Project 4 Start Here
Transcript
You have been hired by Greiblock Credit Union (GCU), a $5 billion financial services firm as a cybersecurity consultant. Based on your forensic expertise, they have contracted with you to develop a comprehensive incident response and business continuity plan for their organization.
There are four steps to this project. Your deliverable to GCU will consist of reviewing and synthesizing the analysis described in Steps 1–3 and, in Step 4, concluding by developing techniques that your manager, Yvonne, can share with the organization to ensure preparedness to handle any future network intrusions.
When you submit your project, your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.
- 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
- 1.2: Develop coherent paragraphs or points so that each is internally unified and so that each functions as part of the whole document or presentation.
- 1.3: Provide sufficient, correctly cited support that substantiates the writer’s ideas.
- 1.4: Tailor communications to the audience.
- 1.5: Use sentence structure appropriate to the task, message and audience.
- 1.6: Follow conventions of Standard Written English.
- 1.7: Create neat and professional looking documents appropriate for the project or presentation.
- 2.1: Identify and clearly explain the issue, question, or problem under critical consideration.
- 2.2: Locate and access sufficient information to investigate the issue or problem.
- 2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
- 2.4: Consider and analyze information in context to the issue or problem.
- 2.5: Develop well-reasoned ideas, conclusions or decisions, checking them against relevant criteria and benchmarks.
- 5.2: Utilize Project Management principles in an investigation.
- 5.3: Demonstrate the appropriate use of multiple digital forensic tools and techniques for imaging.
- 5.5: Apply risk management principles to an investigation.
- 6.1: Perform report creation, affidavit creation, and preparation to testify.
- 6.2: Demonstrate ability to investigate mobile technology.
- 6.3: Use forensic tools for investigation of multimedia technologies.
- 6.4: Demonstrate the ability to gather file system evidence.
- 6.5: Demonstrate the ability to perform forensic examination of the Windows Registry.
- 6.6: Perform malware analysis.
- 6.7: Access encrypted data or process data and systems that have been subjected to anti-forensics techniques.
- 6.9: Employ ethics throughout the forensic investigation process.
- 8.1: Employ ethics when planning and conducting forensic investigations, and when testifying in court.
- 8.2: Incorporate international issues including culture and foreign language to plans for investigations.
- 8.3: Create technical documentation associated with forensic investigations.
- 8.4: Explain the professional credentials, including certification, important for an expert witness in digital forensics.
- 8.5: Incorporate Human Factors/Psychology.
- 9.7: Evaluate Embedded Computers.
Now that you have an idea of the task ahead, click on Step 1 to get started.
Step 1: Define Relevant Organizational Policies and Procedures
It is important for all organizations to have a solid set of cybersecurity policies, procedures, and metrics in place related to cybersecurity.
In this step, you will write a set of standards, policies, and guidelines for Greiblock Credit Union (GCU) to address the following areas:
- dynamic vulnerability assessment
- intrusion detection and prevention (IDS/IPS) systems
- incident response
Policy components should include the critical aspects of each area in measurable terms, as well as the role various technologies play in executing the policy and procedure strategy.
Use the Organizational Policies and Procedures template to submit your work to Yvonne (your instructor), who will distribute it to GCU for feedback.
In the next step, you will further develop the policies and procedures by adding a readiness response plan to describe how the organization will forensically investigate a security breach in the future.
Step 2: Write a Response Readiness Plan
Yvonne reports that the GCU Board of Directors was impressed with the ideas for policies and procedures you developed in the previous step. They have requested that you proceed with preparing a response readiness plan to help them implement more effective security practices within their organization.
The goal of this plan is to provide a detailed investigation project plan for the organization to follow so that they are prepared to conduct a digital forensic investigation in the event of a security breach. Forensic readiness plans must address the requirements for forensically investigating a security breach while balancing the need for business continuity and rapid return to normalcy within the organization.
Reference and incorporate the lab analysis conducted in Project 1 for this course as you develop these plans. Recall from your previous work on network analysis that you used Wireshark to analyze PCAP files to investigate network protocols associated with a network attack. Justification for the policies and procedures you recommend should start from the network forensics analysis you submitted for Project 1.
While conducting the digital forensics for the security breach, packet analysis was used to acquire information on the incident and to determine whether the investigation may require you to analyze other types of media, including audio, pictures, and videos. Mobile device forensics, file system forensics, visual analysis forensics, and/or cloud GIS forensics may also be required.
The scope of areas to be addressed in this forensic readiness plan will be determined by the analysis completed on forensic data relevant to the attack; the process of identifying the attacker, compromised server, and service; the exploited vulnerability; and the data that was breached. Compromises can originate from a variety of sources, including malware, hacking, and insider activity. Responders often have little information about an incident at the outset, so a methodical, patterned approach that includes looking for artifacts in likely locations can help build a more complete picture of what has occurred. This approach can also determine the direction the response takes, which individuals to involve, and the urgency of the effort.
Your response readiness plan should discuss the major systems within the organization, such as materials requirements planning, distribution, finance, and intellectual property/document management. Outline a forensic investigative response approach for suspected security breaches of or unauthorized access to each of those four major systems, as well as steps to take in the event of a catastrophic failure of each system. Response approaches should involve people, equipment, tools/technologies, and other considerations.
Include a priority classification for the various aspects of the systems involved in the breach or failure, as well as a sequenced staging plan for when and how systems will be brought back online as part of the business continuity effort. Identify key forensic artifacts, evidence handling and preservation, chain of custody procedures, and techniques for preparing for court and potential legal action. The strategies for handling digital artifacts must ensure evidence is preserved in a state that supports proper attribution of the security breach or catastrophic failure.
Use the Response Readiness Plan template to write your plan and submit it with the dropbox below so Yvonne (your instructor) can pass it along to the GCU representative for review.
In the next step, you will continue your work to create a forensic response and investigation plan to educate the GCU board of directors on malware and provide recommendations for hardening the GCU infrastructure.
Submission for Project 4: Write a Response Readiness Plan
Step 3: Write a Forensic Response and Investigation Plan
The GCU board has reviewed your response readiness plan and heard reports from business managers on the impacts of a network attack.
Based on the information you provided, the managers of the GCU branches identified the consequences from the recent network attack, including the stoppage of workflow and ability to meet customer requests, a stoppage in communications (e-mail and web requests), and the loss of business credibility and public confidence. They are concerned that legal expenses may be incurred as part of the damage mitigation for this incident. Alarmed at the magnitude of these impacts, the board of directors asks you to report on how this attack may have happened, so the organization can do everything within its power to prevent similar attacks in the future.
The use of computers and electronic devices to aid in the commission of crimes has seen explosive year-over-year growth. The risk/reward potential for criminals in this environment is high compared to many other types of crimes. One tool of choice for criminals is malware, whether for theft of personal information, computing resources, or other forms of mischief. Most organizations cease their effort once they have removed a malware threat or removed an infection. The trend in malware is toward memory-resident payloads, often with little or no footprint beyond active memory, creating a complex situation where a minor slip-up can ruin any chance at proper analysis. Obtaining malware artifacts from the wild is an elite skill that very few people possess, particularly when it is memory-based.
Malware forensics uses digital forensic tools and techniques, including imaging programs to analyze compromised resources, the application of imaging and verification procedures to user accounts, and e-mail forensics and encryption forensics to answer key questions. Organizations that outsource the storage of large volumes of data may require cloud/GIS forensics and/or analysis of third-party applications when bring-your-own-device (BYOD) practices are in effect.
The forensic response and investigation plan should apply best practices in digital forensics to guide the GCU leadership in effectively responding to a future incident. Your goal in constructing this plan is to go much further than your original analysis and explain in detail how to perform a full malware analysis of the incident.
Use the Forensic Response and Investigation Plan template to draft your report, and submit it in the dropbox below so Yvonne (your instructor) can pass it along to the client for review. Then go to the next step: submitting the final incident response and a business continuity plan to the client.
Submission for Project 4: Write a Forensic Response and Investigation Plan
Step 4: Submit the Final Incident Response and Business Continuity Plan
In previous steps, you’ve provided the GCU executives with useful information and recommendations to improve their cybersecurity. Now it’s time to synthesize your three reports into a final comprehensive plan that supports incident response and business continuity.
Whereas the purpose of an incident response plan is to detail how the organization will identify, detect, mitigate, respond to, and recover from cyberincidents, the goal of a business continuity plan is to document the procedures that will be used to keep a business operational to the extent possible during a time of crisis—that is, to provide continuity of service so the organization can return to normal as quickly as possible.
Now you will prepare a written report that analyzes how to preserve as much information as possible for the incident response team while minimizing adverse effects on business continuity efforts. If the crisis was the result of some sort of cyberincident, the business continuity efforts should incorporate the needs of the incident response team in a complementary fashion. The goals of incident response may be somewhat counter to that, as determining the cause of an incident can delay business continuity efforts.
To develop your plan, refer to the GCU Incident Response and Business Continuity Plan Requirements to learn about your client’s specific needs. The plan should flow smoothly as you discuss network and malware attacks, best practices in digital forensics, rules of evidence, search and seizure, a detailed investigation project plan, and business effectiveness in the face of threat vectors.
Use the Final Incident Response and Business Continuity Plan template to create your final deliverable for the client. Then submit it into the Assignment folder for Project 4: Final Incident Response and Business Continuity Plan.
Before you submit your assignment, review the competencies listed at the start of this project, which your instructor will use to evaluate your work. A good practice is to use each competency as a self-check to confirm you have incorporated all of them in your work.
Submission for Project 4: Submit the Final Incident Response and Business Continuity Plan
Please use Google Chrome to access the lab environment at Vdi.umuc.edu (under Lab).
Fundamentals of an Incident Response Plan
Posted Feb 15, 2020 12:00 AM
Cyber threats such as ransomware, DDoS, and data thefts are continuing to evolve and become harder to detect every day. According to the Gemalto Breach Index Report, in the first half of 2017 there were 918 breaches in comparison to 815 breaches for the whole year of 2016. Cyber incidents are increasing at an alarming rate. It is not a matter of whether you will be breached but when you will be breached. Will you be prepared when that cyber breach happens? Does an incident response plan exist in your organization?
WHAT IS AN INCIDENT RESPONSE PLAN?
An incident response (IR) plan is a set of written documents that provide instructions on what needs to happen when there is a confirmed cyber incident. Incident response plans may differ for each organization, but they traditionally carry the same elements. A computer security incident response team (CSIRT) must be created to follow the instructions within the incident response plan. A CSIRT can consist of members of these departments: IT, Security, Legal, Marketing, and Upper Management. In many cases, the CSIRT can include an outsourced forensic investigation firm.
REQUIREMENTS FOR AN INCIDENT RESPONSE PLAN
There are six necessary steps and requirements that must be included in an incident response plan according to the SANS Institute:
• Preparation: This phase prepares IT staff on how to handle potential cyber incidents in the event one does occur.
• Identification: This phase determines when an event is a security incident.
• Containment: If a security event has been determined, containment is required to limit the damage and to isolate the infected system to prevent additional damage.
• Eradication: Once the incident has been identified, contained, evidence collected, and cause determined, the security threat needs to be eradicated from the system.
• Recovery: After the system has been cleaned of the threat, the system must be put back into production.
• Post Mortem: A post-mortem analysis needs to be completed documenting the incident, conducting an analysis of the incident, and learning from the incident to improve future incident response.
These six basic steps are just the fundamentals of any incident response plan. Each incident response plan can vary per organization and can contain more or fewer instructions. To improve on this IR plan, it is recommended that a communication phase should be included. Depending on the severity of the security incident, upper management, legal team, and stakeholders will need to be notified. The communication phase should come right after the identification phase. The severity of a security incident will determine whether further escalation is warranted, but at the very least, there is some form of communication to members of the CSIRT keeping them apprised of the situation.
BUSINESS CONTINUITY INCLUSION
Many organizations have a business continuity plan that deals with traditional threats such as man-made or natural disasters. As cyber threats continue to threaten businesses, should we consider having cyber threats be included in a business continuity plan? Data breaches might not threaten a business operation, but Denial of Service attacks and Ransomware have the potential to shut down the business. In the past year alone, Ransomware has shut down hospitals and the shipping giant Maersk, costing them hundreds of millions of dollars. Business continuity plans should be augmented to include a business impact analysis on cyber threats and add in the incident response plan. The incident response plan and business continuity plan will complement each other in addressing cyber incidents. Not all cyber incidents will trigger the need to activate a business continuity plan but at the very least, having it available will prepare a company in the event a cyber incident does affect its business operations.
If your organization already has an incident response plan, I recommend reviewing it and updating it to make sure the information is up to date. If your organization does not have an incident response plan, you should start work on creating it. You never know when you may need it but having one available will help your organization through a cyber crisis. You do not want to be scrambling to figure things out when that happens.
Project 4 Step 1
Posted Feb 8, 2020 12:00 AM
Project 4 – Let us define Policies and Procedures and what the assignment is asking –
The assignment is asking you to create 3 different sets of Policy and Procedures – in this case for:
- dynamic vulnerability assessment
- intrusion detection and prevention (IDS/IPS) systems
- incident response
What’s the difference between policies and procedures?
Policies and procedures go hand-in-hand to clarify what your organization wants to do and how to do it.
Policies
Policies are clear, simple statements of how your organization intends to conduct its services, actions or business. They provide a set of guiding principles to help with decision making.
Policies don’t need to be long or complicated – a couple of sentences may be all you need for each policy area.
Procedures
Procedures describe how each policy will be put into action in your organization. Each procedure should outline:
- Who will do what
- What steps they need to take
- Which forms or documents to use
Procedures might just be a few bullet points or instructions. Sometimes they work well as forms, checklists, instructions or flowcharts.
Policies and their accompanying procedures will vary between workplaces because they reflect the values, approaches, and commitments of a specific organization and its culture. But they share the same role in guiding your organization.
Each Policy needs to have the following:
- Overview – An explanation of why the policy is important
- Purpose – What is the goal of the policy?
- Scope – Who has to obey the policy
- Policy – The policy itself
- Enforcement (or Compliance) – How will the policy be enforced? What happens when you don’t follow the policy?
- Metrics – Measurement of whether the policy is effective or not
Procedure (A Separate Document)
A procedure is a stand-alone document showing how to implement the policy. What does the reader/employee have to do to accomplish what is set out in the policy? The procedure should reference the policy it is supporting.
Attached are two examples – a policy example and a procedure example.
password_construction_guidelines.pdf
ProcedureExample.pdf