As noted in the original evaluation, several areas need to be addressed:
- Climate/culture of the organization
- Employee training for social engineering attacks
- Positive identification of employees when granting role-based access
- Vulnerabilities within and without the network, specifically to sniffers and eavesdropping
- The ease with which the employee changed his pay rate, indicating a single system used for HRS profiles rather than segregated duties and systems
- The PKZIP that was installed only addressed the HRS system, rather than the entire organization
Honestly, the whole environment at this company needs a complete evaluation and overhaul!
Outline the other attacks mentioned in the scenario that were not noticed by the organization.
- Social Engineering
- Sniffing/Eavesdropping
- Unauthorized Privilege Escalation
- Network Penetration
- Spoofing

a. Describe the nature of the attacks not noticed by the organization.
By “the nature of the attacks” I interpret this to mean the source of the attacks, or the skill set required to carry out the attacks. I believe this employee was tenured based on their ability to:
- Hack into the HRS system
- Successfully intercept the email from audit to the other individuals
- Successfully impersonate the individuals the email from audit was sent to
- Successfully identify the company president and other employees whose pay records were modified
- Successfully eliminate evidence of the attack, indicated by two paycheck cycles going by before audit caught the error
- Know which access to acquire in order to modify other payroll records
Taken holistically, this indicates an employee who knew the organization and the company’s network quite well.
This employee knew basic network attack tactics, and the checks and balances that would occur after changing the pay records. The employee must have known that by changing the company president’s pay record, they would eventually be caught. This, to me, indicates that the attack was of a personal nature. This could be either a disgruntled senior IT resource, or another senior employee with intermediate to advanced training in network security.
b. Describe how these additional attacks can be prevented in the future.
I’ll bring this over from the post-event evaluation. Recommendations:
- Immediately provide training for company IT personnel, especially administrators and network security personnel. Training should cover basic system vulnerabilities and remedies. Advanced training should be scheduled for a future date, but no later than 180 days from the date of the incident.
- While IT is undergoing review and training, a network security firm should be contracted and set in place to assess the network and identify vulnerabilities. A penetration test may be in order.
- Hardware should be purchased and installed that will support authentication protocols, perhaps to include implementing smart cards or tokens for employees.
- Role-based access should be implemented, with policies that will ensure positive identification of employees being placed into roles. HRS can ensure that enforcement mechanisms are in place to ensure that policy violations are penalized.
- Applications should be assessed and installed that will encrypt internal emails, such as the PKZIP mentioned in the narrative. Using smart cards and tokens can provide for authenticity of the sender (digital signatures, etc.).
- System flags can be set by IT for HRS that will send alerts to key personnel if there are pay/information changes in the HRS system that are out-of-cycle or unusual.
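As an added illustration of the HRS alert flags recommended above (my own example, not part of the original evaluation or any HRS product), the following Python check reviews a constructed pay-change log and flags self-modification, out-of-cycle edits, large raises with no second approver, and changes to watched records such as the president's; the payroll window, threshold and employee ids are assumed values.

```python
from datetime import datetime

# Assumed policy values (constructed for this example, not from the narrative).
PAYROLL_CYCLE_DAYS = range(1, 4)      # changes are expected only on days 1-3 of the month
MAX_UNREVIEWED_RAISE = 0.15           # raises above 15% require a second approver
SENSITIVE_EMPLOYEES = {"E0001"}       # constructed id standing in for the company president

def review_change(rec):
    """Return the list of alert reasons for one HRS pay-change record (empty if routine)."""
    reasons = []
    when = datetime.fromisoformat(rec["ts"])
    if rec["actor"] == rec["subject"]:
        reasons.append("self-modification (segregation of duties violated)")
    if when.day not in PAYROLL_CYCLE_DAYS:
        reasons.append("out-of-cycle change")
    if rec["old_rate"] > 0:
        delta = (rec["new_rate"] - rec["old_rate"]) / rec["old_rate"]
        if delta > MAX_UNREVIEWED_RAISE:
            reasons.append(f"raise of {delta:.0%} exceeds unreviewed threshold")
    if rec["subject"] in SENSITIVE_EMPLOYEES:
        reasons.append("change to a sensitive employee record")
    if not rec.get("approver"):
        reasons.append("no second approver recorded")
    return reasons

def scan_log(records):
    """Map record id -> reasons for every change that should alert key personnel."""
    alerts = {}
    for rec in records:
        reasons = review_change(rec)
        if reasons:
            alerts[rec["id"]] = reasons
    return alerts

# Constructed sample change log: one routine update, then an employee raising
# his own pay and altering the president's record outside the payroll window.
SAMPLE_LOG = [
    {"id": 1, "ts": "2024-03-02T09:15:00", "actor": "E0450", "subject": "E0712",
     "old_rate": 30.0, "new_rate": 31.5, "approver": "E0200"},
    {"id": 2, "ts": "2024-03-17T23:40:00", "actor": "E0311", "subject": "E0311",
     "old_rate": 28.0, "new_rate": 56.0, "approver": None},
    {"id": 3, "ts": "2024-03-17T23:42:00", "actor": "E0311", "subject": "E0001",
     "old_rate": 120.0, "new_rate": 125.0, "approver": None},
]

if __name__ == "__main__":
    for rid, why in scan_log(SAMPLE_LOG).items():
        print(f"ALERT record {rid}: " + "; ".join(why))
```

In practice the same checks would run against the HRS audit table on each change rather than a static list, and the alert would go to HRS and audit staff rather than to the console.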
This is not an all-inclusive list; it is a basic starting point that can help prevent network-specific vulnerabilities such as the one described in the narrative.

3. Recommend a recovery procedure to restore the computer systems back to their original state prior to such attacks.
According to the narrative, the only changes that were made to the computer system were the modification of payroll records, and unauthorized access was granted to one specific employee who was impersonating other employees.
- HRS can correct the payroll records.
- A system scan can be executed that should identify how the emails were intercepted, by looking for unknown services or IPs.
- The Help Desk can revoke all accesses granted to the employee.
- The Help Desk can revoke accesses granted to the employees who were impersonated.
These steps can be taken as a more precise method of restoring the modified data. If the company is smaller in size, and perhaps if the majority of employees are off for a three-day weekend or holiday, a system restore to a prior iteration could be executed on specific systems/applications. I would not recommend performing a restore on the entire network and its sub-components. This would delete data that will be critical to law enforcement should the company pursue criminal charges against the employee.