FVEY (Canada) – CI Sector (Avisitel)
In Project 3, your team is focused on preventing future incursions into the network and developing a business continuity plan to be deployed in case a breach occurs. There are 14 steps to be completed by the team, with the project culminating in the production of a video and forensics report that summarizes the lessons learned from the recent network breach. This project should take 14 days to complete. After reading the scenario below, proceed to Step 1 where you will establish your team agreement plan.
Before the summit, each nation set up its own secure comms network. As summit events began, your team responded to anomalous network activity that was detected on your agency’s server.
Now, to make matters worse, the next day you awaken to the news that summit attendees are unable to get access to the confidential summit data needed for the conference. All of the computer screens show a pop-up message that says:
“Your Computer has been involved in Child Porn Activity!!! and has been locked down by the FBI and the Justice Department. Unless you pay the sum of $500 (FIVE HUNDRED DOLLARS)—in Bitcoin you will be arrested immediately! You have 48 hours to pay up via email – firstname.lastname@example.org.”
Your CISO has called an emergency meeting with your team. She begins to speak to the group.
“We’ve just been hit with the Reveton ransom attack, which pretends to be a warning from a country’s law enforcement agency. It locks you out of your PC and threatens criminal proceedings within 48 hours based upon very serious offenses. The message informs you that you can avoid prosecution by paying a fine to the attackers via Bitcoin. Based on the time of the incident, we believe that a single threat actor or group is responsible. This person or group is still unidentified.”
The CISO continues to brief you on the attack, confirming that nothing further is yet known about the malicious file, the permissions it ran with, or the tools used to deliver it. Beyond the lock-screen message itself, systems currently show no other signs of infection or additional malicious indicators.
The attendees at the summit are divided on what should be done. Some of them want to pay the money; it is a small sum to be holding up the proceedings. However, cyber insiders know that paying a ransom marks you as a target that pays, inviting further attacks, and that payment does not guarantee access will be restored.
In addition, you want to know how the attackers were able to infiltrate the system and plant the malware. What current protections are in place for systems at the summit? What methods and procedures are your team employing in response to the current attack? What is the plan if protections fall short? These are the questions pouring in from leadership, down to your CISO—and now, to you.
Your CISO continues: “I need your team to provide a series of reports that will track this incident from start to recovery. Risk management briefings. Forensic reports. Situational reports. I need it all. They’ll all come in handy when it’s time to debrief our nation’s leaders.”
It's time to take a step back and look at all the processes that led to the ransomware attack. How did the malware get here? Is the supply chain safe? Who was the vendor, and how was the vendor vetted?
As a cyber professional, you know that high-profile cyberattacks that cripple the supply chains of prominent companies show that the point of entry for hackers is often through the weakest link in the supply chain.
That’s why it’s important to take a look at your team’s software, the supply chain, and the development processes—all components in a business continuity plan (BCP). Ensuring appropriate security controls are implemented and integrated in the system development life cycle and included in the comprehensive BCP is a critical step in finding out what happened, why it happened, and how you can keep it from happening again.
This BCP will be used to help the CISO identify current systems and timelines that will be used to bring systems back online and review the sequence of events that occur during BCP operations.
Begin this step by identifying the specific software assurance needs and expectations of the organization. The needs and expectations that you identify in this step will be used in the Software Development Life Cycle Assessment. For a refresher, refer to this information on software development security.
In this step, you will research and analyze issues in supply chain risk management (SCRM) in order to make informed decisions in the future regarding the selection of products. Identify the supply chain risks and challenges for your organization. Next, conduct research to determine other options that are available for consideration. The vulnerabilities and alternatives that you identify in this step will be used in the Software Development Life Cycle Assessment, which you will submit in the next step.
Research and analyze the processes used by your organization’s software development life cycle (SDLC). After you identify the existing processes, research alternatives that could be considered for optimization of security and efficiency. The processes and alternatives that you identify in this step will also be used in the Software Development Life Cycle Assessment, which will be part of the BCP that you will submit in a future step. You will assess the life cycle of software development in the next step.
Your research and analysis during the previous step should have prepared your team to evaluate and develop a five-page Software Development Life Cycle Assessment in this step. You will consider the organization's software development life cycle, from sourcing through implementation. Discuss risks identified in the supply chain and life cycle. Evaluate alternative processes and products. Conclude with recommendations for improving the security, efficiency, and cost-effectiveness of the SDLC with a look at avoiding future breaches.
Business Continuity Plan
Be sure to do the following:
- Describe basic models and methodologies of the software development life cycle.
- Identify a development methodology that fits your organization and explain why.
- Describe the phases of the software life cycle.
- List and discuss the security principles you would need to consider and explain how you would apply them throughout the software life cycle.
- Describe the elements of a maturity model.
Your designated team member should submit the software development life cycle assessment for review and feedback. This assessment will be included in your Cyber Operations and Risk Management Briefing, which you will develop later in the project. You will also use this work to create a software development matrix, which you will complete in the next step as part of the BCP.
Now that you have completed an assessment of the software development life cycle, you will research open source, commercial, and internally developed software methodologies available to the organization to fulfill future software assurance needs and expectations. You will use this information to develop your one-page Software Development Matrix, a component of the BCP.
Using this software development matrix template, develop and submit a matrix that compares and contrasts open-source, commercial, and internally developed software development methodologies. Evaluate each alternative to help inform your final recommendation. Consider cost, software assurance needs and expectations, software assurance objectives, and a software assurance coding and development plan. This matrix will provide options to be considered for evaluation of maintenance in the next step and will also be used in your final project briefing, with a look at improving the process for the future.
Your designated team member should submit the matrix for review and feedback. In addition to the BCP, the matrix will be included in the cyber operations and risk management briefing, which you develop later in the project. At this point, you should have several of the components of the BCP to submit in the next step of the project.
To help ease the concerns of the CISO and other executive officials tied into cyber operations, the chief technology officer (CTO) is asking for processes and procedures regarding exposed systems. You created a security baseline of your nation team’s systems in Project 1, and that is a necessary part of determining mission priorities and identifying critical systems in the event of a cyber incident. You’ve also completed several steps that will provide an assessment of the software life cycle and development, including a development matrix.
Now, as a team, and in accordance with your team agreement, you will create an eight- to 10-page Business Continuity Plan (BCP) that addresses the mission needs and systems for recovery of the whole enterprise in the face of a cyberattack event. This BCP will be used to help the CISO identify current systems and timelines that will be used to bring systems back online and the sequence of events that occur during BCP operations. Make sure that all citations are in proper APA format.
Refer to the following documents to assist you in creating the final portion of the BCP:
- Your team’s security baseline from Project 1
- Contingency Planning Guide for Federal Information Systems (NIST SP 800-34) for examples of what to include in your BCP
- Best Practices for Creating a BCP
Consider and include the following as you develop your BCP:
- The BCP should include the software development life cycle assessment and the software development matrix you completed in prior steps.
- The BCP should describe the normal operation standards, practices, and procedures for the team's operating systems, including those on critical systems. Develop standard operating procedures ordered from the systems the team identifies as most critical to least critical for continuing business operations. The standard operating procedures and security engineering best practices should cover operating system fundamentals, operating system security, patch management, and operating system protections.
- All partner nations have indicated that an ad hoc wireless network may be used at the summit. The nations' CISOs will have to determine how to distinguish rogue access points from authorized access points and authorized service set identifiers (SSIDs). These considerations must be included in the BCP.
- Limit the scope to communications systems.
- The BCP should be tailored to recovery from a ransomware attack. Include leadership decision-making options for payouts, such as Bitcoin, which is built on blockchain technology. Based on the recent outbreaks of ransomware attacks, identify the key components of the given topology and describe how a ransomware incident inside that topology would be identified and contained. What are the network security threats that enable a ransomware attack? Include these vectors as scenarios in the BCP and address remediation paths for each.
- The BCP should also include an incident response plan with IR response flows for DDoS, malware, and insider threats. If the plan has to be executed, this documentation is what the identified parties will follow, so it must make the communication channels, the flow of information, and the triggers clear enough that coordination does not break down.
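The rogue access point question above comes down to comparing what is on the air against the inventory of what your team actually deployed. The following is an added example, not part of the course material or the Avisitel environment: it triages a constructed Wi-Fi scan (placeholder SSID `FVEY-CA-SUMMIT` and placeholder BSSIDs) against an assumed authorized-AP inventory, and separates an evil twin (our SSID from hardware we did not deploy) from a downgraded authorized AP and from a lookalike SSID that is one character off from ours. In practice the scan would be fed from a wireless IDS or from parsing `iw dev <iface> scan` output.

```python
"""Triage a Wi-Fi scan against the authorized access-point inventory.

Added example, not part of the course material. SSIDs, BSSIDs and the
scan results are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # AP MAC address as carried in the beacon frame
    channel: int
    security: str   # "OPEN", "WPA2" or "WPA3", as advertised in the RSN element


# Assumed inventory: SSID -> BSSIDs the nation team actually deployed.
AUTHORIZED = {
    "FVEY-CA-SUMMIT": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}
# Security baseline an authorized AP is expected to advertise.
ACCEPTED_SECURITY = {"WPA2", "WPA3"}


def within_one_edit(a, b):
    """True if strings a and b are identical or differ by one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # deletion from a
        elif len(b) > len(a):
            j += 1          # insertion into a
        else:
            i += 1          # substitution
            j += 1
    edits += (len(a) - i) + (len(b) - j)   # trailing unmatched characters
    return edits <= 1


def classify(beacon, authorized=AUTHORIZED):
    bssid = beacon.bssid.lower()
    if beacon.ssid in authorized:
        if bssid not in {b.lower() for b in authorized[beacon.ssid]}:
            return "evil-twin"    # our SSID broadcast by hardware we did not deploy
        if beacon.security not in ACCEPTED_SECURITY:
            return "downgraded"   # our AP, but advertising weaker security than baseline
        return "authorized"
    folded = beacon.ssid.casefold()
    if any(within_one_edit(folded, s.casefold()) for s in authorized):
        return "lookalike"        # one character (or case) off from our SSID: a lure
    return "unknown"              # neighbouring network: log it, do not page on it


def triage(beacons, authorized=AUTHORIZED):
    """Group observed BSSIDs by verdict."""
    verdicts = defaultdict(list)
    for b in beacons:
        verdicts[classify(b, authorized)].append(b.bssid)
    return dict(verdicts)


# Constructed scan result (not a real capture).
SCAN = [
    Beacon("FVEY-CA-SUMMIT", "00:11:22:33:44:01", 6, "WPA2"),
    Beacon("FVEY-CA-SUMMIT", "00:11:22:33:44:02", 11, "OPEN"),   # deployed AP, security stripped
    Beacon("FVEY-CA-SUMMIT", "de:ad:be:ef:00:01", 6, "OPEN"),    # unknown BSSID using our SSID
    Beacon("FVEY-CA-SUMMlT", "de:ad:be:ef:00:02", 6, "WPA2"),    # lowercase L in place of I
    Beacon("Hotel-Guest", "aa:bb:cc:dd:ee:ff", 1, "OPEN"),
]

if __name__ == "__main__":
    for verdict, bssids in triage(SCAN).items():
        print(f"{verdict:11s} {', '.join(bssids)}")
```

The verdict names map onto BCP actions: an evil twin or lookalike is an active attack on summit users and goes to the IR flow for containment, a downgraded AP is a configuration deviation for the operations team, and an unknown SSID is only recorded.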
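The ransomware item above asks how an incident inside the topology would be identified. Two host-level indicators that show up before the lock screen does are a burst of extension-changing renames on one host and the creation of a ransom-note file. The following is an added example, not part of the course material or of any product's detection rules: it parses a constructed file-activity feed (the `ts host= user= op= path= [new=]` format and the hostnames are assumptions) and raises an alert when either indicator appears. A real deployment would adapt `parse()` to its own source, such as Sysmon or auditd events.

```python
"""Ransomware early-warning rule over file-activity events.

Added example, not from the course material. Event format, hostnames,
paths and thresholds are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Fire when one host performs RENAME_THRESHOLD extension-changing renames
# inside WINDOW. Tune both against your own baseline; document the values in the BCP.
WINDOW = timedelta(seconds=60)
RENAME_THRESHOLD = 5
# Ransom-note file names to watch for (constructed list; extend from threat intel).
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_restore_files.html", "decrypt_instructions.txt"}


def parse(line):
    """'<ISO8601 ts> key=value ...' -> dict, with 'ts' as an aware datetime."""
    ts, *kvs = line.split()
    fields = {k: v for k, v in (kv.split("=", 1) for kv in kvs)}
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def _ext(path):
    return os.path.splitext(path.replace("\\", "/"))[1].lower()


def _name(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(lines):
    """Return a list of (host, timestamp, indicator, detail) alerts."""
    alerts = []
    renames = defaultdict(deque)   # host -> timestamps of recent extension-changing renames
    fired = set()                  # hosts already alerted for mass renames
    for line in lines:
        ev = parse(line)
        host = ev["host"]
        if ev["op"] == "create" and _name(ev["path"]) in RANSOM_NOTE_NAMES:
            alerts.append((host, ev["ts"], "ransom-note", ev["path"]))
        if ev["op"] == "rename" and _ext(ev["path"]) != _ext(ev["new"]):
            q = renames[host]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:   # slide the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and host not in fired:
                fired.add(host)
                alerts.append((host, ev["ts"], "mass-rename",
                               f"{len(q)} extension changes within {WINDOW.seconds}s"))
    return alerts


# Constructed events: ws-07 is being encrypted, ws-03 is a user working normally.
SAMPLE_EVENTS = r"""
2024-05-02T09:15:01Z host=ws-03 user=asmith op=write path=C:\Users\asmith\Documents\budget.xlsx
2024-05-02T09:15:04Z host=ws-07 user=jdoe op=rename path=C:\Users\jdoe\Documents\agenda.docx new=C:\Users\jdoe\Documents\agenda.docx.locked
2024-05-02T09:15:05Z host=ws-07 user=jdoe op=rename path=C:\Users\jdoe\Documents\minutes.docx new=C:\Users\jdoe\Documents\minutes.docx.locked
2024-05-02T09:15:05Z host=ws-03 user=asmith op=rename path=C:\Users\asmith\Documents\~draft.tmp new=C:\Users\asmith\Documents\draft.docx
2024-05-02T09:15:06Z host=ws-07 user=jdoe op=rename path=C:\Users\jdoe\Documents\delegates.xlsx new=C:\Users\jdoe\Documents\delegates.xlsx.locked
2024-05-02T09:15:07Z host=ws-07 user=jdoe op=rename path=C:\Users\jdoe\Pictures\badge.png new=C:\Users\jdoe\Pictures\badge.png.locked
2024-05-02T09:15:08Z host=ws-07 user=jdoe op=rename path=C:\Users\jdoe\Desktop\notes.txt new=C:\Users\jdoe\Desktop\notes.txt.locked
2024-05-02T09:15:09Z host=ws-07 user=jdoe op=create path=C:\Users\jdoe\Desktop\README_TO_DECRYPT.txt
""".strip().splitlines()

if __name__ == "__main__":
    for host, ts, indicator, detail in detect(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} {host} {indicator}: {detail}")
```

The mass-rename alert is the containment trigger in the BCP scenario: isolate the host from the network and from shared storage before the remaining files are touched, and preserve the host for the forensic report rather than rebuilding it immediately. The ransom-note alert is the higher-confidence confirmation, but by the time it fires most local files are already encrypted, which is why the rename threshold is the one to tune carefully.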