In this scenario, several things could have led the employee to do what he did. First, the fact that the employee set out to change the normal salary he earned may indicate that employees are underpaid and that he was looking for a solution to a problem he faced. That would mean the Human Resource department failed to take care of its employees' wages, and that failure led to the incident. The employee may have been disgruntled by the huge margin between his salary and that of the company's president, which is perhaps why he deducted some of the president's pay and added it to his own. Furthermore, the information technology department found that authentication and encryption controls were lacking, which means there were loopholes in the department (Podaras et al., 2016). For the employee to carry out such an act, he might have observed these weaknesses and decided to take advantage of the whole situation.
2. Identify who needs to be notified based on the type and severity of the incident
Based on the type and severity of this incident, the people who need to be notified are the human resource manager, the information technology manager, and the company's financial manager. However, the incident falls squarely within the IT manager's docket more than it does within HR's or finance's.
3. Outline how the incident could be contained
If a DRP had been established, the incident would have been contained much faster. The incident could have been contained had the auditor responded in time when he discovered the discrepancy and immediately sent emails about it. It could also have been contained by calling an urgent meeting with the officials of the finance department, who could then have held an emergency meeting to assign the CIRT to investigate the whole situation. Sending emails to the other employees without first looking at the root cause of the problem landed the organization in more problems, since the emails went back to the fraudulent employee. Had the CIRT been assigned to the matter, the incident response team would have investigated by taking the following steps. A forensic image of the affected server's filesystem would have been taken and a memory analysis conducted. Through this investigation, the CIRT would have been able to find the source IP address of the attacker. Once the CIRT had that information, it would have been provided to the IT department so that the offending IP addresses could be blocked to contain the attack. After the CIRT understood that the network had been compromised and was to be considered hostile, it would have established secure methods of communication in order to prevent the email spoofing that was encountered. The secure communication channel would have included contact points in the public relations team, the human resources team and the legal department.
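The triage step described above (work from the evidence to the attacker's source address, then hand the IT department a block list) can be shown over an application audit trail. The example below is added here and is not from the original essay or from any payroll product; the audit-line layout, the field names, the allowed-role policy and the log records are all constructed for illustration.

```python
"""Containment triage over a payroll-system audit trail (added example).

The audit lines are constructed; the layout
  timestamp|actor|source IP|action|target record|field|old value|new value
and the allowed-editor policy are assumptions, not a real product's format.
"""
from typing import Dict, List

AUDIT_LOG = """\
2019-10-01T09:02:11|hr_clerk|10.0.5.21|UPDATE|emp_0412|address|12 Elm St|14 Elm St
2019-10-01T22:41:03|itadmin|10.0.9.77|UPDATE|emp_0001|salary|250000|238000
2019-10-01T22:41:09|itadmin|10.0.9.77|UPDATE|emp_0233|salary|48000|60000
2019-10-02T08:15:40|payroll_bot|10.0.5.30|READ|emp_0233|salary||
2019-10-02T11:20:55|hr_clerk|10.0.5.21|UPDATE|emp_0310|title|Analyst|Senior Analyst
"""

# Assumed policy: only these accounts may change a salary field.
SALARY_EDITORS = {"hr_manager", "payroll_bot"}
FIELDS = ("ts", "user", "src_ip", "action", "target", "field", "old", "new")


def parse_audit(text: str) -> List[Dict[str, str]]:
    """Parse pipe-separated audit lines into dicts; malformed lines are skipped
    rather than aborting triage, because a partly damaged log is still evidence."""
    events = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            continue
        events.append(dict(zip(FIELDS, parts)))
    return events


def unauthorized_salary_changes(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Salary UPDATE events performed by an actor outside the allowed roles."""
    return [
        e for e in events
        if e["action"] == "UPDATE" and e["field"] == "salary"
        and e["user"] not in SALARY_EDITORS
    ]


def containment_plan(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Derive the containment actions the text describes: source IPs for the
    IT department to block, accounts to suspend, and the pre-attack values
    (the 'old' column) that must be restored to each altered record."""
    suspicious = unauthorized_salary_changes(events)
    return {
        "block_ips": sorted({e["src_ip"] for e in suspicious}),
        "suspend_accounts": sorted({e["user"] for e in suspicious}),
        "restore": {e["target"]: e["old"] for e in suspicious},
    }


if __name__ == "__main__":
    print(containment_plan(parse_audit(AUDIT_LOG)))
```

The "old" column is kept because it is the only record of the pre-attack salary; a restore that trusts the current table would preserve the fraudulent values.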
After identifying the hacker employee, the human resources department ought to summon the employee for interrogation and discipline, with support from legal, technical and management staff. If the hacker is allowed to remain in the company, they should be denied access to the internet until the matter is resolved. This would ensure that the employee does not interfere with system recovery or get information about the new security details to be installed.
4. Discuss how the factor that caused the incident could be eradicated
The IT department established the cause of the problem as a lack of authentication. They then found that if a local root certificate authority had been used, the second phase of the problem would not have occurred, because there would have been security in place before any communication was made (Kappelman et al., 2016). Also, I believe that if the employee's salary had been favorable, the employee would have been satisfied with what he was earning and would not have hacked the system to earn more. If the firm had more controls in place, such as proper access control, network security monitoring, and audit trails, such an occurrence could not have taken place. With proper network security monitoring, network-based attacks such as the IP spoofing would have been caught and the CIRT would have intervened early on. The firm needs to hire a third-party consultant to perform a security assessment that measures its incident response readiness and provides a network penetration test.
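The access-control and audit-trail controls named above can be made concrete by placing the weak form of a salary update next to a hardened one. This is an added example, not code from the essay or from any HR system; the `User`, `PayrollStore` and `update_salary_*` names, the role names and the policy bounds are assumptions chosen for illustration.

```python
"""Access control plus audit trail for a salary update (added example).

The 'vulnerable' function models the situation the essay describes: any
authenticated account can write any record and nothing is recorded.  The
hardened function adds a role check, a separation-of-duties rule (nobody
edits their own pay), a bounds check, and an audit entry for every attempt.
All names and the hr_manager role are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class User:
    name: str
    employee_id: str
    roles: Set[str]


@dataclass
class PayrollStore:
    salaries: Dict[str, int]
    audit: List[dict] = field(default_factory=list)


class AccessDenied(Exception):
    pass


def update_salary_vulnerable(store: PayrollStore, actor: User,
                             employee_id: str, new_salary: int) -> None:
    """'Before' form: no authorization, no audit record."""
    store.salaries[employee_id] = new_salary


def update_salary_hardened(store: PayrollStore, actor: User, employee_id: str,
                           new_salary: int, src_ip: str) -> None:
    """Hardened form.  Denied attempts are logged too: in the scenario they
    would have been the signal that an IT account was touching payroll."""
    entry = {"actor": actor.name, "src_ip": src_ip, "target": employee_id,
             "new": new_salary, "allowed": False}
    try:
        if "hr_manager" not in actor.roles:
            raise AccessDenied("role hr_manager required")
        if actor.employee_id == employee_id:
            raise AccessDenied("an actor may not change their own salary")
        if employee_id not in store.salaries:
            raise KeyError(employee_id)
        if not 0 < new_salary <= 1_000_000:  # assumed policy ceiling
            raise ValueError("salary outside policy bounds")
        entry["old"] = store.salaries[employee_id]
        store.salaries[employee_id] = new_salary
        entry["allowed"] = True
    finally:
        store.audit.append(entry)


if __name__ == "__main__":
    store = PayrollStore(salaries={"emp_0001": 250000, "emp_0233": 48000})
    itadmin = User("itadmin", "emp_0233", {"it_admin"})
    try:
        update_salary_hardened(store, itadmin, "emp_0233", 60000, "10.0.9.77")
    except AccessDenied as exc:
        print("denied:", exc, store.audit[-1])
```

Logging in a `finally` block is the design point: the audit trail must record the refused attempt as well as the successful one, otherwise the monitoring the essay calls for has nothing to alert on.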
5. Discuss how the system could be recovered to return to normal business practice
Recovery usually involves restoring data from clean backups. System administrators may also decide to build systems from scratch and do away with the corrupted systems. New patches as well as new passkeys may also be installed on the new system. Finally, the security of the system is reinforced as the last step in system recovery: existing firewalls are reinforced while access controls are edited. To verify the effectiveness of the system recovery, a system audit is done after all the damaged files and networks have been restored. During system recovery, the IT team may discover the vulnerability that contributed to the success of the hack, as well as other similar vulnerabilities that were luckily not exploited by the hacker. The first thing after recovery is to retest the already rectified system to find how vulnerable to infiltration it still is. This testing involves attacking the software to find whether the vulnerabilities were mended (Cichonski et al., 2012). To verify whether the operational capability of the system has been restored:
1. Ensure that the previous passwords have been deleted and that the system recognizes them as wrong
2. The human resource department may be ordered to carry out normal activities for seven days to see whether the system reports any error
3. Compare the efficiency of the system before and after the attack
4. After reinstalling the system, reboot the computers and test the system
5. Report on the comparison and modify accordingly
Follow-up of the post-event evaluation
1. Identify areas that were not addressed by the IT staff's response to the incident
The IT department did not look into the configuration that permitted the attacker access to the company's information. Due to the lax network configuration, the attacker was able to traverse the network and conduct further attacks and spoofing. Furthermore, they failed to look at the other possible causes that could lead to a similar event. One of these areas is email authentication: the IT department should install an email gateway in order to prevent spoofing and email-based attacks. Failure to identify these areas means that the response was not satisfactory, and the system could be attacked again in the future.
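The email gateway recommended above is, at its core, a policy applied to each inbound message's authentication results before delivery. The example below is added here and is not from the essay or from any gateway product; the internal domain `example-corp.test`, the two sample messages and the decision rules are constructed, while the `Authentication-Results` header layout follows the RFC 8601 convention of `method=result` clauses.

```python
"""Inbound mail-gateway spoofing check (added example).

Two constructed messages are evaluated: one from an external relay that
claims an internal From: address and fails SPF/DKIM (the spoof the essay
describes), and one from an external vendor that authenticates.  The domain
name and the policy are assumptions.
"""
import email
from email import policy
from typing import Dict, Tuple

INTERNAL_DOMAIN = "example-corp.test"  # assumed; the essay names no domain

SPOOFED = """\
Authentication-Results: mx.example-corp.test; spf=fail smtp.mailfrom=example-corp.test; dkim=none
Received: from mail.attacker.test (mail.attacker.test [203.0.113.9])
From: IT Department <it-support@example-corp.test>
To: staff@example-corp.test
Subject: Urgent: re-enter your payroll credentials

Please reply with your username and password.
"""

LEGIT = """\
Authentication-Results: mx.example-corp.test; spf=pass smtp.mailfrom=vendor.test; dkim=pass header.d=vendor.test
From: Vendor Billing <billing@vendor.test>
To: finance@example-corp.test
Subject: Invoice 1042

Attached is this month's invoice.
"""


def auth_results(msg) -> Dict[str, str]:
    """Extract method=result verdicts (spf, dkim, ...) from Authentication-Results.
    The first ';'-separated field is the authserv-id and is skipped."""
    hdr = msg.get("Authentication-Results", "")
    verdicts = {}
    for clause in hdr.split(";")[1:]:
        words = clause.strip().split()
        if words and "=" in words[0]:
            method, result = words[0].split("=", 1)
            verdicts[method.lower()] = result.lower()
    return verdicts


def gateway_decision(raw: str) -> Tuple[str, str]:
    """Return (action, reason); action is 'deliver', 'quarantine' or 'reject'."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return "reject", "missing or unparsable From:"
    from_domain = from_hdr.addresses[0].domain.lower()
    verdicts = auth_results(msg)

    # Rule 1: anything claiming to be internal must prove it via SPF or DKIM.
    if from_domain == INTERNAL_DOMAIN and "pass" not in (
            verdicts.get("spf"), verdicts.get("dkim")):
        return "reject", "internal domain in From: without SPF/DKIM pass"
    # Rule 2: no verdicts at all means the upstream checks did not run.
    if not verdicts:
        return "quarantine", "no authentication results"
    # Rule 3: an explicit failure from an external sender is held for review.
    if "fail" in (verdicts.get("spf"), verdicts.get("dkim")):
        return "quarantine", "authentication failure"
    return "deliver", "authenticated"


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, gateway_decision(raw))
```

Rule 1 is the one that matters for this scenario: a message whose From: claims the company's own domain but arrives without a passing SPF or DKIM verdict is exactly the spoofed "IT department" mail, and it is rejected rather than merely quarantined.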
2. Identify the other attacks mentioned in the scenario that were not noticed by the organization
The response team was not able to identify that the IP address had been changed, and because of this, tracking the employee was hard. This is one trick that the fraudulent employee used to hide his identity. The other attacks mentioned in the scenario but not addressed include the sending of inaccurate information to employees and the altering of company data. The spread of inaccurate information is critical, as it may lead to all the other problems. The auditor was not able to identify the discrepancy reflected in the employees' payroll data (Johnson, 2016). After reviewing the attack, it is clear that the attacker used a man-in-the-middle attack in order to assume the identity of a member of the IT department. With this level of access, he had the keys to the kingdom and was able to elevate his account's privileges, making this an event of critical severity. In order to prevent a MITM attack, proper network security practices must be put in place, such as multi-factor authentication for accounts with high privileges such as domain admin. Network segmentation must be implemented to block an attacker from cruising through the network once an account has been compromised; this can be done through the use of VLANs. In order to prevent IP spoofing, access control lists must be put in place on the routers and switches so that they reject spoofed packets. Email spoofing is a difficult problem to resolve, but one way to prevent this type of attack is through the use of Pretty Good Privacy (PGP). When sensitive information is being discussed, all emails should be encrypted with the recipient's private key and digitally signed in order to demonstrate that the email is legitimate and that only the intended party can open its contents.
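The two network controls named above, anti-spoofing access lists and VLAN segmentation, can be expressed as one per-packet ingress decision. The example below is added here and is not from the essay or from any router vendor; the interface names, prefixes, the payroll server address and the test packets are constructed, and the rule set goes slightly beyond the text by also dropping bogon sources. (One caveat on the PGP sentence above, stated as a fact rather than taken from the essay: in OpenPGP a message is encrypted to the recipient's public key and signed with the sender's private key; the recipient's private key is what decrypts it.)

```python
"""Ingress anti-spoofing ACL plus VLAN segmentation rule (added example).

Models what a router/switch ACL does: a packet entering an interface must
carry a source address that legitimately lives behind that interface, the
WAN side must never present an internal source, and only the HR VLAN may
reach the payroll server.  Topology and addresses are assumptions.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Assumed topology: prefixes legitimately sourced behind each ingress interface.
INTERFACE_PREFIXES: Dict[str, List[Net]] = {
    "vlan10_hr": [ipaddress.ip_network("10.0.5.0/24")],
    "vlan20_it": [ipaddress.ip_network("10.0.9.0/24")],
    "wan0": [],  # nothing internal may ever arrive from the Internet side
}
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
BOGON = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]
PAYROLL_SERVER = ipaddress.ip_address("10.0.5.30")  # assumed address


def _in(addr, nets) -> bool:
    return any(addr in n for n in nets)


def evaluate(ingress_if: str, src: str, dst: str) -> Tuple[str, str]:
    """Return ('permit'|'deny', reason) for one packet, in ACL evaluation order."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    allowed = INTERFACE_PREFIXES.get(ingress_if)
    if allowed is None:
        return "deny", "unknown interface"
    if _in(s, BOGON):
        return "deny", "bogon source"
    # Anti-spoofing, WAN side: an internal address cannot originate outside.
    if ingress_if == "wan0" and _in(s, INTERNAL):
        return "deny", "internal source address from WAN (spoofed)"
    # Anti-spoofing, LAN side: a host may only use addresses behind its own port.
    # This catches the 'changed IP address' trick the essay describes.
    if ingress_if != "wan0" and not _in(s, allowed):
        return "deny", "source not in prefixes behind " + ingress_if
    # Segmentation: payroll is reachable from the HR VLAN only.
    if d == PAYROLL_SERVER and ingress_if != "vlan10_hr":
        return "deny", "segmentation: payroll reachable only from HR VLAN"
    return "permit", "source matches interface prefix"


def filter_batch(packets: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Evaluate a list of (ingress_if, src, dst) tuples."""
    return [evaluate(*p) for p in packets]


if __name__ == "__main__":
    for pkt in [("vlan20_it", "10.0.5.21", "10.0.5.30"),
                ("wan0", "10.0.9.77", "10.0.5.30"),
                ("vlan10_hr", "10.0.5.21", "10.0.5.30")]:
        print(pkt, "->", evaluate(*pkt))
```

The LAN-side rule is the important one for this scenario: an IT-VLAN host that changes its own address to look like an HR workstation is still plugged into the IT VLAN, so its packets arrive on `vlan20_it` with a source the switch knows does not belong there.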
3. Recommend a recovery procedure to restore the computer systems back to a fully operational state
1. Identify the magnitude of the attack. This will enable the company to prepare for the amount of work that will be needed in system recovery.
2. Pull out all the relevant data from the affected system to prevent further corruption. This step goes hand in hand with halting of all online activities associated with the affected system, meaning that the human resource department has to rely on offline backups for its transactions.
3. Put together a team of IT specialists savvy with hacking and system recovery. This team is to mend any program files that might have been damaged.
4. If no files were damaged, the program should be uninstalled from all the computers.
5. The computers should be shut down for some time and then booted again.
6. The programs should then be reinstalled.
7. The user authentication protocols should be reset and all the retrieved files uploaded back to the system.
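The recovery procedure above (steps 2 and 7 in particular: restore from clean data, reset authentication) and the verification list under section 5 (old passwords must be rejected) can be exercised as one drill. The example below is added here and is not from the essay or from any backup or HR product; the backup contents, the manifest, the `CredentialStore` class and the account names are constructed.

```python
"""Recovery drill (added example): restore from a backup only if its hash
manifest verifies, rotate every credential, then confirm that old passwords
are rejected and new ones accepted.  All data and names are constructed.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, List

# Constructed 'clean' backup taken before the incident, plus a SHA-256 manifest
# that would in practice be stored separately from the backup itself.
BACKUP_FILES: Dict[str, bytes] = {
    "payroll.json": json.dumps({"emp_0001": 250000, "emp_0233": 48000}).encode(),
}
MANIFEST = {name: hashlib.sha256(data).hexdigest() for name, data in BACKUP_FILES.items()}
ITERATIONS = 200_000


def verify_backup(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Names of files whose digest does not match the manifest (empty = clean)."""
    return [n for n, data in files.items()
            if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), manifest.get(n, ""))]


def restore(files: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, int]:
    """Refuse to restore anything from a backup that fails integrity checks."""
    bad = verify_backup(files, manifest)
    if bad:
        raise RuntimeError("backup integrity check failed for: " + ", ".join(bad))
    return json.loads(files["payroll.json"])


class CredentialStore:
    """Salted PBKDF2 password store standing in for the HR system's login."""

    def __init__(self) -> None:
        self._users: Dict[str, tuple] = {}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS))

    def verify(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(cand, digest)

    def rotate_all(self, new_passwords: Dict[str, str]) -> None:
        """Step 7: every account is reset; accounts not re-issued cease to exist."""
        self._users.clear()
        for user, pw in new_passwords.items():
            self.set_password(user, pw)


def recovery_drill(store: CredentialStore, old_pw: Dict[str, str],
                   new_pw: Dict[str, str], tampered: bool = False) -> Dict[str, bool]:
    """Run restore + rotation and return the verification checks from section 5."""
    files = dict(BACKUP_FILES)
    if tampered:  # simulate a backup altered after the manifest was written
        files["payroll.json"] = json.dumps({"emp_0233": 60000}).encode()
    records = restore(files, MANIFEST)
    store.rotate_all(new_pw)
    return {
        "records_restored": records == {"emp_0001": 250000, "emp_0233": 48000},
        "old_passwords_rejected": all(not store.verify(u, p) for u, p in old_pw.items()),
        "new_passwords_accepted": all(store.verify(u, p) for u, p in new_pw.items()),
    }


if __name__ == "__main__":
    s = CredentialStore()
    s.set_password("itadmin", "Old-Pa55")
    print(recovery_drill(s, {"itadmin": "Old-Pa55"}, {"hr_clerk": "N3w-secret"}))
```

Two design choices carry the essay's intent: the restore refuses a backup whose digest does not match the manifest, so a copy the attacker touched is never loaded, and rotation clears the store before re-issuing credentials, so an account that is deliberately not re-issued (the suspended one) cannot log in with anything.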
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide. NIST Special Publication 800-61.
Johnson, V. (2016). Leading the historical enterprise: strategic creativity, planning, and advocacy of the digital age. Archives and Records, 37(1), 84-86.
Kappelman, L., McLean, E., Johnson, V., & Torres, R. (2016). The 2015 SIM IT Issues and Trends Study. MIS Quarterly Executive, 15(1).
Okolita, K. (2016). Building an Enterprise-Wide Business Continuity Program. CRC Press.
Podaras, A., Antlov, K., & Motejlek, J. (2016). Information management tools for implementing an effective enterprise business continuity strategy. Economics and Management.
1. Describe the series of malicious events that led up to the incident. (2019, Oct 16). Retrieved from https://speedypaper.com/essays/1-describe-the-series-of-malicious-events-that-led-up-to-the-incident