Status change (including time zone).
Sifers-Grayson's security defenses could neither detect the attack nor record when it took place. However, the IT staff noticed the intrusion because the system became abnormally slow under heavy traffic. In addition, the malfunctioning of the company's drones was a red flag for a system attack. After tracing the traffic, the IT staff found that the IP address 22.214.171.124 was unauthorized.
Cause of the Incident
Cyberattacks are a common threat to many businesses. As Romanosky (2016) elucidates, there are different vulnerabilities, such as a failure to update security systems, that increase susceptibility to attacks such as brute-force attacks and phishing. In the Sifers-Grayson case, the attacks resulted from an overall lack of network security, improper device security, and unsecured access points. The lack of a proper security system gave the attackers an avenue into the secure part of the network. Besides, the fact that the company has not put in place a bring-your-own-device policy, which restricts the use of external devices on the corporate network, has increased its vulnerability to the installation of malware and viruses. Furthermore, allowing unauthorized persons into secure areas within the company may have increased the possibility of physical intrusion.
Cost of the Incident
The team has not yet determined the total cost of the security breach. However, Sifers-Grayson considers the documentation and code for the AX10 priceless. Moreover, the cost of other damaged equipment is yet to be totaled. Other associated costs include the cleanup time the IT staff need to bring security back to a good standing: 200 hours at $100 per hour, which makes the cleanup cost approximately $20,000.
Impact of the Incident on the Business
The incident had a detrimental effect on the company's overall reputation and its information resources. Nonetheless, it is a necessary trigger for Sifers-Grayson to adopt best security practices so that future threats are mitigated.
The test made it possible to identify the system vulnerabilities at Sifers-Grayson. The section below details the incident, analyzes the key issues, and identifies the tools the company should use to secure its network.
Software vulnerability analysis is integral to ensuring that companies maintain high security within their systems. Sifers-Grayson hired an external party to perform its network security test. As Barabanov et al. (2018) note, this type of testing is performed to check compliance with national and corporate standards and technical specifications. The test comprised several network penetration tests and the reporting of any vulnerabilities found. After extensive penetration testing, the Red Team penetrated the Sifers-Grayson network and revealed various security loopholes. For instance, the Red Team managed to steal information from the R&D data center and the SCADA Lab. Notably, the two facilities hold secret and classified information pertaining to the company's contracts with different government agencies and private entities. With such information in the hands of a malicious party, the organization might suffer a major blow, such as termination of contracts by the government entities. Moreover, the contract terms require adequate protection of classified information. Additionally, Sifers-Grayson should store any non-classified information with a non-federal information security organization. Violation of these terms may attract contract termination or heavy fines. The worst-case scenario would be contract termination, since it would then be challenging for other companies to enter into contracts with Sifers-Grayson. Hence, the Blue Team will use the information provided by the Red Team to determine the best recommendations and the most appropriate tools to safeguard the company's data.
The Sifers-Grayson case study reveals that the company's network topology incorporates two wired connections, copper cabling and fiber optic, both connected to the R&D department, and a wireless connection protected by a Wireless Access Point. These connections sit behind a firewall intended to block external threats. However, the Red Team's test revealed vulnerabilities in both the external and internal security environment, since the team managed to hack the enterprise network, steal all employees' passwords through USB devices, and take confidential files from the company's servers.
A noteworthy factor is that Sifers-Grayson's contracts involve government agencies that place the utmost importance on security. In this case, Sifers-Grayson needs to adopt WPA2 for its wireless network combined with an encryption cipher such as AES. According to Abishu et al. (2017), adopting these options ensures that the wireless connection is reinforced with a strong security system. Furthermore, Abishu et al. (2017) note that AES and WPA2 offer strong protection and are hard for hackers to bypass.
A company should treat precursors and indicators as fundamental factors when handling an incident. Precursors show the probability of an incident occurring in the future, whereas indicators provide details about incidents in progress or those that have already happened. The precursors in the Sifers-Grayson scenario could be the server log files pointing to the system vulnerability. While precursors are essential to incident prevention, a major challenge is understanding which precursors correspond to which incidents.
An important security measure to strengthen the Sifers-Grayson security system is Active Directory. Sifers-Grayson can take advantage of installing Windows Active Directory, which plays a vital role in assigning system resources based on user level. For instance, an administrator can define different groups and assign them different access privileges (Sharad et al., 2019). That way, employees cannot access resources in the system that they are not authorized to use.
Another benefit of using Active Directory at Sifers-Grayson is Active Directory Rights Management Services (AD RMS). AD RMS acts as an access check on both organizational employees and intruders (Microsoft, 2016). AD RMS limits access to the company's documents, emails, files, and webpages through encryption. If a user does not hold the required key, those files cannot be accessed.
The Red Team's post-attack findings showed that the employees were a weak link in the system's security. For instance, their use of unrecognized devices, plugged into the corporate system, allowed the test team to obtain all employees' login details. The company can address this issue through various approaches. First, it can conduct extensive company-wide training on system security and the importance of employees taking their role responsibly. The training would explain the dangers of using unrecognized devices on the company's network. It would also cover the dangers of downloading suspicious files and teach employees how to detect malicious activity, such as phishing schemes. Intensive training ensures that employees are on par with the company's security needs.
Containment, Eradication, and Recovery (CER)
There are different alternatives that Sifers-Grayson can use to acquire, preserve, secure, and document the evidence from the incident. While handling the incident, the company should also use a backup system to reinforce its information system and to avoid any loss or modification of data. In this case, Sifers-Grayson should rely on both offline and online backups. Notably, Sifers-Grayson had already encountered two ransomware attacks, which should have prompted the company to take appropriate precautionary measures.
Another approach to preventing future attacks is implementing an intrusion prevention system (IPS) and an intrusion detection system (IDS). According to Bakhsh et al. (2019), an IDS is essential for determining whether there are any looming threats within the corporate network by continuously monitoring network traffic. This continuous surveillance reports any anomalous event in the network. Sifers-Grayson should adopt a hybrid IDS to monitor both its network and its host systems. The threats an IDS identifies include denial of service, viruses, equipment failure, and distributed denial-of-service attacks (Bakhsh et al., 2019). Upon detection, an IDS-IPS system blocks the attack and alerts the system administrator to the malicious activity for appropriate action. In our case, if Sifers-Grayson had installed an IDS-IPS system, the IT staff would have received an early warning about the intrusion attempt. They would also have been alerted to the Red Team's attempts to hack into the system during the test phase. As Granjal and Pedroso (2018) elucidate, the IDS-IPS would have logged all the activities and blocked the installation of malware on the system.
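As an added illustration (not part of the case study or its cited sources), the following Python script shows the kind of automated check an IDS performs over firewall logs: it flags source addresses outside the authorized internal range (an indicator) and bursts of traffic from a single source (the high-traffic anomaly the IT staff only noticed by hand). The log lines, the log format and the 10.10.0.0/16 internal range are constructed assumptions; 22.214.171.124 is the address the incident write-up names as unauthorized.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed firewall log lines (not from the case study). 22.214.171.124 is
# the address the incident write-up names as unauthorized.
SAMPLE_LOG = """\
2020-03-02T08:00:01Z ALLOW src=10.10.1.15 dst=10.10.2.5 proto=tcp dport=445
2020-03-02T08:00:02Z ALLOW src=10.10.1.22 dst=10.10.2.5 proto=tcp dport=443
2020-03-02T08:00:02Z ALLOW src=22.214.171.124 dst=10.10.2.5 proto=tcp dport=22
2020-03-02T08:00:03Z ALLOW src=22.214.171.124 dst=10.10.2.6 proto=tcp dport=22
2020-03-02T08:00:03Z ALLOW src=22.214.171.124 dst=10.10.2.7 proto=tcp dport=22
2020-03-02T08:00:04Z ALLOW src=22.214.171.124 dst=10.10.2.8 proto=tcp dport=22
2020-03-02T08:00:09Z ALLOW src=10.10.1.15 dst=10.10.2.9 proto=tcp dport=443
"""
# Assumed address space of the internal R&D network (hypothetical value).
AUTHORIZED_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$")

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["ts"] = ev["ts"].replace(tzinfo=timezone.utc)
        ev["src"] = ipaddress.ip_address(ev["src"])
        events.append(ev)
    return events

def unauthorized_sources(events, allowed=AUTHORIZED_NETWORKS):
    """Indicator: source addresses that lie outside every authorized network."""
    return sorted({str(ev["src"]) for ev in events
                   if not any(ev["src"] in net for net in allowed)})

def burst_sources(events, threshold=3, window_seconds=5):
    """Anomaly: sources with at least `threshold` events in one `window_seconds` bucket
    (an automated form of the traffic spike that slowed the system down)."""
    buckets = Counter()
    for ev in events:
        bucket = int(ev["ts"].timestamp()) // window_seconds
        buckets[(str(ev["src"]), bucket)] += 1
    return sorted({src for (src, _), n in buckets.items() if n >= threshold})
```

Running `unauthorized_sources(parse_log(SAMPLE_LOG))` and `burst_sources(parse_log(SAMPLE_LOG))` both single out 22.214.171.124 on the constructed log, while the internal hosts stay below the burst threshold.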
The company needs to perform thorough and regular checks on its information system to ensure it is fully functional. Appropriate actions for the IT department include regular server updates, backups, and logging of system data. By taking these measures, the company will consolidate its security so that malicious activity does not reach its servers.
Additionally, the firm needs to stay informed about emerging security threats so as to understand how to identify and manage them. One way to stay ahead in this arena is to dedicate ample resources to network security and invest heavily in network security applications. Moreover, it needs to train its IT staff and other employees regularly on information systems security. Activities the IT staff need to become fully conversant with include monitoring systems for malicious activity, reviewing documentation to ensure it is consistent with appropriate incident-handling standards, performing regular system updates and attending to server notifications, and performing a post-mortem on any affected systems after an incident. An important lesson for the corporate world from Sifers-Grayson is the reality of cyber-attacks. Unless an organization takes appropriate precautionary measures, it faces a high risk of sustaining huge losses and losing important relationships with other companies.