Cyber Security Security Strategy Implementation Recommendations document 5-8 pages


SIFERS-GRAYSON CYBERSECURITY INCIDENT REPORT FORM

1. Contact Information for the Incident Reporter and Handler

John Doe

Senior Security Analyst

Sifers-Grayson, IT Department

[email protected]

555-555-5555

SCADA Support Lab

1555 Pine Knob Trail S, Pine Knob, KY 42721

2. Incident Details

Timeline: The incident occurred on 03/10/2020 at 12:30 pm EST, was discovered on 04/01/2020 at 2:12 pm EST, was reported on 04/01/2020 at 4:17 pm EST, and was resolved on 12/14/2018 at 8:15 pm EST.

Physical location of the incident: Pine Knob, KY

Current status of the incident: Contained

Source/cause of the incident: An unsecured connection was penetrated; the R&D Center servers RDSVR1 (10.10.135.20/24) and RDSVR2 (10.10.135.21/24) have been compromised.

Description of the incident: The Red Team performed a penetration test and was able to access the R&D servers of the engineering center using a login and password obtained through a keylogger on a USB key left on one of the organization's lunch tables. The Chief Operating Officer reported that the Red Team managed to steal 100% of the AX10 Drone System design documents and source code.

Description of affected resources:

| Network | Hostname | IP Address | Function | Operating System |
|---|---|---|---|---|
| R&D DevOps | RDSVR01 | 10.10.135.20/24 | R&D Server | Windows Server 2008 R2 |
| R&D DevOps | RDSVR02 | 10.10.135.21/24 | R&D Server | Windows Server 2008 R2 |
| R&D DevOps | RDPGWS01 | 10.10.135.22/24 | Programming Workstation | Windows 10 |
| R&D DevOps | RDPGWS02 | 10.10.135.23/24 | Programming Workstation | Windows 10 |
| R&D DevOps | RDTSWS01 | 10.10.135.24/24 | Tests and Simulation Workstation | Windows 10 |
| R&D DevOps | RDDOMWS01 | 10.10.135.25/24 | Dev Ops Management Workstation | Windows 10 |
| R&D DevOps | RDICWS01 | 10.10.135.27/24 | Inventory Control Workstation | Windows 8.1 |
| R&D DevOps | PLC Modem | 10.10.135.28/24, 192.168.5.85/16 | Sandbox Testing | N/A |
| R&D DevOps | HQ Router | 10.10.135.29/24, 192.168.5.87/16 | Corporate Router | N/A |
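The inventory above is what a responder works from when scoping containment. As an added example (not part of the original report), the following script encodes that inventory and derives three things a handler would want: hosts whose operating system was already past vendor support on the incident date, multi-homed devices that bridge the R&D subnet to another network, and the set of hosts sharing a subnet with the two compromised servers. The end-of-support dates are assumed from Microsoft's published extended-support end dates.

```python
import ipaddress
from datetime import date

# Affected-resource inventory transcribed from the incident report:
# (hostname, interfaces, function, operating system). None = no OS listed.
ASSETS = [
    ("RDSVR01",   ["10.10.135.20/24"], "R&D Server", "Windows Server 2008 R2"),
    ("RDSVR02",   ["10.10.135.21/24"], "R&D Server", "Windows Server 2008 R2"),
    ("RDPGWS01",  ["10.10.135.22/24"], "Programming Workstation", "Windows 10"),
    ("RDPGWS02",  ["10.10.135.23/24"], "Programming Workstation", "Windows 10"),
    ("RDTSWS01",  ["10.10.135.24/24"], "Tests and Simulation Workstation", "Windows 10"),
    ("RDDOMWS01", ["10.10.135.25/24"], "Dev Ops Management Workstation", "Windows 10"),
    ("RDICWS01",  ["10.10.135.27/24"], "Inventory Control Workstation", "Windows 8.1"),
    ("PLC Modem", ["10.10.135.28/24", "192.168.5.85/16"], "Sandbox Testing", None),
    ("HQ Router", ["10.10.135.29/24", "192.168.5.87/16"], "Corporate Router", None),
]

# Assumption: vendor extended-support end dates as published by Microsoft.
END_OF_SUPPORT = {
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 8.1": date(2023, 1, 10),
}

def unsupported_hosts(assets, as_of):
    """Hostnames whose OS was past vendor support on the ISO date string as_of."""
    cutoff = date.fromisoformat(as_of)
    return [h for h, _, _, os_ in assets
            if os_ in END_OF_SUPPORT and END_OF_SUPPORT[os_] <= cutoff]

def bridging_devices(assets):
    """Devices with interfaces in more than one network: each is a path between segments."""
    out = []
    for host, ifaces, _, _ in assets:
        nets = {ipaddress.ip_interface(i).network for i in ifaces}
        if len(nets) > 1:
            out.append((host, sorted(str(n) for n in nets)))
    return out

def containment_scope(assets, compromised):
    """Hosts sharing a subnet with any compromised host: candidates for isolation and triage."""
    bad_nets = {ipaddress.ip_interface(i).network
                for h, ifaces, _, _ in assets if h in compromised for i in ifaces}
    return sorted(h for h, ifaces, _, _ in assets
                  if any(ipaddress.ip_interface(i).network in bad_nets for i in ifaces))

if __name__ == "__main__":
    print("Unsupported OS on incident date:", unsupported_hosts(ASSETS, "2020-03-10"))
    print("Bridging devices:", bridging_devices(ASSETS))
    print("Containment scope:", containment_scope(ASSETS, {"RDSVR01", "RDSVR02"}))
```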

Incident category: HIGH

Vectors of attack: External drive, Web, Improper usage, theft of property.

Indicators related to incident: New workers had not been adequately vetted, and sensitive areas were not properly secured against organizational access. An unprotected cellular connection allowed unauthenticated users to reach improperly configured network connections.

Prioritization factors: Because restore-point procedures were already planned and in operation, the overall effect on normal company operations was short-lived. It took 2 hours to restore normal operating procedures while the restore points were disabled company-wide. The effect on the data was complete and catastrophic, as all confidential data in scope of the penetration test, including classified information, was lost. Fortunately, all data had been backed up and was restored quickly from the restore point.

Mitigating factors: Theft of user accounts and credentials, stolen design documents, theft of source code, theft of classified information.

Response actions performed: The network was shut down and disconnected from the host.

Other organizations contacted: SCADA Lab and R&D DevOps Lab

[Figure 1.0]

Cause of the Incident: Physical security checks failed, which resulted in Red Team staff accessing the R&D Labs. Malware was built on company networks, leading to data and equipment being stolen from the client. See Figure 1 above. The research and development systems were vulnerable to malware-based attack.

3. Cost of the Incident: $15,300.00 in repair costs, including implementing CCTV; long-term damage to the company cannot be determined at this time.

4. Business Impact of the Incident: This attack shut down all company activities and cost Sifers-Grayson $15,300.00 in repairs. Sifers-Grayson lost valuable digital data and classified information, and may potentially lose its contract with the government.

5. General Comments:

Systems run on behalf of Sifers-Grayson will be expected to follow the NIST SP 800-53 security baselines within the agency to assess whether their risk profile falls in the low, moderate or high category. In order to meet the appropriate baseline security controls, systems that contain CUI will need to be identified. Contractor systems that process CUI incidental to the production of a product or service must comply with the NIST SP 800-171 baseline.

Contractors running systems on behalf of Sifers-Grayson will be expected to report all cyber incidents in a timely manner, while contractors running their own systems will only report incidents that impact the CUI. Contractors working on behalf of Sifers-Grayson may have to install continuous monitoring software and use other monitoring software chosen by the SCADA Labs SOC team, or build proprietary software that meets minimum specifications and is approved by Sifers-Grayson. By comparison, contractors running their own systems will have to install continuous monitoring software in a manner compatible with the NIST SP 800-171 guidelines, and will thus have more flexibility in the selection and installation of monitoring tools tailored to their specific system requirements.

This Guidance calls on Sifers-Grayson to perform contractor system security reviews, obtain third-party reviews, or rely on self-assessments from contractors. The Guidance indicates that Sifers-Grayson can obtain access to the facilities, equipment, operations, files, databases, IT systems, tools, and personnel used in the performance of the contract to conduct security inspections, assessments, investigations, or audits, and to retain evidence of information security incidents. The Guidance also recommends that external business partners create contract provisions that would allow contractors to approve client data sanitization when the work is concluded.