Task 2: Postevent Evaluation

Competencies


427.1.5 Responding to Attacks and Special Circumstances

The graduate identifies, evaluates, and applies network response procedures for attacks with special circumstances.

427.1.7 Continued Assessments During a Disaster

The graduate assesses needs, threats, and solutions prior to and during a network disaster.

Scenario


An employee hacked into the human resource records system at the employee’s place of business and changed the employee’s base salary rate to obtain a pay raise. The employee did this by spoofing an IP address in order to eavesdrop on the network. Once the employee identified where the data was stored and how to modify it, the employee made the changes and received two paychecks with the new amount.

Fortunately, an auditor happened to discover the error. The auditor sent an e-mail to several individuals within the organization to let them know there was a potential problem with the employee’s paycheck. However, the employee was able to intercept the message and craft fake responses from the individuals the original e-mail was sent to. The employee and the auditor exchanged e-mails back and forth until the employee was soon given access permissions for some other financial records. With this new information, the employee was able to lower the salaries of the president of the company and several other employees and then to include the salary difference in the employee’s own paycheck.

The IT staff determined that the spoofing that occurred that allowed the employee to gain access to the human resources system was caused by a lack of authentication and encryption controls. As such, a local root certificate authority was installed to implement a public key infrastructure (PKI) in which all communication to the human resource system required a certificate. This would encrypt network traffic to and from the human resources system and prevent eavesdropping. It would also properly authenticate the host to prevent spoofing.

Requirements


  1. Perform a postevent evaluation of how the organization’s IT staff responded to the attack described in the scenario by doing the following:
    1. Describe the series of malicious events that led up to the incident.
    2. Identify who needs to be notified based on the type and severity of the incident.
    3. Outline how the incident could be contained.
    4. Discuss how the factor that caused the incident could be eradicated.
    5. Discuss how the system could be recovered to return to normal business practice.
      1. Explain how the system could be verified as operational.
  2. Perform a follow-up of the postevent evaluation by doing the following:
    1. Identify areas that were not addressed by the IT staff’s response to the incident.
    2. Identify the other attacks mentioned in the scenario that were not noticed by the organization.
      1. Describe the type and severity of the attacks not noticed by the organization.
      2. Describe how these additional attacks can be prevented in the future.
    3. Recommend a recovery procedure to restore the computer systems back to a fully operational state.
  3. When you use sources, include all in-text citations and references in APA format.

Rubric


Articulation of Response: Clarity, organization, mechanics

Not Evident

The candidate provides unsatisfactory articulation of response.

Approaching Competency

The candidate provides weak articulation of response.

Competent

The candidate provides adequate articulation of response.

A1: Nature of the Incident

Not Evident

The candidate does not provide an appropriate description of the series of malicious events that led up to the incident.

Approaching Competency

Not applicable.

Competent

The candidate provides an appropriate description of the series of malicious events that led up to the incident.

A2: Notification

Not Evident

The candidate does not accurately identify who needs to be notified based on the type and severity of the incident.

Approaching Competency

Not applicable.

Competent

The candidate accurately identifies who needs to be notified based on the type and severity of the incident.

A3: Containment

Not Evident

The candidate does not outline how the incident could be contained.

Approaching Competency

The candidate outlines, with insufficient detail, how the incident could be contained.

Competent

The candidate outlines, with sufficient detail, how the incident could be contained.

A4: Factor Removal

Not Evident

The candidate does not provide a logical discussion of how the factor that caused the incident could be eradicated.

Approaching Competency

The candidate provides a logical discussion, with insufficient detail, of how the factor that caused the incident could be eradicated.

Competent

The candidate provides a logical discussion, with sufficient detail, of how the factor that caused the incident could be eradicated.

A5: System Restoration

Not Evident

The candidate does not provide a logical discussion of how the system could be recovered to return to normal business practice.

Approaching Competency

The candidate provides a logical discussion, with insufficient detail, of how the system could be recovered to return to normal business practice.

Competent

The candidate provides a logical discussion, with sufficient detail, of how the system could be recovered to return to normal business practice.

A5a: System Verification

Not Evident

The candidate does not provide a logical explanation of how the system could be verified as operational.

Approaching Competency

The candidate provides a logical explanation, with insufficient detail, of how the system could be verified as operational.

Competent

The candidate provides a logical explanation, with sufficient detail, of how the system could be verified as operational.

B1: Unaddressed Areas

Not Evident

The candidate does not accurately identify areas that were not addressed by the IT staff’s response to the incident.

Approaching Competency

Not applicable.

Competent

The candidate accurately identifies areas that were not addressed by the IT staff’s response to the incident.

B2: Other Attacks

Not Evident

The candidate does not accurately identify the other attacks mentioned in the scenario that were not noticed by the organization.

Approaching Competency

Not applicable.

Competent

The candidate accurately identifies the other attacks mentioned in the scenario that were not noticed by the organization.

B2a: Type and Severity of Other Attacks

Not Evident

The candidate does not provide an appropriate description of the type and severity of the attacks not noticed by the organization.

Approaching Competency

The candidate provides an appropriate description, with insufficient detail, of the type and severity of the attacks not noticed by the organization.

Competent

The candidate provides an appropriate description, with sufficient detail, of the type and severity of the attacks not noticed by the organization.

B2b: Prevention

Not Evident

The candidate does not provide an appropriate description of how the additional attacks can be prevented in the future.

Approaching Competency

The candidate provides an appropriate description, with insufficient detail, of how the additional attacks can be prevented in the future.

Competent

The candidate provides an appropriate description, with sufficient detail, of how the additional attacks can be prevented in the future.

B3: Recommendation

Not Evident

The candidate does not provide an appropriate recommendation of a recovery procedure to restore the computer systems back to a fully operational state.

Approaching Competency

The candidate provides an appropriate recommendation, with insufficient support, of a recovery procedure to restore the computer systems back to a fully operational state.

Competent

The candidate provides an appropriate recommendation, with sufficient support, of a recovery procedure to restore the computer systems back to a fully operational state.

C: Sources

Not Evident

The submission does not include both in-text citations and a reference list for sources that are quoted, paraphrased, or summarized.

Approaching Competency

The submission includes in-text citations for sources that are quoted, paraphrased, or summarized and a reference list; however, the citations or reference list is incomplete or inaccurate.

Competent

The submission includes in-text citations for sources that are properly quoted, paraphrased, or summarized and a reference list that accurately identifies the author, date, title, and source location as available. Or the candidate does not use sources.

Task 2 – Formatting

Word document or PDF
Suggested length: 8–10 pages, double spaced
Paraphrase: no more than 30% unoriginal work
Turnitin: no more than a combined total of 30% of a submission can be directly quoted or closely paraphrased from sources, even if cited correctly.
APA format: APA Formatting and Style Guide, https://owl.english.purdue.edu/owl/resource/560/01/

Note: When using sources to support ideas and elements in a paper or project, the submission MUST include APA-formatted in-text citations with a corresponding reference list for any direct quotes or paraphrasing. It is not necessary to list sources that were consulted if they have not been quoted or paraphrased in the text of the paper or project.

Task 2 – Task Technical Details

The purpose of the presentation is to perform a post-event evaluation. While working on this task, you may feel like you are being asked the same questions multiple times. Be sure to review the rubric for each task prompt to assure you are answering the criteria required for each task prompt. Be sure to write your responses tailored around this specific scenario. Responses should not be generalized.

  A. Perform a post-event evaluation of how the organization’s IT staff responded to the attack described in the scenario by doing the following:
    1. Describe the nature of the incident. Describe in detail the nature of the incident and the events that occurred to create the incident and during the incident. You will need to refer back to the scenario to detail all events that led up to the incident, along with the actual incident.
    2. Identify who needs to be notified based on the type and severity of the incident. Please write your responses tailored to the scenario. Readings: Chapter 6, Operational Risk Management, The Definitive Handbook of Business Continuity Management, Third Edition; iPremier Readings. Please review the incident notification section in the following NIST document for assistance: NIST 800-61, Computer Security Incident Handling Guide.
    3. Outline how the incident could be contained. Please write your responses tailored to the scenario. Do not confuse containment with mitigation. Please review the containment section in the following NIST document for assistance: NIST 800-61, Computer Security Incident Handling Guide, Section 3.3.1. You will need to discuss containment strategies as reactive measures to the specific incident within the scenario.
    4. Discuss how the factor that caused the incident could be removed. Please write your responses tailored to the scenario. Readings: iPremier Readings. Please review the NIST document for assistance: NIST 800-61, Computer Security Incident Handling Guide. This will depend on your response to A3. Consider discussing defense-in-depth strategy as it relates to the scenario and the points you made for A3.
    5. Describe how the system could be restored to normal business practice. Review the NIST document for assistance by searching the key term “restore”: NIST 800-61, Computer Security Incident Handling Guide. Readings: iPremier Readings. Discuss how data, applications, and other services affected by the incident have been returned to normal operations.
      a. Explain how the system could be verified as operational. Discuss the testing methodology you used to verify the systems are operational. Readings: iPremier Readings.
  B. Perform a follow-up of the post-event evaluation by doing the following:
    1. Identify areas that were not addressed by the IT staff’s response to the incident. As part of the “follow-up” of the post-event evaluation, review the scenario in detail and identify the areas that were not addressed in the response to the incident.
    2. Outline the other attacks mentioned in the scenario that were not noticed by the organization.
      a. Describe the nature of the attacks not noticed by the organization.
      b. Describe how these additional attacks can be prevented in the future. Discuss the events of the incident that were not noticed in the IT staff’s response to the incident. Discuss in detail the measures that can be taken to prevent these types of attacks in the future.
    3. Recommend a recovery procedure to restore the computer systems back to their original state prior to such attacks. Please review the recovery section in the following NIST document for assistance: NIST 800-61, Computer Security Incident Handling Guide. Readings: iPremier Readings.
  C. When you use sources, include all in-text citations and references in APA format.
