SHORT RESPONSE
Published by Articulate® Storyline www.articulate.com
CYB 250 Module Two Short Response Text Version Breach Analysis Simulation
Scenario One Breach Analysis Simulation Introduction
Read through the following scenario. You will then be asked to make choices based on your experience as a security analyst. While there is a best path through the simulation, many of the other options are viable. You are encouraged to explore all of the options to enhance your knowledge and to prepare you for future breaches. The purpose of this simulation is to develop your systems thinking mindset and mature your cyber defense strategies.
Breach Analysis Simulation: Scenario One
You are a security analyst working for a company that provides an e-commerce website. Over the last year, you have had discussions with your supervisor about updates to the systems, including a transition to Transport Layer Security (TLS) from Secure Sockets Layer (SSL). The changes have not been implemented due to budgetary constraints. While performing file system maintenance, you notice low disk quota on the web server.
1. Challenge One
1.1 Challenge One
What is this low disk quota? This is odd; last audit, there was sufficient space. Normal business operations wouldn’t cause this. What should you do next? Below are the possible answers:
● Try to diagnose the source of the breach
● Consult the incident response plan
● Notify your supervisor
1.2 Try to diagnose the source of the breach
Good thought, but beware! Breaches are complex issues. Many additional obligations beyond solving the breach need to be addressed. For instance, evidence gathering must be considered, and communications to stakeholders must be drafted. Finding the source of the breach may be time-consuming; consequently, other entities can be working on remediation actions during this time. Try selecting a different response.
1.3 Consult the incident response plan
Although technically this response is the correct process, all employees should know that alerting their supervisor is the first step; this results in faster action in initiating the proper response. When you consult the incident response plan, it directs you to immediately contact your supervisor. Where should the incident response plan be located? Below are the possible answers:
● Stored digitally on the network
● Each employee should have a hard copy at his/her desk
● Printed out and stored in one specific location
1.3.1 Stored digitally on the network
No, this is not the ideal selection because the network could be compromised or otherwise inaccessible. Try selecting a different response.
1.3.2 Each employee should have a hard copy at his/her desk
Not quite! Although organizations might choose to do this, it represents an overuse of resources and creates potential issues related to the frequent updating necessary to this document. Try selecting a different response.
1.3.3 Printed out and stored in one specific location
Correct! This is standard practice; a single hard copy that is always up to date with the most current actions prevents issues. It is important to ensure that all individuals are notified when updates to this document occur. Now that you have determined where the incident response plan should be located, return to Challenge One and try selecting a different response.
1.4 Notify your supervisor
Correct! As an analyst, you need to contact your supervisor, who will contact the computer incident response team and mobilize the appropriate personnel to remedy the situation.
2. Challenge Two
2.1 Challenge Two: Dialogue with Supervisor
Supervisor: “There do appear to be irregularities with the network. I would like you to do some investigating and find evidence to support your concerns about a breach.” Where should you look first to try to find evidence of the breach? Below are the possible answers:
● Look for irregularities in Active Directory
● Analyze access control logs
● Look at the files on the web server
2.2 Analyze access control logs
Looking at access control logs can be a good start when trying to identify who accessed which areas of the network. However, this is a time-consuming process, and if the hacker is experienced, it may be difficult to determine whether unauthorized individuals accessed parts of the network they weren’t supposed to. After review of the access control logs, no evidence of a breach was found here. Try selecting a different response.
2.3 Look for irregularities in Active Directory
A goal of hackers is to establish a presence in the network. From this presence, hackers look to escalate privilege to gain access to information on the system or network and hide their activity within the network. Looking for irregularities is a good foundational step in trying to identify rogue activity on a network. In this case, there was no clear evidence that the attack progressed past the initial access to the network. This choice is something to keep in mind if irregularities of individual performances occur on the network. Try selecting a different response.
2.4 Look at the files on the web server
Correct! Looking at the files on the web server has uncovered the presence of rogue or unauthorized files. Hackers typically test the waters by trying to upload files to web servers. They are trying to discover whether or not they can infiltrate your system. If successful, hackers would try to exploit this vulnerability and look to secure their presence in the network through the web server. For this challenge, all three choices are viable, but checking for rogue or unauthorized files can be one of the fastest methods of detecting an attack.
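One way to turn this check into a repeatable control, as an added example that is not part of the simulation: a Python script (hypothetical, not the course's own material) that records a baseline manifest of the web root and then reports files that are new, modified or deleted, along with how much the total size has grown, which is the same symptom that surfaced as a low disk quota in Challenge One. The sample web root and the "rogue" upload are constructed inside the script.

```python
"""Detect rogue or modified files under a web root by comparing against a baseline manifest."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest and size in bytes."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify files as new, modified or deleted relative to the baseline and measure growth."""
    new = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    common = set(baseline) & set(current)
    modified = sorted(p for p in common if baseline[p]["sha256"] != current[p]["sha256"])
    growth = sum(e["size"] for e in current.values()) - sum(e["size"] for e in baseline.values())
    return {"new": new, "modified": modified, "deleted": deleted, "size_growth_bytes": growth}


def demo() -> dict:
    """Constructed scenario: a clean web root is baselined, then an unauthorized upload and a tampered page appear."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Shop</h1>")
        (root / "images").mkdir()
        (root / "images" / "logo.png").write_bytes(b"\x89PNG constructed")
        baseline = build_manifest(root)
        # Simulate what the analyst found: a file nobody deployed, and a modified page (constructed)
        (root / "uploads").mkdir()
        (root / "uploads" / "unexpected.bin").write_bytes(b"X" * 1024)
        (root / "index.html").write_text("<h1>Shop</h1><!-- changed -->")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline manifest off the web server, so that whoever can write to the web root cannot also rewrite the record it is compared against.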
3. Challenge Three
3.1 Challenge Three: Conversation with Supervisor
Supervisor: “Good work on identifying the issues with rogue files on the network. It appears that the attacker was able to place the files on the network because of the weak SSL encryption. Moving forward, we have reevaluated the budget and made the transition to TLS a priority. But we need to complete some steps before moving to TLS.”
3.2 Challenge Three: Conversation with Supervisor, Continued
Supervisor: “What do you think is the most important step to be sure we are ready to transition to TLS?” Below are the possible answers:
● “Hardware. I think we need to ensure that processors, RAM, network media (gigabit ethernet or fiber optic), network peripherals, and servers are capable and up to the task. Processing time becomes a consideration when implementing TLS because ciphers can take time to process, so you may experience a degradation of your network and lag time. We want to make sure that our communication infrastructure can handle the bandwidth and our network peripherals are as up to date as possible. We will also want to assess the health of our servers and server operating systems.”
● “Desktop and server software. I think we need to perform a health check for the local machines and take an inventory of other information systems as a first step. The communication between software across the organization is complex, and we need to ensure that everything works and is thoroughly tested. The last thing we want is to lose availability of the network because of software upgrades. Another factor with software is the cost of licensing both desktop and server software. This can be a big consideration as we plan the transition to TLS.”
● “Personnel: Implementing TLS requires personnel who are trained in the technical complexities required to complete this task. These personnel need to know why implementing TLS is important and also how to implement it.”
3.3 Desktop and server software
Supervisor: “Great point! While software considerations are important, I think they are secondary to hardware considerations because hardware is the first major component we will focus on when upgrading to TLS. We need the underlying infrastructure in place before making the move. Hardware upgrades have their own challenges and need to be completed first. Software is an important consideration because, once the right infrastructure is in place, the correct software is also required for TLS implementation.” Try selecting a different response.
3.4 Personnel
Supervisor: “Great point! While having the right personnel is key, I would argue that this is the third priority of the choices provided. Having the right personnel is an important consideration, along with being able to identify the right skill set needed, but having the proper infrastructure in place is the most important consideration.” Try selecting a different response.
3.5 Hardware
Supervisor: “I agree! This should be our highest priority consideration when transitioning to TLS. While it is important to take hardware, software, and personnel into consideration, hardware is the most important because having the infrastructure to run TLS is essential.”
Challenge Review
Your previous suspicions were aligned with what the incident response team discovered during its investigation. Your initial step of notifying your supervisor was key to having a timely response to the incident. The incident response team agreed that migrating from SSL to TLS is a part of the solution.
4. Challenge Four
4.1 Challenge Four
Supervisor: “Thanks for all of your help in identifying the breach and making recommendations for the remediation! We have successfully implemented TLS, and SSL has been removed from the system. Moving forward, what are your thoughts on what happens now that the upgrade has been implemented?” Below are the possible answers:
● “We can continue business as usual because updates have been made and vulnerability has been remediated.”
● “We should reevaluate security policies.”
● “We should conduct a security audit.”
4.2 “We can continue business as usual because updates have been made and vulnerability has been remediated.”
Supervisor: “I disagree. While we may be tempted to continue business as usual after implementing updates to remediate a vulnerability, it is really important to conduct a security audit to uncover any unintended consequences of those updates and to reevaluate our system health.” Try selecting a different response.
4.3 “We should reevaluate security policies.”
Supervisor: “Great point! This is an important step in implementing new solutions, but I think that conducting a security audit should be our first priority because we could uncover unintended consequences from the changes.” Try selecting a different response.
4.4 “We should conduct a security audit.”
Supervisor: “I agree! Conducting a security audit should be our first priority. By conducting the security audit, we will perform an evaluation of all systems, which may uncover other issues from implementation of the vulnerability remediation.”
Breach Analysis Simulation Scenario One Summary
Nice work! This activity is meant to enhance your knowledge about managing a breach by exploring choices that you could make during a given scenario. It is important that during a breach you remain calm and stick to the incident response plan. The knowledge gained from this assignment will help you to form a baseline of cyber defense strategies and your systems thinking mindset.