Reference no: EM133233464
Assignment:
Opening Scenario
Osbert Rimorr had released a potent malware attack into the wild. It was simple bad luck that Osbert's worm took over the primary HAL mail server. From there, it quickly infected every system in the company. As the worm copied itself over and over again, the servers at HAL quickly stopped doing their assigned tasks and spent all their resources copying the worm to every computer they could reach.
It was nearing dawn when Susan Carter, the third-shift help-desk supervisor, was informed of the attack, first by the technicians in the network operations center and then by the application support team. Once she heard what was happening, Susan wasted no time. She directed the application support team to shut down the mail server, then she initiated the incident response plan by having the help desk activate the call tree.
Susan called Paul Alexander, the HAL incident commander on call, to advise him of the incident.
Paul answered after taking a sip of his second cup of coffee.
"Good morning. What's up, Susan?" Paul asked.
"We're down," Susan replied. "All systems. All networks. It looks like a worm that just bogs everything down. No data exfiltration that we can see, just a massive denial of service through consumption of system resources, and it's everywhere," Susan said, sounding worried.
"Okay," Paul replied. He opened the cover on his tablet, tapped on the browser, and then on the tab for the dashboard that would show him every system and its current status. "Let me see ..." The screen stayed frozen. "Oh, wait, all networks are down! Okay, start to assemble all the facts you can. I guess the containment options didn't pan out very well; it's time for recovery operations. Work the IR plan with the CSIRT. I'll be at the SOC as soon as I can."
"Okay, we'll start getting what we know together," said Susan.
The IR plan worked as expected and the CSIRT assembled quickly. While the worm was good, HAL's IR team was better. They quickly identified the threat, isolated the malware by severing the connections between infected systems, and disrupted its spread.
System by system, the CSIRT brought each infected computer back up: they isolated it in a controlled environment, wiped the system clean, reinstalled the applications, and restored the available data from backup. Fortunately for HAL, the CISO's insistence on near-real-time data backups paid off. Within two hours, every system had been scrubbed, reset, and returned to service, with only a few hours of lost data. Given that the worm hit almost every system in the company, the loss was negligible.
"We were lucky this time," Susan said, handing Paul his fourth cup of coffee since he arrived. "What's next?"
"I'd rather be lucky than good any day," Paul responded, "but in this case, the team was lucky and good. Next we formalize our recovery, try to figure out how this happened with the incident forensics team, start the after-action processes, and prepare to brief the bosses."
Closing Scenario
After a very long morning, HAL's servers and client systems were fully functional, verified, and back online, with minimal downtime and loss of data. The CSIRT had been able to get a copy of the worm early in the process, for reverse engineering and research purposes. A brief e-mail was sent to explain what had happened and to let everybody know that things were now back to normal.
On the afternoon of the incident, Paul had a meeting with Sheila Wentworth and Jorge Hernandez, both from the legal department. They wanted a briefing on what had occurred in order to assess potential liability issues for the company. After the three of them assembled in the conference room and exchanged pleasantries, Sheila got down to business and started questioning Paul.
"Paul, what in the world happened? I thought we had firewalls in place to prevent stuff like this from attacking our network! How could you let this happen?"
Still keyed up from a long day of responding to the incident, Paul resisted the urge to start yelling at Sheila over the implied accusation. He took a deep breath, composed himself, and said, "Let's begin at the top, shall we?"
Discussion Questions
- Was the CSIRT response appropriate, given the circumstances? On what do you base your position?
- Was Paul being unjustly accused of allowing the incident to happen? On what do you base your position?
- Was there anything else Paul could have done to prevent the incident? On what do you base your position?
Ethical Decision Making
Suppose the forensic investigation at HAL was able to backtrack the worm attack and found that the worm first appeared in the special projects lab at Osbert's university. The team reaches out to the university and is given access to lab-door access records that identify Osbert. Almost at once, they realize that Osbert is a close friend of one of the forensic team members.
- How does the team approach this aspect of the investigation to get the best results and to avoid conflicts of interest?
- Can the team access Osbert's personal devices to examine them? Under what constraints? How might the team accomplish this legally?
- During the investigation and forensic effort in response to the worm outbreak, you are examining a hard drive and find "love letters" between two employees of the organization who are not married to each other. This activity is not illegal, and it is not related to the worm attack.
  - Do you report it in the investigation?
  - Suppose the examiner is friends with the spouse of one of the lovers, and the examiner shows the friend evidence of the affair. Would that be ethical behavior? Why or why not?