
1- Case Study

Securing Software, Data and Endpoints


Peter O'Day, Manager, Technical and Communications, needs you to update the anti-virus tool being used
for both network and host-based malware detection. What are your key considerations related to
selecting and implementing the 'best' tool for your organization? (At least 5 key considerations required)

There are several key considerations to take into account when selecting and implementing an anti-virus tool for
an organization:

Compatibility: It is important to ensure that the tool is compatible with the organization's existing systems and
infrastructure, including hardware, operating systems, and any other software that may be in use.

Effectiveness: The tool should be able to effectively detect and remove a wide range of malware, including both
network- and host-based threats. This may involve evaluating the tool's ability to detect zero-day threats and its
overall success rate in detecting and removing malware.

Ease of use: The tool should be easy for users to understand and use, with a user-friendly interface and clear
instructions for performing tasks such as scanning for malware and removing infected files.

Performance impact: The tool should not significantly impact the performance of the organization's systems or
network. This may involve evaluating the tool's resource usage and its impact on network speed and bandwidth.

Cost: The tool should be cost-effective, with a price point that is reasonable for the organization's budget and the
value it provides. This may involve comparing the cost of the tool with that of other available options and
considering any ongoing costs, such as subscription fees.

What are the ways to prevent and mitigate the threat of Ransomware?

Answer:

There are several steps that organizations and individuals can take to prevent and mitigate the threat of
ransomware:

Keep software and operating systems up to date: Installing updates and patches as they become available can
help protect against vulnerabilities that could be exploited by ransomware.

Use antivirus and anti-malware software: Installing and maintaining up-to-date antivirus and anti-malware
software can help detect and block ransomware before it can infect a system.

Back up data regularly: Regularly backing up data and storing the backups offline or in a secure location can help
ensure that important data is not lost in the event of a ransomware attack.

Be cautious about opening email attachments and links: Ransomware is often spread through email attachments
or links, so it is important to be cautious about opening attachments or clicking on links from unknown sources.

Enable firewalls: Configuring and enabling firewalls can help prevent unauthorized access to systems and
networks.

Use strong, unique passwords: Using strong, unique passwords for all accounts can help prevent unauthorized
access to systems and networks.

Use caution when downloading software: Only download software from reputable sources and be cautious about
downloading software from unfamiliar websites.

Educate users: Providing users with training on how to identify and prevent ransomware attacks can help reduce
the risk of successful attacks.

The staff in Finance want to work from home. What steps should be taken to permit teleworking for
employees with access to sensitive data?

Match the malware to their correct descriptions:

1. Virus - Also known as wormhole

2. Trojan - Infects by attaching to another entity

3. Logic Bomb - TCP-based

4. Ransomware - Hidden in a game

5. APT - Exploits a software vulnerability

6. SMURF attack - Waits for a time or event

7. SYN Flood - State- or criminal-organization sponsored

8. Fragmentation attacks - Based on ICMP

9. Backdoor - IP-based

10. Worm - Encrypts data

What steps should be taken in regard to patch management?

2- Incident Detection and Response Case Study


Andrea Worth, Manager, Finance, has just asked you whether you have conducted a risk assessment on
the Finance systems (payroll, accounts receivable, accounts payable, email, etc.). What is the difference
between IT risk and business risk?

IT risk refers to the potential for technology-related issues to disrupt business operations or cause financial loss.
This can include risks such as data breaches, system failures, or cybersecurity threats. IT risk management
involves identifying and addressing these potential issues in order to minimize their impact on the organization.

Business risk, on the other hand, refers to the potential for events or circumstances to negatively impact an
organization's ability to achieve its objectives. This can include risks such as market changes, competition, or
regulatory changes. Business risk management involves identifying and addressing these potential issues in
order to minimize their impact on the organization's goals.

In general, IT risk is a type of business risk that is specific to technology and its use within an organization. It is
important for organizations to assess both IT risk and business risk in order to ensure the smooth operation of
their technology systems and the overall success of the business.

List some of the threats to an IT system that supports Finance.

There are many potential threats to an IT system that supports finance, including:

Cybersecurity threats: These can include malware, ransomware, phishing attacks, and other types of
cyberattacks that can compromise the security and confidentiality of financial data.

System failures: Hardware or software failures can disrupt the operation of the IT system and potentially lead to
data loss or corruption.

Data breaches: Unauthorized access to financial data could result in the theft of sensitive information or the
unauthorized modification of financial records.

Human error: Accidental deletion or modification of financial data by employees can lead to errors in financial
records or reports.

Physical disasters: Natural disasters or other physical events (e.g., fires, floods) could damage the IT system or
disrupt its operation, potentially leading to data loss or corruption.

Regulatory compliance: The IT system may need to comply with various financial regulations, such as the
Payment Card Industry Data Security Standard (PCI DSS) or the Sarbanes-Oxley Act. Failure to comply with
these regulations could result in financial penalties or other consequences.

What are the reasons to implement separation of duties and how can this be done?

Separation of duties is a security control that is implemented to reduce the risk of errors or fraud by ensuring that
no single individual has complete control over a financial transaction. This is achieved by dividing the tasks
involved in a transaction among multiple individuals, so that no one person has the ability to complete the
transaction on their own.

There are several reasons to implement separation of duties:

To reduce the risk of errors: By dividing tasks among multiple individuals, the risk of errors or mistakes is
reduced, as each individual is only responsible for a specific part of the process.

To reduce the risk of fraud: Separation of duties can help to prevent fraud by ensuring that no single individual
has the ability to complete a financial transaction without the oversight of others.

To improve efficiency: Separation of duties can help to streamline processes and improve efficiency, as
individuals are only responsible for specific tasks and do not need to be involved in the entire process.

To meet regulatory requirements: In some cases, separation of duties may be required by law or industry
regulations, such as the Sarbanes-Oxley Act or the Payment Card Industry Data Security Standard (PCI DSS).

To implement separation of duties, organizations can assign different tasks in a financial transaction to different
individuals or groups of individuals. For example, one group might be responsible for entering financial data into
the system, while another group is responsible for reviewing and approving the data. It is important to ensure that
individuals or groups are not able to bypass the separation of duties controls that have been put in place.
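The entry-and-approval split described above, as an added example (not part of the case study): a small two-person control in which one group enters transactions, a different group approves them, and the check that stops a person who holds both roles from bypassing the control by approving their own entry. Users, roles and amounts are constructed sample data.

```python
# Added example (not from the case study): a two-person control that models
# the page's separation-of-duties scheme, where one group enters transactions
# and a different group approves them, and that blocks the bypass of one
# person approving their own entry. Users, roles and amounts are constructed.
from dataclasses import dataclass, field
from enum import Enum

class Role(Enum):
    ENTRY = "entry"        # may create transactions
    APPROVER = "approver"  # may approve transactions created by someone else

class SoDViolation(Exception):
    """Raised when an action would defeat separation of duties."""

@dataclass
class Transaction:
    tx_id: int
    amount: float
    entered_by: str
    approved_by: str = ""                      # empty until approved
    audit: list = field(default_factory=list)  # every attempt is recorded

class Ledger:
    def __init__(self, roles: dict):
        self.roles = roles      # constructed mapping: user -> set of Role
        self.transactions = {}  # tx_id -> Transaction

    def enter(self, user: str, tx_id: int, amount: float) -> Transaction:
        if Role.ENTRY not in self.roles.get(user, set()):
            raise SoDViolation(f"{user} lacks the entry role")
        tx = Transaction(tx_id, amount, entered_by=user)
        tx.audit.append(f"entered by {user}")
        self.transactions[tx_id] = tx
        return tx

    def approve(self, user: str, tx_id: int) -> Transaction:
        tx = self.transactions[tx_id]
        if Role.APPROVER not in self.roles.get(user, set()):
            raise SoDViolation(f"{user} lacks the approver role")
        # Core check: the approver must differ from the person who entered
        # the record, even when one user happens to hold both roles.
        if user == tx.entered_by:
            tx.audit.append(f"self-approval attempt by {user} rejected")
            raise SoDViolation(f"{user} cannot approve own entry {tx_id}")
        tx.approved_by = user
        tx.audit.append(f"approved by {user}")
        return tx
```

The rejected self-approval is left in the transaction's audit trail so a reviewer can see the bypass attempt rather than only its absence.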

XYZ Network Solutions has asked you to set up an incident response program that will work together with the
help desk and information security department. What should be the first few steps in creating an incident
response program?

Answer:

The first few steps in creating an incident response program should include:

Identify the purpose and scope of the program: Determine the goals and objectives of the program, as well as the
types of incidents it will cover (e.g., cybersecurity breaches, system failures, natural disasters).

Establish a team and assign roles: Identify the individuals who will be responsible for responding to incidents and
assign specific roles and responsibilities to each team member.

Develop policies and procedures: Create detailed policies and procedures that outline the steps to be taken in
response to different types of incidents. These should include procedures for communication, escalation, and
decision-making.

Establish communication channels: Determine the methods of communication that will be used during an incident
(e.g., email, phone, in-person meetings) and ensure that all team members have the necessary contact
information.

Conduct training and drills: Provide training to all team members on the policies and procedures of the incident
response program and conduct regular drills to test the effectiveness of the program.

Review and update the program regularly: Regularly review and update the incident response program to ensure
that it is effective and up-to-date. This may involve reviewing the policies and procedures, conducting additional
training, or making changes based on lessons learned from previous incidents.

What is the first priority and first steps to be taken when an incident is detected?

Answer:

The first priority when an incident is detected is to ensure the safety and security
of individuals and to minimize the impact of the incident. The first steps to be taken
will depend on the specific type of incident that has occurred. In general, however,
the first steps should include the following:

Assess the situation: Gather as much information as possible about the incident,
including the type of incident, the extent of the damage or impact, and any potential
risks or hazards.

Activate the incident response team: If an incident response team has been
established, activate the team and begin implementing the policies and procedures
outlined in the incident response plan.

Contain the incident: Take steps to prevent the incident from spreading or
escalating, such as disconnecting affected systems from the network or shutting
down equipment.

Communicate with relevant parties: Inform relevant parties of the incident, including
management, employees, customers, and any other stakeholders who may be
affected.

Begin the recovery process: Once the incident has been contained, begin taking steps
to recover from the incident and restore normal operations. This may involve
repairing damaged equipment, restoring data from backups, or taking other
corrective actions.

How can an organization ensure that lessons are identified following an incident and that they are carried
out as ‘lessons learned’?

There are several steps that an organization can take to ensure that lessons are identified
following an incident and that they are carried out as "lessons learned":

Conduct a thorough review of the incident: After the incident has been resolved, conduct a
thorough review of the incident to identify any lessons that can be learned. This may involve
analyzing the causes of the incident, evaluating the response, and identifying any areas for
improvement.

Involve relevant stakeholders: Involve relevant stakeholders in the review process, including
individuals who were directly involved in responding to the incident and those who were
affected by it. This can help to ensure that all relevant perspectives are taken into account.

Document the lessons learned: Document the lessons learned from the incident, including any
recommendations for improvement.

Communicate the lessons learned: Share the lessons learned from the incident with relevant
parties, including management, employees, and any other stakeholders who may be affected.

Implement corrective actions: Based on the lessons learned, implement corrective actions to
prevent similar incidents from occurring in the future. This may involve updating policies and
procedures, providing additional training, or making changes to systems or processes.

Monitor and review the effectiveness of corrective actions: Regularly monitor and review the
effectiveness of the corrective actions taken to ensure that they are having the desired effect.
This may involve conducting follow-up reviews or audits to assess the effectiveness of the
actions taken.
