According to the scenario, quite a number of malicious events led to the incident that ended with the firm authenticating and encrypting its IT department's systems. One of the employees hacked into the firm's human resource system. This was unauthorized access, and the main intent for hacking into the human resource records system was to increase the employee's salary. This was the main malicious intent, as the employee knew that he/she was not fit enough to get a pay raise. The employee did this by spoofing an Internet Protocol (IP) address so as to listen in on other employees' conversations. The main reason for spoofing was so that the employee could know what each and every department was saying about his unexpected pay rise. He hacked the system and was able to actually get the pay rise he wanted for a couple of pay periods. Besides the hacking, the employee was able to deceive an auditor through impersonation. When the auditor realized that something was amiss with the employee's paycheck, he tried to communicate with other employees in the firm, informing them of the discovered error. The employee faked email responses to the auditor by pretending to be the other employees the auditor was communicating with. This was possible because he had already hacked into other employees' accounts. Through the crafted fake messages to the auditor, the employee was finally allowed full access to other financial records of the organization. With these financial records, the employee was able to slash the firm's president's salary and other employees' paychecks, and the difference he/she added to his/her own salary, thus increasing his/her own paycheck. This is a clear indication that the system was not protected. In addition, since the menace continued for several months, it is a clear indication that the IT staff were lax in their job. For those months, the employee was able to access the system, and they were not able to detect any malicious activity.
Ironically, the employee was able to reply on behalf of other employees, using their email accounts, to the company's auditor. There is no way all the employees could have been replying to the auditor's emails from the same IP address. This is a clear indication that the IT staff were not performing their duties appropriately.
Based on the type and the severity of the incident in this scenario, there are quite a number of people or stakeholders who need to be notified about it. Since the employee hacked into the human resource system and further sent fake emails to the auditor, this should be treated as a criminal offense. As if this was not enough, the employee reduced the president's salary as well as other employees' salaries and increased his own. According to Cichonski et al. (2012), the firm will need to communicate with outside teams, such as law enforcement and other incident response teams, as well as concerned stakeholders in the organization. In this scenario, the law enforcement agencies need to be notified so that proper measures can be taken against the employee for violating the law.
Besides law enforcement, the organization needs to notify the other employees about the incident, since the employee reduced their paychecks. The employee has already received two paychecks through hacking of the system, thus the president of the organization is supposed to be notified as well. If need be, for the sake of the organization's reputation with other firms as well as its clients, the media has to be informed of this incident so that the public can be aware that the human resource system was hacked into and that measures are being taken against the employee who hacked the system. By informing the public, the organization will be able to keep its reputation even as it tries to woo more clients. All these parties have to be notified according to communication procedures that comply with the firm's policies. Apart from law enforcement, the media, clients, and employees, the shareholders and directors of the company ought to be notified about the incident. The shareholders are the owners of the business, thus they have to be notified of any incident that occurs in their organization (Gregg, 2006). Shareholders play a critical role in making decisions, especially during the annual general meeting as well as special or emergency meetings. In addition, since the company may end up making a loss (for example, paying for investigations), the shareholders ought to know the causes of the loss. To coordinate the investigations, the company needs to contact a law enforcement agency, such as the FBI, to work with the IT staff to conduct comprehensive investigations. Consequently, this will help to identify the perpetrator and the appropriate way to protect the system against a similar incident.
Additionally, the directors are involved in the daily decision making of the organization. Hence, they have to be notified in order to make the appropriate decision on how to handle the matter. However, before notifying the stakeholders, investigations need to be carried out to find the exact employee who hacked the system. If an alarm is raised before identifying the suspect, he or she will definitely flee from justice. Therefore, the organization ought to identify the suspect and arrest him or her before notifying the stakeholders of what happened. Moreover, the organization needs to assure other employees that the necessary measures have been implemented to prevent such an incident in the future. This will increase the reputation of the organization among the stakeholders (Scarfone, Grance, & Masone, 2012).
As per this scenario, there are quite a number of containment strategies that the organization must follow as reactive measures to each specific incident in the scenario. These containment strategies are discussed in the NIST 800-61 document on pages 3-19 (Scarfone, Grance, & Masone, 2012). Scarfone, Grance, & Masone (2012) state that once the incident has been spotted and investigated, it is of great importance to try and contain it before it spreads and devastates more resources as its damage increases. In this scenario, as soon as the IT staff detected the spoofing incident, they were to try and contain it by shutting down the human resource system.
Further, the IT staff should disconnect the system from the wired or wireless network so as to contain the incident by making the employee unable to eavesdrop on other employees. As noted by Miller, Grance, & Scarfone (2012), even as the IT staff does this, they have to bear in mind that there could be important information that can be used as evidence against the employee, thus they have to be careful not to destroy this evidence. Therefore, the IT staff will have to save the existing system state so that no data is lost; the saved copy is the one that will be used for the investigation. In addition, the IT staff should also disable the financial functions of the human resource system so as to deny the employee access to private and confidential information about other employees as well as the organization at large (Miller, Grance, & Scarfone, 2012). Alternatively, as added by Scarfone, Grance, & Masone (2012), the IT staff can change the master password and disconnect any network connection. This will deny access to third parties, including the company's employees. The main reason for switching the network off is to disable any transfer of data from the server to a malicious computer. For example, if the employee had installed a key logger on the server, then even if the password is changed, the malicious employee will still obtain the new password while the system is online, since all activity can be transferred as long as the malicious software is still installed. Therefore, as noted by Cichonski, Miller, Grance, & Scarfone (2012), the IT staff can change the system password while it is offline, and this will give them the needed time to scrutinize the entire system and remove all installed malicious software as well as fake data.
Besides, there could also be a delayed containment strategy to enable the IT staff to gather more evidence against the employee. In this incident, however, the delayed containment strategy is hazardous to the organization because the employee will continue to receive an increased paycheck even as other employees suffer. Encryption and authentication are also another way of containing and controlling the incident. As noted by Cichonski, Miller, Grance, & Scarfone (2012), by encrypting the system, third parties will not be able to read the stored information correctly, thus the data (such as financial records and employees' profiles, among others) will be highly protected. Authentication will also require a master password in order to access the system. This means that third parties will not have access to the system since it is protected. Moreover, the IT staff can install an SSL certificate to assist in protecting the system from malware. The SSL certificate also assists in scanning the system daily, thus in case of any malware, it is detected and deleted immediately. Therefore, such an incident could not have occurred if the human resource system had been protected with an SSL certificate (Miller, Grance, & Scarfone, 2012). Moreover, since the attacker has access to the entire system and is connected through the network firewalls, there is a need to screen all employees' systems using antivirus software that will help to identify and delete any unauthorized intrusions.
The factors that caused the incident could be eradicated through various measures. This should take place after the incident has been controlled by the relevant stakeholders in the organization (Miller, Grance, & Scarfone, 2012). One of the measures for eradicating the incident is installing authentication as well as encryption controls on the system. The organization can also disable or even delete the employee's user account. As added by Miller, Grance, & Scarfone (2012), this will make him/her unable to eavesdrop on other employees and even on the human resource system. However, in this case, the method will not be effective, since the employee has access to other employees' accounts, which is an indication that the employee can still use the profiles of his or her colleagues to his or her advantage. In addition, since the employee has access to the entire system, he or she may also opt to create a fake account and cause a similar problem.
As noted by Gregg (2006), a Public Key Infrastructure (PKI) is another measure that can be implemented to avert the scenario. In this method, every communication with the human resource system would need a special key or certificate that would identify each employee uniquely. This would also stop eavesdropping even as it prevents deception and spoofing. The incident occurred because the firm had not taken the necessary measures stated above to protect the human resource system. This eradication process can either be carried out during the recovery process, or it can be done just before the recovery process (Miller, Grance, & Scarfone, 2012).
To return to its normal business practice, the system in this scenario could either be restored from clean backups, or the organization can decide to do away with the old system and build a new system from scratch. The clean backup will enable the firm to clear all the information from the previous system but still retain the most important files, data, and applications that the organization still needs (Cichonski, Miller, Grance, & Scarfone, 2012). The firm can also decide to replace the files compromised by the employee with clean versions of those files. This would be less costly compared to overhauling the whole system. Just as the IT staff were installing the authentication and encryption keys and certificates, this would still go a long way in helping the firm to recover its lost data and return to normalcy. Authentication, encryption keys and certificates are ways of tightening network perimeter security so as to stop any unauthorized personnel from accessing information that is private and confidential. As noted by Cichonski, Miller, Grance, & Scarfone (2012), authentication and encryption keys and certificates would also properly authenticate the host to avert any future spoofing. To verify that the system is operational, the IT department is meant to check the system before it declares it operational: check to make sure that all the authentication and encryption keys and certificates cannot be easily hacked and that they are functioning well. The IT staff will also be required to include third parties, such as security companies (McAfee Secure, among others), in order to verify that their revised system is out of harm's way. This will guarantee that such an incident will not occur in the future (Miller, Grance, & Scarfone, 2012). Security companies like McAfee will assist in checking for any possible malicious software installed or unauthorized intrusions, thus securing the system.
Despite the fact that the IT staff had some response to the incident, there are other areas that the IT staff did not identify. The IT staff only identified the spoofing, but there are still other areas that need an immediate response. For starters, the IT staff did not identify the malicious computer that was used to hack the system. Therefore, they were not able to identify the employee who hacked the system (Miller, Grance, & Scarfone, 2012). Another serious issue that occurred and was not identified is whether there was malicious software installed in the system. For instance, how was the employee able to create fake emails and exchange them with the auditor? Even if the IT staff were able to secure the network, if there was malicious software installed, it means the employee will still be able to access the system, since the malware will be able to communicate with the employee's server. This is a very serious matter that could lead to employees striking, thus making the company lose resources and money. Another area that the IT staff did not identify is where the employee in question changed his/her base salary rate so as to obtain a pay rise. As noted by Miller, Grance, & Scarfone (2012), this is not only a mistake but a crime as well. The IT staff should have noticed this so as to advise the appropriate management accordingly and to avoid any future occurrence of such an incident. Besides being able to obtain very private and confidential financial information, the employee was able to hack into other employees' email accounts, and the IT staff still did not mention this area since they were only concerned about the human resource system.
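As an added example that is not part of the essay or of NIST 800-61, the script below shows how the two signals that this paragraph and the opening section say went unnoticed, a salary change made by an employee to his own record and replies to the auditor coming from several accounts but one IP address, could be flagged from HR audit records and mail logs. The key=value log format, field names, role names, employee IDs and addresses are all constructed for illustration.

```python
# Added example, not from the essay or NIST SP 800-61. Two detection checks
# over constructed HR audit records and mail-server logs; the key=value log
# format, field names, role names and employee IDs are all assumptions.
from collections import defaultdict

# Constructed HR audit log: who changed which field on whose record.
HR_AUDIT_LOG = """\
2019-03-02T10:14:00 actor=hr.clerk target=emp042 field=base_salary old=52000 new=54000
2019-03-04T22:41:09 actor=emp017 target=emp017 field=base_salary old=48000 new=71000
2019-03-04T22:43:30 actor=emp017 target=president field=base_salary old=250000 new=227000
2019-03-05T09:02:11 actor=hr.clerk target=emp099 field=address old=redacted new=redacted
"""

# Constructed mail log: source IP, sending account and recipient of each message.
MAIL_LOG = """\
2019-03-10T08:15:02 src=10.0.5.17 from=alice to=auditor
2019-03-10T08:17:45 src=10.0.5.17 from=bob to=auditor
2019-03-10T08:20:13 src=10.0.5.17 from=carol to=auditor
2019-03-10T09:01:00 src=10.0.8.3 from=dave to=auditor
"""

def parse_kv_lines(text):
    """Turn 'timestamp k=v k=v ...' lines into dicts (timestamp kept under 'ts')."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        rec = {"ts": parts[0]}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            rec[key] = value
        records.append(rec)
    return records

def suspicious_salary_changes(audit_text, hr_roles=("hr.clerk",)):
    """Return base_salary changes where the actor edited their own record
    or is not an HR role; both patterns match the essay's insider."""
    hits = []
    for rec in parse_kv_lines(audit_text):
        if rec.get("field") != "base_salary":
            continue
        if rec["actor"] == rec["target"] or rec["actor"] not in hr_roles:
            hits.append((rec["ts"], rec["actor"], rec["target"], rec["old"], rec["new"]))
    return hits

def shared_sender_ips(mail_text, recipient, min_accounts=2):
    """Map each source IP to the accounts that mailed `recipient` from it,
    keeping only IPs shared by at least `min_accounts` distinct accounts."""
    by_ip = defaultdict(set)
    for rec in parse_kv_lines(mail_text):
        if rec.get("to") == recipient:
            by_ip[rec["src"]].add(rec["from"])
    return {ip: sorted(acc) for ip, acc in by_ip.items() if len(acc) >= min_accounts}

if __name__ == "__main__":
    print(suspicious_salary_changes(HR_AUDIT_LOG))
    print(shared_sender_ips(MAIL_LOG, "auditor"))
```

Both checks are deliberately simple rules over audit data the HR and mail systems already produce; the point is that the employee's months of activity left records that could have been reviewed.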
QuestionB (2, a & b)
Besides spoofing, there are quite a number of other attacks mentioned in the scenario that the organization did not notice. To begin with, there is the attack in which the employee impersonated other employees and responded to emails sent to them by the auditor. These were fake responses that the organization should have noticed. If the employee was able to reply on behalf of other employees, then not only was the human resource system hacked, but other systems of the organization were hacked as well. This signifies that the entire network was not protected against an insider attack. Another attack that the IT staff did not mention is the fact that the employee reduced other employees' paychecks and raised his own for two paychecks. This is a clear indication that the employee had full access to the entire system, which means that the entire human resource system was not secured at all. To prevent such attacks in the future, the organization needs to have an expert overseeing the IT department as well as an overall expert checking for such attacks.
According to Cichonski, Miller, Grance, & Scarfone (2012), the type of attacks not noticed by the organization are called small incidents. These small incidents are different from the serious attacks mentioned by Cichonski, Miller, Grance, & Scarfone (2012). To prevent these attacks in the future, the organization can hold post-mortem meetings that go beyond team and firm borders and come up with a mechanism for sharing information. The organization has to make sure that it involves the right people when holding these important meetings so as to scrutinize the problem and prevent it from happening in the future (Cichonski, Miller, Grance, & Scarfone, 2012). Such people include those directly involved in the incident. For our scenario, the organization can invite the employee as well as the auditor and even the human resource manager. The agenda of such meetings should be precise and to the point to avoid wasting the organization's time and resources. The organization has to lay down all the necessary rules and order before commencing the meeting and while the meeting is in progress so as to reduce any form of confusion as well as disharmony. These meetings can come up with corrective measures that are able to prevent any similar incident in the future. There can also be what are called lessons learned meetings of the organization and the various departments within it (Cichonski, Miller, Grance, & Scarfone, 2012).
To restore the computer system to a fully operational state, there are recovery procedures that the organization will have to undertake. Of all the recovery procedures seen in the NIST 800-61 document, this research paper recommends the procedure of rebuilding the system from scratch (Cichonski, Miller, Grance, & Scarfone, 2012). Although this is a very costly procedure for the organization, it will enable the organization to change and overhaul all the previous systems so as to make sure that there is no possibility of any future recurrence of such an incident. Rebuilding the system from scratch will enable the organization to make significant infrastructure changes to the system. This does not mean that the organization will lose its vital data, files, and applications. Rebuilding the system from scratch will just be a recovery measure that restores the computer system to a fully operational state, just as it was before the incident. Afterward, the new system will require strong security, such as an SSL certificate and authentication and encryption controls, to prevent access by third parties. The use of encryption will also help to stop any insider attacks from taking place. The SSL certificate, on the other hand, will assist in scanning for any malware, and when detected it will automatically be deleted, thus cases of hacking will be history. Authentication will demand a master password before accessing the system, thus preventing third parties from accessing it. Other recovery procedures, such as replacing compromised files and having new backups, will only make it easy for such incidents to appear again in the future, since most employees already have access to things such as passwords and even the IP address of the system (Cichonski, Miller, Grance, & Scarfone, 2012). In addition, the system will require anti-virus software that will assist in the daily screening of the system. The screening will assist in identifying any malicious software or unauthorized intrusions. Consequently, this will notify the IT staff when any irregular activity occurs, so that the appropriate measures can be taken to eradicate the menace.
Cichonski, P., Miller, T., Grance, T., & Scarfone, K. (2012). Computer Security Incident Handling Guide. NIST 800-61, Revision 2, 2-11.
Gregg, M. (2006). Certified Ethical Hacker. Indianapolis, Ind.: Que Certification.
Miller, T., Grance, T., & Scarfone, K. (2012). Computer Security Incident Handling Guide. NIST 800-61, Revision 3, 3-19.
Scarfone, K., Grance, T., & Masone, K. (2012). Computer Security Incident Handling Guide. NIST 800-61, Revision 1, 2-7.