
Running head: CYBERSECURITY INCIDENT REPORT FORM

Sifers-Grayson Cybersecurity Incident Report Form

Adam R. Stoker

CSIA 310

University of Maryland Global Campus

September 15th, 2020



SIFERS-GRAYSON CYBERSECURITY INCIDENT REPORT FORM


1. Contact Information for the Incident Reporter and Handler
– Adam R. Stoker
– Cybersecurity Analyst
– Nofsinger Consulting, LLC
– adam.stoker@nofsinger.com
– 066-806-7431
– 1890 Star Shoot Pkwy
Ste 170 Box 1982
Lexington, KY 40509
2. Incident Details
– Status change date/timestamps (including time zone): when the incident started, when
the incident was discovered/detected, when the incident was reported, when the incident
was resolved/ended, etc.
– Physical location of the incident: 1555 Pine Knob Trail, Pine Knob, KY 42721
– Current status of the incident: The incident has ended.
– Source/cause of the incident: unauthorized access to the R&D servers by an unknown
hostname and IP address.
– Description of the incident: Attackers gained access to both the network and the facility, stole
passwords, login credentials, and files, and installed malware. The incident went undetected by Sifers-
Grayson staff.
– Description of affected resources: The R&D servers (IP 10.10.135.3 and 10.10.135.4) were
compromised and 100% of the design documents and source code for the AX10 Drone
System were stolen. The programming workstation (IP 10.10.135.10) was used to install
malware onto an AX10-a test vehicle, and that test vehicle (IP 10.10.145.8) was stolen from the
test range.
– If known, incident category, vectors of attack associated with the incident, and
indicators related to the incident: Attackers hacked into the enterprise network through an
unprotected network connection, gained access to the facility through social engineering,
and planted USB keys with malware installed.
– Prioritization factors: The loss of the source code for the drone system and of the AX10-a test
vehicle was the primary impact. The test vehicle may be recovered, but the documents
and source code have already been exposed.
– Mitigating factors: There is a single firewall but it was unable to detect the intrusion.
There are two system administrators responsible for the Data Center.

– Response actions performed: There was no effective incident response (e.g., shutting
off affected hosts or disconnecting them from the network) because Sifers-Grayson lacks a
centralized team for handling network incidents and computer security incidents.
– Other organizations contacted: No other organizations were contacted.

3. Cause of the Incident: The single firewall does not provide adequate protection and was
misconfigured. Because there was no intrusion detection or anti-malware software, the
unauthorized USB keys were not blocked and the malware was not detected. Employees were
careless with physical access security.

4. Cost of the Incident: The loss of the drone system source code and test equipment cost
Sifers-Grayson $1.2 million in research and development costs and lost potential
contracts. The recovery effort to scan all devices, reimage affected workstations, and
restore servers from backups will take approximately 274 person-hours at $100 per hour,
totaling $27,400.

5. Business Impact of the Incident: The financial loss resulting from the incident would be
significant. Business operations would be halted or severely limited during the attack and
recovery. If news of the successful attack, and of the company's negligence in allowing it, were to
spread, the reputation of Sifers-Grayson would be negatively impacted.

6. General Comments:

Sifers-Grayson's customer base is made up of manufacturing firms, utility companies, the
U.S. Department of Defense, and the U.S. Department of Homeland Security. The
government contracts require compliance with DFARS 252.204-7008, 7009, and 7012.
The derivative requirements include DFARS requirements for cloud computing and NIST
guidance for incident response, SCADA security, software/system development lifecycle
security, and configuration management.
