Assignment:
Internal Threats/Insider Threats Scenarios
The Quick Fix
SCENARIO 1: Joe, your network administrator, is overworked and underpaid. His bags are packed and ready for a family vacation to Disney World when he is tasked with deploying a critical patch. To make his flight, Joe quickly builds an installation file for the patch and deploys it before leaving for his trip. Next, Sue, the on-call service desk technician, begins receiving calls that nobody can log in. It turns out that no testing was done for the recently installed critical patch.
What is your response?
Discussion questions
• What is Sue's response in this scenario?
a. Does or should your on-call technician have the expertise to handle this incident? If not, are there defined escalation processes?
• Does or should your organization have a formal change control policy?
a. Should employees be trained on proper change control?
b. Does or should your organization have disciplinary procedures in place for when an employee fails to follow established policies?
• Does or should your organization have the ability to "roll back" patches in the event of unanticipated negative impacts?
An Unsecure Location
SCENARIO 2: An employee within your organization reports to you that an unanticipated shipment was received from a charitable organization consisting of 500 new laptops and 1,000 tablets and the Information Technology Department placed them in a building that has been the subject of several burglaries. The building is in an area surrounded by brush and poor to lighting due to burned out lights. No one was supposed to use the building until conditions were changed. It is 10:00 am Monday morning, you are the Head of Security and start a three-hour business meeting at 11:00 am.
What is your response?
Discussion questions
• Who within the organization would you need to notify?
• How should your department handle this problem?
a. Short-term
b. Long-term
• How can you prevent this from occurring again?
A Malware Infection
SCENARIO 3: An employee within your Research Department used the company's digital camera for business purposes. While doing so, he/she took a scenic photograph that he/she then loaded onto their personal computer by inserting the SD card. The SD card was infected with malware while connected to the employee's personal computer. When re-inserted into a company machine, it infected the organization's system with the same malware.
What is your response?
As the Head of Research, you have learned that five servers were infected before they were isolated through an automated process. The systems will disrupt operations in one critical department after eight hours. There is an existing contract with a cyber incident response company as well as internal company forensic resources.
Discussion questions:
• Who within the organization would you need to notify?
• How should an organization identify and respond to malware infecting your system through this vector?
a. What is the process for identifying the infection vector?
• What other devices could present similar threats?
• What should management do?
• How can you prevent this from occurring again?
a. Should your organization have training and policies in place to prevent this?
b. Should policies apply to all storage devices?
c. Should employees be prevented from using external drives?
Financial Break-in
SCENARIO 4: A routine financial audit reveals that several people receiving paychecks are not, and have never been, on payroll. A system review indicates they were added to the payroll approximately one month prior, at the same time, via a computer in the financial department.
What is your response?
You confirm the computer in the payroll department was used to make the additions. Approximately two weeks prior to the addition of the new personnel, there was a physical break-into the finance department in which several laptops without sensitive data were taken.
Further review indicates that all employees are paying a new "fee" of $20 each paycheck and that money is being siphoned to an offshore bank account. Having this additional information, how do you proceed?
Discussion Questions:
• What actions should you take after the initial break in?
• Should you audit your physical security system?
• Who would/should be notified?
• How would you assess the damages associated with the break in?
• Should find out what credentials may have been stored on the laptop?
• How would you notify your employees of the incident?
a. Should the company compensate the employees?
• How do you contain the incident?
4 pages