
ITI581 Case Study Information

ITI581 Cybersecurity Fundamentals
Security Incident Case Study Information
The following information is provided to allow you to investigate a specific set of circumstances
around a recent incident in a corporate network and should be used in conjunction with the detailed
information about the cyberattack provided on the next page.
Background
You are an IT Security Consultant who has been engaged by the management team at CricTech, a
wearable technology company, to review their systems after a recent cybersecurity attack.
As part of the terms of your engagement you must perform two key evaluative tasks to help CricTech
improve their cybersecurity profile.
1. Evaluate how best to review the company IT operations and the security environment to
determine how security can be improved (Assessment 1: Case Study Part 1).
2. Evaluate and propose general security best practice approaches that help them to deliver
the improvements you discuss in Assessment 1: Case Study Part 1 (Assessment 2: Case Study
Part 2).
In initial discussions with the management team you have noted the following issues:
1. No documented DR/BCP plan.
2. No formal Incident Response Team, or Incident Response Plan.
3. Insufficient documentation of the current system.
a. A basic network diagram exists and is shown below.
4. No understanding of the normal operating characteristics of the network and IT systems.
5. No established security culture or awareness program.
Details of the recent cyberattack against CricTech.
The adverse impact of the cyberattack on the CricTech network was first noticed late on the Thursday
afternoon four weeks prior to your initial meeting with the management team.
The initial forensic investigation, performed by a well-respected forensic investigator after the attack,
found that the attacker used a brute-force attack to gain access to a decommissioned Windows 2003
server that was still connected to the DMZ segment of the network. The attacker used information
present on this server to gain access to the backup server, also in the DMZ, and, with some
experimentation, gained access to the internal server farm by repurposing the backup software's
communication channels. This approach bypassed the internal-facing firewall because the traffic
appeared to be a legitimate backup communications channel.
Once access to the internal server was gained the attacker was able to elevate their privileges to
Administrator level due to a weak password policy implementation. This then enabled them to install
ransomware on one of the servers in the farm. This server then distributed the ransomware to the
other servers in the farm as well as all connected desktops, laptops and some tablet devices. The
ransomware was a new variant that the forensic investigator had never seen before and encrypted all
data on infected systems although some access to the operating systems was still possible.
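The brute-force entry point described above leaves a signature in failed-logon records long before any ransomware runs. The following is an added example, not code from the original case study, showing how a monitoring script can flag a single source address making many failed logons against one account in a short window, and the related password-spraying pattern (one address trying many accounts once each), which a per-account lockout policy alone would not catch. The record format, addresses, account names and thresholds are constructed for illustration; real Windows Security event 4625 entries carry more fields, but the same sliding-window logic applies.

```python
"""Brute-force and password-spray detection over failed-logon records.

Added example for the CricTech case study; not code from the original document.
Assumed (constructed) record format: '<ISO timestamp> 4625 <user> <source_ip>',
mirroring the key fields of Windows Security event 4625 (failed logon).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, not real data. 203.0.113.7 hammers the
# Administrator account; 10.0.0.45 shows ordinary sporadic failures;
# 198.51.100.9 tries four different accounts once each (spraying).
SAMPLE_LOG = """\
2019-05-02T17:01:03 4625 Administrator 203.0.113.7
2019-05-02T17:01:04 4625 Administrator 203.0.113.7
2019-05-02T17:01:05 4625 Administrator 203.0.113.7
2019-05-02T17:01:06 4625 Administrator 203.0.113.7
2019-05-02T17:01:07 4625 Administrator 203.0.113.7
2019-05-02T17:01:08 4625 Administrator 203.0.113.7
2019-05-02T17:05:00 4625 jsmith 10.0.0.45
2019-05-02T17:45:00 4625 jsmith 10.0.0.45
2019-05-02T18:10:00 4625 alice 198.51.100.9
2019-05-02T18:10:20 4625 bob 198.51.100.9
2019-05-02T18:10:40 4625 carol 198.51.100.9
2019-05-02T18:11:00 4625 dave 198.51.100.9
"""


def parse_log(text):
    """Return a time-ordered list of (timestamp, user, source_ip) from the text.

    Malformed lines and non-4625 events are skipped rather than raising, so a
    noisy export does not abort the whole run.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "4625":
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[2], parts[3]))
    events.sort(key=lambda e: e[0])
    return events


def _sliding_alerts(events, window_seconds, triggered):
    """Generic sliding-window pass: keep the recent events per source IP and
    call triggered(recent_deque) to decide whether that IP should be alerted.
    Returns {source_ip: timestamp_of_first_alert}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    alerts = {}
    for ts, user, ip in events:
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop events outside the window
            q.popleft()
        if ip not in alerts and triggered(q):
            alerts[ip] = ts
    return alerts


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failures in any window."""
    return _sliding_alerts(events, window_seconds, lambda q: len(q) >= threshold)


def detect_spray(events, distinct_users=4, window_seconds=300):
    """Flag source IPs that fail against `distinct_users` or more different
    accounts in any window, even if no single account crosses the
    brute-force threshold."""
    return _sliding_alerts(
        events, window_seconds,
        lambda q: len({user for _, user in q}) >= distinct_users)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for name, found in (("brute force", detect_bruteforce(evs)),
                        ("password spray", detect_spray(evs))):
        for ip, when in found.items():
            print(f"{name}: {ip} first exceeded threshold at {when.isoformat()}")
```

Run against the constructed sample, the brute-force rule fires for 203.0.113.7 on its fifth failure and the spray rule fires for 198.51.100.9 on its fourth distinct account, while the two spaced-out failures from the internal workstation trigger nothing. The same check only helps if the decommissioned DMZ host was still shipping its logs somewhere that is actually watched, which is the "normal operating characteristics" gap noted in the initial discussions.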
Some time ago an IT consultant put in place a cloud-provisioned backup system to perform a nightly
full backup of all servers. A significant problem with this system had been causing backups to fail
for a period of 12 weeks but, unfortunately, this was only discovered after the cyberattack. The
attacker also deleted all backups stored on the backup server located in the DMZ.
Fortunately, on the Monday immediately prior to the attack, as part of transition activities for an
upgrade project for the product database system, a full copy of the product, customer and research
and development databases had been sent to the transition vendor. Although this was much better than
losing 12 weeks' worth of data, 3-4 days of data was completely lost, estimated at approximately
1.5 TB. The company also incurred significant costs in having to reinstall, rebuild and restore the
server farm and desktop operating environments.
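A 12-week silent backup failure is exactly the condition a scheduled staleness check should surface within a day. The following is an added example, not code from the case study, of such a check over a backup-job log: it computes the last successful run per host, compares it with the date the check runs, and reports hosts that are overdue or that have never had a successful backup at all. The job records, host names and thresholds are constructed for illustration.

```python
"""Backup staleness check over a backup-job log.

Added example for the CricTech case study; not code from the original document.
The job records, host names and thresholds are constructed for illustration.
"""
from datetime import date

# Constructed job log, not real data: (job_date, host, status). The nightly
# job for db01 and fs01 starts failing on 11 February and nobody notices;
# rd01 is never backed up at all; web01 keeps succeeding.
SAMPLE_JOBS = [
    ("2019-02-10", "db01", "success"),
    ("2019-02-10", "fs01", "success"),
    ("2019-02-10", "web01", "success"),
    ("2019-02-11", "db01", "failed"),
    ("2019-02-11", "fs01", "failed"),
    ("2019-02-11", "web01", "success"),
    ("2019-04-30", "db01", "failed"),
    ("2019-04-30", "fs01", "failed"),
    ("2019-04-30", "web01", "success"),
    ("2019-05-01", "db01", "failed"),
    ("2019-05-01", "fs01", "failed"),
    ("2019-05-01", "web01", "success"),
]
# Hosts that the backup policy says must be covered every night.
EXPECTED_HOSTS = ["db01", "fs01", "web01", "rd01"]


def last_success(jobs):
    """Map host -> date of the most recent successful job (hosts with no
    success at all are absent from the result)."""
    latest = {}
    for day, host, status in jobs:
        if status != "success":
            continue
        d = date.fromisoformat(day)
        if host not in latest or d > latest[host]:
            latest[host] = d
    return latest


def stale_backups(jobs, expected_hosts, as_of, max_age_days=1):
    """Report hosts whose last good backup is older than max_age_days as of
    `as_of` (ISO date string). The value is days since the last success, or
    None for a host that has never had a successful job. Hosts with a good
    backup inside the window are not reported."""
    latest = last_success(jobs)
    check_date = date.fromisoformat(as_of)
    problems = {}
    for host in expected_hosts:
        if host not in latest:
            problems[host] = None
            continue
        age = (check_date - latest[host]).days
        if age > max_age_days:
            problems[host] = age
    return problems


def format_report(problems):
    """Human-readable lines for an alert email or ticket."""
    lines = []
    for host, age in sorted(problems.items()):
        if age is None:
            lines.append(f"{host}: NEVER backed up successfully")
        else:
            lines.append(f"{host}: last good backup {age} days ago "
                         f"(about {age // 7} weeks)")
    return lines


if __name__ == "__main__":
    report = format_report(stale_backups(SAMPLE_JOBS, EXPECTED_HOSTS, "2019-05-02"))
    print("\n".join(report) if report else "all backups current")
```

Two design points follow from the incident itself. The check is driven by the list of hosts that should be protected, not by whatever appears in the log, so a host that silently drops out of the schedule (rd01 above) is reported rather than ignored. And because the attacker deleted the copies held on the DMZ backup server, the check and the job log it reads should live somewhere the backup server cannot modify, with the report going to a person rather than to the backup system's own console.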
Insurance
The company did not contact their insurer, having declined the additional cybersecurity insurance
offered to them a few weeks prior.
Costs
Analysis showed that having only a local instance of the product, customer and research and
development databases contributed greatly to the $3.5 million restoration cost: the databases could
not be reinstalled without significant input from the database developer and the IT integrator.
Other costs included $105,000 in staff overtime and $10,000 for notifying clients of the attack.
Including forensic investigation costs of $36,000 and some other sundry expenses, the total cost of
the cyberattack was almost $4 million. This represents approximately 2 years' profit based on the
past 10 years of operation.
Timeline
Thursday evening: The attacker gained access to the decommissioned server, followed shortly by access
to the server farm and, within hours, the ransomware infection of all devices. Staff discovered that
all local backups had been deleted and that the cloud-based backup had not been working for months
without any notification to either the cloud service provider or the company.
Friday: After the initial investigation confirmed the scale of the attack, police were contacted and
communications were established with the attacker. A ransom of $1,500,000 was demanded but, on advice
from the police, management decided not to pay it. Subsequent communication with the attacker was not
productive.
Saturday: The company elected to use the images of the databases provided to the transition vendor to
attempt a rebuild of the servers. The company also elected to rebuild all local desktops and laptops
from scratch.
Sunday to Tuesday: Images of the infected servers were made and stored for subsequent investigation.
Server rebuild, desktop rebuild, installation of database software and restore of databases.
Wednesday: Limited access to databases and normal system functions.
Thursday onwards: Back to full operational status. The forensic investigator attended to investigate
based on the logs available on firewalls and network devices and the images made of the infected
servers.
Current: Preventative measures to address the weaknesses in security exposed by the incident.
Network Diagram
The following diagram gives a general overview of the network architecture.