Saturday, September 2, 2017

Information Gathering

What information about University systems is sensitive?
a. The University holds a great deal of vital information in its systems: records about users, students, and vendors that could be sold for money, and confidential research projects whose theft could cost the University millions. Information about future plans and where the University intends to expand is also sensitive; if it falls into a competitor's hands, the competitor can act on it first and gain the upper hand.
What data would be useful to aggressors?
a. The data most useful to an attacker is information about the infrastructure the University runs: server inventories, hardware details, and user account information. With it an attacker can map the network, spot likely vulnerabilities, penetrate the infrastructure, and siphon information out of the University. Once inside, they can plant backdoors that give them access to systems whenever they need it later.
Of that data, what data can be protected?
a. Any of this data can be protected if the budget allows the corresponding weaknesses to be addressed. Sensitive data on the network should be encrypted, so that an attacker who does get in cannot simply read it and may give up rather than attempt to break the encryption; this is the first layer in keeping the data private and internal. The next step is to keep all systems patched and up to date so that few easily exploited vulnerabilities remain, building a barrier around the network. The University specifically wants to protect employee records, student records, and special project information.
How can you prevent social engineering?
a. The best way to prevent social engineering is regular user training. Training gives employees a better understanding of why they must be careful in conversations with people who ask for information. It should also cover how attackers try to steal information by email: show users examples of phishing messages and how to examine them to decide whether a message is authentic, for instance by checking whether the sender's address really belongs to the claimed organization, where the links actually point, and whether the message pressures them to act immediately.
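The header and link checks described above, as an added example that is not code from the original post. Both messages are constructed for illustration; example.edu, examp1e-edu.com and mailbox-verify.net are placeholder domains, the list of pressure phrases and the two-indicator threshold are this example's own assumptions, and OUR_DOMAIN is an assumed value for the organization being trained.

```python
"""Heuristic phishing indicators for the training walkthrough above.

Added example, not code from the original post. Both messages are
constructed; the domains are placeholders and OUR_DOMAIN is an assumption.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organization's own mail domain.
OUR_DOMAIN = "example.edu"

# Constructed phishing message: the display name claims to be the help desk,
# but the address, Reply-To and link target all point elsewhere.
PHISH_RAW = """\
Return-Path: <bounce@examp1e-edu.com>
From: "Example University IT Help Desk" <helpdesk@examp1e-edu.com>
Reply-To: <collect@mailbox-verify.net>
To: student@example.edu
Subject: URGENT: Your account will be suspended in 24 hours

Your mailbox is over quota. Verify your password immediately at
http://example.edu.mailbox-verify.net/login or your account will be
suspended.
"""

# Constructed legitimate message for comparison.
LEGIT_RAW = """\
Return-Path: <helpdesk@example.edu>
From: "IT Help Desk" <helpdesk@example.edu>
To: student@example.edu
Subject: Scheduled maintenance this weekend

The learning portal will be offline Saturday 02:00-04:00.
See https://status.example.edu for updates.
"""

# Phrases that pressure the reader into acting without thinking (assumed list).
PRESSURE_WORDS = ("urgent", "immediately", "suspended", "verify your password")

# Digits commonly substituted for letters in lookalike domain names.
_CONFUSABLES = str.maketrans("013", "ole")


def domain_of(header):
    """Domain part of an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(header or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def registrable(host):
    """Crude registrable domain: the last two labels (status.example.edu -> example.edu)."""
    return ".".join(host.lower().split(".")[-2:])


def is_lookalike(host, target=OUR_DOMAIN):
    """True if host is not under target but imitates its name, either by
    digit-for-letter swaps (examp1e) or by burying the brand in a subdomain
    of some other registrable domain (example.edu.mailbox-verify.net)."""
    if not host or registrable(host) == target:
        return False
    brand = target.split(".")[0]
    return brand in host.lower().translate(_CONFUSABLES).replace("-", "")


def analyze(raw):
    """Return the list of phishing indicators found in one raw message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    # Bounce and reply addresses that do not match the visible sender.
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    if is_lookalike(from_dom):
        findings.append(f"From domain {from_dom} imitates {OUR_DOMAIN}")
    body = msg.get_payload()  # plain-text body; the samples are not multipart
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        if is_lookalike(host):
            findings.append(f"link host {host} imitates {OUR_DOMAIN}")
    text = f"{msg['Subject'] or ''} {body}".lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


def looks_like_phishing(raw):
    """Two or more independent indicators is the threshold assumed here."""
    return len(analyze(raw)) >= 2


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_RAW), ("legit", LEGIT_RAW)):
        print(label, looks_like_phishing(raw), analyze(raw))
```

The point for trainees is that no single check is conclusive: a legitimate bulk mailer may also have a Return-Path on another domain, and an urgent subject line alone proves nothing. It is the combination of a sender domain that merely resembles the real one, a reply address somewhere else, and a link whose real host is not the University's that marks the message as fake.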

Many organizations learn how to respond to security incidents only after suffering an attack. By then the incident has often become far more costly than it needed to be. Proper incident response should be an integral part of any overall security policy and risk mitigation strategy.

There are clear, direct benefits to responding well to security incidents. Forming a security incident response team with explicitly defined member roles is a must, as is defining a security incident response plan.
To successfully respond to incidents, you need to:
·         Minimize the number and severity of security incidents.
·         Assemble the core Computer Security Incident Response Team (CSIRT).
·         Define an incident response plan.
·         Contain the damage and minimize risks.

Minimizing the Number and Severity of Security Incidents
  • Clearly establish and enforce all policies and procedures.
  • Gain management support for security policies and incident handling.
  • Routinely assess vulnerabilities in your environment. Assessments should be done by a security specialist with the appropriate clearance to perform these actions.
  • Routinely check all computer systems and network devices to ensure that they have all of the latest patches installed.
  • Establish security training programs for both IT staff and end users; the inexperienced user is the largest vulnerability in any system.
  • Post security banners that remind users of their responsibilities and restrictions, along with a warning of potential prosecution for violation. These banners make it easier to collect evidence and prosecute attackers.
  • Develop, implement, and enforce a policy requiring strong passwords.
  • Routinely monitor and analyze network traffic and system performance.
  • Routinely check all logs and logging mechanisms, including operating system event logs, application-specific logs and intrusion detection system logs.
  • Verify the backup and restore procedures. The administrator should know where backups are kept, who can access them, and the procedures for data restoration and system recovery.
  • Create a Computer Security Incident Response Team (CSIRT) to deal with security incidents.
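What "routinely check all logs" looks like in practice, as an added example that is not code from the original post. The log lines are constructed in OpenSSH/syslog style (host names, user names and IP addresses are placeholders), and the threshold of five failures in five minutes is an assumption that a site would tune to its own baseline. The check singles out the case a reviewer most needs to notice: a burst of failed logins from one address followed by a successful login from the same address.

```python
"""Routine review of sshd authentication logs.

Added example, not code from the original post. SAMPLE_LOG is constructed;
the addresses, hosts and users are placeholders and the thresholds are
assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a password-guessing run from 203.0.113.9 that ends in
# a successful login, plus ordinary activity from two other addresses.
SAMPLE_LOG = """\
Sep  2 09:14:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 50111 ssh2
Sep  2 09:14:03 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 50112 ssh2
Sep  2 09:14:05 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 50113 ssh2
Sep  2 09:14:08 web01 sshd[2212]: Failed password for root from 203.0.113.9 port 50114 ssh2
Sep  2 09:14:10 web01 sshd[2213]: Failed password for root from 203.0.113.9 port 50115 ssh2
Sep  2 09:14:12 web01 sshd[2214]: Failed password for jdoe from 203.0.113.9 port 50116 ssh2
Sep  2 09:14:15 web01 sshd[2215]: Accepted password for jdoe from 203.0.113.9 port 50117 ssh2
Sep  2 09:20:44 web01 sshd[2300]: Failed password for jdoe from 198.51.100.4 port 40200 ssh2
Sep  2 09:21:02 web01 sshd[2301]: Accepted publickey for jdoe from 198.51.100.4 port 40201 ssh2
Sep  2 10:05:00 web01 sshd[2400]: Failed password for root from 192.0.2.77 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Assumed thresholds: five failures from one address inside five minutes.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def parse(text, year=2017):
    """Turn sshd auth lines into (time, result, user, ip) tuples, in file order.
    Syslog timestamps omit the year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        stamp = " ".join(m["ts"].split())  # collapse the space-padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_bruteforce(events):
    """One alert per source IP that reaches FAIL_THRESHOLD failures inside
    WINDOW. If an Accepted login from the same IP follows the burst, the
    alert names that user: a guessed password, not just background noise."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[1] == "Failed"]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f[0] - first[0] <= WINDOW]
            if len(burst) < FAIL_THRESHOLD:
                continue
            last = burst[-1][0]
            success = next((e for e in evs if e[1] == "Accepted" and e[0] >= last), None)
            alerts.append({
                "ip": ip,
                "failures": len(burst),
                "first_seen": burst[0][0],
                "users": sorted({f[2] for f in burst}),
                "compromised_user": success[2] if success else None,
            })
            break  # one alert per address is enough for a daily review
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the single failure from 198.51.100.4 and the lone root attempt from 192.0.2.77 stay below the threshold, while 203.0.113.9 produces one alert listing the three account names it tried and jdoe as the account whose password was eventually accepted. That last field is what turns a routine log check into the start of an incident: the CSIRT should treat jdoe's account as compromised rather than merely blocking the source address.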
Assembling the Core Computer Security Incident Response Team
Assembling a team before an incident occurs is very important to your organization and will positively influence how incidents are handled. A successful team will:
  • Monitor systems for security breaches.
  • Serve as a central communication point, both to receive reports of security incidents and to disseminate vital information to appropriate entities about the incident.
  • Document and catalog security incidents.
  • Promote security awareness within the company to help prevent incidents from occurring in your organization.
  • Support system and network auditing through processes such as vulnerability assessment and penetration testing.
  • Learn about new vulnerabilities and attack strategies employed by attackers.
  • Research new software patches.
  • Analyze and develop new technologies for minimizing security vulnerabilities and risks.
  • Continually hone and update current systems and procedures.
Defining an Incident Response Plan
All members of your IT environment should be aware of what to do in the event of an incident. The CSIRT will perform most actions in response to an incident, but all levels of the IT staff should be aware of how to report incidents internally. End users should report suspicious activity to the IT staff directly or through a help desk rather than directly to the CSIRT.
To implement a successful incident response plan, you should:
  • Make an initial assessment.
  • Communicate the incident.
  • Contain the damage and minimize the risk.
  • Identify the type and severity of the compromise.
  • Protect evidence.
  • Notify external agencies if appropriate.
  • Recover systems.
  • Compile and organize incident documentation.
  • Assess incident damage and cost.
  • Review the response and update policies.
These steps are not purely sequential; several of them continue throughout the incident. Documentation, for example, starts at the very beginning and continues through the entire life cycle of the incident, and communication likewise happens throughout.
Containing the Damage and Minimizing the Risks
By acting quickly to reduce the actual and potential effects of an attack, you can make the difference between a minor incident and a major one. The exact response will depend on your organization and the nature of the attack that you face. However, the following priorities are suggested as a starting point:
  1. Protect human life and people's safety. This should, of course, always be your first priority.
  2. Protect classified and sensitive data. As part of your planning for incident response, you should clearly define which data is classified and which is sensitive. This will enable you to prioritize your responses in protecting the data.
  3. Protect other data, including proprietary, scientific, and managerial data. Other data in your environment might still be of great value. You should act to protect the most valuable data first before moving on to other, less useful, data.
  4. Protect hardware and software against attack. This includes protecting against loss or alteration of system files and physical damage to hardware. Damage to systems can result in costly downtime.
  5. Minimize disruption of computing resources (including processes). Although uptime is very important in most environments, keeping systems up during an attack might result in greater problems later on. For this reason, minimizing disruption of computing resources should generally be a relatively low priority.
There are a number of measures you can take to contain the damage and minimize the risk to your environment. At a minimum, you should: