milestone 2 test Plan

TheBreachLimetreeIncv2.pdf

The Breach at Limetree Updated November 18, 2017

Background: Limetree Inc. is a research and development firm that engages in multiple research projects with the federal government and private corporations in the areas of healthcare, biotechnology, and other cutting-edge industries. Limetree recently lost a DOD contract worth millions of dollars because a competitor claimed to have a “superior chemical process that brought about the desired results in half the time, with over seventy-five percent more yield than conventional technologies.” This contract loss troubled Limetree Inc. management because Limetree has been working on that exact same technology for years, and they suspect it is no mere coincidence that a competitor has claimed their proprietary process as its own. Management then asked Jack Sterling, Limetree's security manager, to investigate whether there were any IT-related security problems that could shed light on the possibility of an insider threat. Jack performed an unannounced sweep of the office area and found serious problems. There were poor security practices at every workstation, such as unauthorized external hard drives and USB devices, passwords under mouse pads, unlocked displays, unauthorized software, obvious phone PINs, wireless passwords on bulletin boards, and improper destruction of sensitive documents. Jack's investigation led him to three suspects: Jamie Kim at workstation #14, because her external hard drive held the same proprietary process files that were leaked to the competitor; Duncan Harris at workstation #11, because he had a USB drive with deleted files that also contained the leaked proprietary process; and Steve Kim at workstation #4, because he had Jamie Kim's usernames and passwords on a partially shredded paper in the trash. No other employees had any copy of, or potential access to, the files that contained the proprietary process. Jack also conducted a review of the access logs on the server to rule out any unwarranted wireless access from inside or outside the facility.
There were several unauthorized users on the wireless network, but none of them had accessed the servers. Logs on the servers themselves revealed unauthorized directory traversals and DNS poisoning, but these attacks did not fall within the narrow timeframe in which the insider sold the proprietary process. Jack then navigated to the folder where the proprietary process was kept and observed that it was not encrypted, nor was it isolated on the network. Jack looked up the default password for the Cisco switch and, sure enough, it had not been changed on the routers and switches. Jack also ran a rootkit detector; although it found no rootkit, it did show that a backdoor had been planted in the distant past but was not active now. After finding the backdoor, Jack examined the public-facing web page and noticed that many of the input fields did not perform any validation or integrity checks on submitted data. Since that is a poor security practice, he made a mental note to review common security misconfigurations when he had free time.
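The log review above hinges on two steps: recognising directory-traversal requests (including percent-encoded and double-encoded forms that a naive string match misses) and then checking whether any of them fall inside the window in which the leak occurred. The script below is an added illustration of that check; it is not part of the Limetree case, and the log lines, addresses and leak window are constructed for the example.

```python
"""
Added example (not from the Limetree case study): flag directory-traversal
requests in web server access logs and test whether any fall inside a given
leak window. All log lines, IPs and dates below are constructed.
"""
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed Apache/nginx combined-format access log lines (illustrative only).
SAMPLE_LOG = """\
10.0.0.23 - - [02/Oct/2017:09:14:07 +0000] "GET /research/index.html HTTP/1.1" 200 5120
203.0.113.9 - - [02/Oct/2017:09:15:30 +0000] "GET /files/../../etc/passwd HTTP/1.1" 404 210
203.0.113.9 - - [02/Oct/2017:09:15:33 +0000] "GET /files/%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 198
10.0.0.41 - - [15/Oct/2017:14:02:11 +0000] "GET /projects/process.docx HTTP/1.1" 200 88342
198.51.100.7 - - [20/Oct/2017:22:48:01 +0000] "GET /..%252f..%252fwin.ini HTTP/1.1" 400 150
"""

# Hypothetical leak window (the case gives no exact dates): 14-16 Oct 2017 UTC.
LEAK_WINDOW = (
    datetime(2017, 10, 14, tzinfo=timezone.utc),
    datetime(2017, 10, 16, 23, 59, 59, tzinfo=timezone.utc),
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A ".." path segment bounded by a slash or backslash on each side (or line end).
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m.group('ip'), 'ts': ts, 'path': m.group('path'),
            'status': int(m.group('status'))}


def normalise_path(path, rounds=3):
    """Percent-decode a bounded number of times so that %2e%2e%2f and
    double-encoded %252e%252e%252f both collapse to '../'."""
    prev = None
    for _ in range(rounds):
        if path == prev:
            break
        prev, path = path, unquote(path)
    return path


def is_traversal(path):
    """True if the (decoded) request path contains a '..' segment."""
    return TRAVERSAL_RE.search(normalise_path(path)) is not None


def find_traversals(log_text):
    """Return parsed records for every line whose path is a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_traversal(rec['path']):
            hits.append(rec)
    return hits


def hits_in_window(hits, start, end):
    """Keep only records whose timestamp falls within [start, end]."""
    return [h for h in hits if start <= h['ts'] <= end]


def summarise(log_text, window=LEAK_WINDOW):
    """Counts a reviewer would want: traversal attempts overall and inside the window."""
    hits = find_traversals(log_text)
    inside = hits_in_window(hits, *window)
    return {'traversal_total': len(hits), 'in_window': len(inside),
            'sources': sorted({h['ip'] for h in hits})}


if __name__ == '__main__':
    for h in find_traversals(SAMPLE_LOG):
        print(h['ts'].isoformat(), h['ip'], h['path'])
    print(summarise(SAMPLE_LOG))
```

The bounded re-decoding in `normalise_path` is the part worth keeping: a single `unquote` leaves `%252f` as `%2f`, so a double-encoded traversal would pass a one-pass check. Equally important is that the window test is applied after detection, which is exactly the reasoning in the case: traversal attempts that exist but sit outside the leak window are real findings, just not evidence for this incident.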

Jack went to the telecommunications closet and discovered that the door was unlocked and the air conditioning was broken; the small room was critically hot. He also noticed that someone had opened a ceiling panel, probably to let fresh air into the closet. That made Jack wonder whether there should be a false ceiling in a sensitive area at all. He made another mental note to go through all the physical security concerns when he had time. Jack went to the main lobby and checked the visitor sign-in sheet. Clearly, the company was not following procedures: only a few people signed in per day, when he knew it should be over 10 a day. He did notice one thing: of the three suspects, only Steve Kim had been visited, several times, by a “Jason Byway.” Jack ran simple background checks using social media (Facebook, LinkedIn, and Google) on all ninety-five people who entered the facility during the time the leak occurred, and only “Jason Byway” turned out to be a fake name. Jack decided to run credit reports on all three suspects. The scores were: Jamie Kim 650; Duncan Harris 670; Steve Kim 540. Jack confiscated all three employees' workstations and did a preliminary investigation of the hard drives. Of the three suspects, only Steve Kim had deleted files containing the protected health information (PHI) used in a research study. Thus, Jack concluded that Steve Kim had stolen the information from another employee (Jamie Kim) and was the insider who sold company secrets, probably to get out of financial trouble.