
Incident Response & Contingency Planning Case Journal

Incident Response and Contingency Planning Journal


By

Brittany M Gilstrap

ITEC 4341-01

Fall 2011

Macon State College


Journal Entries for Week One 08/22/11 to 08/28/11

Journal Entry One:

There is an incident in which someone on the inside of HAL is trying to get into the e-mail server by using several different accounts, but is failing to do so (Whitman & Mattord, 2007). There are multiple attempts, and even though a proxy is in use and the servers were recently moved into the DMZ, the questions are who is creating such a disturbance, why they are trying to get into the e-mail server, and how they are attempting it (Whitman & Mattord, 2007). This would qualify as a deliberate act of trespass because it is an attempt by an unauthorized employee to gain access to information on the e-mail server (Whitman & Mattord, 2007). Risk identification would plan out this process: the system component being threatened is the e-mail server, which could contain confidential information; depending on how critical that information is, it is an important asset to the company and should be protected (Whitman & Mattord, 2007). The threat identified is internal personnel trying to break into the e-mail server using other people's login information, but failing to get through (Whitman & Mattord, 2007). Lastly, in risk identification, the vulnerable assets are the e-mails on this server, which could potentially be read by prying eyes that are not allowed to see them, possibly exposing critical information about business operations (Whitman & Mattord, 2007). Next is a risk assessment; how the assets on this e-mail server are valued would depend on how critical the information stored there is (Whitman & Mattord, 2007). There is a high likelihood of attack on the vulnerabilities because someone is already trying to get into this e-mail server, and is apparently using others' e-mail accounts to try to break in, but is unable to (Whitman & Mattord, 2007). In the end, there will need to be a decision on risk control to decide what the best route is to protect the server and to protect these accounts (Whitman & Mattord, 2007).

Journal Entry Two:

The first question asks who Paul should invite to this meeting to discuss the incident (Whitman & Mattord, 2007). Obviously Paul will be there himself, along with Amanda, whose account was being used to try to access the e-mail server and who is also Paul's boss (Whitman & Mattord, 2007). Jonathon is the senior systems administrator who recognized the many failed attempts to get through the proxy, and Paul also asked him to bring Tina, the senior network administrator (Whitman & Mattord, 2007). I believe that Richard Xavier, chief operations officer; William Freund, manager of systems; and Roberta Briscoe, manager of corporation security, should be present because the case did ask for senior personnel to be at this meeting, and their fields each give them some insight on what to do and how to approach this incident (Whitman & Mattord, 2007). Richard would be able to provide potential directions to follow in this incident and help plan for recovery afterwards, to better train employees and put policies in place to protect against this kind of incident. William would be able to provide information on the systems within the organization and how such an attempt could have come about. Roberta would be able to provide information on security needs within the organization and would be able to point them in the right direction for protecting the e-mail server from this attack.

Journal Entry Three:

The second question asks what other information Paul and his team can use to track down this incident (Whitman & Mattord, 2007). For Paul and his team to track down this incident, it would be most beneficial to see all the accounts the person was using to try to get into the e-mail server; it would also help to get the IP addresses of all the computers being used in this attack, so that they can possibly identify which employee is making the attack. Also, they could install monitoring software on any computers whose IP addresses show up, so that all user activity on those machines is recorded and they can review what the person does while attacking. They could also find potential giveaways from what the person uses the computer for, such as social networking or personal interests. In this way they may be able to find out who is causing the incident.
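The two Week One entries above come down to two questions: which accounts were tried, and from which addresses. As an added example, not from this journal or from Whitman & Mattord, the Python script below reads a constructed e-mail server log, groups failed logons by the client address behind the proxy (assumed here to be logged in a rip= field), and flags any source that failed against several different accounts. If the proxy hides the client address, the same correlation has to run on the proxy's own logs.

```python
"""Correlate failed e-mail server logons by source address.

Added example for the HAL case: one inside host trying several people's
accounts against the e-mail server and failing every time. The log line
format, field names (rip=, proxy=) and all values below are constructed
for this example; adapt LINE_RE to your own server's log format.
"""
import re
from collections import defaultdict

# Constructed sample log lines, not real data.
SAMPLE_LOG = """\
2011-08-23T08:01:12 mail01 imap-login: auth failed user=amanda rip=10.20.5.41 proxy=10.20.1.9
2011-08-23T08:01:20 mail01 imap-login: auth failed user=jonathon rip=10.20.5.41 proxy=10.20.1.9
2011-08-23T08:01:31 mail01 imap-login: auth failed user=tina rip=10.20.5.41 proxy=10.20.1.9
2011-08-23T08:02:02 mail01 imap-login: auth failed user=paul rip=10.20.5.41 proxy=10.20.1.9
2011-08-23T08:02:15 mail01 imap-login: auth ok user=tina rip=10.20.7.12 proxy=10.20.1.9
2011-08-23T08:03:40 mail01 imap-login: auth failed user=tina rip=10.20.7.12 proxy=10.20.1.9
2011-08-23T08:03:44 mail01 imap-login: auth ok user=tina rip=10.20.7.12 proxy=10.20.1.9
"""

# Assumed log layout: "<timestamp> <host> <service>: auth <failed|ok> user=<u> rip=<ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: auth (?P<result>failed|ok) "
    r"user=(?P<user>\S+) rip=(?P<rip>\S+)"
)


def parse_events(log_text):
    """Yield one dict per line that matches the assumed format; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def failed_accounts_by_source(events):
    """Map each client address (rip) to the set of accounts it failed to log in to."""
    by_src = defaultdict(set)
    for ev in events:
        if ev["result"] == "failed":
            by_src[ev["rip"]].add(ev["user"])
    return by_src


def suspicious_sources(by_src, min_accounts=3):
    """Sources that failed against at least min_accounts distinct accounts.

    A user mistyping their own password hits one account; one host cycling
    through several other people's accounts is the pattern the case describes.
    """
    return {src: sorted(users) for src, users in by_src.items()
            if len(users) >= min_accounts}


def triage_report(log_text, min_accounts=3):
    """Full pipeline: parse, group by source, keep only the suspicious sources."""
    by_src = failed_accounts_by_source(parse_events(log_text))
    return suspicious_sources(by_src, min_accounts)


if __name__ == "__main__":
    for src, users in triage_report(SAMPLE_LOG).items():
        print(f"{src}: failed logons for {len(users)} accounts: {', '.join(users)}")
```

The report gives the meeting both lists the entry asks for: the accounts that were tried and the address they were tried from, while the one-account failures from 10.20.7.12 (an ordinary mistyped password) stay out of it.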

Journal Entries for Week Two 08/29/11 to 09/04/11

Journal Entry One:

There are twelve categories of threats facing information security, and the most recent top threats listed in the Computer Security Institute's Computer Crime and Security Survey fall into most of the twelve categories, but not all (Richardson, 2011). First, acts of human error or failure are accidents by the user such as deleting files on the desktop, deleting files on the server, releasing important information, modifying files, and unauthorized software installations; there were no threats found in the survey for this category (Whitman & Mattord, 2007). Second, compromise of intellectual property consists of piracy, information leaks outside of policy, and violation of copyrighted material (Whitman & Mattord, 2007); from the survey, "insider abuse of internet access or email (pornography, pirated software, etc.)" falls within this category (Richardson, 2011). Third, deliberate acts of trespass consist of unauthorized access to the logical and physical counterparts of an organization (Whitman & Mattord, 2007); from the survey, "theft or unauthorized access to intellectual property/PII/PHI due to mobile device theft/loss and all other causes, password sniffing, system penetration by an outsider, unauthorized access or privilege escalation by insider, exploit of wireless network/DNS server/user's social network profile/client web browser/public facing website" fall within this category (Richardson, 2011). Fourth, deliberate acts of information extortion consist of blackmailing for assets (Whitman & Mattord, 2007); from the survey, "extortion or blackmail associated with threat of attack or release of stolen data" falls within this category (Richardson, 2011). Fifth, deliberate acts of sabotage or vandalism consist of modification or destruction of information or physical assets (Whitman & Mattord, 2007); from the survey, "website defacement and instant messenger abuse" fall within this category (Richardson, 2011). Sixth, deliberate acts of theft consist of stealing assets from an organization (Whitman & Mattord, 2007); from the survey, "financial fraud and laptop or mobile device theft or loss" fall within this category (Richardson, 2011). Seventh, deliberate software attacks consist of phishing, e-mail viruses, viruses, worms, malicious code, DoS, and DDoS; from the survey, "malware infection, bots/zombies within the organization, DoS, and fraudulently represented as sender of phishing messages" fall within this category (Richardson, 2011). Eighth, forces of nature consist of threats from hurricanes, tornadoes, fire, floods, ESD, humidity, dust, mudslides, solar flares, and earthquakes; there were no threats from the survey that would have been listed in this category (Whitman & Mattord, 2007). Ninth, quality of service deviations from service providers consist of power blackouts, surges, spikes, sags, and network outages; there were no threats from the survey that would have been listed in this category (Whitman & Mattord, 2007). Tenth, technical hardware failures or errors consist of device failures or defects; there were no threats from the survey that would have been listed in this category (Whitman & Mattord, 2007). Eleventh, technical software failures or errors consist of bugs or coding problems and trapdoors; there were no threats from the survey that would have been listed in this category (Whitman & Mattord, 2007). Twelfth, technological obsolescence consists of outdated technology; there were no threats from the survey that would have been listed in this category (Whitman & Mattord, 2007).

Journal Entry Two:

Reviewing the 2010-2011 Computer Crime and Security Survey, there is a lot of great information that supports the importance of security against these threats. After the previous threats were established, there are ways that were implemented to prevent or fix these threats, which is the most important thing to do: fix any security problems. The most implemented action taken after a threat was to patch software vulnerabilities; this is very important because security flaws in software can cause major problems and can potentially leave a backdoor open for anyone to get into your system (Richardson, 2011). The next few actions taken after threats were: patched hardware, additional security installed, forensic investigation, awareness training, and policy changes (Richardson, 2011). Two reasons why people did not report these incidents to law enforcement are that they did not believe law enforcement could help, or that the incident was not major enough to need reporting (Richardson, 2011). The top eleven security technologies used for protection, each with over a 50% rating, starting from the highest percentage, are: anti-virus, firewall, anti-spyware, VPN, patch management, encryption of data being transferred, IDS, encryption of data being stored, URL filtering, application firewall, and intrusion prevention system (Richardson, 2011). The top five ways to evaluate security, from most to least used, are: internal audits, automated tools, web monitoring, external audits, and internal penetration testing (Richardson, 2011). These are all important statistics that could help an organization see what areas they may need to focus on to fix their security problems, or how they can measure the protection they're really getting out of their security tools.


Journal Entry Three:

An important matter that organizations should address to better protect themselves from the potential threat of an attack is to do a business impact analysis, which would determine how bad an impact an attack would have on the organization (Whitman & Mattord, 2007). This helps with planning for threats by allowing you to prioritize what would be most important to deal with first over others that may be more of an annoyance than a real threat (Whitman & Mattord, 2007). The first step is to identify threats to the organization and prioritize them; then a business unit analysis determines how different parts of the organization would be affected by threats (Whitman & Mattord, 2007). Next, scenarios should be developed to establish how a threat would be handled in a real situation, listing information such as possible vulnerabilities, the threat agent, activities related to the attack, the assets in trouble, and follow-ups (Whitman & Mattord, 2007). Next, a potential damage assessment should be done; this helps identify the worst, best, and most likely scenarios for an attack, including what would happen, the risk with it, the cost to the organization, and the probability of it spreading (Whitman & Mattord, 2007). Lastly, a subordinate plan classification uses the different plans drawn together to establish the aftermath of a scenario (Whitman & Mattord, 2007).

Journal Entries for Week Three 09/05/11 to 09/11/11

Journal Entry One:

Scripted attacks are not as bad as live attacks because they are set up to do whatever the script says, so they continuously do the same thing over and over. This would be more of an annoyance than anything, but it is a lot worse when a live person is doing the attacks, because they would be after a more rewarding gain like stealing information rather than just being annoying. A live person attempting these attacks would be able to adapt to whatever defenses the organization throws up in their path, which is what was happening in the scenario. They were blocking the ports the attacker was using; if this had been a scripted attack that would have stopped the incident, but it didn't (Whitman & Mattord, 2007). Paul decided to view the network logs and found that the attacker was using a certain range of addresses, so they blocked this range to prevent the attacker from getting into the system (Whitman & Mattord, 2007). It is very important to take incidents like this seriously even when they may not pose a serious threat in the end, because you never know how dangerous one is until something catastrophic happens that could jeopardize important business assets and possibly put the company in some trouble. Never underestimate an attack, no matter how simple it may seem, because it could cost you more than you reckon.

Journal Entry Two:

This live attack was more of an annoyance than a real incident because the attacker was performing the same attack over and over, which eventually led to him being found out and blocked from getting through (Whitman & Mattord, 2007). It would have been more of an incident if he had been hiding his ports so that they wouldn't be found out, if he had used more sophisticated strategies to get through, and if he had used a different range of ports that were not so easily blocked by the range Paul had used (Whitman & Mattord, 2007). Had he used a port scanner to find a weakness in the defenses and used that to exploit the system, I think he would've had better chances of getting through (Whitman & Mattord, 2007). Regardless of whether it is an annoyance or a real incident, both should be treated seriously because you never really know what could happen, and it is better to be overprotective of your assets than to risk them.


Journal Entry Three:

The importance of the chapter that correlates to this case study is how to prepare for, organize, and prevent incidents (Whitman & Mattord, 2007). This is typically done by the security incident response team (SIRT), which "is a set of policies, procedures, technologies, people, and data necessary to prevent, detect, react, and recover from an incident that could potentially damage the organization's information" (Whitman & Mattord, 2007). There are three different ways of making up these SIRTs: a centralized team is one group maintaining the whole organization, a distributed setup is several teams split up across different portions of the organization, and a coordinating team is an advice team that helps the other teams out without managing them (Whitman & Mattord, 2007). The company should probably have a distributed SIRT set up to maintain the different portions of the organization, so that if problems arise in this large company, there are enough teams to handle them (Whitman & Mattord, 2007). These SIRTs should be staffed by inside employees from the IT department; I don't believe that outsourcing is necessary because it does not seem they are suffering too badly to maintain their own incidents (Whitman & Mattord, 2007). Services that are offered by a SIRT include reactive services (alerts/warnings, incident/vulnerability/artifact handling), proactive services (audits, announcements, maintenance, intrusion detection systems, and configuration), and security management (risk analysis, evaluation/certification, business continuity/disaster recovery planning, and training) (Whitman & Mattord, 2007). These are all very important services that will come in handy to better prepare the organization for incidents, and the SIRT will definitely be beneficial to the improvement of incident response and contingency planning (Whitman & Mattord, 2007).


Journal Entries for Week Four 09/12/11 to 09/18/11

Journal Entry One:

This case study concerns a new way to protect the organization from security threats, the job that firewalls, intrusion detection systems, and scanners currently do, since those can be a pretty costly expense for the company because of yearly subscription fees and hardware costs (Whitman & Mattord, 2007). JJ mentioned a better way to save money and protect the company the same way all these technologies do, which he learned from a meeting at another company (Whitman & Mattord, 2007). His approach was to use open source software, which would save a lot of money in the long run but could prove costly up front, because they would either have to hire someone who is trained for this software or send their own employees off for training (Whitman & Mattord, 2007). It is important for companies to try to save as much money as possible because they do have to cover very large costs, but they shouldn't cut money from a very important part of the company, because securing the systems from attacks should be top priority (Whitman & Mattord, 2007). It could prove to be more costly if this newer approach doesn't work as well as they think, because an attack could cost the company its business if it were catastrophic enough and did more damage than could be repaired. Management would need to weigh the option of sticking with what they have, because they know it works, against trading it out for the new open source approach to see if it can cover what the other approach was doing and save them the expected amount of money (Whitman & Mattord, 2007).

Journal Entry Two:

JJ suggested that the intrusion detection system should be changed from network-based to host-based instead; Paul agrees that this is a great idea and asks for technology to be found for this suggestion (Whitman & Mattord, 2007). Easily enough, a host-based intrusion detection system would be the solution because, rather than being placed on the network and monitoring everything over the network (a network-based IDS), it is placed on one host and only monitors what happens on that host (Whitman & Mattord, 2007). A HIDS basically monitors any alterations, deletions, or creations in the system files and system configuration of the host computer (Whitman & Mattord, 2007). "The HIDS triggers an alert or alarm when one of the following changes occurs: file attributes change, new files are created, or existing files are deleted" (Whitman & Mattord, 2007). The HIDS can determine if an attack is going to happen, if it has happened, or if it is going on, and can tell if the attempt was successful; it also keeps its own log file of everything that has happened, to better identify what happened (Whitman & Mattord, 2007). The advantages of implementing a HIDS are that it is specific to the host computer it is on, so it is capable of detecting things on that host that slipped by a NIDS; it is not affected by switched networks; and by comparing audit files to the current files, the HIDS can detect problems (Whitman & Mattord, 2007). The disadvantages of implementing a HIDS are that it takes a lot more managing because it resides on each host rather than on a whole network; it is unable to defend against direct attacks or attacks targeting the operating system; it is only capable of monitoring that one device; it is vulnerable to DoS; it requires large amounts of storage for audit logs; and it reduces the performance of the host computer (Whitman & Mattord, 2007). I think a host-based IDS would be beneficial to implement because it does solely target that host computer, and can protect it better than just a network-wide IDS that could have things slip through if there is a lot of traffic over the network (Whitman & Mattord, 2007). The only reason I would not suggest doing a host-based IDS is that it does require a lot of additional attention to each host with this software, because it isn't watching over the whole network, just whichever devices you decide to install it on, so if problems arise, you may have to go to each computer to determine the problem (Whitman & Mattord, 2007).
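To make the HIDS behaviour described in this entry concrete, here is an added Python example (not from the journal, from Whitman & Mattord, or from any HIDS product) that takes a baseline of file hashes and modes, re-scans, and raises an alert for the changes the quoted passage lists: attributes changed, new files created, existing files deleted, plus changed content. The directory, file names and tampering steps are constructed inside a temporary directory, and the mode check assumes a POSIX file system.

```python
"""Minimal host-based file-integrity check in the style of a HIDS.

Added example: snapshot a tree (sha256, permission bits, size per regular
file), snapshot it again later, and report what changed. Everything below
runs against a constructed temporary directory, not a real /etc.
"""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Record (sha256, mode bits, size) for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and other non-regular entries
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root)
            baseline[rel] = (digest, stat.S_IMODE(st.st_mode), st.st_size)
    return baseline


def compare(baseline, current):
    """Return sorted (kind, path) alerts.

    kinds: 'created', 'deleted', 'content' (hash differs),
    'attributes' (same content, but mode or size differs).
    """
    alerts = []
    for rel in current.keys() - baseline.keys():
        alerts.append(("created", rel))
    for rel in baseline.keys() - current.keys():
        alerts.append(("deleted", rel))
    for rel in baseline.keys() & current.keys():
        old, new = baseline[rel], current[rel]
        if old[0] != new[0]:
            alerts.append(("content", rel))
        elif old[1:] != new[1:]:
            alerts.append(("attributes", rel))
    return sorted(alerts)


def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: baseline a fake etc/, then change it four ways."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        _write(os.path.join(etc, "passwd"), "root:x:0:0:root:/root:/bin/sh\n")
        _write(os.path.join(etc, "hosts"), "127.0.0.1 localhost\n")
        _write(os.path.join(etc, "shadow"), "root:*:15000:0:99999:7:::\n")
        os.chmod(os.path.join(etc, "shadow"), 0o600)
        baseline = snapshot(root)

        # Constructed changes: an added account line, a removed file,
        # a new startup file, and shadow made world-readable (mode only).
        with open(os.path.join(etc, "passwd"), "a") as fh:
            fh.write("extra:x:1001:1001::/home/extra:/bin/sh\n")
        os.remove(os.path.join(etc, "hosts"))
        _write(os.path.join(etc, "rc.local"), "#!/bin/sh\n")
        os.chmod(os.path.join(etc, "shadow"), 0o644)

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"ALERT {kind}: {path}")
```

A real deployment would store the baseline off-host (or signed) and schedule the re-scan, since a baseline file the attacker can rewrite detects nothing.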

Journal Entry Three:

JJ is looking for more information on open source software and training for it, so I found a company that offers both, OpenLogic.com. "OpenLogic provides enterprises with open source support, scanning, provisioning and governance solutions to safely and efficiently leverage open source software. OpenLogic gives enterprises the choice, confidence, and control necessary to mitigate open source risks while maximizing cost savings" (OpenLogic, Inc., 2011). OpenLogic provides open source software packages with support in developer or production options (OpenLogic, Inc., 2011). The developer support is offered with more than 500 Linux packages, but only supports during business hours (five days a week, twelve hours each) with a four-hour response, and can work through phone, email, or online support (OpenLogic, Inc., 2011). The production support is offered with more than 500 Linux packages, supports all day every day with a one-hour response, and can work through phone, email, or online support (OpenLogic, Inc., 2011). For all packages, OpenLogic offers updates for all bugs or security vulnerabilities to keep software up to date and keep your systems protected (OpenLogic, Inc., 2011). One of the great aspects of this open source option is that it does offer training depending on the package; for example, open source build and test tools range from two to ten days per subtopic, and open source clustering lasts three days, but it also offers package training for Apache HTTP server, application frameworks/servers, databases, Java, PHP, and web services (OpenLogic, Inc., 2011). I would recommend this to HAL because it is open source as they wanted, it does focus packages around Linux, it offers training for particular packages, and I think this would be beneficial in their search for open source software (OpenLogic, Inc., 2011).


Journal Entries for Week Five 09/19/11 to 09/25/11

Journal Entry One:

The Fourth Amendment states "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by the Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized" (Whitman & Mattord, 2007). The Fourth Amendment is very important to a company because you never know when a disaster could happen that an employee caused; you have to wonder what the best way to prove it is, and that is through the legal use of search warrants (Whitman & Mattord, 2007).

Journal Entry Two:

The Fourth Amendment may protect against unlawful searches and seizures without a warrant, but there are ways around this: there are seven exceptions to the Fourth Amendment, which include "consent, plain view, exigent circumstance, inventory search, border search, international issues, and search incident to a lawful arrest" (Whitman & Mattord, 2007). The two most prominent exceptions are consent and plain view; consent means that the person of interest allows law enforcement to search their personal belongings without refusal, and plain view means that an item is observable without having to change anything in the environment to have access to it (Whitman & Mattord, 2007). Two problems arise with consent: if consent is given, how much consent is truly given, to search the whole environment or just a small piece of it; and the other is who can actually give consent to search something (Whitman & Mattord, 2007). This relates to the class material because you may need to search an employee's computer, and you need to know the best way to do that, even if you have to rely on one of these exceptions to do it.

Journal Entry Three:

It is rough determining what is pushing past the limit and what isn't, and whether they require a warrant or just probable cause to search someone (Whitman & Mattord, 2007). The 1976 Copyright Act was created to help protect not only physical property but intellectual property as well (Whitman & Mattord, 2007). Though it may be a person's property, if they are at work and decide to store their personal information on a computer leased to them through the company, then they are bound by the policies of the company because it is the company's property (Whitman & Mattord, 2007). The Electronic Communications Privacy Act of 1986 sets out the regulation of wire, electronic, and oral interceptions; this includes disclosure, distribution, possession, confiscation, authorization, and reports of these interceptions (Whitman & Mattord, 2007). The Privacy Protection Act of 1980 states that journalists do not have to forfeit their work to law enforcement until it is published for the public to view (Whitman & Mattord, 2007).

Journal Entries for Week Six 09/26/11 to 10/02/11

Journal Entry One:

Given the anthrax scare the mailroom had, there are other catastrophes that could take place in the mailroom that could cause problems for the company (Whitman & Mattord, 2007). I think the next obvious scare in the mailroom related to the anthrax scare would be a package with a bomb inside, which could cost many lives or even disrupt business for a very long time (Whitman & Mattord, 2007). Another catastrophe that could possibly happen is the mailing of an electronic device such as a jump drive that someone may put in their computer; it starts infecting the system, then the network, putting everything at risk of being compromised (Whitman & Mattord, 2007). Business operations need to be careful in order to protect human lives, but also the company itself, because a catastrophe could put the business out for weeks or months, maybe even forever, depending on how drastic it is (Whitman & Mattord, 2007).

Journal Entry Two:

I believe the most important goal when planning for the resumption of critical business functions at an alternate site for four weeks would be to plan to be back at the primary site as soon as possible, and to take only what is absolutely necessary for work to the alternate site, because it is not a long-term stay (Whitman & Mattord, 2007). If instead it lasted for thirty weeks, I would suggest focusing on maintaining business to the utmost and taking everything that you easily can, so that it is readily available in case you need it (Whitman & Mattord, 2007). With it being such a long time, the business continuity plan would be used to help keep everything flowing smoothly, because it covers business functions for long periods of time and would work concurrently with the disaster recovery plan (Whitman & Mattord, 2007). For devices you are unable to move off-site there is the option of remote journaling, which transfers data from the primary site to the off-site location so that it is still available (Whitman & Mattord, 2007).

Journal Entry Three:

The contingency planning management team (CPMT) is normally involved with setting up alternate sites in the case of a disaster, and they generally focus on the cost that is acceptable for what has happened (Whitman & Mattord, 2007). There are five kinds of site that are capable of supporting a company at an alternate location, and there are three agreements that can also be considered (Whitman & Mattord, 2007). If cost is a big deal, then the CPMT would go with a cold site, which would have a long setup time and does not have hardware or telecommunications (Whitman & Mattord, 2007). If cost isn't too important, then a warm or hot site would be used; a warm site would offer partial hardware and telecommunications with a medium setup time, and a hot site would offer full hardware and telecommunications and a short setup time (Whitman & Mattord, 2007). If cost just doesn't matter at all, then the CPMT could choose to go with mobile or mirrored sites, which are costly; a mobile site is dependent on hardware, telecommunications, and setup time, so it would need to be researched whether they are capable of making this mobile, and a mirrored site would have full hardware and telecommunications with no setup time because it is already set up (Whitman & Mattord, 2007). Three agreements that a company can decide on are timeshare, service bureaus, and mutual agreements, where a company basically signs a contract with another business, and in different manners they offer portions of or full facility space to take in a company that has suffered from a disaster (Whitman & Mattord, 2007). Subject area experts are just that: experts in their particular fields who can decide what is best for their field and what all they will need to make it possible to continue work in their field (Whitman & Mattord, 2007).

Summary:

Some of the most important findings covered in these case studies relate directly to the overall objective of this class: risk management, business impact analysis, the incident response plan, the disaster recovery plan, the business continuity plan, and the threats that make these very important pieces of any business (Whitman & Mattord, 2007).

The main goal of all of this is to protect the confidentiality, integrity, and availability of information in an organization (Whitman & Mattord, 2007). There are twelve threat categories (previously listed in a journal entry) that threaten the CIA of information, and this is the most important asset in the company (Whitman & Mattord, 2007).

Risk management protects the CIA of information by finding the vulnerabilities threatening information systems and setting out a thorough plan to follow for mitigating these risks (Whitman & Mattord, 2007). Risk management uses risk identification, risk control, and risk assessment in handling risks threatening the information systems (Whitman & Mattord, 2007).

A business impact analysis is beneficial in helping assess what different risks can pose to the company's day-to-day business, since one threat may do nothing to disrupt business while another could threaten the livelihood of the business (Whitman & Mattord, 2007). This prioritization of threats helps to identify the worst risk to the company, which should be taken care of before something that is not as risky (Whitman & Mattord, 2007).

The incident response plan is the next step taken when a threat actually attacks an organization; this plan helps to identify what it is and what should be done to manage the threat at the time it is attacking (Whitman & Mattord, 2007). The incident response plan "focuses on intelligence gathering, information analysis, coordinated decision making, and urgent actions" (Whitman & Mattord, 2007). The disaster recovery plan helps with recovering the business from any disaster that strikes, and this can be beneficial in lowering the chances of loss (Whitman & Mattord, 2007).

The disaster recovery plan "focuses on preparations completed before and actions taken after the incident" (Whitman & Mattord, 2007). Lastly, the business continuity plan helps identify ways to continue business at alternate sites for long periods of time until business can run at the primary site (Whitman & Mattord, 2007).

In conclusion, these are all very important pieces in taking care of the business to protect it from threats, and in planning for actions to take if there is a disaster that threatens the livelihood of a company (Whitman & Mattord, 2007).


References

OpenLogic, Inc. (2011). OpenLogic: Helping enterprises use open source software. Retrieved from http://www.openlogic.com/index.php

Richardson, R. (2011). 2010/2011 Computer Crime and Security Survey. New York, NY: Computer Security Institute. Retrieved from http://gocsi.com/survey

Whitman, M. E., & Mattord, H. J. (2007). Principles of Incident Response and Disaster Recovery. Boston, MA: Course Technology, Cengage Learning.