ENTERPRISE CONTINUITY PLANNING
Responding to Attacks and Special Circumstances
Continued Assessments During a Disaster
By Charles Paddock
FXT2 – Task 2
November 5th, 2012
A. Perform a post event evaluation of how the organization’s IT staff responded to the attack described in the scenario by doing the following:
1. Describe the nature of the incident.
An internal employee gained unauthorized access to the human resources, payroll and electronic mail systems. Once inside, the employee was able to manipulate payroll data, intercept e-mail and impersonate staff electronically. A number of techniques were used in this attack, such as ...
Depending on the monetary value of the theft, external digital forensics consultants and law enforcement should be called in.
3. Outline how the incident could be contained.
Without knowing the complete suite of products deployed at the company, I can only suggest the basic containment practices here; more detail on other methods of containment follows in the next section. The IT staff will need to audit and revoke access to the compromised systems, remove network and system access for the identified attacker, confiscate all of the attacker's devices, and preserve the log files on all affected systems (copied to storage the attacker cannot reach, and before anything on those systems is changed). Because the incident involved monetary theft, law enforcement should be notified so that the individual can be detained. Once that is complete, a forensic team should go through the equipment to establish the extent of the compromise and gather evidence.
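The log-preservation step above is only worth anything if you can later show the logs were not altered after collection. The following is an added example (not from the original paper) of how a response team might do that: hash every collected log file into a manifest at collection time, then re-verify the manifest before handing the logs to forensics or counsel. The directory layout, the collector name and the log lines are constructed for the demonstration.

```python
"""Preserve log evidence during containment: hash every collected log file
into a manifest, then verify the manifest later to show nothing changed.

Added example; not part of the original paper. Paths, the collector name
and the log contents below are constructed for the demonstration."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(log_dir, collected_by):
    """Record relative path, size and SHA-256 of every file under log_dir."""
    entries = {}
    for root, _, files in os.walk(log_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, log_dir)
            entries[rel] = {"sha256": sha256_file(path),
                            "size": os.path.getsize(path)}
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collected_by,
        "files": entries,
    }


def verify_manifest(log_dir, manifest):
    """Return (relative path, problem) for every file that is modified,
    missing, or present now but absent from the original manifest."""
    problems = []
    current = build_manifest(log_dir, manifest["collected_by"])["files"]
    for rel, rec in manifest["files"].items():
        if rel not in current:
            problems.append((rel, "missing"))
        elif current[rel]["sha256"] != rec["sha256"]:
            problems.append((rel, "modified"))
    for rel in current:
        if rel not in manifest["files"]:
            problems.append((rel, "unexpected"))
    return problems


def demo():
    """Constructed walk-through: collect, verify clean, tamper, verify again.
    Returns the two verification results."""
    with tempfile.TemporaryDirectory() as log_dir:
        # Constructed log lines standing in for real payroll and mail logs.
        with open(os.path.join(log_dir, "payroll-audit.log"), "w") as f:
            f.write("2012-10-29T08:12:03Z jsmith UPDATE employee=1042 bank_acct\n")
        with open(os.path.join(log_dir, "mail-relay.log"), "w") as f:
            f.write("2012-10-29T08:13:44Z relay from=<hr@example.internal>\n")

        manifest = build_manifest(log_dir, collected_by="ir-team")
        clean = verify_manifest(log_dir, manifest)

        # Someone appends to a log after collection; verification must notice.
        with open(os.path.join(log_dir, "payroll-audit.log"), "a") as f:
            f.write("tampered\n")
        dirty = verify_manifest(log_dir, manifest)
        return clean, dirty


if __name__ == "__main__":
    before, after = demo()
    print("clean verification:", before)
    print("after tampering:", after)
```

In practice the manifest itself (the `json.dumps` of what `build_manifest` returns) is signed or stored somewhere the affected systems cannot write to; the hashes prove the content, the separate storage proves the manifest.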
4. Discuss how the factor that caused the incident could be removed.
There were a number of factors that allowed this type of incident to happen, but the main ones were IP spoofing and network eavesdropping, which allowed the attacker to escalate privileges and compromise other parts of the infrastructure. Several controls should be implemented at this company. First, a well-known escalation and incident response plan. Second, an audited ERP system with governance modules that look for these types of changes and alert automatically. Third, a network monitoring suite tied to a data loss prevention (DLP) system. Fourth, common network best practices such as port security (only allowing identified machines onto the network) and access control lists (ACLs) restricting access to company confidential equipment. Note that port security and ACLs limit which hosts can reach a system; they do not by themselves protect traffic from being sniffed on a shared segment, so the HR and payroll traffic also needs to be segmented and carried over encrypted protocols.
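The ACL control above, and the later step of isolating the HR and payroll servers on their own VLAN, both come down to a short list of flows that must be permitted and everything else being denied. The following is an added example (not the paper's code and not any vendor's ACL syntax) of checking such a policy the way a practitioner would before declaring the segmentation operational: write down the intended rules, write down flows that must pass and flows that must fail, and evaluate one against the other. The subnets, ports and rules are constructed assumptions. The same flow table can then be replayed against the real network with a scanner placed in each segment.

```python
"""Check an HR/payroll segmentation policy against a table of flows that
must be permitted and flows that must be denied.

Added example; not the paper's code and not any vendor's ACL format. The
addressing plan, ports and rules below are constructed assumptions."""
import ipaddress

# Constructed addressing plan: HR/payroll servers on their own VLAN,
# HR and payroll workstations on a second VLAN, everything else "corporate".
HR_PAYROLL_SERVERS = ipaddress.ip_network("10.50.10.0/24")
HR_PAYROLL_CLIENTS = ipaddress.ip_network("10.50.20.0/24")
CORPORATE = ipaddress.ip_network("10.0.0.0/8")

# Rules are evaluated first-match, like a router ACL:
# (action, source network, destination network, protocol, destination port).
# A port of None means any port; a protocol of "any" means any protocol.
ACL = [
    ("permit", HR_PAYROLL_CLIENTS, HR_PAYROLL_SERVERS, "tcp", 443),   # HR web app
    ("permit", HR_PAYROLL_CLIENTS, HR_PAYROLL_SERVERS, "tcp", 1433),  # payroll DB
    ("deny",   CORPORATE,          HR_PAYROLL_SERVERS, "any", None),  # nobody else
    ("permit", CORPORATE,          CORPORATE,          "any", None),  # the rest
]


def evaluate(acl, src, dst, proto, dport):
    """Return "permit" or "deny" for one flow under a first-match ACL."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_src, rule_dst, rule_proto, rule_port in acl:
        if src_ip not in rule_src or dst_ip not in rule_dst:
            continue
        if rule_proto != "any" and rule_proto != proto:
            continue
        if rule_port is not None and rule_port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of the list


# Constructed test flows: (src, dst, proto, dport, expected decision).
TEST_FLOWS = [
    ("10.50.20.15", "10.50.10.5", "tcp", 443,  "permit"),  # HR client -> HR web app
    ("10.50.20.15", "10.50.10.5", "tcp", 1433, "permit"),  # HR client -> payroll DB
    ("10.50.20.15", "10.50.10.5", "tcp", 22,   "deny"),    # SSH is not in the policy
    ("10.20.3.77",  "10.50.10.5", "tcp", 443,  "deny"),    # general corporate host
    ("10.20.3.77",  "10.50.10.5", "udp", 161,  "deny"),    # SNMP from outside the VLAN
    ("10.20.3.77",  "10.20.3.80", "tcp", 445,  "permit"),  # unaffected corporate traffic
]


def verify_segmentation(acl=ACL, flows=TEST_FLOWS):
    """Return every flow whose actual decision differs from the expected one.
    An empty list means the policy does what the design says."""
    failures = []
    for src, dst, proto, dport, expected in flows:
        actual = evaluate(acl, src, dst, proto, dport)
        if actual != expected:
            failures.append((src, dst, proto, dport, expected, actual))
    return failures


def without_explicit_deny(acl=ACL):
    """The same policy with the explicit deny dropped, a common mistake when
    the final 'permit corporate' rule is taken to be harmless."""
    return [rule for rule in acl if rule[0] != "deny"]


if __name__ == "__main__":
    print("intended ACL failures:", verify_segmentation())
    print("weak ACL failures:", verify_segmentation(without_explicit_deny()))
```

Running the check against the weakened policy shows why the explicit deny matters: without it the final catch-all permit lets every corporate host, and unapproved ports from the HR clients, reach the payroll servers.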
5. Describe how the system could be restored to normal business practice.
There are a couple of options, depending on the extent of the attack. One is a complete audit of the logs to verify every change made to the data and the system; the audit should be captured for a future lawsuit or forensics, and any unapproved changes made during the compromise window are then corrected. Once that is complete, run forensic tools to ensure that nothing was installed and that no other avenues for attack remain open. If there was too much damage to the system, restore it from backup to an earlier state. In that case the backup must be one taken before the compromise began and verified as clean, otherwise the restore brings the attacker's changes back with it, and any legitimate changes made since that backup have to be re-applied from the audited log.
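The log audit described above is a concrete, repeatable procedure: read the payroll change log, flag the entries that should not have happened, and produce the old values needed to put each record back. The following is an added example (not from the original paper) of that review over a constructed audit trail. The log format, the authorized-editor roster, the change window and the compromise date are all assumptions made for the demonstration; a real ERP audit table will have its own columns, but the checks are the same.

```python
"""Review a payroll change log for unapproved changes and build the rollback
list. Added example; not part of the original paper. The log format, the
authorized editors, the change window and the sample entries are constructed."""
from datetime import datetime

# Constructed policy: who may edit payroll records, when edits are expected,
# and which fields matter most when an attacker is diverting money.
AUTHORIZED_EDITORS = {"hr.admin", "payroll.clerk"}
BUSINESS_HOURS = range(8, 18)          # 08:00 to 17:59 local time
SENSITIVE_FIELDS = {"bank_account", "routing_number", "salary"}

# Constructed audit trail: timestamp actor employee field old_value new_value
AUDIT_LOG = """
2012-10-22T09:15:00 payroll.clerk 1042 salary 52000 53500
2012-10-23T02:47:10 jdoe 1042 bank_account 111222333 998877665
2012-10-23T02:48:02 jdoe 2290 bank_account 444555666 998877665
2012-10-24T10:30:45 hr.admin 3011 title Analyst Senior_Analyst
2012-10-24T22:05:12 payroll.clerk 1042 salary 53500 61000
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of dicts."""
    entries = []
    for line in text.strip().splitlines():
        ts, actor, emp, field, old, new = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "actor": actor,
                        "employee": emp, "field": field, "old": old, "new": new})
    return entries


def review(entries, compromise_start):
    """Return (flagged, rollback).

    flagged:  list of (entry, [reasons]) for entries needing action or review.
    rollback: {(employee, field): value_to_restore}; when a field changed more
              than once, the earliest old value is the one to restore."""
    # A payment account shared by several employees' records is the classic
    # sign of payroll diversion: several salaries routed to one account.
    owners_by_account = {}
    for e in entries:
        if e["field"] == "bank_account":
            owners_by_account.setdefault(e["new"], set()).add(e["employee"])

    flagged = []
    for e in entries:
        reasons = []
        if e["actor"] not in AUTHORIZED_EDITORS:
            reasons.append("unauthorized actor")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside change window")
        if e["field"] in SENSITIVE_FIELDS and e["ts"] >= compromise_start:
            reasons.append("sensitive field changed during compromise window")
        if e["field"] == "bank_account" and len(owners_by_account[e["new"]]) > 1:
            reasons.append("shared destination account")
        if reasons:
            flagged.append((e, reasons))

    rollback = {}
    for e, _ in flagged:
        rollback.setdefault((e["employee"], e["field"]), e["old"])
    return flagged, rollback


def demo(compromise_start=datetime(2012, 10, 23)):
    """Run the review over the constructed log with an assumed compromise date."""
    return review(parse_log(AUDIT_LOG), compromise_start)


if __name__ == "__main__":
    flagged, rollback = demo()
    for e, reasons in flagged:
        print(e["ts"], e["actor"], e["employee"], e["field"], ";".join(reasons))
    print("restore:", rollback)
```

Entries flagged only for "sensitive field changed during compromise window" still need a human to confirm them with the employee and the authorized editor before they are reverted; the other reasons point at changes that almost certainly go back, with the old values in the rollback map.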
a. Explain how the system could be verified as operational.
After IT has put the new controls in place, I would make a couple of network and system changes, such as isolating the HR and payroll systems on their own server VLAN and only allowing access from the HR and payroll departments' systems. Once that is done, I would run a vulnerability scan against the systems to find any application-level vulnerabilities that need to be addressed. Lastly, I would ensure that the access rights of all of the individuals that can make...