Tuesday, December 16, 2014

If I Were The Sony Network Security Manager

In light of the ongoing attacks on the Sony network, I felt inspired to write a simple plan for what I would do if I were the Network Security Manager at Sony. This article assumes that Sony doesn't have very advanced security measures in place; it is not an accurate account of what is or isn't present in their network environment:

Hi, I'm Jeremiah Hainly and I'm the new Network Security Manager at Sony. Over the past decade, our networks have been highly targeted because we make decisions that other people love to hate. After our most recent attack, the previous Network Security Manager was released from his position, and now I'm leading the security efforts to prevent attacks from occurring in the future. This will help keep our employees' salaries confidential, and keep our gaming community happy since their servers can finally stay online reliably.

First, we need to implement network security monitoring by placing sensors on all Internet-facing traffic. The sensors will keep logs of network activity so that we can detect, and shut out, unwanted third parties connecting to our systems. The increased visibility into our network will help our security analysts see what is lacking from the rest of our security measures. After establishing a baseline of normal network activity for a "safe" day, we will be able to see which packets are flowing through the network, pull out specific types of data, and spot the differences between the way the network normally runs and the way it behaves during a possible intrusion. I would set up personal email alerts to notify me of any statistical anomalies relative to the established baseline. Items that may produce suspicious anomalies include dramatic changes in web traffic, failed logins, local file transfers, and FTP traffic volume, among many other suspicious actions on company devices.
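To show what the "baseline, then alert on anomalies" step looks like in practice, here is an added example (not code from the original post). It assumes the sensors have already been aggregated into per-day counters for the metrics named above; the seven safe days and the day under review are constructed values, and the 3-sigma threshold and 5% stdev floor are design choices, not anything the post specifies.

```python
"""Baseline-and-anomaly alerting over per-day network counters.

Added example, not code from the original post. The daily counters below are
constructed for illustration; in practice they would be aggregated from the
sensor logs (web proxy, authentication and FTP server logs).
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed baseline: counters observed on seven "safe" days.
BASELINE_DAYS = [
    {"web_requests": 10200, "failed_logins": 40, "ftp_bytes": 5_000_000, "local_file_transfers": 120},
    {"web_requests": 9800,  "failed_logins": 44, "ftp_bytes": 4_800_000, "local_file_transfers": 115},
    {"web_requests": 10500, "failed_logins": 38, "ftp_bytes": 5_200_000, "local_file_transfers": 125},
    {"web_requests": 10100, "failed_logins": 42, "ftp_bytes": 5_100_000, "local_file_transfers": 118},
    {"web_requests": 9900,  "failed_logins": 41, "ftp_bytes": 4_900_000, "local_file_transfers": 122},
    {"web_requests": 9600,  "failed_logins": 39, "ftp_bytes": 5_000_000, "local_file_transfers": 120},
    {"web_requests": 9900,  "failed_logins": 36, "ftp_bytes": 5_000_000, "local_file_transfers": 120},
]

# Constructed counters for the day under review: a burst of failed logins
# followed by a large FTP transfer, with web traffic only slightly up.
TODAY = {"web_requests": 10700, "failed_logins": 410, "ftp_bytes": 95_000_000, "local_file_transfers": 130}


@dataclass
class Baseline:
    mean: float
    stdev: float


def build_baseline(days):
    """Per-metric mean and population standard deviation over the safe days."""
    metrics = days[0].keys()
    return {m: Baseline(mean([d[m] for d in days]), pstdev([d[m] for d in days])) for m in metrics}


def z_score(value, base, min_stdev_ratio=0.05):
    """Standard deviations from the baseline mean.

    The stdev is floored at 5% of the mean (and at 1.0) so that a metric that
    was nearly constant during the baseline period does not alert on noise.
    """
    stdev = max(base.stdev, base.mean * min_stdev_ratio, 1.0)
    return (value - base.mean) / stdev


def find_anomalies(observed, baseline, threshold=3.0):
    """Return (metric, value, z) for every metric at or beyond the threshold."""
    alerts = []
    for metric, value in observed.items():
        z = z_score(value, baseline[metric])
        if abs(z) >= threshold:
            alerts.append((metric, value, round(z, 1)))
    return alerts


def alert_email_body(alerts, baseline):
    """Plain-text body for the alert email; empty string when nothing fired."""
    if not alerts:
        return ""
    lines = ["Statistical anomalies versus the safe-day baseline:"]
    for metric, value, z in alerts:
        lines.append(f"  {metric}: observed {value}, baseline mean {baseline[metric].mean:.0f}, z={z}")
    return "\n".join(lines)


if __name__ == "__main__":
    base = build_baseline(BASELINE_DAYS)
    print(alert_email_body(find_anomalies(TODAY, base), base) or "No anomalies today.")
```

Run as a script, the constructed day fires on `failed_logins` and `ftp_bytes` only; the modest rise in `web_requests` stays well inside the threshold, which is the point of the stdev floor: a baseline built from a week of nearly identical days would otherwise alert on ordinary day-to-day variation.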

Next, we will need to set up a strong intrusion detection/prevention system, based on pre-defined security rules, that we can monitor for hits on our network. These rules will block traffic matching suspicious signatures from penetrating our network; for example, they could block communications to specific IPs that have been identified as C2 servers. The system will require consistent updates to the signatures that our IDS is looking for, which can be pulled from an open-source rule set such as the Snort community rules, as well as updated internally based on the multiple intrusions that we have experienced over the past decade.
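The rule-matching logic behind that paragraph, as an added example that is not the post's and not Snort's own code: the rule fields mirror the shape of a Snort rule (action, protocol, destination, port, content, sid, rev) but the syntax and engine are a simplified stand-in. The "community feed" and "internal" rule lists are constructed, the IP addresses come from the documentation ranges, and the sid numbers sit in the local-rule range.

```python
"""Minimal signature-based IDS/IPS rule engine over constructed flow records.

Added example, not code from the original post and not Snort's own engine.
Rules carry Snort-like fields but in a simplified form; all addresses,
payloads and sids are constructed documentation values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    sid: int
    action: str                 # "alert" or "drop"
    proto: str                  # "tcp", "udp" or "any"
    dst_net: str                # CIDR the destination address must fall in
    dst_port: Optional[int]     # None means any port
    content: Optional[bytes]    # substring that must appear in the payload
    msg: str
    rev: int = 1


# Constructed "community" feed: a known C2 address and a generic check-in URI.
COMMUNITY_RULES = [
    Rule(1000001, "drop", "tcp", "203.0.113.5/32", None, None, "Known C2 server (constructed feed entry)"),
    Rule(1000002, "alert", "tcp", "0.0.0.0/0", 80, b"/gate.php", "Generic HTTP check-in (constructed feed entry)"),
]

# Constructed internal rules learned from prior incidents. A sid that also
# appears in the feed is overridden by the internal revision (here: escalated
# from alert to drop).
INTERNAL_RULES = [
    Rule(1000002, "drop", "tcp", "0.0.0.0/0", 80, b"/gate.php", "Internal: block HTTP check-in", rev=2),
    Rule(1000003, "alert", "any", "0.0.0.0/0", 21, None, "Internal: FTP to external host", rev=1),
]


@dataclass
class Flow:
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes = b""


def merge_rules(feed: List[Rule], internal: List[Rule]) -> List[Rule]:
    """Internal rules win on sid collisions; output is sorted by sid."""
    merged = {r.sid: r for r in feed}
    merged.update({r.sid: r for r in internal})
    return sorted(merged.values(), key=lambda r: r.sid)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Every populated rule field must match; None fields are wildcards."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if ip_address(flow.dst_ip) not in ip_network(rule.dst_net):
        return False
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    if rule.content is not None and rule.content not in flow.payload:
        return False
    return True


def evaluate(flow: Flow, rules: List[Rule]) -> Tuple[str, List[int]]:
    """Return (verdict, matched sids); any 'drop' match outranks 'alert'."""
    hits = [r for r in rules if rule_matches(r, flow)]
    if any(r.action == "drop" for r in hits):
        verdict = "drop"
    elif hits:
        verdict = "alert"
    else:
        verdict = "pass"
    return verdict, [r.sid for r in hits]


if __name__ == "__main__":
    rules = merge_rules(COMMUNITY_RULES, INTERNAL_RULES)
    for f in [Flow("tcp", "10.0.0.7", "203.0.113.5", 443),
              Flow("tcp", "10.0.0.7", "198.51.100.20", 80, b"POST /gate.php HTTP/1.1"),
              Flow("tcp", "10.0.0.8", "198.51.100.30", 21),
              Flow("tcp", "10.0.0.7", "198.51.100.20", 443)]:
        print(f.dst_ip, f.dst_port, "->", evaluate(f, rules))
```

The merge step is the part worth copying: the feed is re-imported on every update, and the internal list (with its own `rev` numbers) is layered on top, so a locally tuned rule is never silently reverted by the next feed pull.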

I would also stress the education of our employees to verify that they know how to identify common phishing scams. Scams covered by the education will include suspicious links, spam, and requests for personal information from unexpected senders. This will prevent malicious parties from taking advantage of ignorant employees who believe that they have just won millions of dollars in a lottery from Australia and click the links to submit their VPN password in order to claim it.

Another security measure that I would take is the implementation of two-step authentication on all connections to the network, especially the VPN, but also any other storage locations with business-critical data. After a user types in a password, they should also type in an RSA token-generated key that changes every 30 seconds. This will maintain additional confidentiality since compromised passwords will not fully jeopardize a user's account unless the attacker also has access to the RSA key.
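To make the second step concrete, here is an added example of how the server side checks a 30-second rotating code; it is not code from the original post. RSA tokens use a proprietary algorithm, so this example uses the open-standard equivalent, TOTP (RFC 6238, HMAC-SHA1, 30-second step), which is what most soft tokens implement. The shared secret is the RFC 6238 test-vector secret, not a real one, and the skew window and replay tracking are design choices the post does not specify.

```python
"""Server-side verification of a time-based one-time code as the second step.

Added example, not code from the original post. RSA tokens are proprietary;
this shows the open-standard equivalent, TOTP (RFC 6238, HMAC-SHA1,
30-second step). The secret below is the RFC 6238 test-vector secret.
"""
import hashlib
import hmac
import struct

# RFC 6238 reference secret for the SHA-1 test vectors (ASCII digits), not a real key.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the Unix time."""
    return hotp(secret, int(at_time) // step, digits)


class SecondFactorVerifier:
    """Checks a submitted code for one user, tolerating small clock skew.

    Two defender-side details matter: the comparison is constant-time, and
    every accepted counter value is remembered so the same code cannot be
    replayed within its validity window (e.g. if it was phished).
    """

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window          # accept codes +/- this many steps
        self._last_counter = -1       # highest counter already consumed

    def verify(self, submitted: str, at_time: int) -> bool:
        counter = int(at_time) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self._last_counter:
                continue              # already used, or older than one used: reject replay
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self._last_counter = c
                return True
        return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    v = SecondFactorVerifier(DEMO_SECRET)
    print("code:", code, "first use:", v.verify(code, now), "replay:", v.verify(code, now))
```

Two things the rotating-code design does not cover on its own: a real-time phishing page can relay a freshly entered code within its 30-second window, which is why the replay check only helps after the legitimate login has consumed the counter, and the verifier must be paired with rate limiting on failed attempts, since a six-digit code is guessable by brute force otherwise.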

Lastly, I would hire a team specifically to look at the threat hits collected from all of our security devices. Between all of the software installed on the company's devices, there are too many hits for a single person to sweep through, so I would hire an entire team dedicated to finding the evil within our highly targeted network.

In summary, there are many steps that need to be taken within my company, since so many consumers expect our networks to be reliable on a daily basis. We hold too much private information, and offer too many network services, to keep being compromised the way we have been since 2005.