Task 2: Postevent Evaluation

Question Description

Competencies


427.1.5 Responding to Attacks and Special Circumstances

The graduate identifies, evaluates, and applies network response procedures for attacks with special circumstances.

427.1.7 Continued Assessments During a Disaster

The graduate assesses needs, threats, and solutions prior to and during a network disaster.

Scenario


An employee hacked into the human resource records system at the employee’s place of business and changed the employee’s base salary rate to obtain a pay raise. The employee did this by spoofing an IP address in order to eavesdrop on the network. Once the employee identified where the data was stored and how to modify it, the employee made the changes and received two paychecks with the new amount.

Fortunately, an auditor happened to discover the error. The auditor sent an e-mail to several individuals within the organization to let them know there was a potential problem with the employee’s paycheck. However, the employee was able to intercept the message and craft fake responses from the individuals the original e-mail was sent to. The employee and the auditor exchanged e-mails back and forth until the employee was soon given access permissions for some other financial records. With this new information, the employee was able to lower the salaries of the president of the company and several other employees and then to include the salary difference in the employee’s own paycheck.

The IT staff determined that the spoofing that occurred that allowed the employee to gain access to the human resources system was caused by a lack of authentication and encryption controls. As such, a local root certificate authority was installed to implement a public key infrastructure (PKI) in which all communication to the human resource system required a certificate. This would encrypt network traffic to and from the human resources system and prevent eavesdropping. It would also properly authenticate the host to prevent spoofing.

Requirements


  1. Perform a postevent evaluation of how the organization’s IT staff responded to the attack described in the scenario by doing the following:
    1. Describe the series of malicious events that led up to the incident.
    2. Identify who needs to be notified based on the type and severity of the incident.
    3. Outline how the incident could be contained.
    4. Discuss how the factor that caused the incident could be eradicated.
    5. Discuss how the system could be recovered to return to normal business practice.
      1. Explain how the system could be verified as operational.
  2. Perform a follow-up of the postevent evaluation by doing the following:
    1. Identify areas that were not addressed by the IT staff’s response to the incident.
    2. Identify the other attacks mentioned in the scenario that were not noticed by the organization.
      1. Describe the type and severity of the attacks not noticed by the organization.
      2. Describe how these additional attacks can be prevented in the future.
    3. Recommend a recovery procedure to restore the computer systems back to a fully operational state.
  3. When you use sources, include all in-text citations and references in APA format.

Rubric


Articulation of Response: Clarity, organization, mechanics

Not Evident

The candidate provides unsatisfactory articulation of response.

Approaching Competency

The candidate provides weak articulation of response.

Competent

The candidate provides adequate articulation of response.

A1: Nature of the Incident

Not Evident

The candidate does not provide an appropriate description of the series of malicious events that led up to the incident.

Approaching Competency

Not applicable.

Competent

The candidate provides an appropriate description of the series of malicious events that led up to the incident.

A2: Notification

Not Evident

The candidate does not accurately identify who needs to be notified based on the type and severity of the incident.

Approaching Competency

Not applicable.

Competent

The candidate accurately identifies who needs to be notified based on the type and severity of the incident.

A3: Containment

Not Evident

The candidate does not outline how the incident could be contained.

Approaching Competency

The candidate outlines, with insufficient detail, how the incident could be contained.

Competent

The candidate outlines, with sufficient detail, how the incident could be contained.

A4: Factor Removal

Not Evident

The candidate does not provide a logical discussion of how the factor that caused the incident could be eradicated.

Approaching Competency

The candidate provides a logical discussion, with insufficient detail, of how the factor that caused the incident could be eradicated.

Competent

The candidate provides a logical discussion, with sufficient detail, of how the factor that caused the incident could be eradicated.

A5: System Restoration

Not Evident

The candidate does not provide a logical discussion of how the system could be recovered to return to normal business practice.

Approaching Competency

The candidate provides a logical discussion, with insufficient detail, of how the system could be recovered to return to normal business practice.

Competent

The candidate provides a logical discussion, with sufficient detail, of how the system could be recovered to return to normal business practice.

A5a: System Verification

Not Evident

The candidate does not provide a logical explanation of how the system could be verified as operational.

Approaching Competency

The candidate provides a logical explanation, with insufficient detail, of how the system could be verified as operational.

Competent

The candidate provides a logical explanation, with sufficient detail, of how the system could be verified as operational.

B1: Unaddressed Areas

Not Evident

The candidate does not accurately identify areas that were not addressed by the IT staff’s response to the incident.

Approaching Competency

Not applicable.

Competent

The candidate accurately identifies areas that were not addressed by the IT staff’s response to the incident.

B2: Other Attacks

Not Evident

The candidate does not accurately identify the other attacks mentioned in the scenario that were not noticed by the organization.

Approaching Competency

Not applicable.

Competent

The candidate accurately identifies the other attacks mentioned in the scenario that were not noticed by the organization.

B2a: Type and Severity of Other Attacks

Not Evident

The candidate does not provide an appropriate description of the type and severity of the attacks not noticed by the organization.

Approaching Competency

The candidate provides an appropriate description, with insufficient detail, of the type and severity of the attacks not noticed by the organization.

Competent

The candidate provides an appropriate description, with sufficient detail, of the type and severity of the attacks not noticed by the organization.

B2b: Prevention

Not Evident

The candidate does not provide an appropriate description of how the additional attacks can be prevented in the future.

Approaching Competency

The candidate provides an appropriate description, with insufficient detail, of how the additional attacks can be prevented in the future.

Competent

The candidate provides an appropriate description, with sufficient detail, of how the additional attacks can be prevented in the future.

B3: Recommendation

Not Evident

The candidate does not provide an appropriate recommendation of a recovery procedure to restore the computer systems back to a fully operational state.

Approaching Competency

The candidate provides an appropriate recommendation, with insufficient support, of a recovery procedure to restore the computer systems back to a fully operational state.

Competent

The candidate provides an appropriate recommendation, with sufficient support, of a recovery procedure to restore the computer systems back to a fully operational state.

C: Sources

Not Evident

The submission does not include both in-text citations and a reference list for sources that are quoted, paraphrased, or summarized.

Approaching Competency

The submission includes in-text citations for sources that are quoted, paraphrased, or summarized and a reference list; however, the citations or reference list is incomplete or inaccurate.

Competent

The submission includes in-text citations for sources that are properly quoted, paraphrased, or summarized and a reference list that accurately identifies the author, date, title, and source location as available. Or the candidate does not use sources.

Task 2–Formatting

Word document or PDF

Suggested length: 8-10 pages, double spaced

Paraphrase: No more than 30% unoriginal work

Turnitin: No more than a combined total of 30% of a submission can be directly quoted or closely paraphrased from sources, even if cited correctly.

APA Format: APA Formatting and Style Guide https://owl.english.purdue.edu/owl/resource/560/01/

Note: When using sources to support ideas and elements in a paper or project, the submission MUST include APA formatted in-text citations with a corresponding reference list for any direct quotes or paraphrasing. It is not necessary to list sources that were consulted if they have not been quoted or paraphrased in the text of the paper or project.

Task 2–Task Technical Details

The purpose of the presentation is to perform a post-event evaluation.

While working on this task, you may feel like you are being asked the same questions multiple times. Be sure to review the rubric for each task prompt to assure you are answering the criteria required for each task prompt.

**Be sure to write your responses tailored around this specific scenario. Responses should not be generalized.

A. Perform a post-event evaluation of how the organization’s IT staff responded to the attack described in the scenario by doing the following:

1. Describe the nature of the incident.

Describe in detail the nature of the incident and the events that occurred to create the incident and during the incident.

You will need to refer back to the scenario to detail all events that led up to the incident, along with the actual incident.

2. Identify who needs to be notified based on the type and severity of the incident.

Please write your responses tailored to the scenario.

Chapter 6 - Operational Risk Management, The Definitive Handbook of Business Continuity Management, Third Edition. Premier Readings

Please review the incident notification section in the following NIST document for assistance: NIST 800-61 Computer Security Incident Handling Guide

3. Outline how the incident could be contained.

Please write your responses tailored to the scenario. Do not confuse containment with mitigation. Please review the containment section in the following NIST document for assistance: NIST 800-61 Computer Security Incident Handling Guide, Section 3.3.1

You will need to discuss containment strategies as reactive measures to the specific incident within the scenario.

4. Discuss how the factor that caused the incident could be removed.

Please write your responses tailored to the scenario.

iPremier Readings

Please review the NIST document for assistance: NIST 800-61 Computer Security Incident Handling Guide

This will depend on your response to A3. Consider discussing defense-in-depth strategy as it relates to the scenario and the points you made for A3.

5. Describe how the system could be restored to normal business practice.

Review the NIST document for assistance by searching the key term “restore”: NIST 800-61 Computer Security Incident Handling Guide

iPremier Readings

Discuss how data, applications, and other services affected by the incident have been returned to normal operations.

a. Explain how the system could be verified as operational.

Discuss the testing methodology you used to verify the systems are operational.

iPremier Readings

B. Perform a follow-up of the post-event evaluation by doing the following:

1. Identify areas that were not addressed by the IT staff’s response to the incident.

As part of the “follow-up” of the post-event evaluation, review the scenario in detail and identify the areas that were not addressed in the response to the incident.

2. Outline the other attacks mentioned in the scenario that were not noticed by the organization.

a. Describe the nature of the attacks not noticed by the organization.

b. Describe how these additional attacks can be prevented in the future.

Discuss the events of the incident that were not noticed by the IT staff’s response to the incident.

Discuss in detail the measures that can be taken to prevent these types of attacks in the future.

3. Recommend a recovery procedure to restore the computer systems back to their original state prior to such attacks.

Please review the recovery section in the following NIST document for assistance: NIST 800-61 Computer Security Incident Handling Guide

Premier Readings

C. When you use sources, include all in-text citations and references in APA format.
