FXT Task 1, task 2, task 3 Originality Checking
Describe the nature of the incident:
This is a man-made attack to the organization caused by the employee through hacking the organizations system and gaining unauthorized access to computers by sending messages with an IP address indicating that the message is coming from a trusted host (spoofing). The employee (attacker) manages to intercept the messages sent to the employees by the auditor and crafts fake messages from the individuals the original messages were sent to (phishing).
Identify who should be notified based on the type and severity of the incident.
The Human Resource manager needs to be notified. This is because the HR is responsible for all the activities and financial pay raise for all the employees in the organization. More over given that the employee hacked the human resource system; the manager should be notified of the same to confirm the validity of the changes in the employees’ payment reports.
Outline how the incident can be contained
Use of intrusion detection and prevention systems.
Intrusion is an attack on information asset in which the instigator attempts to gain entry into a system or disrupt the normal operation of the system with a intension to do harm or gain access to restricted information. Therefore intrusion detectors and preventers ofsystems detect an attempt on system intrusion and deter the intrusion from occurring by triggering an alert.
Use of Host Based intrusion detection systems which resides on a particular computer or server and monitors the status of key system files and detect when an intruder creates, modifies or deletes monitored files. This works in the principle of configuration and change in management which records the size, location and attributes of system files. They trigger an alert when a file attribute changes, a new file is created or the existing file is deleted.
Use of firewalls:
This is a system designed to protect a private network from things that come into and go out of the network. Their basic protocol dictates that they must examine each piece of data that lives and enters the network and if anything does not fit the safety criteria it is blocked. Firewall uses a method of packet filtering to examine the header information of data packets that come into the network; packet filtering restricts information based on the internet protocol (IP) source and destination address.
Discuss how the factor that caused the incident could be removed
The factor that caused the intrusion into the system is due to lack of lack of authentication and encryption controls. This can be removed by:
Incorporating access controls which are methods by which systems determine whether and how to admit a user into a trusted area of an organization; They include Mandatory Access Control (MACs), Nondiscretionary controls and discretionary access controls(DACs).
Use of identifications which is a mechanism whereby an unverified entity that seeks access to a resource proposes a label by which they are known to the system. They include concatenating elements-department codes, random numbers or special characters to make them unique.
Use of authentication which is aprocess of validating a supplicant supported identity. Authentication seeks several things from the supplicant for example; what the supplicant knows like password and passphrase; something the supplicant has like smart card, synchronous tokens or asynchronous tokens; something a supplicant is which mostly relies on the individual character.
Use of authorizations which is the matching of an authenticated entity to a list of information assets and corresponding access levels. Authorization can be handled in three ways; Authorization for each authenticated user, authorization for members of a group and authorization across multiple systems.
Accountability. This ensures that all actions on a system authorized or unauthorized can be attributed to an authenticated identity. This can be accomplished by means of system logs and database journals, and auditing of these records.
Describe how the system could be restored to normal business practice.
The system can be restored to normal business practice through contingency planning where the planning is conducted by the organization to prepare for, react to and recover from events that threaten the security of information and information assets in the organization and subsequent restoration to normal modes of business operation. Here incident response planning is done where the planning process is associated with identification, classification, response recovery from the disaster, and the total cost of restoration identification. Thereafter business continuity planning is carried which ensures that critical business functions continue.
Explain how the system could be verified as operational.
The organization should identify the loop holes that the attacker used to intrude into the system network and subject them to through testing to ensure that they are functional. The critical functions of the system are verified to be functional. The IT staff also subject the system to the conditions that initially compromised it and ensure that they have been rectified.
Perform a follow-up of the post-event evaluation by doing the following: 1. Identify areas that were not addressed by the IT staff’s response to the incident.
The ability of the employee or the attacker being able to intercept the communications like emails and crafting a fake response was not addressed by the IT Staff.
Outline the other attacks mentioned in the scenario that were not noticed by the organization.
Phishing – this is an attempt to gain personal financial from an individual usually by posing as a legitimate entity. This is evident when the employee is successfully able to intercept the email messages and craft a fare response from the individuals the original e-mails were sent to.
a) Describe the nature of the attack not noticed by the organization
White-collar crime Edward Sutherland (1939) refers it to be a crime committed by a person of respectability and of high social status in the course of his or her occupation. This is evident when the editor and the employee exchange emails back and forth until he gains permission for some other financial records.
b) Describe how the additional attacks can be prevented in the future
While phishing techniques are getting more sophisticated, there are more things that can be done to avoid phishing.
Check the email carefully- a phishing email may claim to come from a legitimate company or host. The links sent to individuals may lead to privacy policy of a legitimate company or some irrelevant pages.
Never enter financial or personal information. Most of the phishing mails direct one to pages where entries for financial or personal information are required hence the network user should not make confidential entries through the links provided in the email.
Protection through software. Antispyware and firewall should be used to prevent phishing attack and users should update their programs regularly. Firewall protection prevents access to malicious files by blocking the attacks. Antispyware software scans every file which comes through the internet to a computer. This helps prevent Damage to the system
To prevent against white collar crimes the organization can implement the following procedures:
Create a policy where board or committee approval is necessary to ensure that the employees follow by the policy and if any violates the policy legal actions are taken against them.
Ensure that the employees get pay rise to prevent them from forcing the payment rises for themselves.
Recommend a recovery procedure to restore the computer system back to their original state prior to such attacks.
Once the incident has been contained, and system control regained, incident recovery can begin.
The Incident Recovery team must assess the full extent of the damage in order to determine what must be done to restore the systems.
The immediate determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets is called incident damage assessment.
Those who document the damage must be trained to collect and preserve evidence, in case the incident is part of a crime or results in a civil action.
Once the extent of the damage has been determined, the recovery process begins:
· Identify the vulnerabilities that allowed the incident to occur and spread. Resolve them.
· Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place. Install, replace or upgrade them.
· Evaluate monitoring capabilities (if present). Improve detection and reporting methods, or install new monitoring capabilities.
· Restore the data from backups.
· Continuously monitor the system.
· Restore the confidence of the members of the organization’s communities of interest.
Reference
1. Principles of Information security, 4Th Edition Michael e. Whitman Ph. D, CISM, CISSP
Herbert J. Mattord
2. Phishing.org