ISOL631 UOTC Security Incident and Operations Security Summary

ISOL631

University of the Cumberlands

Description

Summary:

ABC Company is a manufacturing company that produces new technology that sells online directly to customers and retailers. The system they use is a core transactional Enterprise Resource Planning system called NEDS. NEDS is similar to many core systems that provide integrated applications on a common platform for financials, managing materials, sales distribution, and production planning (similar to Oracle or SAP). NEDS is located in the Netherlands, while ABC Company is located in Florence, Kentucky. On June 15, 2016, James Hurd (ABC’s Global Security Director) was notified that NEDS was burglarized during business hours involving individuals stealing equipment including blackberries, iPhones, laptops and hard drives. Local police were notified and the incident was reported on that date. A police report only included identification of specific hardware that was stolen and several bicycles.

The burglary notification that was mailed was sent to a branch office of ABC Company in Mexico.James Hurd was notified by the Mexico office via email which included an attached electronic version of the burglary notification and police report on June 20, 2016. James Hurd recognized that the incident actually occurred 5 days earlier.

The letter contained the following information about the incident:

  • The incident occurred in the application area that provides custom application development and reporting for the ABC Company.
  • The area that was impacted involved “potential data” used for sales analysis. Data from the ABC Company had been placed on laptops while some diagnostics were being carried out.
  • Compromised data could have included customer or retailer information from 2002-2014 consisting of names, address, bank account data or credit card numbers, SKU product numbers, descriptions, quantities, Purchase Order numbers, and purchase price.

You (your team) are James Hurd and need to respond to this incident by taking action immediately.

You will need to complete the following:

  • Develop an Incident Response Policy for ABC Company that will be used as your reference for your evaluation of this potential data incident (this is an attachment that should be included in your paper and referenced in your presentation).
  • Upon developing ABC Company’s Incident Response Policy, evaluate the incident described above:

  • Summarize the data incident and potential level of risk, include why?
  • Identify the types of data that could potentially be impacted, and what laws/regulations would be violated through non-compliance if this data was breached
  • Develop your action plan to evaluate this data incident (include your rationale for why the steps were necessary)
  • Describe how the Incident Response Policy supported your actions
  • Identify any issues that made the evaluation more difficult
  • Identify areas of future risk mitigation actions should a similar incident occur (look at the gaps or issues with this scenario)
  • Close the incident (NOTE: The outcome of the incident did not surface any major risks or data breach to the company but it took the evaluation to get to this conclusion)

This presentation must be supported by the research paper.

Please note the following criteria:

Research paper:

  • Research Paper must be in APA Style
  • Research Paper must have at least 10-15 references of which 2 must be peer reviewed works/articles (note your book can be included as a reference)
  • Must be at least 10-15 double-spaced pages
  • The Policy will be an Attachment and not count toward the 5 Page requirement
  • Graphs, illustrations and spreadsheets are allowed, but will not count toward the 5 Page requirement

Grading criteria will include the following as this (Residency Activities) represents 60% of your grade:

Presentation will be 100 points and based on the following:

  • Completeness of the Topic (Policy, Processes, Action, Conclusion)
  • Presentation Delivery
  • Alignment of policy

Paper will be 100 points:

  • Meets Standard Criteria
  • Completeness/content
  • Incident Risk Policy as Attachment
  • Logic of Processes and Actions (Thoroughness)
  • Alignment of the Incident Risk Policy components in completing and supporting the evaluation


Explanation & Answer

Attached.

Running head: INCIDENT RESPONSE REPORT

Incident Response Report
Student’s name:
Institutional Affiliation:


Summary of the Incident
On 20th June, 2016, we received a notification from NEDS’ headquarters in Amsterdam
that their facilities had been burglarized, and certain hardware stolen. ABC Company is in business
partnership with NEDS, in which ABC uses NEDS systems for enterprise resource planning
including the management of the lifecycle of technological products, supply and chain
management, processing of sales order, Client Relationship Management, Human resource
Management and Online Sales. NEDS on the other hand provided external system support, and
web-hosting services. This notification was sent to ABC offices in Mexico City via email, and
promptly forwarded to us at the ABC headquarters in Kentucky.
A breach of NEDS systems, which is the backbone of ABC operations, would paralyze the
sensitive operations of the company. This is based on the partnership between these two
companies, where NEDS provides the software and web-hosting services of key enterprise
recourse planning. As such, and in accordance with the company’s Incidence Response Policy, we
sought to determine if the burglary be a potential breach to our systems.
From the details provided by NEDS in their letter, the department, within 3 hours,
determined to what extent the company’s system were exposed. The department gathered that the
following were in danger:
  • NEDS custom application and reporting for ABC Company
  • Sales analysis data
  • The customer and retailer information for the 2002-2004 period could have been compromised. The details that may have been stolen include names, addresses, bank accounts, credit card numbers and purchase orders.
This information is not only sensitive to our customers, and retailers, but to the company
also, especially given that some retailers have not yet cleared the balance on the credit purchases
of ABC goods from the company. Loss or compromise to such data could therefore lead to
financial losses to the company.
Action Plan
Having been satisfied that the potential risks needed to be explored, and based on the
incidence response policy, the following action plan was drawn, adopted and implemented.
Step 1. Gather more information
Call the head of Cybersecurity’s department at NEDS and seek clarification on the following:
1. Any leads on the suspects, and the status of the investigations. There would be no need of proceeding to the next stage in case the suspects have already been apprehended and all the stolen items accounted for. Also, the leads may help the company to determine the motive of the burglars, and any known ties to malicious cyber-attack groups.
2. The types of hard drives and laptops stolen, their nature, their memory space, RAM, and any security features, any recent security updates. This will help the team to determine the relative level of safety of the devices, and whether it is possible that they have already been hacked, now that 5 days have gone since the burglary occurred.
3. The kind of information stored on the hard drives and laptops that were stolen. This will help the team to narrow down on the specific areas of the system that are vulnerable. (Dobran, 2019)
4. The login details of the laptops, and other equipment stolen.

Step 2. Constitution of a Response Team
1. Constitute a 5 member team of cybersecurity experts, request the sales department to provide two representatives, and the legal department 2 representatives. This, according to Bakertility.com (2017), brings together all those affected so as to contribute to a quick solution of the problem.
2. Explain to the team what the problem is, and the nature of the attacks, if any, that may be expected.
3. Also explain to the sales department representatives the kind of information and advice that will be needed from them, that is the weight of the information that may be vulnerable and how it will affect the company’s sales operations. (Olcott, 2017)
4. The legal department representatives will analyze the breach to consider any possible legal suits that could be brought up against the perpetrators and their associates in case there are attacks that severely damage the reputation of the company.
Step 3. Analysis
1. Analyze the information received from NEDS above and determine the most exposed details in the system.
2. Analyze the systems that may be affected, and the extent of any potential damages. ABC Company may be targeted through
   1) DDoS attack
   2) Unauthorized access or attempted access
   3) Theft of data
   4) Deletion of data and supporting systems
3. Rate the severity in case of any attack, working on a worst case scenario. This should be done after gathering all the necessary information regarding the vulnerable parts of the system.
Step 4. Communication to the relevant parties
1. Before embarking on the next steps for containment, write to the affected business sections, warning of a potential breach, and recommend the stopping of certain processes for twelve hours pending a determination of the extent of the exposure. This is preventive, meant to lessen any damage in case of a full blown attack. (Ramsac, 2018)
2. The affected sections, in which operations are to be temporarily suspended, and information backed up, mostly affect sales and custom applications. All the information regarding sales analysis, customers and retailers should be promptly backed up.
3. Also, depending on the analysis done in step three above, the team may recommend that the custom-application system be temporarily taken off-line, for at most 12 hours, or as soon as it is possible to ascertain that the system is safe.
At this point however, it would not be unnecessary to inform any externally affected stakeholders, such as customers and retailers. This is meant to stop unnecessary panic.
Step 5. Containment
The team will embark on the necessary steps towards containment. These are
1. Plugging off from the network the custom-applications, and the relevant sections that contain sales analysis reports, and customer and retailer data
2. Connecting to the network remotely and retrieving any information that is considered to be too sensitive, or too exposed
3. Determine if the data is adequately backed up
4. Change the login details, i.e. usernames and passwords to the system, and immediately notify the users of this change
5. At this point, it would be important to determine if the system is safe. If safe, the disabled parts will be allowed to run, and the communication sent to the relevant parties. If not safe, the team may proceed to the next step. However, access may be allowed, under close supervision, if the system can run despite any interference, or if access to the system is likely to identify the attacker or give more clues about them, in case the attack is underway. (Swinson & Lim, 2015)
6. All the relevant evidence gathered at this point needs to be properly kept, with the help of the legal representatives.
7. Senior management also need to be notified at this point of any status, progress or key decisions
Step 6: Eradication
1. The aim of this step is to completely secure the system, and lock out any potential entry routes that could be used by the attacker. The following steps may be taken, depending on necessity:
2. Eradication of the components of the security breach. This may include deleting user accounts, scanning for any malware, among others
3. Reinforce the network system by improving its defenses to the highest levels necessary
4. The team will need to conduct a thorough vulnerability test to pick out any loopholes, or gaps, that a malicious attacker, or malware, may exploit.
5. The results from the vulnerability report will be needed to determine whether more preventive measures need to be taken.
6. Keep the senior management and any relevant parties apprised of the situation
Step 7. Recovery
At this stage, the team will seek to restore access, and bring all operations to normal by doing the following:
1. Restore the system from back up, change any password, replace any affected files, reinstall necessary security patches and if necessary, rebuild the system
2. Determine if the system was changed, and restore it to where it was
3. Bring back online all the systems that had been taken off-line, and let them resume normal operations
4. Document, in detail, all the information, and the right steps taken
5. Inform the management that everything is okay, and determine the total costs incurred, if any.
Step 7: Post Incident Analysis
This is the point in which everyone needs to be apprised of what happened.
The committee will agree whether a communication needs to be sent out to the affected
stakeholders, and the nature of such information. If yes, the information will need to be detailed
but concise.
The committee, with the advice from legal representatives, and depending on any
reputational damage to the firm, or possible law-suits from those who have been affected, will also
deci...
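As an added illustration of Step 3 of the report above (determining the most exposed details and rating the worst case), the script below inventories which sensitive data classes appear in the company's own copy of a sales-analysis extract of the kind the report says was placed on the stolen laptops. It is not part of the report or the assignment; the CSV column names, the sample rows and the severity tiers are constructed assumptions. Card numbers are confirmed with a Luhn check so that stray digit strings (SKU or PO numbers) are not counted as card data, which is the kind of check a response team wants before rating exposure as high.

```python
"""Breach-scoping helper for Step 3 of the report: inventory the sensitive
fields present in an exported data set so the team can rate worst-case
exposure. Added example, not part of the original report. The extract
format, column names, severity tiers and records are constructed."""
import csv
import io
import re
from collections import Counter

# Constructed sample extract; every value is a fabricated placeholder.
SAMPLE_EXTRACT = """\
customer,year,bank_account,card_number,po_number,sku,qty,price
Alice Example,2003,NL00BANK0123456789,4111111111111111,PO-1001,SKU-9,2,199.00
Bob Example,2010,,5500000000000004,PO-1002,SKU-7,1,49.50
Carol Example,2014,,1234567890123456,PO-1003,SKU-3,5,10.00
Dan Example,2012,GB00BANK9876543210,,PO-1004,SKU-1,1,999.00
"""

CARD_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(number: str) -> bool:
    """Luhn checksum: only digit strings that pass are treated as card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_record(row: dict) -> set:
    """Return the set of sensitive data classes present in one record."""
    classes = set()
    if row.get("customer"):
        classes.add("pii")                  # name (with address in a real extract)
    if row.get("bank_account"):
        classes.add("bank_account")
    card = row.get("card_number") or ""
    if CARD_RE.match(card) and luhn_valid(card):
        classes.add("card_number")          # brings the extract into PCI DSS scope
    return classes


def scope_exposure(extract_text: str) -> dict:
    """Count records per data class and per year, and rate the worst case.

    Tiers (constructed assumption): financial data -> high, names only ->
    medium, nothing sensitive -> low.
    """
    reader = csv.DictReader(io.StringIO(extract_text))
    by_class = Counter()
    financial_by_year = Counter()
    total = 0
    for row in reader:
        total += 1
        classes = classify_record(row)
        by_class.update(classes)
        if classes & {"bank_account", "card_number"}:
            financial_by_year[row["year"]] += 1
    if by_class["card_number"] or by_class["bank_account"]:
        worst = "high"
    elif by_class["pii"]:
        worst = "medium"
    else:
        worst = "low"
    return {
        "records": total,
        "by_class": dict(by_class),
        "financial_by_year": dict(financial_by_year),
        "worst_case": worst,
    }


if __name__ == "__main__":
    print(scope_exposure(SAMPLE_EXTRACT))
```

Run against the real extract the diagnostics team copied to the laptops, the per-year counts tell the team which customers and retailers from the 2002-2014 window are actually affected, and the class inventory tells legal which notification rules apply; Carol's record is deliberately not counted as card data because its number fails the Luhn check.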

