reader/stream/4da6eefb-47ed-4323-8856-9a5206b5adac/2/content/bd_ch_09_closer_10.html

Case Studies

Case One Fairplay Turns to a Managed Security Service Provider

Fairplay Finer Foods is an independent grocery retailer that operates in the greater

Chicago area. From its beginning, Fairplay’s mission has been to provide quality foods

at an affordable price along with exceptional customer service. Starting with a single

store in 1975, Fairplay has since grown to seven locations. The opening of each new

store led to increased sales and attracted new customers; however, expansion also

raised new information system needs as well as information security risks.

Due to its size, it was not practical for Fairplay to create and run its own information

systems organization, so it contracted with KCS Computer Technology, Inc., to provide

these services along with the necessary computer hardware and systems. One of KCS’s

key accomplishments for Fairplay was to implement and manage a corporate network

that the grocery chain uses to run applications and communicate across all of its stores.

Another important area of focus for KCS involved helping Fairplay manage issues

related to the Payment Card Industry Data Security Standard (PCI DSS). Retailers

accepting credit cards and other forms of electronic payment are required to comply with

the PCI DSS. The PCI DSS standard ensures that businesses follow best practices for

protecting their customers’ payment card information. A strong desire to ensure

Book Title: eTextbook: Fundamentals of Information Systems Chapter 9. Cybercrime and Information System Security Case Studies

6/21/22, 1:08 PMCase Studies

Page 2 of 8https://ebooks.cenreader.com/api/v1/reader/stream/4da6eefb-47ed-4323-8856-9a5206b5adac/2/content/bd_ch_09_closer_10.html

compliance with the PCI DSS standard and concern over potential network security

issues led Fairplay and KCS to seek out a managed security service provider (MSSP).

After a thorough investigation, Fairplay and KCS selected ControlScan, an MSSP

headquartered in Atlanta, based on its simple pricing model, stable of certified security

experts, advanced technology, and solid reputation. As part of its contract with Fairplay,

ControlScan agreed to serve as an extension of KCS, delivering cloud-based security

technologies and related security support services, including:

Installing, configuring, and monitoring a system of next-generation firewalls

Investigating, responding to, and reporting on security-related events

Providing network usage reports for insights into company resource utilization

Upgrading the network on an ongoing basis by implementing the latest security

enhancements

Providing expertise to reduce network complexity and contain network-related

costs

ControlScan’s initial action was to install next-generation firewall appliances to protect

each of Fairplay’s locations. This work was completed overnight in a single night to

minimize business disruption. ControlScan then conducted a thorough PCI gap analysis

to compare current Fairplay security controls with those required by the PCI DSS.

ControlScan developed a detailed set of recommendations and options for eliminating

the gaps; thus, giving Fairplay management a roadmap to achieve full PCI DSS

compliance. Finally, ControlScan did a full review of all of Fairplay’s existing information

6/21/22, 1:08 PMCase Studies

Page 3 of 8https://ebooks.cenreader.com/api/v1/reader/stream/4da6eefb-47ed-4323-8856-9a5206b5adac/2/content/bd_ch_09_closer_10.html

systems and security policies, working with the chain’s IS staff to tweak and customize

policies where necessary.

Critical Thinking Questions

1. What advantages does use of an MSSP offer a small retailer like Fairplay? Can you think of

any potential drawbacks of this approach? Is there a danger in placing too much trust in the

use of an MSSP? Explain?

2. Data breaches at major retailers, such as Neiman Marcus, Target, and others, in recent years

have shown that compliance with the Payment Card Industry Data Security Standard (PCI

DSS) is no guarantee against an intrusion (see Vijayan, Jaikumar, “After Target, Neiman

Marcus Breaches, Does PCI Compliance Mean Anything?,” ComputerWorld, January 24,

2014). If you were a member of Fairplay’s management team, what additional actions would

you take to ensure your customer’s credit card data is not stolen?

3. Do research on the Web to gain insight into the evolution of the PCI DSS standard. What

major changes were made in moving from PCI 2.0 to PCI 3.0? What changes are being

suggested for future versions of the PCI standard?

SOURCES: “About Fairplay,” Fairplay, www.fairplayfoods.com/about, accessed April 12, 2016; “KCS Computer Technology,” KCS Computer Technology, Inc., www.kcstech.com, accessed March 12, 2016; “Fairplay Finer Foods Secures Chain Stores with ControlScan Managed Security Services,” ControlScan, www.controlscan.com/fairplay-finer-foods-secures-chain-stores-with-c ontrolscan-managed-security-services, accessed April 12, 2016; “PCI Facts,” PCI Compliance Guide, www.pcicomplianceguid e.org/pci-faqs-2/#1, April 12, 2016.

Case Two Sony’s Response to North Korea’s Cyberattack

On November 24, 2014, employees of Sony Pictures Entertainment booted up their

computers to find an image of a skull along with a message from a group calling itself

6/21/22, 1:08 PMCase Studies

Page 4 of 8https://ebooks.cenreader.com/api/v1/reader/stream/4da6eefb-47ed-4323-8856-9a5206b5adac/2/content/bd_ch_09_closer_10.html

the Guardians of Peace. The message read: “We’ve already warned you and this is just

the beginning. We’ve obtained all your internal data including your secrets and top

secrets [which will be released] if you don’t obey us.”

As Sony would eventually discover, the hackers had stolen reams of sensitive data,

including the Social Security numbers of 47,000 current and former employees, system

passwords, salary lists, contracts, and even copies of some Sony employees’ passports.

The hackers accessed hundreds of Outlook mailboxes as well as Sony IT audit

documents. They also stole media files and placed pirated copies of five of Sony’s

movies on illegal file-sharing servers. Sony was forced to completely shut down its

information systems in an attempt to stem the data breach. Ultimately, Sony would

determine that the damage done by the hackers was far more extensive than it first

believed. Not only had data been stolen, but 75 percent of the company’s servers had

been destroyed and several internal data centers had been wiped clean.

Contacted within hours of the event, the FBI soon identified the culprit. In June, several

months before the hack, North Korea’s Ministry of Foreign Affairs had declared that it

would take “a decisive and merciless countermeasure” if the U.S. government did not

prevent the planned release of Sony’s motion picture The Interview, which features two

reporters who venture to North Korea to interview and assassinate the country’s dictator,

Kim Jong-un. In the film, the main character, initially won over by the dictator’s apparent

kindness, discovers that the tyrant is lying about the country’s prosperity and freedoms.

The plot, along with the movie’s unflattering portrayal of the dictator as ruthless and

childish, had caught the attention of the North Korean government.

The U.S. government disclosed that it had proof that the North Koreans had made good

6/21/22, 1:08 PMCase Studies

Page 5 of 8https://ebooks.cenreader.com/api/v1/reader/stream/4da6eefb-47ed-4323-8856-9a5206b5adac/2/content/bd_ch_09_closer_10.html

on their threat. The U.S. National Security Agency (NSA) had reportedly penetrated the

North Korean cyberwarfare unit four years prior to the attack and had been monitoring

its capabilities since then. After Sony alerted the FBI of the attack, the NSA was able to

trace the attack back to North Korea, using a digital fingerprint the hackers had left in

the malware. Several weeks after the attack, FBI Director James Comey, revealed in a

speech that the Sony hackers had been sloppy. “We could see that the IP [Internet

protocol] addresses that were being used to post and to send the emails were coming

from IPs that were exclusively used by the North Koreans.”

The hackers warned Sony not to release The Interview, and then on December 16, the

group issued a message threatening large terrorist attacks on theaters that showed the

film. The National Organization of Theatre Owners contacted the Department of

Homeland Security for information and advice. The FBI and NSA released a bulletin

explaining that they had no credible information about a plan to attack theaters, but they

could neither confirm nor deny whether the hackers had the ability to launch such an

attack. Shortly after the bulletin was released, the four largest U.S. theater chains

withdrew their requests to show the movie—Carmike Cinemas first, followed by Regal

Entertainment, AMC Entertainment, and Cinemark. Within hours, Sony announced that

it had canceled the film’s release. White House officials, Hollywood personalities, and

the media were aghast. Comedian Jimmy Kimmel tweeted that the decision by the

major theater chains to refuse to screen The Interview was “an un-American act of

cowardice that validates terrorist actions and sets a terrifying precedent.”

On December 19, President Obama addressed the issue publicly: “Sony is a

corporation. It suffered significant damage. There were threats against its employees.

I’m sympathetic to the concerns that they faced. Having said all that, yes, I think they

6/21/22, 1:08 PMCase Studies

Page 6 of 8https://ebooks.cenreader.com/api/v1/reader/stream/4da6eefb-47ed-4323-8856-9a5206b5adac/2/content/bd_ch_09_closer_10.html

made a mistake.” Obama explained, “We cannot have a society in which some dictator

in some place can start imposing censorship in the United States.” The president’s

remarks highlighted the seriousness of the incident to the American public, many of

whom came to view the incident as an attack on the freedom of expression.

In response to Obama’s comments, Sony officials released a statement later the same

day: “Let us be clear—the only decision that we have made with respect to release of

the film was not to release it on Christmas Day in theaters, after the theater owners

declined to show it.... After that decision, we immediately began actively surveying

alternatives to enable us to release the movie on a different platform. It is still our hope

that anyone who wants to see this movie will get the opportunity to do so.”

In fact, on Christmas Day, the planned release day in the theater, The Interview became

available through video-on-demand outlets such as Amazon.com, and within less than a

month, the movie had brought in over $40 million in revenue. Approximately 6 million

viewers had rented or purchased the movie in this way. Several hundred movie theaters

that opted to screen the movie generated another $6 million. Over the next two months,

Sony also released the movie on Netflix, on DVD and Blu-Ray, and in theaters in other

countries.

Meanwhile, Sony has worked to recover from the damage done to the company itself by

the hack. Sony Pictures’ parent company, which is based in Japan, asked regulators

there for an extension to file its third-quarter financial results. It also fired executive Amy

Pascal whose leaked emails contained derogatory remarks about Hollywood producers

and the U.S. president’s movie preferences. The company also provided one year of

free credit protection services to current and former employees.

6/21/22, 1:08 PMCase Studies

Page 7 of 8https://ebooks.cenreader.com/api/v1/reader/stream/4da6eefb-47ed-4323-8856-9a5206b5adac/2/content/bd_ch_09_closer_10.html

In February 2015, President Obama held the first-ever White House summit on

cybersecurity issues in Silicon Valley. The summit was billed as an attempt to deal with

the increasing vulnerability of U.S. companies to cyberattacks—including those backed

by foreign governments. However, the chief executives of Microsoft, Google, Facebook,

and Yahoo all refused to attend the summit. Those companies have long advocated for

the government to stop its practice of collecting and using private data to track terrorist

and criminal activities and have worked to find better ways to encrypt the data of their

customers. However, U.S. security agencies have continually pressured the IT giants to

keep the data as unencrypted as possible to facilitate the government’s law enforcement

work. Ultimately, both the government and private businesses will need to find a way to

work together to meet two contradictory needs—the country’s need to make itself less

vulnerable to cyberattacks while at the same time protecting itself from potential real-

world violence.

Critical Thinking Questions

1. Do you think that Sony’s response to the attack was appropriate? Why or why not?

2. What might Sony and the U.S. government done differently to discourage future such attacks

on other U.S. organizations?

3. Are there measures that organizations and the U.S. government can take together to prevent

both real-world terrorist violence and cyberattacks?

6/21/22, 1:08 PMCase Studies

Page 8 of 8https://ebooks.cenreader.com/api/v1/reader/stream/4da6eefb-47ed-4323-8856-9a5206b5adac/2/content/bd_ch_09_closer_10.html

SOURCES: Barrett, Devlin and Danny Yadron, “Sony, U.S. Agencies Fumbled After Cyberattack,” Wall Street Journal, February 22, 2015, www.wsj.com/articles/sony-u-s-agencies-fumbled-after-cyberattack-1424641424; Mitchell, Andrea, “Sony Hack: N. Korean Intel Gleaned by NSA during Incursion,” NBC News, January 18, 2015, www.nbcnews.com/storyline/sony-hack/sony-ha ck-n-korean-intel-gleaned-nsa-during-incursion-n288761; Schatz, Amy, “Obama Acknowledges Strains with SiliconValley,” SF Gate, February 14, 2015, http://blog.sfgate.com/techchron/2015/02/14/obama-acknowledges-strains-with-silicon-valley/; Dwy er, Devin and Mary Bruce, “Sony Hacking: President Obama Says Company Made ?Mistake’ in Canceling ‘The Interview,’” ABC News, December 19, 2014, http://abcnews.go.com/Politics/obama-sony-made-mistake-canceling-film-release/story?id=27720 800; Pallotta, Frank, “Sony’s ‘The Interview’ Coming to Netflix,” CNN Money, January 20, 2015, http://money.cnn.com/2015/01/ 20/media/the-interview-makes-40-million/; Pepitone, Julianne, “Sony Hack: ‘Critical’ Systems Won’t Be Back Online until Febr uary,” NBC News, January 23, 2015, www.nbcnews.com/storyline/sony-hack/sony-hack-critical-systems-wont-be-back-online- until-february-n292126; Cieply, Michael and Brooks Barnes, “Sony Cyberattack, First a Nuisance, Swiftly Grew into a Firestorm ,” New York Times, December 30, 2014, www.nytimes.com/2014/12/31/business/media/sony-attack-first-a-nuisance-swiftly-gre w-into-a-firestorm-.html; “The Interview: A Guide to the Cyber Attack on Hollywood,” BBC, December 29, 2014, www.bbc.co m/news/entertainment-arts-30512032; Whittaker, Zack, “FBI Says North Korea Is ‘Responsible’ for Sony Hack, as White House Mulls Response,” ZDNet, December 19, 2014, www.zdnet.com/article/us-government-officially-blames-north-korea-for-sony- hack/; Osborne, Charlie, “Sony Pictures Corporate Files Stolen and Released in Cyberattack,” ZDNet, November 28, 2014, www.z dnet.com/article/sony-pictures-corporate-files-stolen-and-released-in-cyberattack; Osborne, Charlie, “Sony Hack Exposed So cial Security Numbers of Hollywood Celebrities,” ZDNet, December 5, 2015, www.zdnet.com/article/sony-hack-exposed-social- security-numbers-of-hollywood-celebrities/; Sanger, David E. and Nicole Perlroth, “Obama Heads to Tech Security Talks amid T ensions,” New York Times, February 12, 2015, www.nytimes.com/2015/02/13/business/obama-heads-to-security-talks-amid-ten sions.html; Whitney, Lance, “Sony Seeks to Delay Filing Earnings in Wake of Cyberattack,” CNET, January 23, 2015, www.cnet. com/news/sony-asks-to-delay-filing-earnings-due-to-cyberattack.