An auditor happened to discover an error in the human resources system that allowed an employee to hack into the company's human resources record system, change their base salary rate, and receive a pay raise on two paychecks. The employee was able to eavesdrop on the network using an IP spoofing technique to hijack a trusted host on the network and hide their identity in the process. This technique allowed the hijacker to steal and alter sensitive data such as payroll records.
The employee also monitored the email traffic about the incident and used a man-in-the-middle attack to intercept the auditor's email to several individuals at the company explaining what had happened. During the man-in-the-middle attack, he was able to impersonate the individuals the auditor had emailed and obtain additional access to the financial records from the auditor. With the new permissions from the auditor, the employee was able to lower the salaries of the company president and several other employees and transfer the difference into his own paycheck.
Once the incident was discovered, the auditor should have followed the incident response plan and informed the incident response team of the breach in person or on a conference call with all the team members, to minimize additional loss or theft of information. This would have given the response team time to start the investigation and obtain enough information to determine an appropriate response to the incident. Using either of these two methods could have prevented the man-in-the-middle attack the hacker used to intercept and impersonate the other company employees and gain additional access to the financial records.
As members of the incident response team, the network manager and his staff will test the LAN using man-in-the-middle (MITM) attack tools such as Packet Creator, Ettercap, Dsniff or Cain & Abel to determine the magnitude of the intrusion and begin containment, investigating the incident and collecting all the data. Also part of the incident response team, the HR manager and the Controller will follow the incident response plan to determine what financial and personal information changed in the payroll system, and will notify the legal department and senior management with accurate information from the report.
The legal department, as part of the incident response team, will advise senior management on whether law enforcement should be notified of the criminal act on the company network and systems. If required, the public affairs office will handle all communication with the media according to the incident response plan and policies. Using MITM attack tools such as Packet Creator, Ettercap, Dsniff or Cain & Abel, the IT department will isolate, where possible, the part of the network where the breach occurred, to reduce any further damage and to preserve forensic evidence on the HR systems and financial records with images or backup files.
The IT staff will collect the affected systems' log entries and save them as forensic evidence for the investigation against the hacker. The account of the employee who carried out the hack will be disabled. Passwords on the HR and financial systems the employee accessed during the incident will be reset. Anti-virus and anti-malware programs on all computers and servers will scan for viruses or malware, and the systems will be updated with the latest OS patches and security fixes to close any exploited vulnerability.
Using stronger encryption protocols on the network between clients and servers will encrypt all data exchanged between them. The IT staff will implement a root certificate authority as part of a public key infrastructure (PKI) in which all communication with the HR system requires a certificate. This will encrypt network traffic to and from the HR system to prevent future eavesdropping or man-in-the-middle attacks.
This will also properly authenticate the host to prevent spoofing; this type of digital certificate provides verification during authentication. All computers and servers on the network must have the latest OS security patches and virus/malware definitions, and must be scanned. The IT department will deploy intrusion detection software on the LAN to check for vulnerabilities in the network. After finding the corrupted files and saving the evidence for the legal department, the IT staff will change the root password on the HR system before allowing user access and putting it back into production.
If possible, the IT staff will restore the files using shadow copies on the HR file system, which hold copies of all file changes, or from the nightly backup. The data from the live systems will be backed up to the test server environment, where continual testing is performed to determine whether any new issues are discovered. After the data has been verified and signed off by the incident response team, the company can resume live operations. The HR department and the financial department will verify the data and inform the incident response team of their findings.
Before allowing others access to the system, the IT staff will perform a system backup and verification, then move that tape or file replication to an external device. Once the incident response team has checked off the system restoration as operational and verified, the system will come back online. Once users are allowed access to the HR system, they will be prompted to reset their password when logging on. Nightly backups will resume as usual on the server to ensure the data is backed up.
The area not addressed by the IT staff was social engineering and following the incident response plan, which provides the procedures employees should follow when addressing an incident like this. The auditor should not have used email to communicate with the several individuals, because a man-in-the-middle attack could occur. Instead, a phone call should have been placed to the incident response team to explain what was found and to request that the company implement its incident response plan.
The auditor should be trained about social engineering methods, because he gave additional access to the hacker through email communications. The company will need to retrain all employees about the social engineering methods hackers use to gain the information they need to do further damage to systems, and about the importance of following the incident response plan to the fullest. The other attacks mentioned in the scenario but not noticed by the organization were social engineering and the man-in-the-middle attack.
The hacker was able to intercept the email communication between the auditor and several individuals and create fake responses to the auditor until he gained additional permissions to the financial records systems using the man-in-the-middle attack. Social engineering allowed the hacker to persuade the auditor to grant him permissions to the financial records he did not originally have, by impersonating the other individuals; this in turn let him lower the salaries of the company president and several other employees.
Because the email system did not include any authentication protocol, the hacker was able to send the fake emails to the auditor. The nature of social engineering is to persuade another individual to give out information they should not have access to. IP spoofing allowed the hacker to intercept the email communication from the auditor to other individuals in the company and create fake email responses to avoid being caught.
Again, impersonating the other employees allowed him to gain further access to the financial system, change the salaries of the president and other employees, and transfer the money into his account. The way to prevent future attacks like social engineering is through training. All employees will be required to take a social engineering course, and the HR department will document every employee's training regardless of their position in the company. The company will also provide email training on how to determine whether someone is trying to use social engineering on an employee to gain information they should not have.
During the training, the company's procedures and policies will address what can happen when these policies are violated. The company could consider using a honeypot server, which would host a fake email server and other application servers, so that a hacker will think they are on the live systems but will really be on fake systems, with alarms set up to inform the IT staff of any intrusion. To prevent spoofing, the IT staff can set up email authentication using a signed and secure email message format.
This method allows the sender to sign the message and encrypt it with the receiver's public key. The receiver uses the sender's public key to verify the message and his or her own private key to decrypt it. The recovery procedures to restore the computer systems to their original state prior to the attack will require the administrators to restore systems to normal operation, confirm that the systems are functioning normally, and (if applicable) remediate vulnerabilities to prevent similar incidents.
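The signed-and-encrypted email exchange described above, as an added example in Go that is not part of the original essay: the sender signs with their private key and encrypts with the receiver's public key, the receiver decrypts with their own private key and verifies with the sender's public key, and a reply forged by an impostor who does not hold the sender's private key decrypts but fails verification. The key names (auditor, controller, intruder), the sample messages and the SealedMail/Seal/Open helpers are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SealedMail is what crosses the network: the ciphertext plus the sender's
// signature over the plaintext. Type and helper names are this example's own.
type SealedMail struct{ Ciphertext, Signature []byte }
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Seal: sign with the sender's private key (RSA-PSS/SHA-256), then encrypt with the recipient's public key (RSA-OAEP).
func Seal(msg []byte, sender *rsa.PrivateKey, to *rsa.PublicKey) (SealedMail, error) {
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, h[:], nil)
	if err != nil {
		return SealedMail{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil)
	return SealedMail{Ciphertext: ct, Signature: sig}, err
}

// Open decrypts with the recipient's private key and verifies the signature against
// the claimed sender's public key; a forged reply decrypts but fails verification.
func Open(m SealedMail, me *rsa.PrivateKey, from *rsa.PublicKey) (string, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, me, m.Ciphertext, nil)
	if err != nil {
		return "", err
	}
	h := sha256.Sum256(msg)
	if rsa.VerifyPSS(from, crypto.SHA256, h[:], m.Signature, nil) != nil {
		return "", fmt.Errorf("signature does not match claimed sender: possible impersonation")
	}
	return string(msg), nil
}

func main() {
	auditor, _ := NewKey()
	controller, _ := NewKey()
	intruder, _ := NewKey() // impostor who does not hold the auditor's private key
	genuine, _ := Seal([]byte("Payroll records were altered; join the conference bridge."), auditor, &controller.PublicKey)
	fmt.Println(Open(genuine, controller, &auditor.PublicKey)) // plaintext, <nil>
	forged, _ := Seal([]byte("Please grant me access to the financial records."), intruder, &controller.PublicKey)
	fmt.Println(Open(forged, controller, &auditor.PublicKey)) // "", signature error
}
```

The receiver must look up the sender's public key from a trusted directory or certificate, not from the message itself, or an impostor could simply ship their own key alongside the forged reply.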
Recovery may involve such actions as restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, and tightening network perimeter security (e.g., firewall rulesets, boundary router access control lists). Higher levels of system logging or network monitoring are often part of the recovery process. Once a resource is successfully attacked, it is often attacked again, or other resources within the organization are attacked in a similar manner.
Eradication and recovery should be done in a phased approach so that remediation steps are prioritized. For large-scale incidents, recovery may take months; the intent of the early phases should be to increase the overall security with relatively quick (days to weeks) high value changes to prevent future incidents. The later phases should focus on longer-term changes (e.g., infrastructure changes) and ongoing work to keep the enterprise as secure as possible (Cichonski, Millar, Grance, & Scarfone, 2012, p. 37).