Importance of Incident Response - cj-2k/Cybersecurity- GitHub Wiki

Incident Analysis and Response. Charles Brooks, 6/16/2024

A. How could an attack on IT infrastructure be successful?

Risk management is nonexistent. The attack on Azumer Water succeeded because many known risks and vulnerabilities were not addressed by any pre-existing security control or risk management plan; instead, the risk was left to a reactionary approach. Operational, compensating, and preventative controls, and even risk transference, were available to address the known threats and risks facing the company and could have prevented the attack or reduced its effectiveness. However, Maria, the IT manager, knowingly opted to accept the threats and risks in full.

Backups and disaster recovery are absent. Having no backups or disaster recovery plan is a persistent vulnerability that means total data loss and a loss of business continuity in the event of an attack or a natural event such as an earthquake or severe weather. "Attacks frequently compromise personal and business data, and it is critical to respond quickly and effectively" (NIST 800-61). There is no way to complete the recommended incident response process (contain, eradicate, and recover) if there is no recovery option in the first place. With backups, the attack could still have occurred, but its impact would have been far smaller, and recovering from it would be a routine part of the response plan.

Preventative controls such as email security and firewall controls are lacking. Personal email accounts are used for company business, but company communications should never involve personal email. A dedicated company email domain, with trusted senders and with inbound mail passing through a gateway or proxy that closely inspects outside communications, would be a far more effective security measure. The email that ultimately compromised the company's systems should have been subject to that scrutiny. The "deferred" firewall configuration does not help either. A properly configured firewall, email security tooling, and training would have prevented the attack or limited its spread and scope.

Security training is absent. John should have been trained in preventative information security. An untrained employee is an unintentional insider threat: all it takes is one person with access to sensitive data clicking something they shouldn't to open the door to an attack.

B. The importance of an alternative storage option for restoring backups in the event of compromise

Claim 1: Availability. There are no backups to fall back on in the event of compromise. Explanation: NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, recommends an alternate storage site (control CP-6): "Control: a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site." (NIST 800-53). If a backup had been available, as NIST 800-53 advises, a rollback after containing the attack would have addressed the incident by restoring availability.

Claim 2: Availability, Integrity and Confidentiality. The email payload. "Malware present on an employee's laptop may be sending out email without the employee's knowledge ... An employee (or intruder) may configure and operate a mail server without authorization." (NIST 800-177). Once the attacker's link was clicked, the data on the servers was deleted, denying its use with no backup to restore from (Availability). The attacker also evidently has access to employee data, as shown by the phishing emails sent to employees' personal addresses (Confidentiality). Finally, the link John clicked led to a blank page and carried a malicious payload (most likely a trojan or other malware providing remote code execution) with the ability to view, change, or delete the data stored on the server, specifically the volunteers' data, which compromises the confidentiality, integrity, and availability of company operations and PII.
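The alternate-site control and the rollback it enables, shown as a runnable drill. This is an added example, not code from the original write-up or from Azumer Water: the two "sites" are temporary directories standing in for a primary and an off-site store, the volunteer records are constructed sample data, and the backup name and paths are assumptions. It backs up a directory with a hash manifest, replicates the archive to the alternate site, verifies the copy, shows that a tampered on-site archive is caught, then loses the primary entirely (as in the incident) and restores from the alternate site.

```python
# Added example (not from the original write-up): backup with an integrity
# manifest, replication to an alternate storage site (CP-6), and a restore drill.
# Here both "sites" are temp directories; in production the alternate site is a
# separate host, region or provider. Paths, names and sample data are assumptions.
import hashlib
import json
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(data_dir: Path, site: Path, name: str) -> Path:
    """Archive data_dir into site/<name>.tar.gz and write a manifest holding
    the archive hash and a per-file hash, so a restore can be verified."""
    site.mkdir(parents=True, exist_ok=True)
    archive = site / f"{name}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(data_dir, arcname="data")
    manifest = {
        "archive": archive.name,
        "archive_sha256": sha256_file(archive),
        "files": {p.relative_to(data_dir).as_posix(): sha256_file(p)
                  for p in sorted(data_dir.rglob("*")) if p.is_file()},
    }
    (site / f"{name}.manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive


def verify_site(site: Path, name: str) -> bool:
    """True if the archive held at this site still matches its manifest."""
    manifest = json.loads((site / f"{name}.manifest.json").read_text())
    return sha256_file(site / manifest["archive"]) == manifest["archive_sha256"]


def replicate(primary: Path, alternate: Path, name: str) -> bool:
    """Copy archive and manifest to the alternate site and verify the copy."""
    alternate.mkdir(parents=True, exist_ok=True)
    for suffix in (".tar.gz", ".manifest.json"):
        shutil.copy2(primary / f"{name}{suffix}", alternate / f"{name}{suffix}")
    return verify_site(alternate, name)


def restore(site: Path, name: str, target: Path) -> list:
    """Restore from a site only if its archive verifies. Returns the files whose
    restored content does not match the manifest (empty list == clean restore)."""
    if not verify_site(site, name):
        raise RuntimeError("backup failed integrity check; refusing to restore")
    manifest = json.loads((site / f"{name}.manifest.json").read_text())
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(site / manifest["archive"], "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # blocks paths escaping target
        except TypeError:  # Python without the tar extraction-filter API
            tar.extractall(target)
    return [rel for rel, digest in manifest["files"].items()
            if not (target / "data" / rel).is_file()
            or sha256_file(target / "data" / rel) != digest]


def drill(name: str = "nightly-2024-06-16") -> dict:
    """End-to-end rehearsal on constructed volunteer data: back up, replicate,
    catch tampering at the primary, lose the primary entirely (as in the
    incident), and restore from the alternate site."""
    root = Path(tempfile.mkdtemp(prefix="azumer-drill-"))
    data, primary = root / "volunteers", root / "primary-site"
    alternate, restored = root / "alternate-site", root / "restored"
    (data / "2024").mkdir(parents=True)
    (data / "2024" / "volunteers.csv").write_text("name,email\nJane Doe,jane@example.org\n")
    (data / "README.txt").write_text("constructed sample data\n")
    try:
        archive = create_backup(data, primary, name)
        replicated_ok = replicate(primary, alternate, name)
        corrupted = bytearray(archive.read_bytes())
        corrupted[-1] ^= 0xFF               # simulate a tampered on-site copy
        archive.write_bytes(corrupted)
        tamper_detected = not verify_site(primary, name)
        shutil.rmtree(data)                 # attacker deletes the live data...
        shutil.rmtree(primary)              # ...and the on-site backup with it
        mismatches = restore(alternate, name, restored)
        files = sorted(p.relative_to(restored / "data").as_posix()
                       for p in (restored / "data").rglob("*") if p.is_file())
        return {"replicated_ok": replicated_ok, "tamper_detected": tamper_detected,
                "mismatches": mismatches, "restored_files": files}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(drill())
```

Two caveats a practitioner would add: the manifest sits beside the archive, so anyone who can alter the archive at a site can rewrite the manifest too; in production keep the manifest (or a signature over it) in a separate, write-once location, and treat a restore as a drill to rehearse on a schedule rather than a capability to discover during an incident.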

C. How can a federally funded company fail to be in compliance with FISMA?

Since this NGO receives federal grant money through FEMA, it must adhere to FISMA. Measured against the FISMA IG metrics maturity model, the company sits at Level 1, Ad Hoc, which is not an effective level of security; Level 4, Managed and Measurable, is the level at which a program is considered effective. Azumer Water has not "defined its policies, procedures, and processes for developing and maintaining a comprehensive and accurate inventory of its information systems and system interconnections [or] established a privacy program and related plans, policies, and procedures as appropriate for the protection of PII collected, used, maintained, shared, and disposed of by information systems [or implemented] roles and responsibilities for the effective implementation of the organization's privacy program" (FISMA).

D. Recommend immediate steps to mitigate the impact of the incident, using specific examples from the case study to justify how these steps would mitigate the impact.

Implement a company-wide backup solution and disaster recovery plan, so that an attack, a natural event, or any other incident that disrupts availability has a bounded business impact. In this incident, the deleted volunteer data could have been restored from the most recent backup once the attack was contained.

Implement a Secure Email Gateway (SEG). An email gateway in the cloud or in the company network's DMZ can stop a user from ever seeing a malicious message, whether spam or a phishing attempt from a known attacker. The email John received would have been filtered or quarantined before it reached him.

Implement operational security controls and training. Training John, who is in charge of a large amount of employee data, would be a solid first step. With security-focused habits around clicking emails and links, the email incident could have been avoided or at least mitigated.

Commit to finishing the firewall settings that were "deferred". A firewall, as a preventative measure, could have indirectly prevented the deletion of the server data. We don't know precisely what attack occurred, but given the steps required to delete such a large amount of data, remote access through an unsecured port is a plausible vector, and an active, configured firewall could have blocked that port.
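What the gateway recommended above actually does to a message, written out as an added example (this is not code from the original write-up or from any SEG product). The company domain, the two sample messages, the scoring weights and the lookalike domain are all constructed. It checks four things a gateway would check before delivery: whether the sender is external, whether the gateway's own SPF/DKIM/DMARC results pass, whether any recipient is a personal or external mailbox (the personal-email problem from part A), and whether a link's visible text points somewhere other than its real target.

```python
# Added example (not from the original write-up): inbound-mail triage of the
# kind a Secure Email Gateway performs before a user sees a message. The company
# domain, both sample messages, the weights and the lookalike domain are constructed.
import email
import email.policy
import re
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "azumerwater.example"   # assumption: the org's own mail domain
WEIGHTS = {"external_sender": 1, "auth_fail": 2, "external_recipient": 1,
           "plain_http_link": 1, "lookalike_link": 3}
THRESHOLD = 3                            # at or above this score the mail is held


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def auth_results(msg):
    """Parse the gateway's own Authentication-Results header:
    'mx.example; spf=pass ...; dkim=pass ...' -> {'spf': 'pass', 'dkim': 'pass'}."""
    results = {}
    for clause in str(msg.get("Authentication-Results", "")).split(";")[1:]:
        token = clause.strip().split(" ")[0]
        if "=" in token:
            k, v = token.split("=", 1)
            results[k.lower()] = v.lower()
    return results


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def triage(raw):
    """Return (verdict, score, findings) for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    sender = parseaddr(str(msg.get("From", "")))[1]
    if _domain(sender) != COMPANY_DOMAIN:
        findings.append(("external_sender", _domain(sender)))
    auth = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(("auth_fail", f"{mech}={auth.get(mech, 'absent')}"))
    recipients = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    for _, addr in getaddresses(recipients):
        if _domain(addr) != COMPANY_DOMAIN:
            findings.append(("external_recipient", addr))
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, shown in collector.links:
        target = urlparse(href)
        if target.scheme == "http":
            findings.append(("plain_http_link", href))
        # Compare hosts only when the visible text itself looks like a URL.
        if "://" in shown or re.match(r"^(www\.)?[\w-]+(\.[\w-]+)+(/|$)", shown):
            shown_host = urlparse(shown if "://" in shown else "https://" + shown).hostname
            if shown_host and shown_host != (target.hostname or ""):
                findings.append(("lookalike_link", f"'{shown}' -> {target.hostname}"))
    score = sum(WEIGHTS[kind] for kind, _ in findings)
    return ("quarantine" if score >= THRESHOLD else "deliver"), score, findings


# Constructed phishing sample modelled on the incident: lookalike sender domain,
# failed authentication, personal mailbox as recipient, link text that lies.
PHISH = """\
Authentication-Results: mx.azumerwater.example; spf=fail smtp.mailfrom=azumer-water-support.example; dkim=none; dmarc=fail
From: "IT Helpdesk" <helpdesk@azumer-water-support.example>
To: John Smith <john.smith@gmail.example>
Subject: Volunteer database password reset
Content-Type: text/html; charset=utf-8

<html><body><p>Your volunteer database password expires today.</p>
<p><a href="http://azumer-water-support.example/reset">https://portal.azumerwater.example/reset</a></p>
</body></html>
"""

# Constructed legitimate internal notice for comparison.
CLEAN = """\
Authentication-Results: mx.azumerwater.example; spf=pass smtp.mailfrom=azumerwater.example; dkim=pass header.d=azumerwater.example; dmarc=pass
From: IT <it@azumerwater.example>
To: John Smith <john.smith@azumerwater.example>
Subject: Scheduled maintenance
Content-Type: text/html; charset=utf-8

<html><body><p>The portal is down Saturday 02:00-04:00. Details:
<a href="https://portal.azumerwater.example/status">status page</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(label, *triage(raw))
```

The Authentication-Results header is trusted here only because a real gateway stamps its own copy after stripping any that arrived from outside; a triage script that reads a sender-supplied header would be trivially bypassed. The recipient check is the enforcement side of the part A point about personal email: mail addressed to a personal mailbox is flagged even when everything else is clean.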

E. How does an established incident response plan protect a company?

An incident response plan would have presented many opportunities to eliminate the threat before it materialized. A formal response plan includes the following phases.

Preparation: Maria could have prepared for an attack using the controls suggested above. A reactive approach with no prepared reaction isn't ideal. Security controls, safe configuration, and acknowledgment of and preparation for known threats are all ways the attack could have been addressed beforehand, and they would benefit Azumer Water going forward.

Identification: Through security training and open-source intelligence, the attack could have been identified early. There were already known attacks against the company by a hacktivist group. Knowing who was attacking and how they tend to attack would have left the company much better equipped to recognize the likely vectors.

Containment: Containing the attack would have gone much more smoothly with proper plans in place. By limiting the attack to John's mailbox, or even to the network DMZ with the proper controls, the situation would never have escalated, and if it had, its scale would have been limited significantly.

Eradication and Recovery: Eradication and recovery, which would include the suggested backup and rollback capability, would have mitigated the effects of deleted data or disrupted operations, whether caused by an attack or a natural event.

Lessons Learned: By learning from this incident and working back through the response cycle, the company could identify, contain, and train for the attacks it is likely to face, and address them more appropriately, helping to prevent future attacks.

Part II: Risk Assessment and Management

F. Discuss two processes to increase information assurance levels within the organization and bring Azumer Water into compliance with the violated federal regulation identified in part C.

According to the FISMA metrics, "Encryption of data at rest • Encryption of data in transit • Limitation of transfer to removable media • Sanitization of digital media prior to disposal or reuse" (FISMA) are all ways the company could increase its information assurance and come into compliance with the act. The organization can also "develop a privacy program for the protection of personally identifiable information (PII) that is collected, used, maintained, shared, and disposed of by information systems" (FISMA). Finally, it can address privileged users such as John through "periodic review and adjustment of privileged user accounts and permissions, inventorying and validating the scope and number of privileged accounts, and ensuring that privileged user account activities are logged and periodically reviewed" (FISMA).

G. Recommend technical solutions to counter the remaining effects of the attack in the case study and to prevent future attacks.

Complete the firewall configuration. Use domain email accounts instead of personal email accounts. Use a stronger wireless standard such as WPA3-Enterprise and stop using WEP. Implement a cloud backup solution. Deploy a Secure Email Gateway.
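The firewall recommendation, and the "unsecured port" reasoning in part D, made concrete as an added example (not code from the original write-up). It audits what a host exposes against an approved-service allowlist and emits the default-deny nftables ruleset that makes anything unlisted unreachable even if it is still running. The socket listing is constructed in the format of `ss -Hltnp` on Linux; the allowlist, the admin subnet and the process names are assumptions.

```python
# Added example (not from the original write-up): audit listening sockets against
# an approved-service allowlist and emit a default-deny nftables input chain.
# SS_OUTPUT is a constructed `ss -Hltnp` listing; ALLOWED, ADMIN_ONLY and
# ADMIN_NET are assumed policy for the illustration.
import re

SS_OUTPUT = """\
LISTEN 0 128   0.0.0.0:22      0.0.0.0:*   users:(("sshd",pid=812,fd=3))
LISTEN 0 511   0.0.0.0:443     0.0.0.0:*   users:(("nginx",pid=1120,fd=6))
LISTEN 0 80    0.0.0.0:3306    0.0.0.0:*   users:(("mysqld",pid=1301,fd=21))
LISTEN 0 128   0.0.0.0:3389    0.0.0.0:*   users:(("xrdp",pid=1410,fd=11))
LISTEN 0 128   127.0.0.1:5432  0.0.0.0:*   users:(("postgres",pid=1502,fd=5))
LISTEN 0 128   [::]:22         [::]:*      users:(("sshd",pid=812,fd=4))
"""

ALLOWED = {443: "https", 22: "ssh"}     # the only inbound services permitted
ADMIN_ONLY = {22}                        # ...and this one only from ADMIN_NET
ADMIN_NET = "10.10.0.0/24"
WILDCARD = {"0.0.0.0", "[::]", "*"}     # bound to every interface

LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(text):
    """Return (bind_address, port, process) for each LISTEN line."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found


def exposed_services(listeners, allowed=ALLOWED):
    """Services bound to all interfaces that are not on the allowlist.
    Loopback-only sockets are not remotely reachable and are ignored."""
    return sorted({(port, proc) for addr, port, proc in listeners
                   if addr in WILDCARD and port not in allowed})


def nft_ruleset(allowed=ALLOWED, admin_only=ADMIN_ONLY, admin_net=ADMIN_NET):
    """Default-deny inbound chain: established traffic, loopback and ICMP pass,
    listed ports are opened (admin-only ones just from admin_net), and anything
    else, such as a database left listening, is dropped before it is reached."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state invalid drop",
        "    ct state established,related accept",
        "    iif lo accept",
        "    meta l4proto { icmp, ipv6-icmp } accept",
    ]
    for port, name in sorted(allowed.items()):
        source = f"ip saddr {admin_net} " if port in admin_only else ""
        lines.append(f'    {source}tcp dport {port} accept comment "{name}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for port, proc in exposed_services(parse_listeners(SS_OUTPUT)):
        print(f"EXPOSED: {proc} on tcp/{port} is reachable from any network")
    print(nft_ruleset())
```

Run against the constructed listing, the audit flags the database and the remote desktop service as reachable from anywhere, which is exactly the kind of exposure the deferred firewall left open; the generated ruleset never mentions those ports, so under `policy drop` they are closed without touching the services themselves. `ip saddr` in an `inet` table matches IPv4 only, so an IPv6 admin path would need its own `ip6 saddr` rule.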

Recommended organizational structure for IT and security management:

There should be a separation of responsibilities as follows:

Administrator > Directors > Analysts > Volunteer management > Volunteer workers

This structure should help mitigate most incidents and provide the accountability and governance needed to guide IT asset management and security decisions.

Information Technology Administrator: manages the other directors, ensures they are doing their jobs, and owns the inventory of assets. Reports to the CEO or leader of Azumer Water.

Security Director: ensures all security teams are properly managed and are implementing the controls decided by governance; also acts as the data controller. Reports to the IT Administrator.

Governance and Compliance Director: ensures compliance with federal and local regulations. Reports to the IT Administrator.

Governance, Security, and IT Analysts: carry out the work decided by their respective directors.

Volunteer Management (e.g., John Smith): the volunteer lead reports to the relevant director when facing an issue and manages the volunteers' work, but does not manage their data, decide or implement security controls, or manage any IT asset; the role is limited to managing productivity.

Volunteer Workers: follow the instructions given by IT management, complete the training the analysts require as a condition of their role, and perform the volunteer work.

I. Describe your risk management approach for Azumer Water based on the likelihood, severity, and impact categorization of two risks in the case study.

Hacktivists represent a significant and likely threat. The group does not agree with the company's mission, is able to attack the supply chain physically, and has already done so, so the likelihood is high and the potential impact on operations is severe. Further preventative controls should be implemented, along with stronger operational and management controls.

An open-access network, with identified external threats and no audit trails. Given the known threats, exploitation is likely, and without audit trails the impact of an intrusion cannot even be scoped afterwards. This is also an easy way to fall out of compliance with data-protection requirements. Simply configuring the firewall would be a preventative control that manages this risk.

J. Sources:

Cloudflare. "Secure Email Gateway (SEG)." Cloudflare. Accessed 13 June 2024.

Cybersecurity and Infrastructure Security Agency. FY 2024 Inspector General Federal Information Security Modernization Act of 2014 (FISMA) Metrics. CISA, May 2024. Accessed 13 June 2024.

Cichonski, Paul, et al. Computer Security Incident Handling Guide. NIST Special Publication 800-61 Revision 2, National Institute of Standards and Technology, August 2012. Accessed 16 June 2024.

National Institute of Standards and Technology. Security and Privacy Controls for Information Systems and Organizations. NIST Special Publication 800-53 Revision 5, September 2020. Accessed 13 June 2024.