DISASTER RECOVERY

An employee hacked into the human resource records system at the employee’s place of business and changed the employee’s base salary rate to obtain a pay raise. The employee did this by spoofing an IP address in order to eavesdrop on the network. Once the employee identified where the data was stored and how to modify it, the employee made the changes and received two paychecks with the new amount.

Fortunately, an auditor happened to discover the error. The auditor sent an e-mail to several individuals within the organization to let them know there was a potential problem with the employee’s paycheck. However, the employee was able to intercept the message and craft fake responses from the individuals the original e-mail was sent to. The employee and the auditor exchanged e-mails back and forth until the employee was soon given access permissions for some other financial records. With this new information, the employee was able to lower the salaries of the president of the company and several other employees and then to include the salary difference in the employee’s own paycheck.

The IT staff determined that the spoofing that allowed the employee to gain access to the human resources system was possible because of a lack of authentication and encryption controls. As a result, a local root certificate authority was installed to implement a public key infrastructure (PKI) in which all communication with the human resources system requires a certificate. This would encrypt network traffic to and from the human resources system and prevent eavesdropping; it would also properly authenticate each host and so prevent spoofing.
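The control described above, a local root CA whose certificates let clients authenticate the HR system's host, shown as an added Go example that is not part of the scenario or the organization's systems; the CA name and host name are constructed placeholders. A client that trusts only the local root accepts the CA-issued host certificate and rejects a certificate from a host that could not obtain one from the CA, which is how certificate-based authentication defeats the spoofing in the scenario.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newTemplate builds a CA template (may sign certificates) or a host template carrying its DNS name.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true}
	if isCA {
		t.IsCA, t.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}
// issue signs tmpl under parent with the signer's key; it is self-signed when parent == tmpl.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // demo only; a real issuer returns the error to its caller
	}
	cert, _ := x509.ParseCertificate(der) // DER freshly produced above always parses
	return cert
}
// HostTrusted reports whether cert chains to the local root and is valid for host.
func HostTrusted(root, cert *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
// Demo: a client trusting only the local root accepts the CA-issued HR certificate and rejects a spoofer's.
func Demo() (genuineOK, impostorOK bool) {
	const hrHost = "hr-records.example.internal" // constructed placeholder for the HR system
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	caKey, hrKey, fakeKey := newKey(), newKey(), newKey() // the spoofer never obtains caKey
	caTmpl := newTemplate("Local Root CA", 1, true)
	root := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	hr := issue(newTemplate(hrHost, 2, false), root, &hrKey.PublicKey, caKey)
	fakeTmpl := newTemplate(hrHost, 3, false)
	fake := issue(fakeTmpl, fakeTmpl, &fakeKey.PublicKey, fakeKey) // self-signed by the spoofer
	return HostTrusted(root, hr, hrHost), HostTrusted(root, fake, hrHost)
}
```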

Task:

  1. Perform a post-event evaluation of how the organization’s IT staff responded to the attack described in the scenario by doing the following:
     1. Describe the series of malicious events that led up to the incident.
     2. Identify who needs to be notified based on the type and severity of the incident.
     3. Outline how the incident could be contained.
     4. Discuss how the factor that caused the incident could be eradicated.
     5. Discuss how the system could be recovered to return to normal business practice.
        1. Explain how the system could be verified as operational.
  2. Perform a follow-up of the post-event evaluation by doing the following:
     1. Identify areas that were not addressed by the IT staff’s response to the incident.
     2. Identify the other attacks mentioned in the scenario that were not noticed by the organization.
        1. Describe the type and severity of the attacks not noticed by the organization.
        2. Describe how these additional attacks can be prevented in the future.
     3. Recommend a recovery procedure to restore the computer systems back to a fully operational state.
  3. When you use sources, include all in-text citations and references in APA format.


A1. Nature of the Incident
A2. Notification
A3. Containment
A4. Factor Removal
A5. System Restoration
A5a. System Verification
B1. Unaddressed Areas
B2. Other Attacks
B2a. Type and Severity of Other Attacks
B2b. Prevention
B3. Recommendation
Articulation of Response (clarity, organization, mechanics)
C. Sources


Task Technical Details

The purpose of the presentation is to perform a post-event evaluation. While working on this task, you may feel like you are being asked the same questions multiple times. Be sure to review the rubric for each task prompt to ensure you are answering the criteria required for each task prompt. Be sure to write your responses tailored around this specific scenario. Responses should not be generalized.

  1. Perform a post-event evaluation of how the organization’s IT staff responded to the attack described in the scenario by doing the following:
     1. Describe the series of malicious events that led up to the incident. You will need to refer back to the scenario to detail all events that led up to the incident, along with the incident itself.
     2. Identify who needs to be notified based on the type and severity of the incident. Please write your responses tailored to the scenario. Readings: Chapter 6, “Operational Risk Management”, in The Definitive Handbook of Business Continuity Management, Third Edition; iPremier Readings. For assistance, please review the incident notification section of NIST 800-61 Computer Security Incident Handling Guide.
     3. Outline how the incident could be contained. Do not confuse containment with mitigation. For assistance, please review the containment section of NIST 800-61 Computer Security Incident Handling Guide, Section 3.3.1. You will need to discuss containment strategies as reactive measures to the specific incident within the scenario.
     4. Discuss how the factor that caused the incident could be eradicated. Please write your responses tailored to the scenario. Readings: iPremier Readings. For assistance, please review NIST 800-61 Computer Security Incident Handling Guide.
     5. Discuss how the system could be recovered to return to normal business practice. Discuss how data, applications, and other services affected by the incident have been returned to normal operations. For assistance, review NIST 800-61 Computer Security Incident Handling Guide by searching for the key term “restore”. Readings: iPremier Readings.
        1. Explain how the system could be verified as operational. Discuss the methodology you will use to verify the systems are operational. Readings: iPremier Readings.
  2. Perform a follow-up of the post-event evaluation by doing the following:
     1. Identify areas that were not addressed by the IT staff’s response to the incident. As part of the “follow-up” of the post-event evaluation, review the scenario in detail and identify the areas that were not addressed in the response to the incident.
     2. Identify the other attacks mentioned in the scenario that were not noticed by the organization. Discuss the events of the incident that were not noticed by the IT staff’s response to the incident. Discuss in detail the measures that can be taken to prevent these types of attacks in the future.
        1. Describe the type and severity of the attacks not noticed by the organization. For assistance, please review the recovery section of NIST 800-61 Computer Security Incident Handling Guide.
        2. Describe how these additional attacks can be prevented in the future.
     3. Recommend a recovery procedure to restore the computer systems back to a fully operational state. For assistance, please review the recovery section of NIST 800-61 Computer Security Incident Handling Guide. Readings: iPremier Readings.
  3. When you use sources, include all in-text citations and references in APA format.
