A. Introduction
This vulnerability and its exploitation within the Psinuvia network were discovered through additional scanning
and analysis of the network, including deeper scans that are not normally performed during routine network
monitoring and analysis. The Psinuvia Board of Directors requested this work because of recent media attention
to reports of similar exploits against other businesses across the county and their associated internet
presence.
B. Scan Summary
Scan results yielded numerous vulnerabilities on several systems within the Psinuvia network. The host that
was compromised is assigned IP address 172.20.1.131; a total of 106 vulnerabilities were found on this
system, with 4 rated “Serious” and another 32 rated “High”.
Additional analysis and evaluation of the scan data uncovered a compromise of the above-mentioned host through
its unpatched Apache web server, using a combination of SQL injection and cross-site scripting attacks.
Also observed were several potential attacks on the host 172.20.1.129, which runs SSH and a second Apache web
server. The Alarms report notes several brute-force attempts against the SSH service; numerous other attacks
were directed at this host, bringing the total number of attacks to 3,690. Additional analysis is needed to
determine the extent of the intrusion into this host.
Basic Assessment
C. Detailed Analysis
1. Performed an NMAP scan of the internal network to identify open ports, and the services reachable
through those open ports, across all devices on the network.
2. Performed a vulnerability scan with AlienVault OSSIM.
3. Identified vulnerabilities on several machines on the network, the most severe being on the host at
172.20.1.131.
4. Retrieved an Alarms report, also from AlienVault OSSIM.
5. Identified the most exploited vulnerability on the network – SQL injection attempts.
6. Combined the information from all applicable scans to determine that the host at 172.20.1.131 was
indeed the target, and victim, of exploitation due to its outdated PHP instance and outdated Apache HTTP
server instance. These out-of-date services lack the most current security fixes, leaving them open to
active exploitation.
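Steps 4 through 6 above amount to pulling the raw events behind the alarms and counting which attack class and which source address dominate. The following script is an added illustration of that triage, not part of the report or of AlienVault OSSIM: it parses Apache combined-format access log lines, URL-decodes each request, flags requests matching a small set of illustrative SQL injection and cross-site scripting signatures, and separately counts failed SSH logins per source to surface brute-force attempts. The log lines, IP addresses, hostnames and signature patterns are all constructed for the example and are not taken from the Psinuvia scans.

```python
"""Triage helper: flag SQL injection / XSS attempts in an Apache access log and
SSH brute-force attempts in an auth log, then count them per source address.
Added example; the signatures are illustrative, not a complete rule set."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the Psinuvia scans).
SAMPLE_ACCESS_LOG = """\
10.10.5.7 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.5.7 - - [12/Mar/2024:10:01:05 +0000] "GET /index.php?id=1'%20OR%20'1'='1 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.10.5.7 - - [12/Mar/2024:10:01:09 +0000] "GET /index.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 500 210 "-" "Mozilla/5.0"
10.10.9.3 - - [12/Mar/2024:10:02:11 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.10.9.3 - - [12/Mar/2024:10:02:15 +0000] "GET /about.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.10.2.2 - - [12/Mar/2024:10:03:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

SAMPLE_AUTH_LOG = """\
Mar 12 10:05:01 web2 sshd[2211]: Failed password for root from 10.10.5.7 port 50111 ssh2
Mar 12 10:05:02 web2 sshd[2211]: Failed password for root from 10.10.5.7 port 50112 ssh2
Mar 12 10:05:03 web2 sshd[2214]: Failed password for invalid user admin from 10.10.5.7 port 50113 ssh2
Mar 12 10:05:04 web2 sshd[2218]: Failed password for invalid user test from 10.10.5.7 port 50114 ssh2
Mar 12 10:05:05 web2 sshd[2220]: Failed password for invalid user oracle from 10.10.5.7 port 50115 ssh2
Mar 12 10:06:10 web2 sshd[2230]: Accepted publickey for deploy from 10.10.2.2 port 40000 ssh2
Mar 12 10:07:00 web2 sshd[2240]: Failed password for deploy from 10.10.2.2 port 40001 ssh2
"""

# Apache "combined" format: client ident user [time] "method path proto" status bytes ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# OpenSSH failed-password line; "invalid user" appears when the account does not exist.
SSH_FAIL_RE = re.compile(r'sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')

# Illustrative signatures, applied to the URL-decoded path and query string.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'|\bor\s+\d+\s*=\s*\d+|--\s|;\s*drop\b|\bsleep\s*\()"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|\bon(?:error|load|mouseover)\s*=)"),
}

def parse_access_line(line):
    """Return the fields of one access-log line, or None if it does not match the format."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["decoded_path"] = unquote_plus(fields["path"])  # %27 -> ', %20 -> space, etc.
    return fields

def classify_request(decoded_path):
    """Return the set of signature names that match the decoded request."""
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded_path)}

def scan_access_log(text):
    """Count flagged requests per (source IP, category) and collect the flagged requests."""
    hits = Counter()
    flagged = []
    for line in text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue  # skip lines in another format rather than failing the whole run
        for cat in classify_request(rec["decoded_path"]):
            hits[(rec["ip"], cat)] += 1
            flagged.append((rec["ip"], cat, rec["decoded_path"]))
    return hits, flagged

def ssh_bruteforce_sources(text, threshold=5):
    """Return {ip: failed_logins} for sources at or above the failed-login threshold."""
    failures = Counter()
    for line in text.splitlines():
        m = SSH_FAIL_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}

def most_common_category(hits):
    """Which attack class dominates the web log (the question step 5 answers)."""
    per_cat = Counter()
    for (_ip, cat), n in hits.items():
        per_cat[cat] += n
    return per_cat.most_common(1)[0][0] if per_cat else None

if __name__ == "__main__":
    hits, flagged = scan_access_log(SAMPLE_ACCESS_LOG)
    for ip, cat, path in flagged:
        print(f"{ip:<12} {cat:<5} {path}")
    print("dominant category:", most_common_category(hits))
    print("ssh brute-force sources:", ssh_bruteforce_sources(SAMPLE_AUTH_LOG))
```

Decoding the request before matching matters: the second and third sample requests only reveal the quote and the UNION SELECT once the percent-encoding is removed, and an encoded payload would otherwise slip past a pattern written for plain text. The SSH threshold is a tunable; five failures from one address in a few seconds is a reasonable starting point for raising an alarm, but the value should be set against the normal failure rate observed on the host.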
D. Scan Response
After initial analysis of the scan results and the large number of SQL injection attempts, the Security Manager
and the Incident Response Team were notified by email, as per policy, with an initial report of the incident
attached.
Following this initial notification, the Web Team was activated to begin preparing remediation updates to the
affected services.
Event Level: High – the team initially investigating the incident reached a consensus to classify this
event as a Level: High event. This is mostly due to the nature of the data contained on the affected system –
business-sensitive – and its role as a public-facing production server.
The incident will be escalated, as per policy, to the Chief Technology Officer, Chief Information Security Officer,
Director of Security Operations, and the Legal Department.
The initial response must be completed within 2 hours. Continuing updates must be made hourly until services
are restored.
E. Remediation
Given the affected host’s role as a public-facing server, the best initial response is to disconnect the host from
the network but leave the system running. This, unfortunately, will render the Company’s internet presence
unavailable temporarily while remediation occurs on the system. Disconnecting the system from the network
removes the possibility that intrusions can recur or continue; leaving the system running preserves any
volatile evidence of the attacker and their methods that would be lost at shutdown. Given the nature of the
affected system, it may be best to produce a clone of the machine, examine any latent temporary evidence that
remains on the primary system, remediate the vulnerabilities on the existing production machine, and place it
back in service as soon as appropriate. Further examination of the cloned system can then be performed to
determine what, if any, data was exfiltrated from the system.
F. Recommendations
Administrative Controls:
1. Implement regularly scheduled cybersecurity training for employees – quarterly topics to keep employees
thinking about cybersecurity.
2. Increase vulnerability scanning frequency, concurrently increasing the frequency at which updates are
provisioned to servers – better managing and mitigating vulnerabilities.
Technical Controls:
1. Deploy a Web Application Firewall where appropriate, providing an additional layer of protection against
attacks.
2. Implement encryption for all data – especially when at rest, and in transit.