Post Event Evaluation of How the Organization’s IT Staff Responded to the Attack
Describe the Nature of the Incident
A spoofing attack allowed the employee to pose as a legitimate user of the human resource system. In a spoofing attack the attacker creates a misleading context so that the target system, or the people operating it, make an inappropriate security-relevant decision (Khosrowpour, 2002). Here the employee forged the source IP address of a trusted host, so that traffic he generated appeared to come from that host and was accepted by the network and by the human resource system; his position on the network also let him eavesdrop on the traffic exchanged with the system. Posing as the legitimate user, he changed the payroll details of his own salary. As Khosrowpour (2002) notes, the attacker in this form of attack intercepts traffic, identifies where the target data is stored, and then modifies it. The changes went undetected, and the employee received two paychecks at the new amount.
The immediate goal of the spoofing attack was to establish a connection that gave the employee root access to the host and then to create a backdoor entry path into the organization's human resource system (Paquet, 2009). Through IP spoofing the attacker gained unauthorized access by sending messages to the system whose source address indicated they came from a trusted host, so that access controls based on the source address accepted them.
Identify Who Needs to be Notified Based on the Type and Severity of the Incident
The chief information officer is the first person to be notified. The company's network security had been compromised, and the compromise produced two fraudulent paychecks before it was noticed, which calls for senior management to demand a risk assessment and management report. The chief information officer should commission a report that identifies the security holes that allowed the employee to enter and interfere with the human resource system. The chief information officer must be notified because network security is a dominant concern for both information technology professionals and the senior management of the organization. The chief information officer and the network administrator should also include a stipulation for examining the network periodically to review its vulnerabilities.
Outline How the Incident Could be Contained
To address the attack, Das, Kant and Zhang (2012) propose a secure and efficient key management framework (SEKM) for distributed environments. SEKM lets the network administrator build a public key infrastructure (PKI) on top of an underlying multicast server group and a secret sharing scheme. In this framework the server group collectively acts as the certification authority (CA) and provides certificate update services for all nodes, including the servers themselves (Das, Kant & Zhang, 2012). To counter spoofing, management should introduce public key cryptography: each person receives a key pair, a public key and a private key, and requests to the human resource system are authenticated by a signature that only the holder of the private key can produce. A forged source address is then no longer enough to be accepted, and the sender and receiver no longer need to share a secret in advance.
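The following Python script is an added illustration and is not part of the cited sources. It shows why trusting the packet's source address fails against spoofing while authenticating the request itself does not, and it adds the ingress (anti-spoofing) filter a border router can apply. The addresses, account, key and packets are constructed; a keyed hash (HMAC) stands in for the public-key signature discussed above so that the script runs with the standard library alone, and the same verification logic applies to a signature under the user's key.

```python
"""Address-based trust versus authenticated requests (added example).

Simulates two ways the human resource service could decide whether to act on
a "change salary" request: trusting the packet's claimed source IP address
(defeated by spoofing) versus verifying a keyed message authentication code
that a spoofer cannot produce.  It also shows the ingress (anti-spoofing)
filter a border router can apply: packets claiming an internal source address
must not arrive on the external interface.  Hosts, keys and packets below are
constructed for the example.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")       # assumed corporate range
TRUSTED_HOSTS = {ipaddress.ip_address("10.0.5.20")}      # assumed HR admin workstation

# Per-user secret the spoofer does not hold.  In the PKI design discussed in
# the text this would be the user's private key and a signature; an HMAC is
# used here so the example runs with the standard library alone.
USER_KEYS = {"hr_admin": b"constructed-key-for-hr_admin"}


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on: "internal" or "external"
    src: str          # claimed source IP address
    user: str         # account the request is made under
    payload: str      # the request itself
    tag: str = ""     # hex HMAC-SHA256 over user and payload; empty if absent


def ingress_filter(pkt: Packet) -> bool:
    """BCP 38 style ingress filtering: a packet arriving on the external
    interface may not claim an internal source address."""
    src = ipaddress.ip_address(pkt.src)
    return not (pkt.iface == "external" and src in INTERNAL_NET)


def authorize_by_source_ip(pkt: Packet) -> bool:
    """The weak check: anyone who can write a packet header passes it."""
    return ipaddress.ip_address(pkt.src) in TRUSTED_HOSTS


def sign(user: str, payload: str) -> str:
    """Tag a request under the user's key (what the legitimate client does)."""
    msg = f"{user}\n{payload}".encode()
    return hmac.new(USER_KEYS[user], msg, hashlib.sha256).hexdigest()


def authorize_by_mac(pkt: Packet) -> bool:
    """The strong check: the tag must verify under the named user's key,
    whatever the source address says."""
    key = USER_KEYS.get(pkt.user)
    if key is None or not pkt.tag:
        return False
    expected = hmac.new(key, f"{pkt.user}\n{pkt.payload}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pkt.tag)   # constant-time comparison


def decide(pkt: Packet, check) -> str:
    """Apply the border filter first, then the service's authorization check."""
    if not ingress_filter(pkt):
        return "dropped-at-border"
    return "accepted" if check(pkt) else "rejected"


# Constructed traffic.  The legitimate admin tags the request; the employee
# can forge the source address but not the tag.
PAYLOAD = "set_salary employee=17 amount=9500"
LEGIT = Packet("internal", "10.0.5.20", "hr_admin", PAYLOAD, sign("hr_admin", PAYLOAD))
SPOOFED_INSIDE = Packet("internal", "10.0.5.20", "hr_admin", PAYLOAD, "00" * 32)
SPOOFED_OUTSIDE = Packet("external", "10.0.5.20", "hr_admin", PAYLOAD, "00" * 32)
# A captured legitimate tag replayed with a changed amount does not verify either.
REPLAYED = Packet("internal", "10.0.5.20", "hr_admin", PAYLOAD.replace("9500", "19500"), LEGIT.tag)

if __name__ == "__main__":
    for name, pkt in [("legit", LEGIT), ("spoofed inside", SPOOFED_INSIDE),
                      ("spoofed outside", SPOOFED_OUTSIDE), ("replayed", REPLAYED)]:
        print(f"{name:16} by source IP: {decide(pkt, authorize_by_source_ip):18} "
              f"by MAC: {decide(pkt, authorize_by_mac)}")
```

The spoofed packet sent from inside the LAN is the instructive case: the border filter cannot see it, and the source-address check accepts it, but the keyed check rejects it because the employee cannot produce the tag. A production design would also bind a timestamp or nonce into the signed message so that an unmodified captured request cannot be replayed.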
The organization's wireless LAN illustrates the same problem. The original IEEE 802.11 design provided only extremely limited key management: up to four static, long-term keys shared by all stations on the LAN (Das, Kant & Zhang, 2012). With such shared keys the organization cannot fully revoke access from a previously authorized host, because every station holds the same key. Properly, a host should be revoked as soon as it is no longer associated with the access point, and the revocation is only effective once that host can no longer decrypt, and so eavesdrop on, the traffic generated by other hosts on the local area network. Per-station keys issued through a PKI meet this requirement; static keys shared by all stations do not.
Discuss How the Factor that Caused the Incident Could be Removed
To remove the root cause of the spoofing attack, the organization should move network security and its risk assessment from a purely functional concern to a core part of the overall business strategy of the firm. Jones and Ashenden (2005) note that a company's "local area network presents a substantial risk because it does not address the wider issues of protecting information in the environments through which it flows across the information network" (p. 9). The network security threats the organization faces include tapping and monitoring of traffic and intrusion attacks; the security services it must therefore provide are identification, authentication, access control, availability, privacy, integrity, accountability and non-repudiation.
Describe How the System Could be Restored to Normal Business Practice
Human resource system parameters are normally set to an acceptable compromise between security and usability. Cole (2011) describes the post-attack step as restoring the compromised system to its original state. The first step is to remove the files and tools the attacker placed on the system; Cole describes the same clean-up at the end of a penetration test. Secondly, the administrator reverts any network setting changes to their original values; Cole (2011) notes that network cards left in promiscuous mode, and ARP poisoning used for sniffing, must be corrected at this stage. Finally, registry settings or any other system configuration changed during the attack should be restored (Cole, 2011).
Explain How the System Could be Verified as Operational
After the system is restored, it is necessary to confirm that it is operational. Cole (2011) recommends verifying the human resource system against a detailed test plan that provides complete test coverage. The network manager and system administrator should establish an orderly schedule of test events, determine the expected output for each, and perform a test run against those expected outputs. Cole (2011) says that verification should be done against a written record of test inputs, and the team must exercise system limits and abnormal inputs, not only the normal cases.
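As an added example of the restoration and verification steps described above (it is not from Cole or any other cited source), the Python script below performs two checks a team would run on the restored server: it compares a SHA-256 manifest of configuration files taken from the clean backup against the live files, and it parses `ip link` output for interfaces left in promiscuous mode. The configuration files, the attacker residue and the `ip link` output are constructed so the script runs offline.

```python
"""Checking a restored host against its known-good baseline (added example).

Two checks to run after the human resource server has been restored: (1)
compare a SHA-256 manifest of the configuration files, taken from the clean
backup, against the live files, and (2) confirm that no network interface was
left in promiscuous mode.  The files and the `ip link` output below are
constructed so the script runs offline; on a real host the baseline manifest
comes from the backup and the interface flags from `ip link`.
"""
import hashlib
import re
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifest(baseline: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Files whose content differs, files missing from the live host, and
    files present on the live host that the baseline never had (typical
    attacker residue: backdoor scripts, extra cron jobs)."""
    return {
        "modified": sorted(p for p in baseline if p in live and baseline[p] != live[p]),
        "missing": sorted(p for p in baseline if p not in live),
        "unexpected": sorted(p for p in live if p not in baseline),
    }


# One header line per interface in `ip link` output, e.g.
# "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
IFACE_RE = re.compile(r"^\d+: ([^:@\s]+)(?:@\S+)?: <([^>]*)>", re.MULTILINE)


def promiscuous_interfaces(ip_link_output: str) -> list[str]:
    """Names of interfaces whose flags include PROMISC."""
    return [name for name, flags in IFACE_RE.findall(ip_link_output)
            if "PROMISC" in flags.split(",")]


# Constructed `ip link` output: eth0 was left in promiscuous mode by a sniffer.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:42:0a:00:05:0a brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:42:0a:00:06:0a brd ff:ff:ff:ff:ff:ff
"""


def demo_drift() -> dict[str, list[str]]:
    """Build a baseline from constructed clean files, then simulate an
    incomplete restore that left attacker changes behind, and report drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hr.conf").write_text("db_host=hrdb\nlisten=10.0.5.10\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "crontab").write_text("0 2 * * * root /usr/local/bin/backup.sh\n")
        baseline = build_manifest(root)          # what the clean backup looks like

        # Residue an incomplete restore would leave (constructed): a weakened
        # sshd setting, a removed file and a cron entry that re-opens a backdoor.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "updater").write_text("*/5 * * * * root /tmp/.x/listen.sh\n")
        (root / "etc" / "crontab").unlink()
        return compare_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    print("drift:", demo_drift())
    print("promiscuous:", promiscuous_interfaces(SAMPLE_IP_LINK))
```

The manifest must be generated from the backup (or the installation media), not from the compromised host, or the attacker's changes become the baseline; the interface check is a quick way to confirm that the sniffing configuration Cole mentions was actually undone.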
Perform a Follow-up of the Post Event Evaluation
Identify Areas that Were not Addressed by the IT Staff’s Response to the Incident
The information technology staff did not address the basic network security threats that organizations must cover to achieve a baseline level of security: attacks on confidentiality and integrity. Fung (2004) explains that confidentiality technologies ensure that the content of a message is not visible to anyone other than the intended or authorized recipients, and integrity technologies ensure that it is not altered in transit. Some security technologies also provide competitive advantage; they have evolved from basic, through enhanced, to integrated technologies (Fung, 2004). An example of an enhanced technology is the digital signature, which implements source non-repudiation: it is built on top of a hashing algorithm, which provides integrity, combined with the signer's private key (Fung, 2004). Confidentiality and integrity together assure the organization that its information is safe.
Other Attacks Mentioned in the Scenario That Were not Noticed by the Organization
A password attack also occurred, although the scenario did not name it. Paquet (2009) says password attacks can be carried out by several methods, including brute-force guessing, Trojan horse programs, keyloggers and packet sniffers; a password attack usually means repeated attempts to identify a password, a user account, or both (Paquet, 2009). The employee used such an attack to obtain a valid account on the human resource system. Because the compromised account had sufficient privileges, the employee was able to create a backdoor for future access that would survive any later password or status change to that account. Through the compromised account the employee lowered the salaries of the president of the company and several other employees and added the difference to his own paycheck.
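Repeated guessing of the kind Paquet describes leaves a clear trace in authentication logs. The Python detector below is an added example, not from the cited sources: it reads syslog-style sshd lines, keeps a sliding window of failed logins per account and source address, and raises an alert both when the failures cross a threshold and when a successful login follows such a burst. The log lines are constructed, the year is assumed (syslog timestamps carry none), and the threshold and window are assumptions to be tuned per site.

```python
"""Spotting a password-guessing attack in sshd authentication logs (added example).

Reads syslog-style lines, counts failed logins per (account, source address)
inside a sliding window, and raises two kinds of alert: a burst of failures,
and a successful login that immediately follows such a burst, which is the
signature of a guess that finally worked.  The log lines are constructed and
the thresholds are assumptions to be tuned per site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+)"
)


def parse_line(line: str, year: int = 2012):
    """Return (timestamp, result, user, src), or None for lines not handled.
    syslog timestamps carry no year, so one is supplied (assumed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect(lines, threshold: int = 5, window_s: int = 60) -> list[dict]:
    """Sliding-window detector.  Alerts once when a (user, src) pair reaches
    `threshold` failures inside `window_s` seconds, and again if that pair
    then logs in successfully while the burst is still inside the window."""
    recent = defaultdict(deque)    # (user, src) -> timestamps of recent failures
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        q = recent[(user, src)]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()                         # expire failures outside the window
        if result == "Failed":
            q.append(ts)
            if len(q) == threshold:             # fire once, when the threshold is crossed
                alerts.append({"type": "burst", "user": user, "src": src,
                               "failures": len(q), "at": ts})
        elif result == "Accepted":
            if len(q) >= threshold:
                alerts.append({"type": "success_after_failures", "user": user, "src": src,
                               "failures": len(q), "at": ts})
            q.clear()                           # a success ends the sequence either way
    return alerts


# Constructed log: six guesses against hr_admin in 32 seconds, then a success,
# plus one ordinary mistyped password from another user.
SAMPLE_LOG = """\
Mar  3 02:14:01 hrsrv sshd[2201]: Failed password for hr_admin from 10.0.7.33 port 51032 ssh2
Mar  3 02:14:07 hrsrv sshd[2203]: Failed password for hr_admin from 10.0.7.33 port 51033 ssh2
Mar  3 02:14:13 hrsrv sshd[2205]: Failed password for hr_admin from 10.0.7.33 port 51035 ssh2
Mar  3 02:14:20 hrsrv sshd[2207]: Failed password for hr_admin from 10.0.7.33 port 51036 ssh2
Mar  3 02:14:26 hrsrv sshd[2209]: Failed password for hr_admin from 10.0.7.33 port 51038 ssh2
Mar  3 02:14:33 hrsrv sshd[2211]: Failed password for hr_admin from 10.0.7.33 port 51040 ssh2
Mar  3 02:14:40 hrsrv sshd[2213]: Accepted password for hr_admin from 10.0.7.33 port 51044 ssh2
Mar  3 09:02:11 hrsrv sshd[3090]: Failed password for jsmith from 10.0.5.41 port 50222 ssh2
Mar  3 09:02:30 hrsrv sshd[3091]: Accepted password for jsmith from 10.0.5.41 port 50223 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures is noise from a slow attacker or a forgetful user, but a success on the heels of a burst means the guessing worked and the account should be locked and its sessions examined before the next payroll run.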
Describe the Nature of the Attacks not Noticed by the Organization
An integrity attack also occurred. An integrity violation arises when the employee changes the salaries of the president of the company and several other employees and adds the difference to his own paycheck without proper authorization. Paquet (2009) describes this case: the attacker has permission to write sensitive data and can change or delete it. The HR department did not detect the changes until it was too late and they had already produced a tangible loss. This is the most serious threat to the organization, because unauthorized changes are difficult to detect and late detection has cascading consequences (Paquet, 2009).
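The changes in this scenario were designed to survive a total-only reconciliation: several salaries went down and one went up by the same amount, so the payroll total did not move. The Python audit below is an added example (not from Paquet or the other cited sources) of the check that catches it: it compares the current payroll run with the previous one, subtracts the changes covered by approved change tickets, and flags the remainder, including the offsetting pattern. The payroll figures and the ticket list are constructed.

```python
"""Auditing a payroll run for unauthorized salary changes (added example).

Compares the current payroll run against the previous one, subtracts the
changes covered by approved change tickets, and flags what remains.  It also
looks for the pattern in the scenario: several salaries lowered and one raised
by the same total, so that the payroll total does not move and a total-only
reconciliation would miss it.  Payroll figures and tickets are constructed.
"""
from decimal import Decimal

# employee id -> (name, monthly salary) for the last clean run and the current run (constructed)
PREVIOUS = {1: ("president", Decimal("25000.00")), 2: ("cfo", Decimal("18000.00")),
            3: ("jdoe", Decimal("4200.00")), 4: ("employee_x", Decimal("3900.00"))}
CURRENT = {1: ("president", Decimal("24200.00")), 2: ("cfo", Decimal("17600.00")),
           3: ("jdoe", Decimal("4200.00")), 4: ("employee_x", Decimal("5100.00"))}
# Approved tickets: employee id -> new amount signed off by HR (none this cycle)
APPROVED = {}


def payroll_changes(prev, cur):
    """Every record whose amount differs, including records added or removed."""
    changes = []
    for emp in sorted(set(prev) | set(cur)):
        before = prev.get(emp, (None, Decimal("0")))[1]
        after = cur.get(emp, (None, Decimal("0")))[1]
        if before != after:
            name = (cur.get(emp) or prev.get(emp))[0]
            changes.append({"id": emp, "name": name, "before": before,
                            "after": after, "delta": after - before})
    return changes


def unauthorized(changes, approved):
    """Changes not matched by a ticket approving exactly that new amount."""
    return [c for c in changes if approved.get(c["id"]) != c["after"]]


def redistribution(changes, tolerance=Decimal("0.01")):
    """Detect decreases offset by increases so the total stays (almost) flat:
    the attacker's way of hiding a raise from a total-only reconciliation."""
    ups = [c for c in changes if c["delta"] > 0]
    downs = [c for c in changes if c["delta"] < 0]
    net = sum((c["delta"] for c in changes), Decimal("0"))
    if ups and downs and abs(net) <= tolerance:
        return {"net": net,
                "beneficiaries": [c["id"] for c in ups],
                "victims": [c["id"] for c in downs],
                "moved": sum((c["delta"] for c in ups), Decimal("0"))}
    return None


def audit(prev, cur, approved):
    """Full report: all changes, those without a ticket, and any offsetting pattern."""
    changes = payroll_changes(prev, cur)
    flagged = unauthorized(changes, approved)
    return {"changes": changes, "unauthorized": flagged,
            "redistribution": redistribution(flagged)}


if __name__ == "__main__":
    report = audit(PREVIOUS, CURRENT, APPROVED)
    for c in report["unauthorized"]:
        print(f"UNAUTHORIZED {c['id']:>3} {c['name']:<12} {c['before']} -> {c['after']} ({c['delta']:+})")
    if report["redistribution"]:
        print("offsetting changes:", report["redistribution"])
```

Run before each payroll is released rather than after, this check would have stopped the first fraudulent paycheck; run only on the total, it would have passed both. Had a ticket approved employee 4's new amount, that record would drop out of the unauthorized list and the offsetting pattern would no longer be reported, because it is computed over unauthorized changes only.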
How these Additional Attacks Can be Prevented in the Future
The organization should use authentication and message integrity technologies to counter password and integrity attacks. Authentication ensures that only users with permission can access particular information (Fung, 2004); the technologies involved include the IPsec Encapsulating Security Payload (ESP), packet filtering, and user ID and password authentication, which should be strengthened with a second factor so that a guessed password alone is not enough. Message integrity technologies ensure that the data the receiver gets is the same as the data the sender sent, which Fung (2004) also counts as a competitive advantage, because they preserve the originality of information in transit. Fung (2004) groups tunnelling protocols such as generic routing encapsulation (GRE), the point-to-point tunneling protocol (PPTP) and Layer 2 VPNs over Frame Relay and ATM under this heading; it should be noted that these only encapsulate traffic, and the actual integrity protection comes from a message authentication code or digital signature, as provided for example by ESP with authentication enabled.
The recent trend is that, instead of simply responding after a network compromise, companies move towards real-time proactive monitoring of their operations, using intrusion detection tools that help administrators spot unusual or illegal activity on the network (Evans, 2003). Activity that would otherwise go unnoticed can then be detected while it is in progress and blocked, or reported to the security administrators. Extranets in particular must not compromise security: in the company, extranet security should ensure that passwords and identities are encrypted while they are sent over the network.
Recovery Procedure to Restore the Computer Systems
Restoring the system to its original condition is the most significant step the organization must take. Restoration means removing the programs the employee placed on the computer and cleaning up any altered data files. There are three main options: repair during continued operation, restoration from backup tapes, and reinstallation from the original installation media (Bidgoli, 2004). Bidgoli (2004) adds that the organization should reinstall the human resource system and other program files from the last clean backup tape. To choose that tape, it is necessary to know when the attack began, since any backup taken after that point may already contain the attacker's changes. Restoring program files from backup tapes requires the system to be taken offline, at least temporarily.
In conclusion, management should recognize that globalization brings tremendous opportunities and, with them, the need to implement competitive security technologies to counter security threats. The firm's network security should start with an evaluation of the known risks and threats and their associated impacts. Security professionals must understand, implement and operate enhanced security technologies effectively to ensure business continuity in the firm.