Fxt2 Task 2

Submitted By gdean47901
-Describe the nature of the event:
A highly technical intrusion was discovered in the organization's financial records; it combined several stealthy methods and put the company at great risk. The discovery resulted from a routine audit carried out by professionals, who noticed that many doctored paychecks had been issued to one particular person. When the auditor tried to notify the right personnel by email, the emails were intercepted and fraudulent communications took place between the auditor and the attacker. Through this the attacker gained access to many more financial records and altered them, adding the name of the president and others in order to deduct money from their pay and add it to the attacker's own paycheck. IT personnel were eventually able to detect that an internal system had carried out a man-in-the-middle attack by spoofing an internal Internet Protocol address, so that all traffic meant for a particular location was unknowingly sent to another system. The underlying causes were a lack of proper access controls, central reporting systems, authentication controls, and host-based intrusion prevention systems.
These controls and systems are meant to guard against this kind of attack and would have saved the company several hours of labor costs.

-Who should be notified?
In cases like this, top management should be alerted and kept informed whenever a move is made, because every decision stops at their table. The Computer Emergency Response Team or the Emergency Management Team should also be informed. They have the expertise to deal with cases like this and know the right processes and procedures for locating the cause, determining the immediate response, and analyzing in a report the lessons the case has raised. Every company must have a full-time Forensics Investigator (FI) or a method for hiring one. An FI has the expertise to review the systems used in the attack, regardless of source or destination, performing an in-depth analysis of the system images, labeling items, making sure a chain of custody is completed correctly, and using the right MD5 or SHA signatures to guarantee that evidence is not altered in any way. This is vital when the suspect is charged in court: if data is not collected properly, the evidence may be inadmissible and the suspect could go scot-free.
The Damage Assessment Team should be informed so that it can carry out an assessment and judge the usability of the equipment and network, as the suspect could have installed logic bombs or inflicted more damage than was originally identified. The Recovery Coordination Team ensures that internal alerts are issued and that activities and communications happen between the right parties. The Corporate Communications Team will be required to guarantee that the right message is sent to the company's important stakeholders. The Site Restoration Team's services might be required because equipment will be confiscated for the duration of the investigation. More equipment may be required, because the FI will likely confiscate hardware in order to perform a forensic analysis on the systems that were involved. The System Restoration Team should be in place to ensure that operating systems, software applications and databases are restored, and it will be vital in monitoring these operations at a different site if necessary. Acquisition, installation, and testing will also need to be coordinated under its supervision. The Technical Support Team will be needed to aid in the restoration of data communications, operating systems, applications and configurations. The Human Resources Support Team, which includes legal counsel, will need to be involved in case the company seeks to take the suspect to court. Lastly, external law enforcement agencies may be needed to assist in the investigation and the prosecution.
-Outline how the incident could be contained:
The best way to contain an incident like this is to plan for its occurrence beforehand. In some cases this means doing things that are not conventional and planning for things that you might not envisage. Putting a well-documented Emergency Response Plan (ERP) in place helps to minimize both the time taken and the damage inflicted on the affected systems, and the ERP will already have developed the policies and procedures for containing the incident. A Crisis Management (CM) Team would put its efforts into reacting to critical situations, which in this case means reacting to the event and dealing with the systems affected by it. Traditional CM encompasses response, tangible and intangible situations, and recovery from an event; CM members now place more emphasis on a few different aspects, including recovery management. In CM two activities are conducted: first facing the situation, and second dealing with the impacts of the crisis so that damage is reduced. An effective Incident Management Plan will also look for ways to manage and control the activities of a crisis. The technical steps for containing the current crisis would be as follows. When the issue is identified, a trouble ticket would be created and added to the central management system; this guarantees that monitoring and recording take place, which could have stopped the email tampering that was carried out. Once criminal activity is noted, a host-based firewall rule must be created to stop the computer from communicating with any other system, the suspect's accounts must be locked, and PKI digital signatures must be rolled out to guarantee that the incessant pilfering and altering of emails is stopped. Isolation rules have to be installed on the switch from which the attack is coming. All of these moves would have contained the suspect and stopped more fraud and loss from happening.
-Discuss how the factor that caused the incident could be removed:
Firstly, a host-based security system and the application of a host-based firewall could have stopped workstation-to-workstation communication, which would have stopped the attacker from altering an internal workstation that was used for snooping. Also, using encryption on the hosts, such as FIPS 140-2 compliant encryption, would have stopped the suspect from intercepting clear-text information that they could read and alter. Furthermore, putting solid authentication in place on the human resources server could have stopped the attacker from gaining entry into the server. With the right access controls and role-based access, the extent of the damage would have been mitigated: at best the suspect would have been stopped altogether, and at worst the suspect would have inflicted only minimal damage. Implementing VLAN-centric firewalls or an Intrusion Prevention System would have stopped the spoofing attack. Firewalls have the capability to stop systems alien to their networks from cloning internal addresses. Intrusion Prevention Systems also have patterns for detecting spoofing attacks, as long as someone is checking those events, and would have allowed the suspect to be apprehended. PKI encryption and digital signatures implemented in email would have stopped the suspect from reading and altering incoming and outgoing emails.
-Describe how the system could be restored to normal business practice:
A good restoration plan requires funding and management support. The recovery plan is, in effect, an insurance policy for a business, and it needs full attention and maintenance so as to guarantee that it is ready for use when it is called upon. The company could also have put in place a project team responsible for testing cases similar to the one they were compelled to handle; in other words, they would already have created the right processes and rules needed to resume operations in the conventional manner. Restoration is a critical part of all recovery strategies; however, many parts of the restoration program can only be decided once the entire extent of the event has been established. There are many contingency plans that can be put in place which will greatly minimize the time and effect of the attack. To do this they would have to get appropriate personnel in place to analyze the damage. With a good recovery assessment, decisions could be made on whether personnel should be relocated or work at a different duty location. If the equipment which was confiscated is of high value and cannot be replaced immediately, the option of salvaging should be looked into. Essentially, this means using what is at hand and making it work until the right tools can be procured, delivered, tested and implemented. The company could also have contracted with a restoration company, which has expertise in restoring operations after disasters, for a minimal retainer fee. The company would get the data on its server restored if an effective backup plan were in place that included replication backups to a different site. This would allow the company, once it had salvaged parts together or purchased new equipment, to pull the data from its restoration site and load it onto the new systems. During restoration, different teams have important roles that must be carried out.
The Crisis Management Team can be asked to be part of the restoration process, which may include external personnel. The Damage Assessment Team, through its preliminary assessment, would be best placed to provide feedback on the time required to recover. The Recovery Coordination Team would be called upon to guarantee the organization of all communications between users and technical personnel; the team would also have the duty of coordinating all recovery activities. Lastly, the Site Restoration Team would be included in the recovery process, as it would determine whether any of the systems can be restored. Finally, a compilation of the lessons learned from this procedure has to be put together so that, right after the event, all the different parts can be brought together. This report would explain what the actual situation was, which systems were touched, the extent of the damage, and ways to stop something like this in the future.
-Explain how the system could be verified as operational:
The authorization needed to declare the network operational once again must include operational testing to guarantee that the system's parts work as they usually do. Additional security also has to be put in place to guarantee that the issue does not happen again. Anti-virus scans must be run to detect whether the suspect planted any other malicious software on the company network, along with assessing all the financial data to make sure that no information was altered. Once the data has been certified as correct, the systems can be determined to be free of malware and unauthorized entry points. The possible vulnerable points in the existing systems should also be looked into. Furthermore, an outside agency can be paid to carry out an assessment to identify vulnerable points which the internal teams did not detect, alongside a data integrity process and methods. Once the network has been tested and all the systems are up and running, it can be certified as operational.
-Identify areas that were not addressed by the IT staff's response to the incident:
There were several areas which were not addressed in the IT staff's response to the intrusion. The IT staff's incident response plan is basically a quick fix, as it does not cover the underlying faults that should have been included in their response. Security controls could also have been put in place to guarantee that an incident of a similar nature does not happen again. This includes setting up a ticketing system through which personnel who detect unusual activity could report such items. Depending on the kind of report and the specifics provided, an incident response plan could have been put in place to quickly track down the main cause of the incident and take the actions needed to mitigate the damage. Additional processes and procedures could be implemented within the response plan to make sure that the right teams and management are included in the response and recovery. Role-Based Access Controls could have been implemented to guarantee that only authorized personnel with the right credentials are able to access the server; this would have mitigated the suspect's ability to gain access to the server without the right credentials. Implementing an IDS in front of the server's VLAN in promiscuous mode would have allowed the company's security team to detect in near real time any move to interfere with the system, including the spoofing. A host-based IPS together with a host-based firewall would have been able to stop the interference. A firewall placed in the VLAN would have been able to stop systems on other VLANs from spoofing their way onto the same network as the central system. ACL rules would have been able to stop access to the server from the system that was used in the attack. Mail security should have been included in the response plan, covering the encryption and digital signing of emails. Lastly, keeping a record of all traffic coming into and out of the server would have enabled the security team to detect a new system accessing the server. No First Responder's Evidence Disk (FRED) was created, nor were forensics personnel notified.
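The last detection point above, a record of all traffic to the server used to spot a new or spoofed system, as an added example that is not part of the original essay. The log format, the server address 10.0.5.20, and the KNOWN_CLIENTS inventory are all constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Assumed address of the HR/payroll server (placeholder, not from the essay).
HR_SERVER = "10.0.5.20"

# Assumed asset inventory: hosts allowed to reach the HR server and the MAC
# each address should belong to. Constructed values for this example.
KNOWN_CLIENTS = {
    "10.0.1.15": "00:11:22:33:44:15",  # payroll clerk workstation
    "10.0.1.16": "00:11:22:33:44:16",  # auditor workstation
}

# Constructed sample log, one connection per line. The third line shows the
# auditor's IP being claimed by a different MAC (the spoofed internal address
# from the scenario); the fourth shows a host not in the inventory at all.
SAMPLE_LOG = """\
2012-11-05T09:01:02 src=10.0.1.15 mac=00:11:22:33:44:15 dst=10.0.5.20 dport=443
2012-11-05T09:02:10 src=10.0.1.16 mac=00:11:22:33:44:16 dst=10.0.5.20 dport=443
2012-11-05T09:03:44 src=10.0.1.16 mac=de:ad:be:ef:00:99 dst=10.0.5.20 dport=443
2012-11-05T09:04:01 src=10.0.3.77 mac=de:ad:be:ef:00:99 dst=10.0.5.20 dport=445
2012-11-05T09:05:00 src=10.0.1.15 mac=00:11:22:33:44:15 dst=10.0.5.30 dport=25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) mac=(?P<mac>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts; skips junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyze(events, server=HR_SERVER, known=KNOWN_CLIENTS):
    """Return alerts for traffic to the server that the inventory cannot explain."""
    alerts = []
    macs_per_ip = defaultdict(set)
    for e in events:
        if e["dst"] != server:
            continue  # only traffic to the HR server is of interest here
        macs_per_ip[e["src"]].add(e["mac"])
        if e["src"] not in known:
            # A system never seen before is talking to the HR server.
            alerts.append(("unknown_source", e["ts"], e["src"], e["mac"]))
        elif known[e["src"]] != e["mac"]:
            # A known internal address is being used from the wrong hardware.
            alerts.append(("ip_mac_mismatch", e["ts"], e["src"], e["mac"]))
    for ip, macs in sorted(macs_per_ip.items()):
        if len(macs) > 1:
            # Two hardware addresses claiming one IP is the classic spoofing sign.
            alerts.append(("ip_claimed_by_multiple_macs", ip, sorted(macs)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_log(SAMPLE_LOG)):
        print(alert)
```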
-Compile the other attacks mentioned in this case that were not noticed by the organization, and describe the nature of the attacks not noticed by the organization:
The first hacks were not detected by the IT staff, which inevitably led to the compromise and alteration of accounts and paychecks; neither was the difference in the employee's base salary or the president's records detected quickly. It took an audit before it was identified. Had this been an external intruder, the suspect would have gotten away with the crime. Furthermore, the suspect's movement around the network was neither detected nor prevented, which enabled them to locate where the data was stored on the system. Lastly, the act of social engineering whereby the suspect communicated with and deceived the auditor, who believed they were authorized and required additional access to the system, was neither detected nor stopped.
-Describe how these additional attacks can be prevented in the future
The first hacks could have been noticed and stopped had the IT staff been trained in detecting intrusions and had a Network-Based IDS and Host-Based IPS been implemented. File Integrity Monitoring of the internal files could be done, whereby any files modified or changed would be identified and reported to a central location. Audits should also be carried out more often, as this would ensure that an "error" does not go on for days or months without ever being flagged; doing audits more frequently would have helped detect the suspect much sooner. A social engineering detection and awareness program should be made available and compulsory. Had personnel been trained in the aspects of social engineering, the auditor might have been able to detect that they were a target. Finally, proper authentication before giving out additional access should be looked into; it could be face-to-face authentication or additional identifiers that could be requested to verify that the user is authentic.
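The File Integrity Monitoring just described, together with the SHA evidence digests the forensics section mentions for chain of custody, as an added example that is not the essay's own code. The payroll file names, contents and the tampering scenario are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large payroll exports are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def verify(root, baseline):
    """Compare the files now on disk against a saved baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline two payroll files, tamper with them the way
    the essay describes, report the changes, and show the evidence digest check."""
    root = tempfile.mkdtemp(prefix="payroll_fim_")
    try:
        os.makedirs(os.path.join(root, "salaries"))
        records = {
            "salaries/president.csv": "employee_id,base_salary\n1001,250000\n",
            "salaries/staff.csv": "employee_id,base_salary\n2047,52000\n",
            "README.txt": "Payroll export, do not edit by hand.\n",
        }
        for rel, body in records.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
        baseline = build_baseline(root)

        # Tampering: the president's salary is lowered and the difference is
        # added to one employee's record. The README is left untouched.
        with open(os.path.join(root, "salaries/president.csv"), "w") as f:
            f.write("employee_id,base_salary\n1001,230000\n")
        with open(os.path.join(root, "salaries/staff.csv"), "w") as f:
            f.write("employee_id,base_salary\n2047,72000\n")
        report = verify(root, baseline)

        # Chain of custody: record the digest of the seized file at acquisition
        # time, then recompute it later to show the evidence was not altered.
        seized = os.path.join(root, "salaries/staff.csv")
        acquisition_digest = sha256_file(seized)
        evidence_intact = sha256_file(seized) == acquisition_digest
        return {"report": report, "evidence_intact": evidence_intact}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```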
-Recommend a recovery procedure to restore the computer systems back to their original state prior to such attacks:
Having a well-structured strategy which creates policy, guidance, processes and procedures would aid in the quick restoration of the computer systems to their former state, along with having the proper teams in place to ensure all key aspects of recovery and emergency response are done. Planning would ease the recovery process by having simulated and exercised similar events, so that the steps of recovery could be refined and the recovery process is seamless. Defined missions for each team are required so that no personnel overstep into other departments' boundaries, which could cause data to be convoluted and efforts duplicated. Personnel should also have defined roles and responsibilities to ensure the authorized steps are accomplished accurately and on time. Vulnerability scanning and anti-virus protection have to be done to ensure that all vulnerabilities are identified and remediated, which would help in restoring the systems to their original state. Finally, ensuring that data replication was occurring from the main server to an off-site server would allow the team, through logging and forensics, to identify when the intrusion originally happened. Having this data would have helped the staff to pull the data from the backups up to the point at which the intrusion happened. This would help to ensure that not all data was lost or held in evidence, and would bring the systems back to their former state.
