Expert answer:Week 8 assignment
Expert answer:Open this item from the Assignments menu to view the rubric and download the attached detailed assignment description.The required template for the Incident Report is provided on the last page of the assignment description file.After submitting your file to Turn It In for originality checking, attach it here and submit for grading.
csia_310_final_project___incident_response_exercise.docx
Unformatted Attachment Preview
CSIA 310: Cybersecurity Processes & Technologies
Final Project: Incident Response Exercise & Report
Your Task
You have been assigned to work incident clean-up as part of the Sifers-Grayson Blue Team. Your
task is to assist in analyzing and documenting the incident described below. The Blue Team has already
created a set of enterprise architecture diagrams (see figures 1-4) to help with your analysis of the
incident and preparation of the incident report as required by the company’s contracts with the federal
government. After completing their penetration tests, the Red Team provided Sifers-Grayson executives
with a diagram showing their analysis of the threat environment and potential weaknesses in the
company’s security posture for the R&D DevOps Lab (see figure 5).
Your Deliverable
Complete and submit the Incident Report form found at the end of this file. Consult the “Notes
to Students” for additional directions regarding completion of the form.
Overview of the Incident
Sifers-Grayson hired a cybersecurity consulting firm to help it meet the security requirements of
a contract with a federal agency. The consulting firm’s Red Team conducted a penetration test and was
able to gain access to the engineering center’s R&D servers by hacking into the enterprise network
through an unprotected network connection (see figure 2). The Red Team proceeded to exfiltrate files
from those servers and managed to steal 100% of the design documents and source code for the AX10
Drone System. The Red Team also reported that it had stolen passwords for 20% of the employee logins
using keylogging software installed on USB keys that were left on the lunch table in the headquarters
building employee lounge (see Figure 3). The Red Team also noted that the Sifers-Grayson employees
were quite friendly and talkative as they opened the RFID controlled doors for the “new folks” on the
engineering staff (who were actually Red Teamers).
The Red Team continued its efforts to penetrate the enterprise and used a stolen login to install
malware over the network onto a workstation connected to a PROM burner in the R&D DevOps lab (See
Figure 3). This malware made its way onto a PROM that was then installed in an AX10-a test vehicle
undergoing flight trials at the Sifers-Grayson test range (See Figures 1 and 4). The malware “phoned
home” to the Red Team over a cellular connection to the R&D center. The Red Team took control of the
test vehicle and flew it from the test range to a safe landing in the parking lot at Sifers-Grayson
headquarters.
Background
Sifers-Grayson is a family owned business headquartered in Grayson County, Kentucky, USA. The
company’s physical address is 1555 Pine Knob Trail, Pine Knob, KY 42721. The president of the company
is Ira John Sifers, III. He is the great-grandson of one of the company’s founders and is also the head of
the engineering department. The chief operating officer is Michael Coles, Jr. who is Ira John’s great
nephew. Mary Beth Sifers is the chief financial officer and also serves as the head of personnel for the
company.
Copyright ©2017 by University of Maryland University College. All Rights Reserved.
CSIA 310: Cybersecurity Processes & Technologies
Recent contracts with the Departments of Defense and Homeland Security have imposed
additional security requirements upon the company and its R&D DevOps and SCADA labs operations.
The company is now required to comply with NIST Special Publication 800-171 Protecting Controlled
Unclassified Information in Nonfederal Information Systems and Organizations. The company must also
comply with provisions of the Defense Federal Acquisition Regulations (DFARS) including section 252204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. These requirements
are designed to ensure that sensitive technical information, provided by the federal government and
stored on computer systems in the Sifers-Grayson R&D DevOps and SCADA labs, is protected from
unauthorized disclosure. This information includes software designs and source code. The contract
requirements also mandate that Sifers-Grayson report cyber incidents to the federal government in a
timely manner.
SCADA Lab
The SCADA lab was originally setup in 1974. It has been upgraded and rehabbed several times
since then. The most recent hardware and software upgrades were completed three years ago after the
lab was hit with a ransomware attack that exploited several Windows XP vulnerabilities. At that time,
the engineering and design workstations were upgraded to Windows 8.1 professional. A second
successful ransomware attack occurred three months ago. The company paid the ransom in both cases
because the lab did not have file backups that it could use to recover the damaged files (in the first case)
and did not have system backups that it could use to rebuild the system hard drives (in the second case).
The SCADA Lab is locked into using Windows 8.1. The planned transition to Windows 10 is on
indefinite hold due to technical problems encountered during previous attempts to modify required
software applications to work under the new version of the operating system. This means that an
incident response and recovery capability for the lab must support the Windows 8.1 operating system
and its utilities.
R&D DevOps Lab
The R&D DevOps Lab was built in 2010 and is used to develop, integrate, test, support, and
maintain software and firmware (software embedded in chips) for the company’s robots, drones, and
non-SCADA industrial control systems product lines. The workstations in this lab are running Windows
10 and are configured to receive security updates per Microsoft’s monthly schedule.
Enterprise IT Operations
The company uses a combination of Windows 10 workstations and laptops as the foundation of
its enterprise IT capabilities. The servers in the data center and the engineering R&D center are built
upon Windows Server 2012.
Copyright ©2017 by University of Maryland University College. All Rights Reserved.
CSIA 310: Cybersecurity Processes & Technologies
Issues Summary:
1. Newly won government contracts now require compliance with DFARS §252.204-7008, 7009,
and 7012
– http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm
– http://www.acq.osd.mil/se/docs/DFARS-guide.pdf
2. Derivative requirements include:
– Implementation of and compliance with NIST SP 800-171 Protecting Controlled
Unclassified Information in Nonfederal Information Systems and Organizations
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
– Compliance with DFARS 252.239-7009 Representation of Use of Cloud Computing and
7010 Cloud Computing Services (see
http://www.acq.osd.mil/dpap/dars/dfars/html/current/252239.htm)
3. Additional Contractual Requirements for Lab Operations include:
– Incident Response per NIST SP-800-61 (Computer Security Incident Handling Guide)
– SCADA Security per NIST SP 800-82 (Guide to Industrial Control Systems Security)
– Software / Systems Development Lifecycle (SDLC) Security per NIST SP 800-64 (Security
Considerations in the System Development Life Cycle)
– Configuration Management per NIST SP 800-128 (Guide for Security-Focused
Configuration Management of Information Systems)
Notes to Students:
1. Your final deliverable should be professionally formatted and should not exceed 10 pages. The
goal is to be clear and concise in your reporting of your analysis of this incident.
2. You may include annotated diagrams if necessary to illustrate your analysis and/or make your
point(s). You may use the figures in this assignment as the foundation for diagrams in your final
report (no citations required).
3. Use the NIST Incident Handling Process (see Table 1) to guide your incident analysis.
4. You may assume that the company has implemented one or more of the IT products that you
recommended in your Case Studies for this course. You may also assume that the company is
using the incident response guidance documents that you wrote for your labs and that the
associated operating systems utilities are in use (e.g. you can assume that system backups are
being made, etc.).
5. DOCUMENT YOUR ASSUMPTIONS about people, processes, and technologies as if they were
fact. But, don’t change any of the factual information provided in the incident report from the
Red Team.
6. Use the incident report form that appears at the end of this file. Copy it to a new MS Word
document. After you perform your incident analysis, fill in the required information, attach the
file to your assignment folder entry, and submit it for grading as your final project.
7. For section 1 of the form, use your own name but provide reasonable but fictitious information
for the remaining fields.
Copyright ©2017 by University of Maryland University College. All Rights Reserved.
CSIA 310: Cybersecurity Processes & Technologies
8. For section 2 of the form, assign IP addresses in the following ranges to any servers,
workstations, or network connections that you need to discuss.
a. R&D Center 10.10.150.0/24
b. Test Range 10.10.148.0/24
c. Corporate Headquarters 10.10.155.0/24
9. For sections 2, 3, and 5, you should use and interpret information provided in this file (Overview,
Background, Issues Summary). You may use a judicious amount of creativity, if necessary, to fill
in any missing information.
10. For section 4 of the form you may provide a fictitious cost estimate based upon $100 per hour
for IT staff to perform “clean-up” activities. Reasonable estimates are probably in the range of
150 to 300 person hours. What’s important is that you document how you arrived at your cost
estimate.
11. Discuss the contract requirements and derivative requirements for cybersecurity at SifersGrayson in 3 to 5 paragraphs under “Section 6 General Comments.”
Words for the Wise …
Do not let “perfection” be a barrier to completing this assignment. It’s more
importation to be on-time and provide SOME analysis in a professional format
than to find and document every single possible vulnerability.
Copyright ©2017 by University of Maryland University College. All Rights Reserved.
CSIA 310: Cybersecurity Processes & Technologies
Figure 1. Overview of Sifers-Grayson Enterprise IT Architecture
Copyright ©2017 by University of Maryland University College. All Rights Reserved.
CSIA 310: Cybersecurity Processes & Technologies
Figure 2. Combined Network and Systems Views:
Sifers-Grayson Headquarters, R&D Center, and Data Center
Copyright ©2017 by University of Maryland University College. All Rights Reserved.
CSIA 310: Cybersecurity Processes & Technologies
Figure 3. Combined Network and Systems View for Sifers-Grayson R&D DevOps Lab
Copyright ©2017 by University of Maryland University College. All Rights Reserved.
CSIA 310: Cybersecurity Processes & Technologies
Figure 4. Combined Communications and Systems Views for Sifers-Grayson Test Range
Copyright ©2017 by University of Maryland University College. All Rights Reserved.
CSIA 310: Cybersecurity Processes & Technologies
Figure 5. Threat Landscape for Sifers-Grayson R&D DevOps Lab
Copyright ©2017 by University of Maryland University College. All Rights Reserved.
CSIA 310: Cybersecurity Processes & Technologies
NIST Incident Handling Checklist by Phase
Detection and Analysis
1.
Determine whether an incident has occurred
1.1
Analyze the precursors and indicators
1.2
Look for correlating information
1.3
Perform research (e.g., search engines, knowledge base)
1.4
As soon as the handler believes an incident has occurred, begin documenting the
investigation and gathering evidence
2.
Prioritize handling the incident based on the relevant factors (functional impact,
information impact, recoverability effort, etc.)
3.
Report the incident to the appropriate internal personnel and external organizations
Containment, Eradication, and Recovery
4.
Acquire, preserve, secure, and document evidence
5.
Contain the incident
6.
Eradicate the incident
6.1
Identify and mitigate all vulnerabilities that were exploited
6.2
Remove malware, inappropriate materials, and other components
6.3
If more affected hosts are discovered (e.g., new malware infections), repeat the
Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then
contain (5) and eradicate (6) the incident for them
7.
Recover from the incident
7.1
Return affected systems to an operationally ready state
7.2
Confirm that the affected systems are functioning normally
7.3
If necessary, implement additional monitoring to look for future related activity
Post-Incident Activity
8.
Create a follow-up report
9.
Hold a lessons learned meeting (mandatory for major incidents, optional otherwise)
Source: NIST SP 800-61r2
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide
(NIST SP 800-62 rev. 2). http://dx.doi.org/10.6028/NIST.SP.800-61r2
Copyright ©2017 by University of Maryland University College. All Rights Reserved.
CSIA 310: Cybersecurity Processes & Technologies
1. Contact Information for the Incident Reporter and Handler
– Name
– Role
– Organizational unit (e.g., agency, department, division, team) and affiliation
– Email address
– Phone number
– Location (e.g., mailing address, office room number)
2. Incident Details
– Status change date/timestamps (including time zone): when the incident started, when the
incident was discovered/detected, when the incident was reported, when the incident was
resolved/ended, etc.
– Physical location of the incident (e.g., city, state)
– Current status of the incident (e.g., ongoing attack)
– Source/cause of the incident (if known), including hostnames and IP addresses
– Description of the incident (e.g., how it was detected, what occurred)
– Description of affected resources (e.g., networks, hosts, applications, data), including systems’
hostnames, IP addresses, and function
– If known, incident category, vectors of attack associated with the incident, and indicators
related to the incident (traffic patterns, registry keys, etc.)
– Prioritization factors (functional impact, information impact, recoverability, etc.)
– Mitigating factors (e.g., stolen laptop containing sensitive data was using full disk encryption)
– Response actions performed (e.g., shut off host, disconnected host from network)
– Other organizations contacted (e.g., software vendor)
3. Cause of the Incident (e.g., misconfigured application, unpatched host)
4. Cost of the Incident
5. Business Impact of the Incident
6. General Comments
Copyright ©2017 by University of Maryland University College. All Rights Reserved.
…
Purchase answer to see full
attachment
How it works
- Paste your instructions in the instructions box. You can also attach an instructions file
- Select the writer category, deadline, education level and review the instructions
- Make a payment for the order to be assignment to a writer
- Download the paper after the writer uploads it
Will the writer plagiarize my essay?
You will get a plagiarism-free paper and you can get an originality report upon request.
Is this service safe?
All the personal information is confidential and we have 100% safe payment methods. We also guarantee good grades