Vous êtes sur la page 1sur 22

INCIDENT SCENARIOS

IT GOVERNANCE

MAY 31, 2018


ESCOM-IPN
GONZÁLEZ HERNÁNDEZ FAVIO EMMANUEL
INCIDENT SCENARIOS

Contents
SCENARIO 1 ......................................................................................................................................... 2
ERRADICATION – SOLUTIONS.......................................................................................................... 3
POST INCIDENT ................................................................................................................................ 3
SCENARIO 2 ......................................................................................................................................... 4
Analysis............................................................................................................................................ 4
Scenario 3: Stolen Documents ............................................................................................................ 6
Scenario ........................................................................................................................................... 6
Analysis............................................................................................................................................ 6
Scenario 6: Unauthorized Access to Payroll Records .......................................................................... 8
Analysis............................................................................................................................................ 8
Erradication - Solutions ................................................................................................................... 9
Post incident.................................................................................................................................. 10
Scenario 7: Disappearing Host .......................................................................................................... 10
Analysis.......................................................................................................................................... 10
Post-Incident ................................................................................................................................. 12
General Questions:........................................................................................................................ 12
Scenario 8: Telecommuting Compromise ......................................................................................... 13
Analysis.......................................................................................................................................... 13
Detection and Analisys .................................................................................................................. 14
Post Incident.................................................................................................................................. 16
Scenario 9: Anonymus Threat ........................................................................................................... 18
Analysis.......................................................................................................................................... 18
Detection and Analysis .................................................................................................................. 18
Post Incident.................................................................................................................................. 19
General Questions ......................................................................................................................... 20

pg. 1
INCIDENT SCENARIOS

SCENARIO 1
Case: Altered DB.
Analysis
Would the organization consider this activity to be an incident?
Yes, an attack is considered an incident
If so, which of the organization’s policies does this activity violate?
If there are sensible information the privacy policies would be violated
What measures are in place to attempt to prevent this type of incident from
occurring or to limit its impact?
Simulating an attack to find vulnerabilities or defects in the system,
employing white hat hackers.
What precursors of the incident, if any, might the organization detect? Would any
precursors cause the organization to take action before the incident occurred?
The IDPMs, can implement an alarm, and the team of IT department can
take measures to reduce the impact.
What indicators of the incident might the organization detect? Which indicators
would cause someone to think that an incident might have occurred?
Traffic Data in the network
Integrity of files
What additional tools might be needed to detect this particular incident?
Use different DB systems or implement a security protocol in the IT
department
How would the incident response team analyze and validate this incident? What
personnel would be involved in the analysis and validation process?
Using security tools certified by the international organizations and validate
incident severity to get better results.
To which people and groups within the organization would the team report the
incident?
For the IT department and project managers.
How would the team prioritize the handling of this incident?
With the impact level that it had, for example, if the system continuing
functioning, or the information isn’t necessary to the system functions.

pg. 2
INCIDENT SCENARIOS

ERRADICATION – SOLUTIONS
What strategy should the organization take to contain the incident? Why is this
strategy preferable to others? And Why?
Using the back-up of the DB, while the original DB is being analyzed,
monitor the event of the system without advice the personnel and in this way
the attacker can be identified
What could happen if the incident were not contained? Did it got
contained/controled?
Can exist a information theft, or continuing the modifies to the DB
Which personnel would be involved in the containment, eradication, and/or recovery
processes?
The response team, or the DB management team, or in an extreme case,
some ethical hackers team
What sources of evidence, if any, should the organization acquire? How would the
evidence be acquired? Where would it be stored? How long should it be retained?
Everything that could had been reported: date, personnel, network flow, if an
extra event has happened, if a data by the attacker was forgotten or put in
the host, and should stay as a report in a document, for a future need

POST INCIDENT
Who would attend the lessons learned meeting regarding this incident?
All the personnel involucrate: managers, DB managers, response team,
executives, ethical hackers team
What could be done to prevent similar incidents from occurring in the future?
Count with a response process and the correct documentation of the
incident, if it happened; and make a simulation, to check if the vulnerability
was closed or controlled
What could be done to improve detection of similar incidents?
Implement software, like firewalls or antivirus, and increment the system
vigilance
What is the future strategy to take?
keep monitored the BD, and implements software to make safely the host

pg. 3
INCIDENT SCENARIOS

SCENARIO 2
What is a worm?
A worm is a program with the capacity of reproduce itself, this program can
travel across the network using bash or shell commands.
Scenario
One week ago, three computers were infected by a worm, it arrives by e-mail
with dangerous links or even attached files.

Analysis
Would the organization consider this activity to be an incident? If so, which of the
organization’s policies does this activity violate?
Yes it is and it would violate the policy in which it talks about not opening e-
mails in the computers of the company
What measures are in place to attempt to prevent this type of incident from
occurring or to limit its impact?

-Have an effective antivirus and that is updating to date.


-Have the Windows firewall activated or the firewall that incorporates our
security application.
-Perform a safe and prudent navigation, trying to avoid pages with dubious
reputation.
-Avoid running files that we do not trust 100%, this includes the attachments
that we receive by email.
-Avoid installing illegal applications or key generators because there are
some legal consequences.
What precursors of the incident, if any, might the organization detect? Would any
precursors cause the organization to take action before the incident occurred?
The personnel who violates security policies, previous computer attacks and
knowledge of computer attacks even outside the company.
What indicators of the incident might the organization detect? Which indicators
would cause someone to think that an incident might have occurred?
Unusual behavior, slowdown and errors in system processes.
What additional tools might be needed to detect this particular incident?
Run routine tests, hire personnel in charge of an immediate response only to
cyber attack.

pg. 4
INCIDENT SCENARIOS

How would the team prioritize the handling of this incident?


By Protecting secret and confidential information, other information, such as
scientific data, about property or the managerial scope, information from
their environment.
And last, but not least, protecting hardware against attack. This includes
protecting against the loss or modification of system files and against
physical damage to the hardware. Damage to the systems can result in a
cost of activity time.
ERRADICATION – SOLUTIONS
What strategy should the organization take to contain the incident? Why is this
strategy preferable to others? And Why?
Keeping up to date with operating systems and all other software patches and
updates will help reduce the risk due to newly discovered vulnerabilities,
because it’s the only way to prevent a future attack.
What could happen if the incident were not contained? Did it got contained/controled
?
The computer equipment would be practically useless and the information
would be lost.
Which personnel would be involved in the containment, eradication, and/or recovery
processes?
Operational and IT staff
What sources of evidence, if any, should the organization acquire? How would the
evidence be acquired? Where would it be stored? How long should it be retained?
Recovery of lost information and system tests, by recovered files, databases,
etc./It can be stored in an indicent file of the organization and it should be
retained at least one year.

pg. 5
INCIDENT SCENARIOS

Scenario 3: Stolen Documents


Scenario
Last week a supervisor discovers that an employee has recently downloaded
thousands of pages of confidential Company billing and financial information, and e-
mailed it to her personal e-mail address. Upon further investigation, the supervisor
discovers that the employee has asked other employees to also send Company
documents to her personal e-mail address.

Analysis
Would the organization consider this activity to be an incident? If so, which of the
organization’s policies does this activity violate?
Yes, it is and it would violate the privacy policy of information security and
even the privacy agreement
What measures are in place to attempt to prevent this type of incident from occurring
or to limit its impact?
Secure the electronics
Do not visit forbidden pages
Do constant psychological tests
What precursors of the incident, if any, might the organization detect? Would any
precursors cause the organization to take action before the incident occurred?
Processes identical to ours in other companies
leakage
Low performance by staff
What indicators of the incident might the organization detect? Which indicators would
cause someone to think that an incident might have occurred?
Unusual behavior, low performance by personnel, smooth information leaks
What additional tools might be needed to detect this particular incident?
Psychological examinations to the personnel
How would the incident response team analyze and validate this incident? What
personnel would be involved in the analysis and validation process?
Analyze where the leakage of information comes from, once detected, if it is
by the staff, apply the corresponding sanction, if it is external, check the
system.

pg. 6
INCIDENT SCENARIOS

To which people and groups within the organization would the team report the
incident?
To all staff to avoid recidivism and also operating staff, even subcontracted
personnel.
How would the team prioritize the handling of this incident?
The staff should review the information that was taken and determine whether
the information was already publically available or whether it contains
Company confidential or trade secret information.
ERRADICATION - SOLUTIONS
What strategy should the organization take to contain the incident? Why is this
strategy preferable to others? And Why?
The Company should involve its internal IT Security department or an
outside IT security/forensic specialist to assess and remedy the data breach
What could happen if the incident were not contained? Did it got contained/controled
?
Which personnel would be involved in the containment, eradication, and/or
recovery processes?
We could lose the trust of our customers, the personnel that can be involved, could
be all the personnel, but specially, subcontrated personnel and operating personnel.
What sources of evidence, if any, should the organization acquire? How would
the evidence be acquired? Where would it be stored? How long should it be
retained?
Leakage of information, evidence can be acquired by tracking the source of the
information leak and the evidence should be recorded for life, so that it remains in
the file of the person who leaked it.
POST INCIDENT
Who would attend the lessons learned meeting regarding this incident?
Operational, IT and management personnel, high management staff
What could be done to prevent similar incidents from occurring in the future?
The common case of information leaks is ‘Whistleblowing’, some
recomendations are:
Listen to the Whistleblower, Do Not Overpromise and Conduct a Fair
Investigation

pg. 7
INCIDENT SCENARIOS

What could be done to improve detection of similar incidents?


The Company should probe the extent of the personal transfers, transfers
from others, and whether the employee has disclosed the documents to third
parties.
What is the future strategy to take?
Analyze similar behaviors and activate prevention alerts every time that this
is repeated

Scenario 6: Unauthorized Access to Payroll Records


On a Wednesday evening, the organization’s physical security team receives a call
from a payroll administrator who saw an unknown person leave her office, run
down the hallway, and exit the building. The administrator had left her workstation
unlocked and unattended for only a few minutes. The payroll program is still logged
in and on the main menu, as it was when she left it, but the administrator notices
that the mouse appears to have been moved. The incident response team has
been asked to acquire evidence related to the incident and to determine what
actions were performed.

Analysis

Would the organization consider this activity to be an incident? If so, which of the
organization’s policies does this activity violate?
Yes, this activity is an incident, the information issues are always a security
problem, in this case, the info of the employees are personal info, so, there
is a big security problem
What measures are in place to attempt to prevent this type of incident from
occurring or to limit its impact?
access control and security cameras
What precursors of the incident, if any, might the organization detect? Would any
precursors cause the organization to take action before the incident occurred?
yes, having a control on the door of the building, having an excellent control
of access the organization can prevent this happening
What indicators of the incident might the organization detect? Which indicators
would cause someone to think that an incident might have occurred?
the mouse evidence shows us that something happen, the question is, what
happen?

pg. 8
INCIDENT SCENARIOS

What additional tools might be needed to detect this particular incident?


the additional tools may be a software and hardware to control access and
security cameras, to have evidence if there is an intruder
How would the incident response team analyze and validate this incident? What
personnel would be involved in the analysis and validation process?
the analysis will content the impact level, calculated using a framework, to
know which will be the priority of the issue
To which people and groups within the organization would the team report the
incident?
if the impact is high, the issue will be showed to the high range of the
organization, if we have low impacto only to the supervisor of the area, and
the administrator involved
How would the team prioritize the handling of this incident?
seen the impact level, and comparing with the other security issues, if this is not t
he only one

Erradication - Solutions
What strategy should the organization take to contain the incident? Why is this
strategy preferable to others? And Why?
The strategy may be the recognition of the impact level to make it priority or
not, after that recognize the people involved, and the data involved, to take
legal action
What could happen if the incident were not contained? Did it got
contained/controled?
if that happen we must see how much it will afect the organization to make a
strategy to to minimize damage as much as possible
Which personnel would be involved in the containment, eradication, and/or
recovery processes?
The risk control team, and the departament involved
What sources of evidence, if any, should the organization acquire? How would the
evidence be acquired? Where would it be stored? How long should it be retained?
the evidence will keep save only if it is useful to an investigation or legal
action, if is useless it must be deleted

pg. 9
INCIDENT SCENARIOS

Post incident
Who would attend the lessons learned meeting regarding this incident?
People that handle information of the organization
What could be done to prevent similar incidents from occurring in the future?
Make conscience of the impact of the bad handeling of info, also restructure
the security protocols
What could be done to improve detection of similar incidents?
Having more security personal, and having a better access control
What is the future strategy to take?
Beef up the access control, make conscience of the culture of blocking
computers if you are not there, and register if any employee is using a
device that is not of him

Scenario 7: Disappearing Host


On a Thursday afternoon, a network intrusion detection sensor records vulnerability
scanning activity directed at internal hosts that is being generated by an internal IP
address. Because the intrusion detection analyst is unaware of any authorized,
scheduled vulnerability scanning activity, she reports the activity to the incident
response team. When the team begins the analysis, it discovers that the activity has
stopped and that there is no longer a host using the IP address.

Analysis
Would the organization consider this activity to be an incident? If so, which of the
organization’s policies does this activity violate?
Yes, because that activity was not scheduled.
What measures are in place to attempt to prevent this type of incident from occurring
or to limit its impact?
Have a plan before notifying the incident team in order to gain time and detect
the activity on time.
What precursors of the incident, if any, might the organization detect? Would any
precursors cause the organization to take action before the incident occurred?
The IDPSs or SIEMs.
No, because these precursors act when the activity is occurring.

pg. 10
INCIDENT SCENARIOS

What indicators of the incident might the organization detect? Which indicators would
cause someone to think that an incident might have occurred?
Unusual behavior, network flows, Information on new vulnerabilities and
exploits
What additional tools might be needed to detect this particular incident?
Create an incident response policy, Select people with appropriate skills for
the incident response team, Host Security, using Incident Databases.
How would the incident response team analyze and validate this incident? What
personnel would be involved in the analysis and validation process?
The activity coming from the host is not being done by anyone authorized.
Person in charge of the monitoring of system anomalies and vulnerabilities

To which people and groups within the organization would the team report the
incident?
To those in charge of monitoring the activity and the area
How would the team prioritize the handling of this incident?
Depending on the information that could be affected in the equipment or
equipment, information Impact of the Incident.
Erradication - Solutions
What strategy should the organization take to contain the incident? Why is
this strategy preferable to others? And Why?
What could happen if the incident were not contained? Did it got contained/controled
?
There could be information leakage, even a spread
Which personnel would be involved in the containment, eradication, and/or recovery
processes?
Network managers
What sources of evidence, if any, should the organization acquire? How would the
evidence be acquired? Where would it be stored? How long should it be retained?
Secure storage facility, removable media.
180 days.

pg. 11
INCIDENT SCENARIOS

Post-Incident
Who would attend the lessons learned meeting regarding this incident?
Those in charge of each area of the organization, in order to facilitate the
process, they would be in charge of transmitting.
What could be done to prevent similar incidents from occurring in the future?
Have a meeting talking about the summary of the problem, the process to
recover the DNS server functionality and problems during the process of
recovery and eradication.
What could be done to improve detection of similar incidents?
The organization needs to be cleverer and think beyond what is actually being
implemented. Having a intelligent monitoring control and security of critical
infrastructure systems using technologies such as artificial intelligence,
machine learning, pattern detection can leave the organization one step
further of detection of incidents.
What is the future strategy to take?
Stays updated, otherwise the strategy must be updated.
Which other vectors are considered to be taken as a major risk?
Improper usage of information.

General Questions:
How many people and organizations got involved in this incident? All the
organization is affected by the attack, the hosts are very important to the org
To which external parties would the team report the incident? When would
each report occur? How would each report be made? What information would
you report or not report, and why? The info that we must report may be only
shared if is necessary, also, only to the people whose interests were involved
What other communications with external parties may occur?
just the necessaries ones
What tools and resources would the team use in handling this incident?
software to control and register the IPs that accesses to system
What aspects of the handling would have been different if the incident had occurred
at a different day and time (on-hours versus off-hours)?
It only means that the attack is from someone that knows a lot of the company

pg. 12
INCIDENT SCENARIOS

It means that the attack is from someone that have abilities to hack, maybe someone
paid by the competence

Scenario 8: Telecommuting Compromise


On a Saturday night, network intrusion detection software records an inbound
connection originating from a watchlist IP address. The intrusion detection analyst
determines that the connection is being made to the organization’s VPN server and
contacts the incident response team. The team reviews the intrusion detection,
firewall, and VPN server logs and identifies the user ID that was authenticated for
the session and the name of the user associated with the user ID.

Analysis
Would the organization consider this activity to be an incident? If so, which of the
organization’s policies does this activity violate?
Yes, due to the fact that the IP adress belongs to a known attacker (beacuse it was
already in the watchlist) so it has to be an attack which is considered as an incident.

What measures are in place to attempt to prevent this type of incident from occurring
or to limit its impact?
User Awareness and Training: Users should be made aware of policies and
procedures regarding appropriate use of networks, systems, and applications.
Applicable lessons learned from previous incidents should also be shared
with users so they can see how their actions could affect the organization.
Improving user awareness regarding incidents should reduce the frequency
of incidents. IT staff should be trained so that they can maintain their
networks, systems, and applications in accordance with the organization’s
security standards.
Network Security. The network perimeter should be configured to deny all
activity that is not expressly permitted. This includes securing all connection
points, such as virtual private networks (VPNs) and dedicated connections to
other organizations.
Host Security. All hosts should be hardened appropriately using standard
configurations. In addition to keeping each host properly patched, hosts
should be configured to follow the principle of least privilege—granting users
only the privileges necessary for performing their authorized tasks. Hosts
should have auditing enabled and should log significant security-related
events. The security of hosts and their configurations should be continuously
monitored.

pg. 13
INCIDENT SCENARIOS

Detection and Analisys


What precursors of the incident, if any, might the organization detect? Would any
precursors cause the organization to take action before the incident occurred?
The IP adress detected by the incident response team was already in the
watchlist, so it has to exist a record associated with that IP, and the record can
be use to take action before the attacker acts.
What indicators of the incident might the organization detect? Which indicators would
cause someone to think that an incident might have occurred?
One of the indicators could posible be people from within the organization,
specifically people who works with the owner od the ID who gave the
authentication to the IP of the attacker. It was posible for someone to notice some
strange behavior and on the other hand maybe a Network flows which is a
particular communication session occurring between hosts. And the last one
could be Operating system, service and application logs that allows you to
monitor what accounts were accessed and what actions were performed.
What additional tools might be needed to detect this particular incident?
IDPS products, which use attack signatures to identify malicious activity; the
signatures must be kept up to date so that the newest attacks can be detected,
also, IDPS software often produces alerts that indicate malicious activity is
occurring.
How would the incident response team analyze and validate this incident? What
personnel would be involved in the analysis and validation process?
The incident response team has already one ID user related to the incident, so,
by verifying the actions executed by this user, it will be very likely to check if the
authentication to the attacker was gave it or not. And the personnel involved in
this process should be the incident response team and the user associated with
the ID user.
To which people and groups within the organization would the team report the
incident?
 CIO
 Local information security officer
 Server owner
 Human resources
It involves various departments because the one who gave the authentication
was an employee, even when the IP address was on the watchlist and it could
be more, depending of what was the last attack realized by the attacker related.
How would the team prioritize the handling of this incident?

pg. 14
INCIDENT SCENARIOS

The attack hasn’t ocurrered yet, so it depends of the record that the team has
related to the attacker, probably is looking for something related to that.
Erradication - Solutions
What strategy should the organization take to contain the incident? Why is this
strategy preferable to others? And Why?
The best way to act in this incident would be redirect the attacker to a sandbox
(a form of containment) so that they can monitor the attacker’s activity to gather
additional evidence. This could be posible because the attack was detected in
time, before the attacker acts.
What could happen if the incident were not contained? Did it got
contained/controled?
The possibilities are a lot, but the most probable cases are
Identity impersonation
Modification and deletion of information
or, as mentioned, something similar to the previous attack related to the attacker.
Which personnel would be involved in the containment, eradication, and/or recovery
processes?
The incident response team
The server owner
The local information security officer

What sources of evidence, if any, should the organization acquire? How would the
evidence be acquired? Where would it be stored? How long should it be retained?

The sources of evidence could be:


Indicators related to the incident
Other incidents related to this incident
Actions taken by all incident handlers on this incident
And if it is possible that the attacker will be prosecuted, evidence may need to be
retained until all legal actions have been completed. Furthermore, evidence that
seems insignificant now may become more important in the future. For example,
if an attacker is able to use knowledge gathered in one attack to perform a more

pg. 15
INCIDENT SCENARIOS

severe attack later, evidence from the first attack may be key to explaining how
the second attack was accomplished, as happened in this case.

Post Incident
Who would attend the lessons learned meeting regarding this incident?
Employees who have access to server authentication and those who control
them.
What could be done to prevent similar incidents from occurring in the future?
The use of IDPS products, which use attack signatures to identify malicious
activity.
What is the future strategy to take?
The future strategy must be based in the information obtained from the actions
that were taken (redirecting the attacker to a sandbox).
General Questions:
How many people and organitazions got involved in this incident?
The persons involved in this incident were the attacker the ID user owner, the
inciden response team,
To which external parties would the team report the incident? When would each
report occur? How would each report be made? What information would you report
or not report, and why?
The information obtained from the first attack and the attempt of attack , the
incident response team should report the incident to the US-CERT (United
States Computer Emergency Readiness Team) beacuse in this way the US-
CERT analyzes the information to identify trends and indicators of attacks
related to the IP address from the watchlist.

What tools and resources would the team use in handling this incident?
The use of IDPS systems and the redirecting the attacker to a sandbox.
What aspects of the handling would have been different if the incident had occurred
at a different day and time (on-hours versus off-hours)?
Probably the attacker would have acted against the company before being
stoped, because the alert would not have been detected in time by the teams
involved.

pg. 16
INCIDENT SCENARIOS

Specific Questions
What should the team’s next step be (e.g., calling the user at home, disabling the
user ID, disconnecting the VPN session)? Why should this step be performed first?
What step should be performed second?
First, the user should be questioned about the intentions of the attack,
because in this way they will be able to act with greater security and reinforce
the points that are necessary to avoid the attack at all costs, and the next step
shoul be disabling the user ID, so the user Will no be able to do that again,
and if it is necessary to dismiss the employee.
How would the handling of this incident differ if the external IP address belonged to
an open proxy?
The handling of this incident should be considered as an action to take
immediately, since basically anyone can access through the open proxy, and
would incur many more people and departments than were previously taken
into account. It would not be necessary to resort to the record first, because
the first action should be to close that access before anything happens.

How would the handling of this incident differ if the ID had been used to initiate VPN
connections from several external IP addresses without the knowledge of the user?
The network intrusion detection software still records an inbound connection
originating from a watchlist IP address, even when the user had no knowledge
of what was happening, so the actions should be the same because the alert
would have reached to the intrusion detection analyst
Suppose that the user installed antivirus software and determined that the Trojan
horse had included a keystroke logger. How would this affect the handling of the
incident? How would this affect the handling of the incident if the user were a system
administrator? How would this affect the handling of the incident if the user were a
high-ranking executive in the organization?
Probably confidential information would be exposed through the capture of
what is entered through the keyboard, so the first action to take, before those
mentioned above, would be the uninstallation of the antivirus and the
disinfection of the computer of any element that puts the process that is going
to be taken against the attacker at risk, since it could detect what are the
measures that are taken to counteract him and evade them.

pg. 17
INCIDENT SCENARIOS

Scenario 9: Anonymus Threat


On a Thursday afternoon, the organization’s physical security team receives a call
from an IT manager, reporting that two of her employees just received anonymous
threats against the organization’s systems. Based on an investigation, the physical
security team believes that the threats should be taken seriously and notifies the
appropriate internal teams, including the incident response team, of the threats.
Case: The attack of the website of the company

Analysis
Would the organization consider this activity to be an incident? If so, which of the
organization’s policies does this activity violate?
Yes, it should be considered as an incident, because there is a threat
involved, which means it will be a possible attack.
What measures are in place to attempt to prevent this type of incident from occurring
or to limit its impact?
The principal solution to limit its impact is to have backups of servers where
the website is hosted and to keep a constant monitoring in purpose to verified
if there isn’t a damaged.

Detection and Analysis


What precursors of the incident, if any, might the organization detect? Would any
precursors cause the organization to take action before the incident occurred?
The threats, since someone who wants to damage the company first wants to
tell them so they know about their action (even anonymously)
What indicators of the incident might the organization detect? Which indicators would
cause someone to think that an incident might have occurred?
For this particular case, the company would realize very quickly, either
because they check it themselves or through customer reports.
What additional tools might be needed to detect this particular incident?
For physical security, have someone to constantly review the page and for logically
or digitally, it could be the same but using software.
How would the incident response team analyze and validate this incident? What
personnel would be involved in the analysis and validation process?
The team could first try to identify if the cause of the problem works for the
same company, knowing that, the solution that can be given to the problem is
different.

pg. 18
INCIDENT SCENARIOS

To which people and groups within the organization would the team report the
incident?
First I think that they should fix the problem and try to raise the page again,
once it is achieved, it will be possible to notify the managers of it, since time
is of the essence to solve these problems.
How would the team prioritize the handling of this incident?
As answered in the question above, the main thing is the management of the
problem in time limit, it must be fast and efficient, in order to have the problem
the shortest time.
Erradication - Solutions
What strategy should the organization take to contain the incident? Why is this
strategy preferable to others? And Why?
It is known that computer crimes exist and will exist forever, since it is a way
of expressing oneself and having less risk of being trapped, the only thing that
can be done is having a team specially dedicated to recover the page when it
is damaged.
What could happen if the incident were not contained? Did it got contained/controled
?
The main thing is to know about the page that is damaged, since it is not the
same one that is pure information to another that is finance.
Which personnel would be involved in the containment, eradication, and/or recovery
processes?
In the three processes should be web developers, since they are those who
know the source code of the page.
What sources of evidence, if any, should the organization acquire? How would the
evidence be acquired? Where would it be stored? How long should it be retained?
They could hire a system to record the screens of the server and in this way
to know what type of errors are displayed and thus discard many possibilities.

Post Incident
Who would attend the lessons learned meeting regarding this incident?
All, since it is something that affects all the advertising of the company, in
addition to its privacy management.

pg. 19
INCIDENT SCENARIOS

What could be done to prevent similar incidents from occurring in the future?
We can avoid it with more security and with copies of servers, so you should
throw many and not just one if you want to damage the website.
What could be done to improve detection of similar incidents?
First, these types of attacks must be viewed in a certain way, and that is an
inversely proportional relationship, to more attacks, less exposed are left as
you learn from each of them.
What is the future strategy to take?
Have a recording system of server screens to keep records of those that may
end up being evidence of the crime.
Which other vectors are considered to be taken as a major risk?
I think that something greater could be the loss of classified information.

General Questions
How many people and organizations got involved in this incident?
Senior management, the IT manager, database providers (with restricted
information), and finally, users that were involved in oder to raising awareness
about information management and training them in this topic.
To which external parties would the team report the incident? When would each
report occur? How would each report be made? What information would you report
or not report, and why? Which measures did you take for this report?
It would be reported in the event of theft of secret and confidential information.
It would be reported to the cyber police. In another situation, it is preferable
not to report this information, as disclosure may put a greater risk to the
already threatened company. Someone with access to the third party's
information could become aware of our issues, because we do not control the
access protocols of the external parties.
What other communications with external parties may occur?
They can be continuously asked for information about the security
mechanisms used by the software (in the case of suppliers). Otherwise,
communication with third parties will be restricted.
What tools and resources would the team use in handling this incident?
The access verification resource will be used, by means of scripts, to identify
access patterns to the company data, and if necessary to identify deviations
from it.

pg. 20
INCIDENT SCENARIOS

What aspects of the handling would have been different if the incident had occurred
at a different day and time (on-hours versus off-hours)?
Since it is an anonymous threat, the actions in this case would have been the
same since it is about preventing an incident and minimizing the risk of
unauthorized access.
What aspects of the handling would have been different if the incident had occurred
at a different physical location (onsite versus offsite)?
In this case it was assumed that the threat was external, but if the anonymous
threat had been detected inside the company, then actions to review access
and communication logs would have been necessary with higher priority. It
should be relatively easy to identify the origin of such an anonymous threat if
it occurred indoors. In the case of the threat that occurs from outside, it is
necessary to investigate the incident, identify the sources of threat, and if
necessary, proceed legally to mitigate it.

pg. 21