
CASE ACTIVITY

Case Learning Objectives:

* Identify an incident.

* Classify an incident according to its severity.

* Identify the roles and responsibilities in an incident response team.

* Identify the steps an organization should take to contain and recover from an incident.

* Recommend measures to prevent similar incidents from occurring in the future.

* Recommend actions to improve the detection of similar events.

Case Scenario

On Thursday morning, John, an XYZ University employee, noticed a warning message on his computer
saying that the system had been attacked by the Win32.VB worm. Even though antivirus software was
present on the system, it failed to detect the new worm because its signatures had not been updated
to the latest version. When John tried to open his e-mail, he experienced a slow internet connection,
and he noticed some unusual file names on the disk. John immediately informed his friend Bob, who
was also an XYZ employee, of the problem. Bob checked the computer in his own office and experienced
the same problem as John. John and Bob then checked several computers in the laboratories and found
that the Win32.VB worm had infected many other computers there. They contacted the system
administrator of XYZ University. The system administrator checked the computers in the laboratory
and reported the incident to the incident response team. The system administrator also checked the
computers in the other laboratories. As a result of the worm attack, the activities in the XYZ University
laboratories were suspended for a day, which caused great inconvenience.

Do:

1. Would the organization consider this activity as an incident? Justify your answer
Yes. An incident is an event that compromises, or threatens to compromise, the confidentiality,
integrity or availability of the organization's systems. Here a confirmed worm infection has spread
across many computers in several laboratories, the worm is creating unexpected files (an integrity
concern) and consuming network bandwidth (an availability concern), and the university had to
suspend laboratory activities for a day. This is an active, self-propagating malware outbreak, not a
single-user nuisance, so it clearly meets the definition of a security incident.
2. What's the severity level of the above-mentioned incident
On a multi-level scheme this would be a medium, level 2, incident. It is above the lowest level
because the worm has already spread to many machines in more than one laboratory, it is still
propagating, and it caused a full day of downtime for laboratory operations. It is below the highest
level because, on the facts given, no servers or central systems are reported compromised, there is no
indication of data theft or destruction, and the rest of the university kept operating. The exact level
depends on XYZ University's own classification scheme, and it should be raised if the worm is later
found on servers, on systems holding sensitive data, or outside the laboratories.
3. Who or what groups will be involved in the situation?
The incident response team leads and coordinates the response. The system administrator and the IT
support team carry out the technical work: identifying infected hosts, isolating them, updating the
antivirus, and cleaning or rebuilding systems. The laboratory managers and teaching staff are
involved because their operations were suspended and they must be told when systems are safe to
use again. John and Bob, as the users who discovered the infection, are witnesses whose observations
(the warning message, the slow connection, the unusual file names) help establish the timeline.
Management is informed of the impact and approves decisions such as suspending laboratory
activities, and communicates the status to affected users.
4. Suggest measures to contain and recover from the incident.
Containment comes first: disconnect the infected computers from the network (unplug the cable or
disable their switch ports) so the worm stops spreading, and identify every infected host by checking
the laboratories and looking for the same symptoms on other machines. Preserve a copy of the
unusual files and the antivirus warning for analysis before cleaning. Then update the antivirus
signatures, using a clean machine or a trusted offline copy of the update, and run a full scan on each
affected computer to remove the worm. Machines where the cleaning cannot be trusted should be
reimaged from a known-good build rather than cleaned in place. Restore any damaged user data from
backups, confirm each machine is clean and fully updated before reconnecting it, and monitor the
network afterwards for signs of reinfection. Finally, document the timeline and the actions taken for
the post-incident review.
5. Suggest measures to prevent similar incidents from occurring in the future
The root cause was antivirus software that was installed but not kept up to date, so antivirus updates
should be managed centrally and enforced automatically, with reporting that flags machines whose
signatures are out of date. Operating system and application patches should be applied regularly, since
worms exploit known vulnerabilities to spread. Host-based firewalls should block inbound ports that
laboratory machines do not need, and the laboratories should be placed on their own network segment
so an outbreak in one laboratory cannot reach the rest of the university directly. Laboratory users
should not have administrator rights, strong credentials should be required for all accounts, and
autorun for removable media should be disabled so that infected USB drives cannot trigger the worm.
6. Suggest actions to improve the detection of similar events.
Keeping antivirus signatures current is necessary but not sufficient, because a new worm may not be
detected by signatures at all. A central antivirus console should alert the administrator when a machine
reports a detection or misses an update, instead of only showing a warning to the local user. Network
monitoring should watch for worm behaviour, such as one host opening connections to many other
hosts in a short time or a sudden rise in bandwidth use, which would have explained the slow internet
connection John noticed. Endpoint logs should be collected centrally so that unusual files or processes
can be seen across the laboratory at once. Finally, staff should know to report suspicious behaviour
straight to the system administrator or the incident response team: in this scenario John first told a
colleague and the two checked other machines themselves, which delayed the official response.
