1. Describe the nature of the incident.
This incident is an internal security breach carried out to access and manipulate sensitive data. The breach was caught by the auditor, but the communications from the auditor to those whose data was breached were intercepted.
It was determined that authentication and encryption controls, along with a PKI (which was lacking), should have been implemented in order to prevent this breach of data.
2. Identify who needs to be notified based on the type and severity of the incident.
Who needs to be notified, why, and the severity of the incident for each:
President of Company: directly affected and upper management; must act to close the breach.
[Party not named on the page]: directly affected by the breach; the intruder had access to their sensitive files.
Human Resources Department: it was the HR system that accessed the files, and HR also needs to make sure everything has been corrected. Severity: High.
3. Outline how the incident could be contained.
This incident could have been contained by implementing multi-factor authentication and data encryption. Permissions also need to be set, although because the attack was carried out through access to human resource files, that alone would not have been a direct help, since the human resources department already has access to payroll and financial records. Email digital signatures would also have helped, so that the emails to the auditor could not have been spoofed.
4. Discuss how the factor that caused the incident could be removed.
Implementing better network security standards and creating a communications plan that includes phone conversations would have kept the person from accessing the payroll, making changes, and spoofing emails. Using other communication methods would have helped, since the attacker could not spoof the auditor through those channels. The employee who caused the incident should not only be terminated but also brought up on fraud charges under local, state, and federal law.
5. Describe how the system could be restored to normal business practice.
The system can be restored to normal business practice either by using a backup that carried the correct data to restore the files that were affected (an incremental restore), or by having the human resources department go through the payroll and change the affected files back to their normal pay scale. Without adding additional security, though, the system is still vulnerable.
5a. Explain how the system could be verified as operational.
The system is verified as operational when all files have been restored to their normal state and the system is running smoothly. Management will need to review the affected files to ensure that the information in them is correct.
1. Identify areas that were not addressed by the IT staff’s response to the incident.
One of the areas that was not addressed was how the network allowed the spoofing and why it was not caught much earlier. Were permissions already in place? Is there a network logging system that analyzes the logs? The lack of other system checks was not addressed in this scenario.
2. Outline the other attacks mentioned in the scenario that were not noticed by the organization.
An attack that was not mentioned in the scenario was social engineering. The employee who manipulated the system also used social engineering to convince the auditor not only that the emails had been sent by the person they claimed to be from, but that he or she was that person as well.
2a. Describe the nature of the attacks not noticed by the organization.
The nature of the attacks that were not noticed by the organization was human interaction (Peltier, n.d.). Using social engineering, the employee was able to monitor the situation from inside the office as well as spoof emails to the auditor. The auditor trusted the emails instead of calling or talking to each affected person personally, which allowed the social engineering attack to continue.
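The questions raised above about a logging system that analyzes the logs, and the spoofed emails the auditor trusted, are the kind of thing simple detection rules would have surfaced. The following is an added example written for this write-up, not part of the scenario or the original answer; the log format, account names, field names and every log line are constructed assumptions. Two rules run over a small audit log: one flags payroll edits that changed a value without a second person approving them, the other flags mail whose claimed From address is not the account that actually submitted it.

```python
"""Added example: log rules that would surface the insider payroll changes and the
spoofed messages. The log format, account names, field names and sample lines below
are constructed assumptions for illustration, not part of the scenario's write-up."""
import re

# Constructed sample audit log. Each line: <timestamp> <source> key=value ...
# Line 1 is a no-op write; lines 2 and 3 are the insider's edits (self-approved,
# then with no approver); line 4 is a legitimate change approved by a second person;
# line 5 is a message the insider sent while claiming to be the affected employee;
# line 6 is a genuine message from the auditor.
SAMPLE_LOG = """\
2014-01-20T09:12:03 payroll user=hr.jdoe action=update record=emp1042 field=pay_rate old=52000 new=52000 approver=hr.manager
2014-01-21T23:41:10 payroll user=hr.jdoe action=update record=emp1042 field=pay_rate old=52000 new=98000 approver=hr.jdoe
2014-01-21T23:42:55 payroll user=hr.jdoe action=update record=emp1042 field=bank_acct old=****1234 new=****9876 approver=
2014-01-22T08:05:00 payroll user=hr.asmith action=update record=emp2001 field=pay_rate old=61000 new=63000 approver=hr.manager
2014-01-22T08:30:12 mail from=emp1042@example.com auth_user=hr.jdoe@example.com to=auditor@example.com subject="re: payroll review"
2014-01-22T09:02:47 mail from=auditor@example.com auth_user=auditor@example.com to=emp2001@example.com subject="payroll review"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s*(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_line(line):
    """Turn one log line into a dict; returns None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts"), "src": m.group("src")}
    for key, val in KV_RE.findall(m.group("kv")):
        event[key] = val.strip('"')
    return event


def unapproved_changes(events):
    """Payroll edits that changed a value but were self-approved or not approved at all."""
    findings = []
    for e in events:
        if e.get("src") != "payroll" or e.get("action") != "update":
            continue
        if e.get("old") == e.get("new"):
            continue  # no-op write: nothing changed, so no approval was needed
        approver = e.get("approver", "")
        if not approver or approver == e.get("user"):
            findings.append({"rule": "unapproved_change", "ts": e["ts"], "user": e["user"],
                             "record": e["record"], "field": e["field"],
                             "old": e["old"], "new": e["new"]})
    return findings


def spoofed_senders(events):
    """Mail whose claimed From address is not the account that actually submitted it."""
    findings = []
    for e in events:
        if e.get("src") != "mail":
            continue
        if e.get("from") != e.get("auth_user"):
            findings.append({"rule": "spoofed_sender", "ts": e["ts"], "claimed": e["from"],
                             "actual": e["auth_user"], "to": e["to"]})
    return findings


def analyze(log_text):
    """Run both rules over the log text and return all findings, payroll rule first."""
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]
    return unapproved_changes(events) + spoofed_senders(events)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The first rule is a segregation-of-duties check: an HR account can legitimately edit payroll, so what matters is whether someone other than the editor approved the change. The second rule only works if the mail system records the authenticated submitting account alongside the claimed sender, which is exactly the gap a digital-signature requirement would close.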
2b. Describe how these additional attacks can be prevented in the future.
These attacks can be prevented by offering employees training in security awareness. Security policies should be updated to include additional steps to ensure that sensitive emails are indeed coming from the correct person, such as a phone call or talking to that person face to face.
3. Recommend a recovery procedure to restore the computer systems back to their original state prior to such attacks.
Since the entire network was not affected, just certain files, I would recommend an incremental backup to restore the changed files back to their original form. Human Resources should verify that the information is correct. Once the system is restored, put the added security measures in place and back up the system again.
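The recovery recommended above, an incremental restore of only the changed files followed by HR verification, can be made concrete. The following is an added example, not part of the original answer or the scenario; the payroll records, employee ids, field names and the set of approved changes are all constructed assumptions. It diffs the current payroll data against a known-good backup, reverts only the fields nobody approved (keeping a legitimate raise made after the backup was taken, and putting back a record that was deleted), and then reports whether any unexplained differences remain, which is the verification step.

```python
"""Added example: incremental restore of tampered payroll records from a known-good
backup, with a verification pass. All data below is constructed for illustration."""
import copy
import hashlib
import json

# Constructed known-good backup taken before the incident.
BACKUP = {
    "emp1042": {"name": "J. Doe", "pay_rate": 52000, "bank_acct": "****1234"},
    "emp2001": {"name": "A. Smith", "pay_rate": 61000, "bank_acct": "****5555"},
    "emp3090": {"name": "B. Lee", "pay_rate": 70000, "bank_acct": "****7777"},
}

# Constructed current state: emp1042 was tampered with, emp2001 received a raise
# that HR approved after the backup was taken, and emp3090's record was deleted.
CURRENT = {
    "emp1042": {"name": "J. Doe", "pay_rate": 98000, "bank_acct": "****9876"},
    "emp2001": {"name": "A. Smith", "pay_rate": 63000, "bank_acct": "****5555"},
}

# (record, field) pairs that HR has confirmed as legitimate post-backup changes.
APPROVED = {("emp2001", "pay_rate")}


def record_digest(rec):
    """Stable hash of one record so unchanged records can be skipped quickly."""
    return hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()


def diff_records(backup, current):
    """Field-level differences from the backup. A missing record is reported
    as (record, None, backup_record, None)."""
    diffs = []
    for emp, rec in backup.items():
        if emp not in current:
            diffs.append((emp, None, rec, None))
            continue
        if record_digest(rec) == record_digest(current[emp]):
            continue
        for field, good in rec.items():
            bad = current[emp].get(field)
            if bad != good:
                diffs.append((emp, field, good, bad))
    return diffs


def incremental_restore(backup, current, approved):
    """Return (restored copy, reverted fields, kept fields). Only differences that
    are not on the approved list are rolled back; deleted records are put back whole."""
    restored = copy.deepcopy(current)
    reverted, kept = [], []
    for emp, field, good, _bad in diff_records(backup, current):
        if field is None:
            restored[emp] = copy.deepcopy(good)
            reverted.append((emp, "*"))
        elif (emp, field) in approved:
            kept.append((emp, field))
        else:
            restored[emp][field] = good
            reverted.append((emp, field))
    return restored, reverted, kept


def unexplained_differences(state, backup, approved):
    """Verification: differences from the backup that nobody approved.
    An empty list means the restored data can be signed off as operational."""
    return [d for d in diff_records(backup, state)
            if d[1] is None or (d[0], d[1]) not in approved]


if __name__ == "__main__":
    restored, reverted, kept = incremental_restore(BACKUP, CURRENT, APPROVED)
    print("reverted:", reverted)
    print("kept (approved):", kept)
    print("unexplained after restore:", unexplained_differences(restored, BACKUP, APPROVED))
```

The approved list is what makes the restore incremental rather than a blind rollback: a full restore from the backup would also wipe out the legitimate raise. Running the verification function on the current (pre-restore) data shows the three unexplained changes; running it on the restored data returns nothing, which is the condition management should require before declaring the system operational.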
Peltier, T. (n.d.). Social Engineering: Concepts and Solutions. Retrieved January 27, 2014, from http://www.infosectoday.com/Norwich/GI532/Social_Engineering.htm