
Fxt2-Task2


Submitted By aco001
ENTERPRISE CONTINUITY PLANNING
Responding to Attacks and Special Circumstances
Continued Assessments During a Disaster

By Charles Paddock
FXT2 – Task 2
November 5th, 2012

A. Perform a post event evaluation of how the organization’s IT staff responded to the attack described in the scenario by doing the following:

1. Describe the nature of the incident.

The incident was an internal employee successfully hacking into the human resources, payroll and electronic mail systems. The employee was then able to manipulate payroll data, intercept emails and impersonate staff through electronic means. A number of techniques were used in this attack, such as network eavesdropping, IP spoofing, social engineering, man-in-the-middle, and escalation of access privileges. All of these types of attacks are consistent with an experienced hacker who knew what he was after. The incident was only discovered because an auditor reviewing the records noticed the changes. When the auditor notified management of the discrepancies via email, his emails were intercepted and the hacker negotiated higher access privileges by posing as management and IT staff.

2. Identify who needs to be notified based on the type and severity of the incident.

The first call should be to the Security and IT teams to secretly verify the attack and prevent further escalation. When you believe we have been hacked and do not know the extent of the attack, you should always hold face-to-face meetings or phone conversations; this should not be done through email. Secondly, for this type of attack I would expect that the key department heads need to be notified. These department heads would be from Legal, Human Resources, Security and IT. There should be a well-defined major outage plan, emergency response team and security incident
