Computer Science ISSC480 week 6 assignment
You will need to use the “Week6-Assignment Guide.pdf” to assist you in filling out this report.
You will fill out the following form using the incident you chose in Week 1.
Company Background Information
What is your main industry sector? ☐ Defense Industry ☐ Financial Services ☐ Healthcare ☐ Biotech/Pharmaceutical ☐ Food Production/Distribution ☐ Utilities (water, power, etc.) ☐ Transportation/port services ☐ Technology ☐ Energy Production (oil, natural gas, etc.) ☐ R&D/University ☐ Manufacturing ☐ Other ________________________
Does your organization consider itself to be a small, small-medium, medium-sized, or large business? ☐ Small Business (less than 100 employees) ☐ Small-Medium Business (100-999 employees) ☐ Medium-sized Business (1,000-9,999 employees) ☐ Large Business (10,000 employees or more)
How long has your organization been dedicating resources to cybersecurity? ☐ Started within the last year ☐ 1-3 years ☐ 3-5 years ☐ More than 5 years
Does your organization have someone responsible for cybersecurity/information security, such as a CISO (Chief Information Security Officer) or Chief Security Officer (CSO)? ☐ Yes ☐ No
Did your organization have someone responsible for cybersecurity/information security, such as a CISO or CSO, at the time of the incident? ☐ Yes ☐ No
1 - Type of Incident
Please identify the major category description that best fits this incident. Check all that apply: ☐ Distributed Denial of Service (DDOS) ☐ Destructive WORM ☐ Ransomware/Extortion ☐ Data Theft ☐ Intellectual Property (IP) ☐ Personally Identifiable Information (PII) ☐ Financial Data ☐ Health Records ☐ Other type of data _______________ ☐ Unknown ☐ Web page defacement ☐ Malware (Variant, if known______________) ☐ Zero-Day Malware Attack ☐ SCADA or Industrial Control System Attack ☐ Accident/Human Error ☐ System Failure ☐ Natural or Man-made (Physical) Disaster ☐ Storage/Back-up Failure ☐ Network Intrusion ☐ Third-Party Event ☐ Phishing ☐ Industrial Espionage ☐ Physical Sabotage ☐ Configuration Error ☐ Insider Attack ☐ Lost Device ☐ Outage ☐ Other ☐ Additional Entry . . .
2 – Severity of Incident (See Assignment Guide Page 10 for charts)

| Impact | Financial or Asset Loss | Time-to-Market Delay | Product Quality | Environment | Health & Safety | Legal |
|---|---|---|---|---|---|---|
| | | | | | | |

Fill out the information in the columns above. Then, using the charts on Page 10, specify the Impact level.
3 – Company Posture at Time of Incident
Does your organization use a cyber risk management framework, best practice, regulation or standard as part of its cyber risk management activities? ☐ Yes ☐ No
If Yes, please identify: _________________
If you are required to be certified compliant with a technical regulation or standard, how are you assessed?
☐ Self-Assessed ☐ Self-Assessed with Third-Party Validation ☐ Third-Party Assessment and Validation ☐ Post-Market Surveillance ☐ N/A: Not Required
Are your organization’s risk management practices formally approved and expressed as policy? ☐ Yes ☐ No
Are your organization’s cybersecurity practices regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape? ☐ Yes ☐ No
Is cybersecurity integrated into your organization’s enterprise risk management? ☐ Yes ☐ No
Does your organization define risk-informed policies, processes, and procedures? ☐ Yes ☐ No
If Yes, are they implemented as intended? ☐ Yes ☐ No
Are they reviewed? ☐ Yes ☐ No
Does your organization have methods in place to respond effectively to changes in risk? ☐ Yes ☐ No
Do your organization’s personnel possess the knowledge and skills to perform their appointed roles and responsibilities? ☐ Yes ☐ No
Does your organization understand its dependencies and partners, and receive information from partners that enables collaboration and risk-based management decisions within your organization in response to events? ☐ Yes ☐ No
4 – Timeline of Incident
What is the interval between initial cyber intrusion and target or significant system compromise (including data records compromise)? ☐ Less than 4 hours (almost immediate) ☐ 4-24 hours (less than a day) ☐ 2-7 days (less than a week) ☐ 7-30 days (more than a week, but less than a month) ☐ 30-180 days (between 1 and 6 months) ☐ 180-365 days (6 months to a year) ☐ More than a year ☐ Unknown (initial date of intrusion and/or date of system compromise undetermined)
What is the interval between compromise and detection of the incident’s effects? ☐ Less than 4 hours (almost immediate) ☐ 4-24 hours (less than a day) ☐ 2-7 days (less than a week) ☐ 7-30 days (more than a week, but less than a month) ☐ 30-180 days (between 1 and 6 months) ☐ 180-365 days (6 months to a year) ☐ More than a year ☐ Unknown (date of compromise and/or date of detection undetermined)
What is the interval between detection of the incident and containment/mitigation? ☐ Less than 4 hours (almost immediate) ☐ 4-24 hours (less than a day) ☐ 2-7 days (less than a week) ☐ 7-30 days (more than a week, but less than a month) ☐ 30-180 days (between 1 and 6 months) ☐ 180-365 days (6 months to a year) ☐ More than a year ☐ Unknown (date of detection and/or date of containment undetermined)
5 – Apparent Goal of Attackers
What was the attacker’s apparent end-state goal? Check all that apply.
☐ Acquisition/Theft – Illicit acquisition of valuable assets for resale or extortion in a way that preserves the assets’ integrity but may incidentally damage other items in the process.
☐ Business Advantage – Increased ability to compete in a market with a given set of products. The goal is to acquire business processes or assets.
☐ Technical Advantage – Illicit improvement of a specific product or production capability. The primary goal is to acquire production processes or assets rather than a business process.
☐ Damage to Property – Injury to the target organization’s physical/electronic assets, or intellectual property.
☐ Bodily Injury/Death – Injury to or death of the target organization’s personnel.
☐ Denial – Prevent the target organization from accessing necessary data or processes.
☐ Disruption of System/Service Availability – Interference with or degradation of the target organization’s legitimate business transactions.
☐ Production Loss – Reduction or halting of the target organization’s ability to create goods and services by damaging or destroying its means of production.
☐ Environmental Harm – Adverse impact to land, air, or water resources.
☐ Degradation of Reputation – Public portrayal of the target organization in an unflattering light, causing it to lose influence, credibility, competitiveness, or stock value.
☐ Unknown – Intent of the attack is not known.
☐ Not Applicable – Attack does not appear to have been an intentional/hostile incident.
☐ Additional Entry . . .
6 – Contributing Causes
For each contributing cause, check the step(s) of the incident progression at which it applied.

| Incident Progression | Step 1 | Step 2 | Step 3 | Step 4 | Step 5 | Step 6 |
|---|---|---|---|---|---|---|
| Intentionally caused or conducted by third party vendor | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Unintentionally/negligently introduced through third party information sharing partner (e.g., link to an infected site, or poor protection of shared materials) | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Third party vendor infrastructure (e.g., remote access connection) | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Third party vendor account credentials | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Data was under third party control when compromised | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Direct access by Insider | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Physical access by unauthorized personnel | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Spear phishing email attachment | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Spear phishing email link | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Poor Passwords | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Stolen Authorized Credentials | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Employee Human Error in authorized procedure (e.g., distracted/multitasking, inadequate training) | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Employee Human Error – unauthorized/reckless activity (system or authorization misuse, benign shortcuts, etc.) | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Improper sensor tuning | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Malicious Insider Activity | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Unauthorized Device (e.g., personal laptop) | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Misconfigured Device (firewall, router, switch) | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Compromised mobile media (e.g., USB) | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Compromised firmware | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Known vulnerability not patched | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Previously unknown vulnerability | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Brute Force attack | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Virus (A/V present) | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Virus (no A/V) | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Zero-Day | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Additional Entry . . . | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Other: | | | | | | |
7 – Specific Control Failures
Please identify the category of the involved security control as well as descriptors of the failure. Check all that apply:
Type of Security Control: ☐ Human ☐ Process ☐ Technology ☐ Environmental (e.g., facility power, cooling, natural disaster, etc.) ☐ Third Party
Level of Security Control: ☐ Network ☐ Business/Process Application ☐ System Control (SCADA/ICS) ☐ Data
Descriptor of the Failure: ☐ Poor Internal Security Processes ☐ Approaches/Tool Incompatible with All Platforms ☐ Improperly Tuned Sensor(s) ☐ Inadequate Maintenance/Patching Practices ☐ Working Control Failed to Prevent Incident and/or Attack ☐ Other ________________ ☐ Additional Entry . . .
8 – Assets Compromised or Affected
Please identify all assets that were affected by the compromise. Check all that apply: ☐ SCADA/ Industrial Control Systems (ICS) ☐ Databases ☐ Individual Accounts ☐ Business Application Servers ☐ Third Party Systems ☐ Websites (e.g., defacement) ☐ Structured Data (e.g., application/relational databases) ☐ Unstructured Data (e.g., office/individual’s files, PDFs, blueprints) ☐ Transactional Systems ☐ Decision Support Systems (including data warehouses) ☐ Building Management Systems ☐ Peripheral (e.g., USB, external hard drive) ☐ End-User Device (e.g., stolen iPad, phone, laptops) ☐ Data Center/Office Device (e.g., server, storage array, printer) ☐ Printed Hardcopy ☐ Other ☐ Additional Entry . . .
9 – Type of Impact(s)
Which security property was affected (confidentiality, integrity, availability)? Check all that apply: ☐ Loss of confidentiality ☐ Loss of integrity ☐ Loss of availability
What is the amount of data compromised? ☐ 0-100,000 records/documents ☐ 100,001-500,000 records/documents ☐ 500,001-1,000,000 records/documents ☐ Over 1,000,000 records/documents ☐ Not Applicable
What is the duration of the experienced business interruption and/or outage? ☐ Less than one hour ☐ 1-3 hours ☐ 3-10 hours ☐ 10-24 hours ☐ 1-3 days ☐ 3-6 days ☐ Greater than one week
What is the sensitivity of the data involved? Check all that apply: ☐ Personally Identifiable Information (PII) ☐ Protected Health Information (PHI) ☐ Intellectual Property (IP) ☐ Credit Card Data ☐ Consumer Financial Data ☐ Employee Data ☐ Business Process Data (e.g., logistics information, trade secrets) ☐ Biometric Data ☐ Corporate Confidential Information ☐ Personal Confidential Information (e.g., an individual’s emails) ☐ Other _______________ ☐ Not Applicable ☐ Additional Entry . .
What was the actual outcome of the attack? Check all that apply: ☐ Acquisition/Theft – Illicit acquisition of valuable assets for resale or extortion. ☐ Business Advantage – Increased ability to compete in a market with a given set of products. ☐ Technical Advantage – Illicit improvement of a specific product or production capability. ☐ Damage to Property – Injury to the target organization’s physical or electronic assets, or intellectual property. ☐ Bodily Injury/Death – Injury to or death of the target organization’s personnel. ☐ Denial – Prevention of the target organization’s access to necessary data or processes. ☐ Disruption of System/Service Availability – Interference with or degradation of the target organization’s legitimate business transactions. ☐ Production Loss – Reduction or halting of the target organization’s ability to create goods and services by damaging or destroying its means of production. ☐ Environmental Harm – Adverse impact to land, air, or water resources. ☐ Degradation of Reputation – Public portrayal of the target organization in an unflattering light, causing it to lose influence, credibility, competitiveness, or stock value. ☐ No Apparent Impact – No impact has been detected or it is confirmed that the attack had no impact. ☐ Additional Entry . . .
10 – Incident Detection Techniques
If the incident was detected externally, how was the organization notified? Check all that apply: ☐ Not Applicable (Detected Internally) ☐ Disclosed by threat agent (e.g., extortion, public bragging) ☐ Compliance Audit ☐ Security/Vulnerability scan ☐ Emergency Response Team (e.g., ICS-CERT) ☐ Found Documents ☐ Fraud Detection (e.g., CPP) ☐ Notified while investigating separate incident ☐ Notified by law enforcement or government agency (what agency? __________________) ☐ Report of suspicious traffic ☐ Notified by partner/provider organization (select below) ☐ Antivirus Company (not AV product) ☐ Monitoring Service ☐ Audit Service ☐ Other _______________________ ☐ Additional Entry . . .
If the incident was detected internally, how was it detected? Check all that apply: ☐ Not applicable (Detected Externally) ☐ Host IDS or file integrity monitoring ☐ Informal IT review ☐ Network IDS or IPS alert ☐ Antivirus alert ☐ Vulnerability scan ☐ Data loss prevention software ☐ Financial audit/reconciliation process ☐ Analytics ☐ Fraud detection mechanism ☐ Discovered while responding to another (separate) incident ☐ Infrastructure monitoring ☐ External Threat Feed ☐ Log review process or SIEM ☐ Reported by employee who saw something odd ☐ Physical security system alarm ☐ Unknown ☐ Additional Entry . . .
11 – Incident Response Playbook
Please identify the tactics, techniques and procedures used to respond to the incident. Check all that apply: ☐ Blocking ☐ Install/update patch ☐ Change passwords ☐ Honeypot ☐ Sinkhole ☐ Isolation/segregation in the DMZ ☐ Disconnection ☐ Employ custom scripts for hunting ☐ Reconfigure network devices ☐ Direct personnel actions ☐ Re-tune Technical Controls ☐ Patch Management ☐ Other ____________________ ☐ Additional Entry . . .
12 – Internal Skill Sufficiency
Were internal skills sufficient? ☐ Yes ☐ No
What internal skills were employed? Check all that apply:
☐ Incident response coordination ☐ Forensics/investigations ☐ Response strategy development ☐ Technical skills ☐ Chain of custody/evidence management ☐ Systems analysis (e.g., correlation, event detection, log analyses) ☐ Enterprise architecture design ☐ Business impact assessment ☐ Malware analysis/reverse engineering ☐ Other __________ ☐ Additional Entry . . .
Does your organization outsource skills? ☐ Yes ☐ No
If yes, did the outsourcing work? ☐ Yes ☐ No
What external skills were employed? Check all that apply: ☐ Expert witness ☐ Incident response coordination ☐ Forensics/investigations ☐ Response strategy development ☐ Technical skills ☐ Chain of custody/evidence management ☐ Systems analysis (e.g., correlation, event detection, log analyses) ☐ Enterprise architecture ☐ Business impact assessment ☐ Malware analysis/reverse engineering ☐ Other __________ ☐ Additional Entry . . .
Does your organization have an incident response (IR) plan? ☐ Yes ☐ No
Does your organization have internal forensic capabilities? ☐ Yes ☐ No
Does your organization have a retainer for external forensic capabilities? ☐ Yes ☐ No
13 – Mitigation/Prevention Measures
Please identify which actions were taken to stop the incident and to prevent similar future occurrences. Check all that apply: ☐ Implemented New Policies/Procedures ☐ Conducted Training ☐ Performed Patch Management ☐ Corrected Configurations ☐ Installed Additional Authentication Measures ☐ Security Communications Program ☐ Revised Security Responsibilities (see sub-list below) ☐ Purchased Cybersecurity Insurance ☐ Engaged with a Third-party Vendor ☐ Deployed New Technology ☐ Captured Lessons Learned ☐ Additional Entry . . .
If Revised Security Responsibilities was checked, check all that apply: ☐ Implemented new policies and procedures ☐ Formalized responsibility for security controls (e.g., documented and assigned) ☐ Added additional security solution to portfolio ☐ Engaged outside provider to support internal skill sets ☐ Other __________________ ☐ Additional Entry . . .
14 – Costs

| COST CATEGORY | COST ($$$) |
|---|---|
| Direct Losses to Theft (e.g., Diverted Funds) | |
| Liability Claims/Restitution | |
| Production Equipment Replacement | |
| System Administrator Overtime | |
| Third Party Assistance Costs (e.g., Investigation, Forensics) | |
| Staff Augmentation During Response | |
| Hardware/Equipment (Replacement) | |
| Hardware/Equipment (New, as in additional sensors/controls) | |
| System/Software Installation | |
| Production Delays | |
| Backup Restoral | |
| Business Interruption/Lost Transactions | |
| Lost Wages/Lost Profits | |
| Public Relations/Reputation | |
| Victim Notification | |
| Credit Monitoring | |
| Legal Costs | |
| PCI & Regulatory Fines/Assessments | |
| Other _________________________ | |
| Additional Entry | |
| Total Costs | |
15 – Vendor Incident Support
For each vendor type involved in the response, mark one rating on the 1 (worst) to 7 (best) scale.

| Vendor Type | 1 Difficult to Source | 2 Hostile / Combative | 3 Not Knowledgeable | 4 Indifferent / Unhelpful | 5 Cooperative | 6 Reasonably Helpful | 7 Actively Helpful |
|---|---|---|---|---|---|---|---|
| Telco | | | | | | | |
| IaaS Provider | | | | | | | |
| Business Services Partner | | | | | | | |
| Merchandise Supplier | | | | | | | |
| Business App Provider / Host | | | | | | | |
| POS System Provider | | | | | | | |
| Utility (power, HVAC, etc.) | | | | | | | |
| Forensic | | | | | | | |
| Software | | | | | | | |
| Hardware | | | | | | | |
| Insurer | | | | | | | |
| Additional Entry . . . | | | | | | | |

If you filed an insurance claim, was it accepted or denied? ☐ Accepted ☐ Denied
16 – Related Events
Has your organization experienced any recent events that may be related to the incident? Check all that apply: ☐ New Data Host (IaaS or SaaS Provider) ☐ New Software/Application Provider ☐ Corporate Merger/Acquisition ☐ Corporate Lay-Offs/Downsizing ☐ Seasonal/Cyclical Event ☐ Geopolitical/Regional Event ☐ Disgruntled Employee(s)/Strike ☐ Industry Sector-Wide Attacks ☐ New Product Release/Pre-Release ☐ Recent Event/Bad Publicity (e.g., Environmental Impact, Scandal) ☐ New Corporate Policy Release (i.e., with Social/Economic Implications) ☐ Natural Disasters ☐ Operation/Campaign ☐ C-Suite Level Public Remarks ☐ Additional Entry . . .