INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITALIJNSA Journal
Most small to medium health care organizations do not have the capability to address cyber incidents within the organization. Those that do are poorly trained and ill equipped. These health care organizations are subject to various laws that address privacy concerns, proper handling of financial information, and Personally Identifiable Information. Currently an IT staff handles responses to these incidents in an Ad Hoc manner. A properly trained, staffed, and equipped Cyber Incident Response Team is needed to quickly respond to these incidents to minimize data loss, and provide forensic data for the purpose of notification, disciplinary action, legal action, and to remove the risk vector. This paper1 will use the proven Incident Command System model used in emergency services to show any sized agency can have an adequate CIRT.
Contemporary Cyber Security Social Engineering Solutions, Measures, Policies,...CSCJournals
Social engineering is a major threat to organizations as more and more companies digitize operations and increase connectivity through the internet. After defining social engineering and the problems it presents, this study offers a critical review of existing protection measures, tools, and policies for organizations to combat cyber security social engineering. Through a systematic review of recent studies published on the subject, our analysis identifies the need to provide training for employees to ensure they understand the risks of social engineering and how best to avoid becoming a victim. Protection measures include awareness programs, training of non-technical staff members, new security networks, software usage, and security protocols to address social engineering threats.
INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking ...Hansa Edirisinghe
This report discuses the employment of ethical hacking through a disciplined, systematic analysis as a way of reviewing and strengthening the security of information systems. The preliminary objective of this study is therefore to understand the concept of Ethical Hacking. - By Hansa Edirisinghe
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITALIJNSA Journal
Most small to medium health care organizations do not have the capability to address cyber incidents within the organization. Those that do are poorly trained and ill equipped. These health care organizations are subject to various laws that address privacy concerns, proper handling of financial information, and Personally Identifiable Information. Currently an IT staff handles responses to these incidents in an Ad Hoc manner. A properly trained, staffed, and equipped Cyber Incident Response Team is needed to quickly respond to these incidents to minimize data loss, and provide forensic data for the purpose of notification, disciplinary action, legal action, and to remove the risk vector. This paper1 will use the proven Incident Command System model used in emergency services to show any sized agency can have an adequate CIRT.
Contemporary Cyber Security Social Engineering Solutions, Measures, Policies,...CSCJournals
Social engineering is a major threat to organizations as more and more companies digitize operations and increase connectivity through the internet. After defining social engineering and the problems it presents, this study offers a critical review of existing protection measures, tools, and policies for organizations to combat cyber security social engineering. Through a systematic review of recent studies published on the subject, our analysis identifies the need to provide training for employees to ensure they understand the risks of social engineering and how best to avoid becoming a victim. Protection measures include awareness programs, training of non-technical staff members, new security networks, software usage, and security protocols to address social engineering threats.
INFORMATION SECURITY MANAGEMENT - Critique the employment of ethical hacking ...Hansa Edirisinghe
This report discuses the employment of ethical hacking through a disciplined, systematic analysis as a way of reviewing and strengthening the security of information systems. The preliminary objective of this study is therefore to understand the concept of Ethical Hacking. - By Hansa Edirisinghe
Toward Automated Reduction of Human Errors based on Cognitive AnalysisSherif Zahran
Following the immense development of cyber society where various activities including e-commerce take place,
the demands for security is rapidly growing. Among major
causes of security flaws is human error, which is unintentionally
caused by humans. To cope with that, we intend to build
a human error database that automatically develops further.
We conducted a survey on human factors and concluded that
the root causes of human errors are related to the internal
mental processes, and the cognitive-psychological methodology
is a feasible for the estimation of them. Based on that this
paper proposes a framework that consists of data collection
methods and data structure. It also explores the usability of
the data by presenting use cases of human error prevention
and incident handling.
An Improved Method for Preventing Data Leakage in an OrganizationIJERA Editor
Data is one of the most important assets an organisation has since it denes each organisations unique- ness.It
includes data on members and prospects, their inter- ests and purchases, your events, speakers, your content,
social media, press, your staff, budget, strategic plan, and much more. As organizations open their doors to
employees, part- ners, customers and suppliers to provide deeper access to sensitive information, the risk
sassociated with business increase. Now, more than ever, within creasing threats of cyber terrorism, cor- porate
governance issues, fraud, and identity theft, the need for securing corporate information has become paramount.
Informa- tion theft is not just about external hackers and unauthorized external users stealing your data, it is also
about managing internal employees and even contractors who may be working within your organization for
short periods of time. Adding to the challenge of securing information is the increasing push for corporate
governance and adherence to legislative or regulatory requirements. Failure to comply and provide privacy,
audit and internal controls could result in penalties ranging from large nes to jail terms. Non-compliance can
result in not only potential implications for executives, but also possible threats to the viability of a corporation.
Insiders too represent a sign cant risk to data security. The task of detecting malicious insiders is very
challenging as the methods of deception become more and more sophisticated. There are various solutions
present to avoid data leakage. Data leakage detection, prevention (DLPM) and monitoring solutions became an
inherent component of the organizations security suite.DLP solutions monitors sensitive data when at rest, in
motion, or in use and enforce the organizational data protection policy.These solutions focus mainly on the data
and its sensitivity level, and on preventing it from reaching an unauthorized person. They ignore the fact that an
insider is gradually exposed to more and more sensitive data,to which she is authorized to access. Such data
may cause great damage to the organization when leaked or misused. Data can be leaked via emails, instant
messaging, le transfer etc. This research is focusing on email data leakage monitoring, detection and
prevention. It is proposed to be carried out in two phases: leakage detection through mining and prevention
through encryption of email content.
HEALTHCARE IT: IS YOUR INFORMATION AT RISK? IJNSA Journal
Healthcare Information Technology (IT) has made great advances over the past few years and while these advances have enable healthcare professionals to provide higher quality healthcare to a larger number of individuals it also provides the criminal element more opportunities to access sensitive information, such as patient protected health information (PHI) and Personal identification Information (PII). Having an Information Assurance (IA) programallows for the protection of information and information systems andensures the organization is in compliance with all requires regulations, laws and directive is essential. While most organizations have such a policy in place, often it is inadequate to ensure the proper protection to prevent security breaches. The increase of data breaches in the last few years demonstrates the importance of an effective IA program. To ensure an effective IA policy, the
policy must manage the operational risk, including identifying risks, assessment and mitigation of identified risks and ongoing monitoring to ensure compliance.
If anything became clear this past year when it comes to cyber security, it’s that no one is immune from a successful attack. While a certain flow of news-making breaches are to be expected, this past year was more of a waterfall than a trickle. In addition to the many retailers that were breached, there was healthcare, eCommerce, government agencies, and well-known tech companies and financial services brands that are household names.
This HP playbook is designed to close the disconnect between how senior leadership at most enterprises are currently prepared to publically respond to a serious data breach and what they actually need to know and have in place to be successful.
Electronic Healthcare Record Security and Management in Healthcare Organizationsijtsrd
"This study aim sat identifying the current countermeasures used in protecting the Electronic Healthcare Record and how employees share their knowledge about the existence Electronic Healthcare Record security as well as countermeasures used in mitigating the threats and data breaches in healthcare organizations. A case study of Aminu Kano Teaching Hospital, Nigeria was used and qualitative research method was adopted where purposive and stratified random sampling was used. This led to construction of eleven relevant questions to four categories of staff. A conceptual frame work was proposed to quid the study and the findings we reevaluated using the proposed frame work. There sults revealed that there is lack of knowledge sharing among employees and some factors were found to be the resistance factors, this include educational background, behavior, low security awareness, personality differences and lack of management commitment. On the other hand, deterrent, preventive and organizational actions were partially practiced as countermeasures used to mitigate the threats and vulnerability of data breaches of Electronic Healthcare Records in Aminu Kano Teaching Hospital in Nigeria. Attahiru Saminu, CLN ""Electronic Healthcare Record Security and Management in Healthcare Organizations"" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Special Issue | International Conference on Advanced Engineering and Information Technology , November 2018, URL: https://www.ijtsrd.com/papers/ijtsrd19124.pdf
Paper URL: https://www.ijtsrd.com/other-scientific-research-area/other/19124/electronic-healthcare-record-security-and-management-in-healthcare-organizations/attahiru-saminu-cln"
An Overview of Intrusion Detection and Prevention Systems (IDPS) and Security...IOSR Journals
Technical solutions, introduced by policies and implantations are essential requirements of an
information security program. Advanced technologies such as intrusion detection and prevention system (IDPS)
and analysis tools have become prominent in the network environment while they involve with organizations to
enhance the security of their information assets. Scanning and analyzing tools to pinpoint vulnerabilities, holes
in security components, unsecured aspects of the network and deploying of IDPS technology are highlighted.
An Empirical Study on the Security Measurements of Websites of Jordanian Publ...CSCJournals
Most of the Jordanian universities’ inquiries systems, i.e. educational, financial, administrative, and research systems are accessible through their campus networks. As such, they are vulnerable to security breaches that may compromise confidential information and expose the universities to losses and other risks. At Jordanian universities, security is critical to the physical network, computer operating systems, and application programs and each area has its own set of security issues and risks. This paper presents a comparative study on the security systems at the Jordanian universities from the viewpoint of prevention and intrusion detection. Robustness testing techniques are used to assess the security and robustness of the universities’ online services. In this paper, the analysis concentrates on the distribution of vulnerability categories and identifies the mistakes that lead to a severe type of vulnerability. The distribution of vulnerabilities can be used to avoid security flaws and mistakes.
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVESijcsit
Increasingly, all kinds of organizations and institutions are adopting the E-business model to conduct their
activities and provide E-Services for their customers. In the process, whether they know it or not, those
organizations are also opening themselves up to the risk of information security breaches. Therefore
protecting an organization’s ICT infrastructure, IT systems, and Data is a vital issue that is often
underestimated. Research has shown that one of the most significant threats to information security comes
not from external attack but rather from the system's users, because they are familiar with the
infrastructure and have access to its resources, but may be unaware of the risks. Moreover, using only
technological solutions to protect an organization’s assets is not enough; there is a need to consider the
human factor by raising users’ security awareness. Our contribution to this problem is to propose an
Information Security Awareness Program that aims at raising and maintaining the level of users’ security
awareness. This paper puts forward a general model for an information security awareness program and
describes how it could be incorporated into an organization’s website through the process of development
life cycle.
Malicious Insiders examines the role that insider play in sabotage, industrial espionage and fraud. We also examine how taking proactive steps reduces these risks.
Healthcares Vulnerability to Ransomware AttacksResearch questioSusanaFurman449
Healthcare's Vulnerability to Ransomware Attacks
Research question: To what extent is the healthcare system vulnerable to ransomware attacks?
This research aims to explain how the healthcare sector can become vulnerable to ransomware attacks. It will also discuss how the ransomware topic can influence practice. Methods and relevance for computer nursing to secure health information technology will be reviewed. Ransomware is a cyber-attack form that can damage a company and its IT infrastructure. A ransomware attack is a criminal cyber-attack using malware or software that blackmails a company to gain a money lift from its systems (Slayton, 2018). The software can delete personal data from computer systems except when a payment is made, and the cyber attacker provides the decryption key for unlocking the system. Many types of ransomware are available, and Intel Corp's McAfee Labs predict that these attacks will continue and their prevalence will increase. Comment by Mary Lind: nursing makes no sense here Comment by Mary Lind: what do you mean by form? Comment by Mary Lind: what is a money lift? Comment by Mary Lind: what software - the ransomware can delete anythign
This study examines the motivation of healthcare professionals to use theoretical protection theory (PMT) and deterrence theory to adopt security measures against ransomware attacks in a hospital setting (Rogers, 1975). These include perceived severe threats and perceived fear-mediated vulnerability. Misfitting rewards and reaction costs both have an important negative impact on motivation for protection. Effectiveness as a major coping factor is demonstrated. The results help to utilize fear and PMT in ransomware threats to influence protection motivation for healthcare devices. Comment by Mary Lind: for computers users in the hospital.
Target population
This research targets healthcare professionals, patients, and the general population because of the constant vulnerability of healthcare systems to ransomware attacks.
Methodology
In this research, we analyze the Healthcare's Vulnerability to Ransomware Attacks using quantitative research. Research involves healthcare professionals, patients, and the general population. The research will also review the safeguards that healthcare system users have implemented. Data will be analyzed via the Variance Analysis (ANOVA) various hypotheses that arise in the course of the research.
Findings
This makes the medical industry extremely sensitive to this criminal cyber-attack like ransomware due to advances in technology and extensive use of electronic medical documents. Many hospitals, such as Erie County Medical Center, have recently been affected by ransomware (ECMC). In April 2017, ECMC was affected by a ranking attack that shut down its IT systems after refusing to pay $30,000 to unlock it. Following the attack, they were obliged to return to the paper charts and maintained power outage operations by introducing urgent plans. Ransomwar ...
Toward Automated Reduction of Human Errors based on Cognitive AnalysisSherif Zahran
Following the immense development of cyber society where various activities including e-commerce take place,
the demands for security is rapidly growing. Among major
causes of security flaws is human error, which is unintentionally
caused by humans. To cope with that, we intend to build
a human error database that automatically develops further.
We conducted a survey on human factors and concluded that
the root causes of human errors are related to the internal
mental processes, and the cognitive-psychological methodology
is a feasible for the estimation of them. Based on that this
paper proposes a framework that consists of data collection
methods and data structure. It also explores the usability of
the data by presenting use cases of human error prevention
and incident handling.
An Improved Method for Preventing Data Leakage in an OrganizationIJERA Editor
Data is one of the most important assets an organisation has since it denes each organisations unique- ness.It
includes data on members and prospects, their inter- ests and purchases, your events, speakers, your content,
social media, press, your staff, budget, strategic plan, and much more. As organizations open their doors to
employees, part- ners, customers and suppliers to provide deeper access to sensitive information, the risk
sassociated with business increase. Now, more than ever, within creasing threats of cyber terrorism, cor- porate
governance issues, fraud, and identity theft, the need for securing corporate information has become paramount.
Informa- tion theft is not just about external hackers and unauthorized external users stealing your data, it is also
about managing internal employees and even contractors who may be working within your organization for
short periods of time. Adding to the challenge of securing information is the increasing push for corporate
governance and adherence to legislative or regulatory requirements. Failure to comply and provide privacy,
audit and internal controls could result in penalties ranging from large nes to jail terms. Non-compliance can
result in not only potential implications for executives, but also possible threats to the viability of a corporation.
Insiders too represent a sign cant risk to data security. The task of detecting malicious insiders is very
challenging as the methods of deception become more and more sophisticated. There are various solutions
present to avoid data leakage. Data leakage detection, prevention (DLPM) and monitoring solutions became an
inherent component of the organizations security suite.DLP solutions monitors sensitive data when at rest, in
motion, or in use and enforce the organizational data protection policy.These solutions focus mainly on the data
and its sensitivity level, and on preventing it from reaching an unauthorized person. They ignore the fact that an
insider is gradually exposed to more and more sensitive data,to which she is authorized to access. Such data
may cause great damage to the organization when leaked or misused. Data can be leaked via emails, instant
messaging, le transfer etc. This research is focusing on email data leakage monitoring, detection and
prevention. It is proposed to be carried out in two phases: leakage detection through mining and prevention
through encryption of email content.
HEALTHCARE IT: IS YOUR INFORMATION AT RISK? IJNSA Journal
Healthcare Information Technology (IT) has made great advances over the past few years and while these advances have enable healthcare professionals to provide higher quality healthcare to a larger number of individuals it also provides the criminal element more opportunities to access sensitive information, such as patient protected health information (PHI) and Personal identification Information (PII). Having an Information Assurance (IA) programallows for the protection of information and information systems andensures the organization is in compliance with all requires regulations, laws and directive is essential. While most organizations have such a policy in place, often it is inadequate to ensure the proper protection to prevent security breaches. The increase of data breaches in the last few years demonstrates the importance of an effective IA program. To ensure an effective IA policy, the
policy must manage the operational risk, including identifying risks, assessment and mitigation of identified risks and ongoing monitoring to ensure compliance.
If anything became clear this past year when it comes to cyber security, it’s that no one is immune from a successful attack. While a certain flow of news-making breaches are to be expected, this past year was more of a waterfall than a trickle. In addition to the many retailers that were breached, there was healthcare, eCommerce, government agencies, and well-known tech companies and financial services brands that are household names.
This HP playbook is designed to close the disconnect between how senior leadership at most enterprises are currently prepared to publically respond to a serious data breach and what they actually need to know and have in place to be successful.
Electronic Healthcare Record Security and Management in Healthcare Organizationsijtsrd
"This study aim sat identifying the current countermeasures used in protecting the Electronic Healthcare Record and how employees share their knowledge about the existence Electronic Healthcare Record security as well as countermeasures used in mitigating the threats and data breaches in healthcare organizations. A case study of Aminu Kano Teaching Hospital, Nigeria was used and qualitative research method was adopted where purposive and stratified random sampling was used. This led to construction of eleven relevant questions to four categories of staff. A conceptual frame work was proposed to quid the study and the findings we reevaluated using the proposed frame work. There sults revealed that there is lack of knowledge sharing among employees and some factors were found to be the resistance factors, this include educational background, behavior, low security awareness, personality differences and lack of management commitment. On the other hand, deterrent, preventive and organizational actions were partially practiced as countermeasures used to mitigate the threats and vulnerability of data breaches of Electronic Healthcare Records in Aminu Kano Teaching Hospital in Nigeria. Attahiru Saminu, CLN ""Electronic Healthcare Record Security and Management in Healthcare Organizations"" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Special Issue | International Conference on Advanced Engineering and Information Technology , November 2018, URL: https://www.ijtsrd.com/papers/ijtsrd19124.pdf
Paper URL: https://www.ijtsrd.com/other-scientific-research-area/other/19124/electronic-healthcare-record-security-and-management-in-healthcare-organizations/attahiru-saminu-cln"
An Overview of Intrusion Detection and Prevention Systems (IDPS) and Security...IOSR Journals
Technical solutions, introduced by policies and implantations are essential requirements of an
information security program. Advanced technologies such as intrusion detection and prevention system (IDPS)
and analysis tools have become prominent in the network environment while they involve with organizations to
enhance the security of their information assets. Scanning and analyzing tools to pinpoint vulnerabilities, holes
in security components, unsecured aspects of the network and deploying of IDPS technology are highlighted.
An Empirical Study on the Security Measurements of Websites of Jordanian Publ...CSCJournals
Most of the Jordanian universities’ inquiries systems, i.e. educational, financial, administrative, and research systems are accessible through their campus networks. As such, they are vulnerable to security breaches that may compromise confidential information and expose the universities to losses and other risks. At Jordanian universities, security is critical to the physical network, computer operating systems, and application programs and each area has its own set of security issues and risks. This paper presents a comparative study on the security systems at the Jordanian universities from the viewpoint of prevention and intrusion detection. Robustness testing techniques are used to assess the security and robustness of the universities’ online services. In this paper, the analysis concentrates on the distribution of vulnerability categories and identifies the mistakes that lead to a severe type of vulnerability. The distribution of vulnerabilities can be used to avoid security flaws and mistakes.
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVESijcsit
Increasingly, all kinds of organizations and institutions are adopting the E-business model to conduct their
activities and provide E-Services for their customers. In the process, whether they know it or not, those
organizations are also opening themselves up to the risk of information security breaches. Therefore
protecting an organization’s ICT infrastructure, IT systems, and Data is a vital issue that is often
underestimated. Research has shown that one of the most significant threats to information security comes
not from external attack but rather from the system's users, because they are familiar with the
infrastructure and have access to its resources, but may be unaware of the risks. Moreover, using only
technological solutions to protect an organization’s assets is not enough; there is a need to consider the
human factor by raising users’ security awareness. Our contribution to this problem is to propose an
Information Security Awareness Program that aims at raising and maintaining the level of users’ security
awareness. This paper puts forward a general model for an information security awareness program and
describes how it could be incorporated into an organization’s website through the process of development
life cycle.
Malicious Insiders examines the role that insider play in sabotage, industrial espionage and fraud. We also examine how taking proactive steps reduces these risks.
Healthcares Vulnerability to Ransomware AttacksResearch questioSusanaFurman449
Healthcare's Vulnerability to Ransomware Attacks
Research question: To what extent is the healthcare system vulnerable to ransomware attacks?
This research aims to explain how the healthcare sector can become vulnerable to ransomware attacks. It will also discuss how the ransomware topic can influence practice. Methods and relevance for computer nursing to secure health information technology will be reviewed. Ransomware is a cyber-attack form that can damage a company and its IT infrastructure. A ransomware attack is a criminal cyber-attack using malware or software that blackmails a company to gain a money lift from its systems (Slayton, 2018). The software can delete personal data from computer systems except when a payment is made, and the cyber attacker provides the decryption key for unlocking the system. Many types of ransomware are available, and Intel Corp's McAfee Labs predict that these attacks will continue and their prevalence will increase. Comment by Mary Lind: nursing makes no sense here Comment by Mary Lind: what do you mean by form? Comment by Mary Lind: what is a money lift? Comment by Mary Lind: what software - the ransomware can delete anythign
This study examines the motivation of healthcare professionals to use theoretical protection theory (PMT) and deterrence theory to adopt security measures against ransomware attacks in a hospital setting (Rogers, 1975). These include perceived severe threats and perceived fear-mediated vulnerability. Misfitting rewards and reaction costs both have an important negative impact on motivation for protection. Effectiveness as a major coping factor is demonstrated. The results help to utilize fear and PMT in ransomware threats to influence protection motivation for healthcare devices. Comment by Mary Lind: for computers users in the hospital.
Target population
This research targets healthcare professionals, patients, and the general population because of the constant vulnerability of healthcare systems to ransomware attacks.
Methodology
In this research, we analyze the Healthcare's Vulnerability to Ransomware Attacks using quantitative research. Research involves healthcare professionals, patients, and the general population. The research will also review the safeguards that healthcare system users have implemented. Data will be analyzed via the Variance Analysis (ANOVA) various hypotheses that arise in the course of the research.
Findings
This makes the medical industry extremely sensitive to this criminal cyber-attack like ransomware due to advances in technology and extensive use of electronic medical documents. Many hospitals, such as Erie County Medical Center, have recently been affected by ransomware (ECMC). In April 2017, ECMC was affected by a ranking attack that shut down its IT systems after refusing to pay $30,000 to unlock it. Following the attack, they were obliged to return to the paper charts and maintained power outage operations by introducing urgent plans. Ransomwar ...
Identity Theft ResponseYou have successfully presented an expaLizbethQuinonez813
Identity Theft Response
You have successfully presented an expanded Mobile Device Management Policy, which was approved by the CEO. He now wants you to work on a response plan for identity theft, which you proposed a few weeks earlier as part of a series of four cybersecurity projects.
The CEO says to you, "The Incident Response Plan will be our company's action plan to recover should the 'worst' occur. In our case, the 'worst' would be a breach of the company's security that could occur through the theft of customers' personally identifiable information, possibly through an individual's mobile device. Such a breach could compromise the integrity of the financial institution's data."
The CEO continues: “It is your responsibility to be fully prepared, and I want you to ask your team some ‘What if’ questions.”
“Specifically, I want you to ask: What if our customer information system is compromised internally by a misguided employee? What do we do? And, What if the system is breached by an external hacker and all our customer records are exfiltrated and/or deleted? How would we respond?”
You know that any stolen identity might be that of an employee and/or the identities within the customer information module, which would affect a large number of accounts. Either way, even the slightest breach would be serious, and not having an approved, executable plan of action would only compound the problem. Any lack of regulatory compliance by the organization could also be brought to light.
The CEO closes by saying, “A comprehensive plan for identity theft response is mandatory, and it will receive a lot of scrutiny from senior leadership. Everyone in the company realizes it is a critical component of our success and continued operation. I’m counting on you to do it well.”
Identity theft is becoming more common as technology continues to advance exponentially. Mobile devices, applications, and email make it more convenient for individuals to access records and financial accounts, but also increase the risk of identity theft.
As the CISO, you will be drafting an incident response plan to address identity theft for your financial organization.
Identity Theft Response is the second of four sequential projects in this course. The final plan will be about 10-12 pages in length. There are 16 steps in this project and it should take about 14 days to complete. Begin with Step 1, where you will identify types of cyberattacks in which personally identifiable information could be vulnerable.Competencies
Your work will be evaluated using the competencies listed below.
· 1.3: Provide sufficient, correctly cited support that substantiates the writer's ideas.
· 2.2: Locate and access sufficient information to investigate the issue or problem.
· 8.4: Design an enterprise cybersecurity incident response plan.
Project 2: Identity Theft Response
Step 1: Identify Potential PII Attacks
Since this project will require an enterprise cybersecurity incident response plan with ...
Running Head: INFORMATION SECURITY VULNERABILITY 2
Information Security Vulnerability
Introduction
The most important part of any business or organization information is the security infrastructure. All information big or small, sensitive or insensitive must be protected by some degree of information security. "Navigating the multitude of existing security standards, including dedicated standards for information security and frameworks for controlling the implementation of IT, presents a challenge to organizations. Adding to the challenge is the increase in activities of terrorist groups and organized criminal syndicates” (Sipior & Ward, 2008).
Threats and Vulnerabilities
Threats and vulnerabilities are a common occurrence in regards to computer security. Computer networks that are flawed and weak are vulnerable to be exploited. The exploitation of computer networks can be done by terrorist, hackers, and an organizations or business on employee. "Inexperience, improper training, and the making of incorrect assumptions are just a few things that can cause these misadventures" (Whitman & Mattord, 2009, p. 42).
Problem Statement:
What is the protocol if an organization or business most critical information is leaked or hacked that can cause grave damage to an organization, business, or customers account information? What would be the financial situation to recover from such attack with the network? The following questions are a few questions that top management must have in information security policies.
It is most likely that any organization or business profits would decrease and the reputation of each would change. With that comes the legality responsibility of the organization or business. Owning up to a security breach within an organization or business can be detrimental to the overall health of finances throughout the organization or business as well as notifying all parties involved in the breach. Having coverage such as insurance to protect the organization or business is a must and also a great deal to protect the reputation, assets, and continue functioning overall. "Although every state breach notification law covers businesses, there are differences regarding coverage of other entities such as government agencies and third-party storage providers, as well as differences regarding the information each law defines as 'personal'" (Shaw, 2010).
Relevance and Significance:
There will always be some type of glitch with in a computer network that may deter the system from being fully secured unless the computer is not being used. Information security program goals is to deliver a level of security platforms that supports the organization or business security infrastructure at its best by meeting all requirements set forth through the policy and controls and keeping the bad guys out.
Key Concepts
Confidentiality, integrity, and availability are the largest threats of sensitive information. The need to know must be .
Before the Breach: Using threat intelligence to stop attackers in their tracks- Mark - Fullbright
All information, data, and material contained, presented, or provided on is for educational purposes only.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners.
It is not to be construed or intended as providing legal advice.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only.
17 U.S. Code § 107 - Limitations on exclusive rights: Fair use
Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.
Classmate 1Cybersecurity risk can be characterized as the ris.docxbartholomeocoombs
Classmate 1:
Cybersecurity risk can be characterized as the risk emerging from pernicious electronic or Non-electronic occasions influencing information innovation assets of firms, regularly bringing about the disturbance of business and budgetary misfortune. The significance of cybersecurity has become in the course of the most recent couple of decades with the fast development of electronic gadgets and the web (Biener, Eling, and Wirfs, 2015). Physical items where information and information were utilized to be put away, for example, records, floppy plates, and tapes are not, at this point utilized and practically all individuals store their own and work information electronically now.
Information is put away in a confined private system at work while at home individuals store their private information, for example, photographs, messages, and so on in their messages or even or cloud administrations, for instance, the Apple cloud where Apple iPhone clients will have their information continually upheld. This individual information may contain by and by recognizable information too, for example, the information that can be contained in an individual driver's permit, for example, date of birth, address (Fazlida, and Said, 2015). For the assailants, PII information is truly significant and thus they target global organizations where they could get this PII information effectively which can be connected with the client's record and their installment information.
We see a great deal of cyber-assault happening to global organizations, for example, Target and Home-stop along these lines. From a mechanical standpoint, firms regularly share associated risks and vulnerabilities of being penetrated together because of the use of normal security advances and the availability of PC systems. In the above articulation, we can see that all organizations have risks and vulnerabilities in their system which should be appropriately redesigned and checked to be made sure about. We additionally observe government databases being hacked from remote nationals to pick up the necessary information or PII of assets they are quick to acquire (Biener, Eling, and Wirfs, 2015). In this manner, we can say that cybersecurity isn't only a business danger yet, in addition, a matter of national security.
As an IT administrator, there are a few different ways I would attempt to deal with the IT risks inside my organization (Pei-Yu, Kataria, and Krishnan, 2011):
1. I would initially do a constant risk evaluation and distinguish the risks which are generally essential and touchy to the organization and make a rundown of basic resources, recognized risks, and future potential risks that would be tended to. The prioritizations of these risks are significant and likewise to include the administration about this.
2. The risk proprietors can possess the organized risks and work with the group to relieve these risks and record it. The most noteworthy risks are to be killed first.
Systems Thinking on a National Level, Part 2Drew David.docxperryk1
Systems Thinking on a National Level, Part 2
Drew Davidson, Eric Sinclair Banyon, Shady Navarro, Shalamar Santana, Ziomara Pagan, & Stephanie Jean Coute
MHA/505
February 11, 2019
Rachael Kehoe
Running head: SYSTEMS THINKING ON A NATIONAL LEVEL, PART 2
1
SYSTEMS THINKING ON A NATIONAL LEVEL, PART 2
10
Systems Thinking on a National Level, Part 2
Cybersecurity breaches in the Healthcare industry pose a significant threat to those organizations. According to Gordon et al., cybersecurity breaches not only affect the patient’s information but it can also affect the organization's creditability (2017). When an organization creditability comes into question due to a cybersecurity breach, that organization may lose customers due to the fear of their information not being appropriately protected. In Healthcare it is crucial that we understand the impact of cybersecurity breaches. Most of the major hospital in the United States are using electronic medical records (EMR). A lot of hackers are using phishing methods to trick hospital and breaching their security protocol by tricking staff members into disclosing sensitive and personal information (Winder, 2014). Therefore, the following will discuss way cyber security breaches happen in the healthcare industry and way to prevent them from happening in the future.
Cyber Security Breach Diagram
Malicious and Non-Malicious
Cyber security breaches in healthcare can happen in several different ways. These different types of breaches can either be malicious or non-malicious. A malicious cyber security breech in healthcare, is when an individual or individuals purposely hacked into and attack or gain unauthorized access to members PII. Unauthorized access (such as hacking) to protected healthcare systems is the result of malicious behavior, things like holding the system ransom or stealing private information are acts of malicious behavior (Katz, 2018). Penetrating a system manually and disabling the systems defenses or by downloading software programs are other types of malicious behavior. Hacking is a malicious behavior, but just because the system is hack doesn’t necessarily mean any personal information is compromised. A number malicious cyber security breach may not be done intentionally but can cause just as many issues as a malicious cyber security breech. When data is unintentionally left exposed to an authorized access it is a non-malicious behavior. Cyber security breaches in healthcare can be the result of employee error or negligence. In healthcare malicious behavior is a portion of the inflow of cyber security breaches and non-malicious behavior is the portion of the outflow of a cyber security breech.
Eavesdropping
As a group, we have identified a multitude of cybersecurity breaches that are growing concerns amongst the healthcare providers and companies that offer their services to the community. Another one of these concerns’ hails in the form of eavesdropping. Eavesdropping is a d.
How to secure information systemsSolutionAnswerInformation.pdfrohit219406
How to secure information systems?
Solution
Answer:
Information security:
Information security, sometimes shortened to InfoSec, is the practice of halting unauthorized
access, use, revelation, disordering, modification, investigation, recording or destruction of
information. It is a general term that can be used regardless of the form the data may take (e.g.
electronic, physical).
Since the advent of the internet and increased expansion of computer based technology in
today\'s corporations, information security breaches have increased at an alarming rate. While
businesses take a more cautious approach to how they handle IT security threats, these are
becoming increasingly complex and sophisticated. Denial-of-service attacks, software tampering
(e.g. Trojan horses and computer viruses) and social engineering techniques (e.g. phishing) are
some examples becoming prevalent. While we often times hear of the more widely publicized
embezzlement, money laundering, burglary and bribery statistics, data has shown that companies
have seen greater losses from losses attributed to information security breaches.
One of the most effective ways to prevent criminals from accessing and compromising
confidential company information is to implement an effective information security plan and
properly train firm employees accessing the system. Additionally, companies should implement
a dynamic and independent third party auditor to frequently test the adequacy of their security
system. Lastly, key responsibilities within the information security chain should be segregated
and rotated frequently. If companies follow these three basic tenets, they will be one step closer
to the effective security of their information.
Threats to Information Systems:
Information security threats come in many different forms. Some of the most common threats
today are software attacks, theft of intellectual property, identity theft, theft of equipment or
information, sabotage, and information infiltration Some of the most prevalent types of data
infiltration include input manipulation, program manipulation, data input manipulation, data
stealing, and outright sabotage. The most frequent type associated with this form of fraud is
manipulation of the data. The reason for this most common is because the criminal requires the
less amount of skill.
Most people have experienced software attacks of some sort. Viruses, worms, phishing
attacks, and Trojan horses are a few common examples of software attacks. Governments,
military, corporations, financial institutions, hospitals and private businesses amass a great deal
of confidential information about their employees, customers, products, research and financial
status. Most of this information is now collected, processed and stored on electronic computers
and transmitted across networks to other computers.
Implementing a Information Security System:
With so many different ways and so much potential for breaches to information security
systems.
SECURITY AND SAFETY OF THE POWER GRID AND ITS RELATED COMPUTER INF.docxbagotjesusa
SECURITY AND SAFETY OF THE POWER GRID AND ITS RELATED COMPUTER INFORMATION SYSTEMS 1
Security and safety of the power grid and its related computer information systems
Name of the student:
Name of the institution:
There have been increased use and application of information and communication technologies in most of critical infrastructures and departments of the government. They have proved to be fundamentally significant in helping the various departments to carry out their daily activities with a lot of ease and proficiency. However, these systems have also opened quite a considerable unforeseen opportunity both positive and negative. The infrastructures have become highly efficient and flexible and this has been very beneficial to the people. On the other hand, there have been persistent problems with cybercrimes and hackers who have outsmarted the government and the set securities protocols every now and then. This has made the state lose billions of dollars in a theft of its secrets and high-level information. In this case, it is right to analyze all the general impacts that can be put in place to prevent cybercrimes as well as threats. It is hence important to validate all the necessary measures that need to be put in place in every organization. The paper will hence give recommendations that can help the named organization solve the issues mentioned.
To address this issue, proper precautions needs to be put in place. The government has to demonstrate preparedness in combating this crime both in terms of systems put in place and also the legal jurisprudence (Higgins, 2016). The US power grid system is an interconnected system that is made up of power generation, transmissions software, and its distribution with a capacity to bring down the whole economy if not well protected. The nation's department of defense (DoD) is one of the most critical and sensitive institutions that can paralyze the state if tampered with by unscrupulous individuals. The situation is even worse if there is an advanced persistent threat (APT) against computers and software that operates the western interconnection power grid. This needs an urgent measure to remove the threat immediately and avoid its reoccurrence. We recommend the following security and safety of the power grid and its related computer information systems are taken by the concerned departments:
a. Creation of a special branch that is specifically dedicated to cyber security
It is high time for the government to come up with a special branch of the military personnel that will be dedicated to fighting cybercrimes (Higgins, 2016). Its main function will be to detect cybercrime activities, to develop mechanisms to prevent cybercrimes, apprehend, arrest and align cyber criminals in a court of law.
b. Creation of special court to determine cybercrime cases
Security and safety of the power grid and its related computer information systems and those crimes associated w.
Intro to Information AssuranceModule 3Chaston Carter0417.docxnormanibarber20063
Intro to Information Assurance
Module 3
Chaston Carter
04/17/17
Target Corporation
Target has had many ethical challenges over the years but one of the biggest ones they have encountered was the a credit and debit card data breach thought to have exceed ed $700 million which was the biggest retail hacking in U.S. history to date. While this is serious, what is even more serious is that Target had clear warning signs that hacking was occurring, but due to the lack of action the hacking continued within the organization. It was estimated that close to 70 million people had their personal data stolen. That information consisted of names, mailing addresses, phone numbers and email addresses. Not only was it personal information shared , but a-lot of people encountered unauthorized, charges on their credit card or debit card. The organization was shocked at the amount of people that were affected by this recent attack.
I had only 10 days to implement changes to its security policies, to prevent this from happening again. The ultimate goal was to come up with quick solutions to solve this problem. My first goal was to develop a written information security program, which would ultimately document potential security risk. Since the confidentiality of the customers information is a important key factor. The goal of the whole credit breach is to prevent customers information from getting stolen . We can start by eliminating the problem, by offering security training to current workers, this would not only educate them but they would learn the importance of safeguarding personal information , and it will allow them to learn when to be alert to potential threats. To insure integrity in the organization a system must be put in place to detect any changes in data that might cause the server to crash when making a purchase, or interfere when a customers makes a purchase at a target store.
To Ensure Availability in Target Corporation , we would maintain all certain possible customers information, to prevent any data from being lost, data could be store in a isolated protected location. One of the main issues with the credit cards hacked in the breach was that when the cards were swiped the magnetic strip on the back contained unchanging data. Whoever accessed the data got ahold of information necessary to make purchases. Which eventually made traditional cards prime targets for counterfeiters. The problem with Target corporation is that they had no real structure on how to be alerted when there was suspicious activity in a customers account. The main objective for this information assurance plan is to develop an alerting system that will alert a middle man when there is suspicious, or unusual activity in a customers account.
Even Though , target already had current policies in place, six months prior to hackers
getting into their security system . They had beg.
System Dynamics Based Insider Threats ModelingIJNSA Journal
Insider threat has been recognized as one of the most dangerous security threats and become a much more complex issue. Insider threat is resulted from the legitimate users abusing their privileges and cause tremendous damage or losses. Not always being friends, insiders can be main threats to the organization. Currently, there is no equivalent prevention solution for insider threat to an intrution prevention system or vulnerability scanner. From the survey of literature of insider threat studies, we conclude that the system dynamics (SD) is an effective tool to analyze the root causes of insider threat incidents and evaluate mitigation strategies from people, process, and technology perspectives. A generized case based SD model can be tailored and applied to analyze and evaluate specific insider threat incidents. We
present a well known insider threat incident of Taiwan and tailor the generized case based SD model to analyze it. The simulation results indicate that the risk of insider threats can be reduced and the probability of detecting insider threats can be increased.
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfTechSoup
In this webinar you will learn how your organization can access TechSoup's wide variety of product discount and donation programs. From hardware to software, we'll give you a tour of the tools available to help your nonprofit with productivity, collaboration, financial management, donor tracking, security, and more.
This is a presentation by Dada Robert in a Your Skill Boost masterclass organised by the Excellence Foundation for South Sudan (EFSS) on Saturday, the 25th and Sunday, the 26th of May 2024.
He discussed the concept of quality improvement, emphasizing its applicability to various aspects of life, including personal, project, and program improvements. He defined quality as doing the right thing at the right time in the right way to achieve the best possible results and discussed the concept of the "gap" between what we know and what we do, and how this gap represents the areas we need to improve. He explained the scientific approach to quality improvement, which involves systematic performance analysis, testing and learning, and implementing change ideas. He also highlighted the importance of client focus and a team approach to quality improvement.
Unit 8 - Information and Communication Technology (Paper I).pdfThiyagu K
This slides describes the basic concepts of ICT, basics of Email, Emerging Technology and Digital Initiatives in Education. This presentations aligns with the UGC Paper I syllabus.
We all have good and bad thoughts from time to time and situation to situation. We are bombarded daily with spiraling thoughts(both negative and positive) creating all-consuming feel , making us difficult to manage with associated suffering. Good thoughts are like our Mob Signal (Positive thought) amidst noise(negative thought) in the atmosphere. Negative thoughts like noise outweigh positive thoughts. These thoughts often create unwanted confusion, trouble, stress and frustration in our mind as well as chaos in our physical world. Negative thoughts are also known as “distorted thinking”.
The Art Pastor's Guide to Sabbath | Steve ThomasonSteve Thomason
What is the purpose of the Sabbath Law in the Torah. It is interesting to compare how the context of the law shifts from Exodus to Deuteronomy. Who gets to rest, and why?
Ethnobotany and Ethnopharmacology:
Ethnobotany in herbal drug evaluation,
Impact of Ethnobotany in traditional medicine,
New development in herbals,
Bio-prospecting tools for drug discovery,
Role of Ethnopharmacology in drug evaluation,
Reverse Pharmacology.
How to Create Map Views in the Odoo 17 ERPCeline George
The map views are useful for providing a geographical representation of data. They allow users to visualize and analyze the data in a more intuitive manner.
Instructions for Submissions thorugh G- Classroom.pptxJheel Barad
This presentation provides a briefing on how to upload submissions and documents in Google Classroom. It was prepared as part of an orientation for new Sainik School in-service teacher trainees. As a training officer, my goal is to ensure that you are comfortable and proficient with this essential tool for managing assignments and fostering student engagement.
Students, digital devices and success - Andreas Schleicher - 27 May 2024..pptxEduSkills OECD
Andreas Schleicher presents at the OECD webinar ‘Digital devices in schools: detrimental distraction or secret to success?’ on 27 May 2024. The presentation was based on findings from PISA 2022 results and the webinar helped launch the PISA in Focus ‘Managing screen time: How to protect and equip students against distraction’ https://www.oecd-ilibrary.org/education/managing-screen-time_7c225af4-en and the OECD Education Policy Perspective ‘Students, digital devices and success’ can be found here - https://oe.cd/il/5yV
ESC Beyond Borders _From EU to You_ InfoPack general.pdf
Ijnsa050201
1. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
INCIDENT RESPONSE PLAN FOR A
SMALL TO MEDIUM SIZED HOSPITAL
Charles DeVoe1 and Syed (Shawon) M. Rahman, Ph.D.2
1
Capella University, Minneapolis, USA
cdevoejr@capellauniversity.edu
2
Computer Science Faculty, University of Hawaii-Hilo, Hilo, USA
and Adjunct Faculty, Capella University, Minneapolis, USA
SRahman@Hawaii.edu
ABSTRACT
Most small to medium health care organizations do not have the capability to address cyber incidents
within the organization. Those that do are poorly trained and ill equipped. These health care
organizations are subject to various laws that address privacy concerns, proper handling of financial
information, and Personally Identifiable Information. Currently an IT staff handles responses to these
incidents in an Ad Hoc manner. A properly trained, staffed, and equipped Cyber Incident Response Team
is needed to quickly respond to these incidents to minimize data loss, and provide forensic data for the
purpose of notification, disciplinary action, legal action, and to remove the risk vector. This paper1 will use
the proven Incident Command System model used in emergency services to show any sized agency can
have an adequate CIRT.
KEYWORDS
Incident Response, Cyber Incidents, Incident Response Team, HIPAA, HITECH Act
1 Introduction
Many small to medium health care organizations often fail to see the need for a Computer
Incident Response Team (CIRT) or feel they do not have the resources needed to implement one.
This paper will address the need and justification for a CIRT as well as explain how to implement
one with limited resources. First there will be a discussion considering the legal implications
which also addresses the ethical needs for protecting patient information including Personally
Identifiable Information (PII). Subsequent to this a brief overview of the Incident Response
process will be given. The following sections will describe the methodology, the Emergency
Services Incident Command System (ICS), followed by an adaption of the ICS to the CIRT. The
paper ends with a discussion of the skill set required by CIRT members and the tools they will
need.
1
This work is partially supported by EPSCoR award EPS-0903833 from the National Science
Foundation (NSF) to the University of Hawaii, USA
DOI : 10.5121/ijnsa.2013.5201 1
2. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
It is important to recognize that no institution is exempt from attack or compromise. In January
of 2012 the Multi-State Information Sharing and Analysis Center (MS-ISAC) published its list of
emerging trends and threats for 2012 [ HYPERLINK l "Pel12" 1 ]. The MS-ISAC lists the
following emerging trends and threats:
• Mobile devices and Applications – The use of mobile devices and applications continue
to grow. As they grow so do the attacks and the attack vectors.
• Hacktivism – Attacks carried out by activist to send a political or social message. Groups
include Anonymous and Lulz.
• Search Engine Optimization (SEO) Poisoning - Cyber criminals will take advantage of
the 24-hour news cycle to target visitors searching on the most popular keywords or sites
and infect users via sites designed to look like legitimate news services, Twitter feeds,
Facebook posts/emails, LinkedIn updates, YouTube video comments, and forum
conversations. We expect cyber criminals to take advantages of notable news events such
as the London Olympics, U.S. presidential elections, and Mayan calendar predictions.
• Social Engineering - The use of rogue anti-virus to entice users into clicking on malicious
links, fake registry cleanup, fake speed improvement software, and fake back-up software
mimicking popular personal cloud services.
• Advanced Persistent Threat - a long-term pattern of targeted hacking attacks using
subversive and stealthy means to gain continual, persistent exfiltration of intellectual
capital.
• Spear Phishing Attacks – These attacks are targeted at particular individual and appear to
be legitimate emails. This attacks are typically conducted by a person seeking financial
gain, trade secrets or sensitive information
Each and every one of these threats has a human element to it. Humans unlike machines, do
make mistakes, are prone to errors, and can be coerced into giving out information that is
personal in nature or proprietary. Given all of this, there is no reason to believe that the number
of incidents will decline; in fact, given the ever increasing sophistication of the hackers it is
believed the number of incidents will increase 1].
In April of 2011 it was reported that since 2009, 10.8 million people have been affected by data
breaches according to The U.S. Department of Health and Human Services. These breaches
occurred in 265 separate incidents [ HYPERLINK l "How11" 2 ]. Incidents include things like
loss of equipment, improperly handling obsolete data, attack from a hacker, phishing, social
engineering, and infection via email or visiting a malicious web site. Once an incident occurs it is
critical that it be handled properly to determine the extent of the problem and to minimize the
impact.
The Information Technology (IT) group will typically focus on making the system operational
again. That is, they will rebuild the system, clean the system to remove the infection, restore the
system from backup, block the attacking vector, or a combination of these. There is much more
that is needed to properly handle, the incident and ensuing investigation; forensic data is required
to determine what data if any was taken, by whom, and how. Obtaining the evidence allows the
organization to determine what entities have been affected. Additionally, it addresses if there is
the need for personnel actions, if law enforcement should be involved, or both. This information
can then be used by the organization to patch holes; change polices; or fix the problem.
2
3. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
For these reasons a dedicated Cyber Incident Response Team (CIRT) is needed to properly
respond to incidents and gather evidence. A CIRT focuses on six functions Preparation,
Identification, Containment, Eradication, Recovery, and Follow Up 3]. These functions will
assure a systematic and appropriate response enabling a rapid and thorough recovery, minimizing
the loss of data and downtime. Following proper procedures will preserve system data such that
a forensic analysis can be done. This analysis will provide details of how, when, where, and
what. Knowing this the organization can prevent future incidents over the same attack vector and
detect evidence to support personnel and legal actions. This data is also necessary to support
reporting requirements to individuals as well as regulatory agencies. It is imperative that senior
management supports the effort and provides proper authority to operate the CIRT.
1.1 Background of the Study
Most health care organizations have implemented and installed preventive measures that include
firewalls at the border, Intrusion Protection System (IPS), host based Intrusion Detection System
(IDS), anti-virus software, WEB content filtering (i.e. WebSense), and switched networks
(segmenting functional groups). End users have been trained in proper procedure and the
safeguarding of information. Strong, effective, policies have been developed to protect
information. Even with all of this protection, breaches, infections, and human errors will still
happen. Equipment is lost, stolen, or misplaced. Anti-virus software only detects 50% of all
viruses and is vendor dependent [ HYPERLINK l "Vir12" 4 ]. New viruses are constantly being
developed and old ones are modified to avoid detection. Not only must the hospital protect
corporate data and systems, it must also protect industrial control systems, and the physical access
electronic. Even the best protection plans can be breached.
When an incident is discovered in the current system an ad hoc response is executed. System
administrators and technicians who are untrained in incident response will first attempt to get the
system operational before attempting to preserve evidence or determine the extent of the breach.
2 Legal and Ethical Implications
While many laws apply to computer crimes special attention must be given to the rights and
protections of the individual when responding to an incident. Of primary concern here are the 4th
amendment protections of the U.S. Constitution, the Computer Fraud and Abuse Act, and the
Electronic Communications Privacy Act. Each incident should be approached form the point of
view that a crime has been committed; this provides the highest level of diligence and assures
proper evidence gathering. It is imperative that the rights of the individual be protected so as to
not violate due process.
Additionally, the responder must be aware of their responsibilities and limits; one could actually
face criminal or civil penalties or legal action if proper procedures are not followed. This section
will address these concerns. The content in this section is not meant to be an exhaustive
examination of the legal issues, it is meant to bring awareness about the laws involved.
2.1 HIPAA
The hospital is a covered entity under the HIPAA privacy rule. As such the Protected Health
Information (PHI) of patients must be safeguarded and handled appropriately. Improperly
3
4. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
handing this information creates an incident. PHI is any information that relates to the person’s
past, present and future health condition, the care received, or anything to do with payments.
Employment records are exempt 5]. There are no restrictions on de-identified information.
In general the data may be used and released to the individual; for treatment, payment, and health
care operations; for the public interest and benefit; and limited data sets where the PHI has been
removed. In the case of the public interest or benefit, PHI may be released to law enforcement;
workers compensation; when there is a serious threat to health and safety; Health oversight
activities; Victims of abuse neglect or domestic violence; and for Public Health Activities [
HYPERLINK l "HIP09" 6 ] . PHI is not to be used for marketing or any other unauthorized
purpose.
2.2 HITECH Act
The HITECH Act was implemented as part of the American Recovery and Reinvestment Act of
2009. Under this act HIPAA was strengthened to include fines, and a data breach notification 7].
In order to determine if a breach actually occurred the Hospital must perform an investigation to
determine what data may have been breached. Civil Penalties are listed in Table 1:
Table 1 – List of HITECH Civil Penalties [ HYPERLINK l "HIP09" 6 ]
Violation category Each violation All such violations of an identical
provision in a calendar year
Did Not Know $100–$50,000 $1,500,000
Reasonable Cause $1,000– $1,500,000
$50,000
Willful Neglect—Corrected $10,000– $1,500,000
$50,000
Willful Neglect—Not $50,000 $1,500,000
Corrected
2.3 Amendment IV
The right of the people to be secure in their persons, houses, papers, and effects, against
unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon
probable cause, supported by oath or affirmation, and particularly describing the place to be
searched, and the persons or things to be seized.
The fourth amendment protections only apply in cases where law enforcement or the government
are involved 8]. Government involvement includes actions performed on behalf of a government
representative. As an example of this, a system administrator can view the files on a server of a
user and there are no fourth amendment protections. However, if a member of law enforcement
asks the same administrator to view those files the administrator is now working at the direction
of law enforcement and fourth amendment protections apply. In this case a search warrant is
required.
4
5. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
It should also be noted that there are no Fourth Amendment protections in all cases where the
government is involved. For there to be a fourth amendment issue there must first be a
reasonable expectation of privacy. In Katz v. United States, 389 U.S. 347 (1967), the Supreme
Court held that the Fourth amendment protects people not places. Justice Stewart issuing the
majority opinion stated: "What a person knowingly exposes to the public, even in his own home
or office, is not a subject of Fourth Amendment protection. But what he seeks to preserve as
private, even in an area accessible to the public, may be constitutionally protected." [
HYPERLINK l "Joh67" 9 ] There are also no fourth amendment protections for items that
are in plain view.
In the age of high technology with enhanced viewing capabilities the question of using thermal
imaging devices, highly sensitive listening systems, Satellite imagery, etc. have come into
question. In KYLLO V. UNITED STATES 10] Kyllo held that the use of a thermal imaging
camera to detect heat emanating from the home was a violation of the fourth amendment. In this
case Agent William Elliott used an infrared camera from the public street to scan the residence to
detect the use if high intensity lights in an indoor marijuana growing operation. The government
argued that the camera only measured the IR coming from the part of the structure that was in
plain view and thus did not violate any rights. However, the justices applied Katz to this ruling
stating, “We rejected such a mechanical interpretation of the Fourth Amendment in Katz, where
the eavesdropping device picked up only sound waves that reached the exterior of the phone
booth. “ In concluding Justice Scalia stated “Where, as here, the Government uses a device that
is not in general public use, to explore details of the home that would previously have been
unknowable without physical intrusion, the surveillance is a “search” and is presumptively
unreasonable without a warrant.”
Interestingly in DOW CHEMICAL CO. v. UNITED STATES [ HYPERLINK l "Bur86" 11 ]
the courts found that the use of aerial photography was acceptable: The Court notes that EPA did
not use "some unique sensory device that, for example, could penetrate the walls of buildings and
record conversations." Nor did EPA use "satellite technology" or another type of "equipment not
generally available to the public."
For the incident responder at this company fourth amendment rights are not of much concern
unless law enforcement or the government are involved. In those cases it the responder needs to
be aware of these restrictions and assure that law enforcement is acting appropriately. It is
imperative that the employees react appropriately to request from law enforcement; should there
be questions or issues the request should be forwarded to the legal department and senior
management.
2.4 Computer Fraud and Abuse Act
This is the first law specifically targeting computers and computer systems. The law targets
systems under direct control of a federal entity, financial institution, or computers involved in
commerce. This law made it a crime to gain unauthorized access to computer system to gain
information concerning national security, financial records, or information from any agency
within United States government. Originally passed in 1984 this law has seen several revisions.
5
6. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
The Computer Fraud and Abuse Act (CFAA) covers crimes where the perpetrator has
“knowingly accessed a computer without authorization or exceeding authorized access,” 12]. It is
generally accepted that without authorization pertains to outsiders (hackers) while exceeding
authorized access applies to insiders. The CFAA covers seven areas:
• obtaining national security information
• compromising confidentiality
• trespassing in a government computer
• accessing to defraud and obtain value
• damaging a computer or information
• trafficking in passwords
• threatening to damage a computer
The incident responder needs to be highly cognizant and fully aware if this law for two reasons.
The responder must assure that they do not break the law by exceeding their authority or
authorized access. Secondly, the responder must be able to identify potential acts of criminal
activity.
2.5 Electronic Communications Privacy Act
2.5.1 THE ELECTRONIC COMMUNICATIONS PRIVACY ACT
This law deals with the “Interception and disclosure of wire, oral, or electronic communications”
as stated in 18 U.S.C. § 2510-22 (Title I) (United States Code: Title 18,CHAPTER 119); Title I
of this law prohibits the interception of electronic communications. It also prohibits the use and
manufacture of devices intended to intercept electronic communications. However as with most
laws there are exceptions; the law provides Internet Service Providers (ISP) with the authority to
intercept communications “in the normal course of his employment while engaged in any activity
which is a necessary incident to the rendition of his service”. This law also provides procedures
for law enforcement in the event that surveillance of electronic communications is required. It
also prohibits the use of illegally obtained information as evidence. This law was originally
passed in 1986.
2.5.2 STORED COMMUNICATIONS ACT
18 U.S.C. § 2701-12 (Title II) covers “Stored wire and electronic communications and
transactional records access” (United States Code: Title 18, CHAPTER 121). This law addresses
unauthorized access (including privilege escalation) for users who “…obtains, alters, or prevents
authorized access to a wire or electronic communication while it is in electronic storage”. This
law also has exceptions allowing the owner of the system for maintenance, backups, and other
needed services. Of interest in this section is that if the owner the system finds evidence of “…an
emergency involving danger of death or serious physical injury to any person” or in cases of child
exploitation. This law was originally passed in 1986.
2.6 Security Breach Notification
According to The National Council of State Legislatures “Forty-six states, the District of
Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation
6
7. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
requiring notification of security breaches involving personal information.” [ HYPERLINK l
"Nat12" 13 ]. The importance here is that the organization must determine what data was
breached and whom notification must go to. It is in the best interest of the organization to keep
the number of notifications minimal to reduce cost and maintain a good reputation.
3 Cyber Incident Defined
NIST Special Publication 800-61 states, “A computer security incident is a violation or imminent
threat of violation of computer security policies, acceptable use policies, or standard computer
security practices.” For the purposes of this plan an incident will also be defined as any illegal
activity involving Hospital computers, data or both. This definition assumes that adequate
polices are in place to protect the intellectual property of the organization; the PII of employees,
customers, and partners; and Protected Health Information (PHI) of patients.
Incidents are created when events are triggered that give an indication of an adverse action.
Events are things like IDS signature triggers, anti-virus detection, firewall detecting a host going
to a known malicious domain, a phishing email is opened, or a firewall blocking a connection
attempt. Even something like a “slow computer” is an event. Not all events produce incidents
some are simply false positives. An example would be a web filter blocking certain content on a
web page. For example, a user visits a legitimate site like cnn.com; on that page are various
advertisements and links that redirect the user to other web sites. If the browser attempts to pre-
fetch the links and resolve them it may appear an end user attempted to access an unauthorized
web site. In reality, the user did no such thing.
Incidents can occur at random times and there can be multiple incidents occurring at the same
time. The complexity of the incident can also vary as can the duration. A simple virus infection
may only require cleaning the host while a data breach or discovery of illegal activity may take an
extensive investigation and lengthy remediation. Finally, it is entirely possible to have multiple
incidents that are all connected and interrelated. As can be seen, the response to the incident may
vary in size, scope, and necessary resources. The incident response team needs the ability to
maintain control and grow as the incident grows.
In addition to the typical cyber incident (i.e. hacking, malware, data loss) there are also the
response to physical attacks. These include things like theft, fire, flood, building collapse, bomb
threats, etc.
4 Incident Response Procedure
When responding to an incident it is important to only tell people who have a need to know about
the incident. It is possible that an insider is violating law or policy. Allowing them to know they
are being watched or investigated gives them the opportunity to destroy valuable evidence.
Throughout the process take good notes.
4.1 Preparation
In the preparation phase user expectations are set, as well as assuring system administrators are
properly prepared. This is also the place where polices are set for the IRT to include the scope,
7
8. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
responsibilities, when to call executives management and when to call law enforcement. This
plan in fact is part of the preparation phase.
As part of the preparation it is imperative that a logon warning banner be placed on all systems.
This banner not only sets the expectation that end users will be monitored but it also serves notice
that there is no expectation of privacy. By so doing, it makes the task of analyzing events much
easier as it removes the need to get approvals from senior management.
Also addressed here is the need to notify law enforcement and when. There are times when Law
enforcement must be notified, for example when there is a serious safety or life threat to the
general public, in cases of child pornography, in cases of potential abuse to name a few. There
are also reasons not to involve law enforcement. In so doing the organization loses control of the
case; in fact there are now two cases with different objectives. The organization wishes to get
systems back on line and operational while law enforcement wishes to gather evidence and
prosecute a crime. In this case, the hospital also risks equipment seizure by the authorities.
Finally, it may be desirable not to report the issue to eliminate negative publicity.
Policy must also be developed for critical systems such that there are regular backups. This will
allow for restoration of the system should a compromise occur.
4.2 Identification
The goal here is to examine the events, analyze them, and determine if there is an incident. As
mentioned previously, not all events are incidents. Examples of this are phishing emails that are
not opened, a user on a Linux system surfing to a web site with a known windows exploit, and a
large increase in ftp traffic that is authorized.
4.3 Containment
The purpose of this phase is to eliminate further damage. There is the short term goal and the
long term goal. In the short term the desire is to stop communications with the hacker, botnet, or
other external entity. Additionally, the system needs to be isolated to stop the spread of the virus
or malware. Some methods of doing this are to unplug the network cable, disable the switch port,
put in ACLs on routers or firewalls, and as a last resort unplug the power. Unplugging the system
is not advised as this results in the loss of critical data and evidence concerning the running state
of the system. Most importantly, try to keep a low profile, do not let the attacker now that you
have discovered their activity.
Also at this time make a system image to include the file system, and memory. When performing
forensic analysis later always use a copy of these images. Keep the original pristine for evidence
purposes. Take pictures of the area and the current state of the screen.
Long term containment involves applying patches to the affected system and other similar
systems. Consider changing passwords and adding firewall rules. Remove any accounts that
were used by the attacker and shutdown hacker processes. Subsequent to these actions the virus
or malware must be eradicated.
8
9. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
4.4 Eradication
During eradication the system is cleaned and attacker artifacts are removed. This is where the
forensic analysis will help. If the malware can be identified a simple search on the internet will
reveal the characteristics of the malware. It may be necessary to use a VM or sand box to run the
malware and observe what it is doing.
Find the most recent clean backup to restore the system. This backup should also be checked for
the presence of the malware or attacker. If a rootkit was installed this will modify the operating
system itself, in this case reformat the hard drive and reinstall the operating system. Once the
system is restored perform a vulnerability scan using Nessus and patch all vulnerabilities.
4.5 Recovery
Prior to putting the system back into production check the operation of the system against the test
plan and baseline documentation. This should be done by the system administrator and the owner
of the system. The owner of the system makes the final decision on putting the system back into
production. Once in production monitor the system closely and check carefully for signs of re-
compromise.
4.6 Follow Up
In the follow up phase the lessons learned are documented. A report is generated detailing how
the attacker got in, what was done, how the issue was found, and what was done to fix it. It
should also include recommendations to prevent future attacks by the same method.
4.7 Seven Deadly Sins
1. Failure to report or ask for help
2. Incomplete or nonexistent notes
3. Mishandling or destroying Evidence
4. Failure to create working images
5. Failure to contain or eradicate
6. Failure to prevent re-infection
7. Failure to apply lessons learned.
5 Methodology
Responding to cyber incidents is much like responding to a fire or medical emergency. In all
cases the first responders must assess the situation, determine what resources may be needed,
evaluate the severity of the situation, determine a strategy and tactics, and finally assure safe
operations. The fire and emergency services have been responding to emergencies for many
decades and have developed very good procedures and methods for doing so. The fire service
uses an Incident Command System (ICS), which is proven and can be easily adapted for use in
cyber incident response. The ICS is designed to handle incidents of all sizes and complexity and
can grow and shrink as the incident grows and shrinks.
9
10. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
5.1 The Incident Command System (ICS)
The fire service has a well-designed and proven system that is used for responding to various
incidents. Cyber incidents can be thought of as fires within computer systems and networks. As
such, it is a simple task to adapt the ICS to cyber incidents.
The ICS was developed in the 1970’s in response to several catastrophic fires in the urban
interface in California 14]. This system is designed to allow inter-agency operation for incidents
small to large and complex. The ICS is based on following 14 management characteristics that
provide strength and efficiency to the total system [ HYPERLINK l "FEM12" 15 ].
• Common Terminology – Assures that all participants are using the proper
terminology for incident response and required resources.
• Modular Organization – This allows for a compartmentalized approach that allows
resources or functions to be brought in based on the complexity and severity of the
incident.
• Management by Objectives – Establishes all-encompassing objectives and goals
• Incident Action Planning – Provides a centralized approach to the planning of the
response to the incident as well as setting priorities.
• Manageable Span of Control - Span of control defines how many people (or things)
each individual can manage. The typical range is 3 to 7 with 5 being optimal.
• Incident Facilities and Locations – Numerous and varied facilities may be needed for
incident, these include command posts, staging areas, rest areas, etc.
• Comprehensive Resource Management – This means to maintain a comprehensive
view of resource utilization. Resources in this case include equipment and personnel.
• Integrated Communications – Establishes a common communication system to
address the equipment, systems, and protocols necessary to achieve integrated voice
and data communications.
• Establishment and Transfer of Command – In the beginning of any incident
command (who is n charge?) must be established. As the incident grows it may be
necessary to transfer the command, this requires a briefing that includes the current
status, the plan, and other important information
• Chain of Command and Unity of Command – The chain of command assures that
subordinates report to supervisors. The concept actually comes form the military
where it is not desirable to have privates reporting to generals.
• Unified Command – This is a concept that allows various agencies and entities with
different functional, geographical and legal authority to work together.
• Accountability – This is management of personnel and resources involved in the
incident.
• Dispatch/Deployment – Personnel and resources only respond when requested.
• Information and Intelligence Management – This is the process of gathering,
analyzing, assessing, sharing, and managing incident-related information and
intelligence.
The incident command sections are defined as follows 15]:
• Command – Incident Commander (IC), Public Information Officer, Liaison Officer
10
11. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
• Operations – Manages the tactical operations
• Planning – Resources, Situation, Documentation (Understanding the situation,
establish Priorities, and Strategy)
• Logistics – Communication, Food, Supply, Facilities
• Finance/Administration – Procurement, Compensations, Claims, Cost
• Intelligence/Investigations – Post incident investigation or intelligence gathering.
Not all components of the ICS are invoked at every emergency incident. Each component is
invoked as needed. It is possible that the incident commander will also be the operations chief,
planning chief, logistics chief, and finance chief. To show how this works the following
scenarios are provided.
Scenario 1 – The incident is a small shed (10 ‘ x 10’) on fire with no other structures, vehicles, or
combustibles nearby. A 5-man team with one truck arrives; the ranking officer (Lieutenant)
assesses the scene. This officer assumes the role of incident commander (Command) and
develops a plan for fighting the fire (Planning). He then directs the subordinates on the tactical
operations for extinguishing the fire (Operations).
Scenario 2 – A large two family home in a remote location is on fire. The first arriving officer
(Lieutenant) takes command of the incident and establishes a command post. He notes the
structure is 50% involved and that additional resources will be required. The incident
commander (IC) calls for additional teams to be deployed. As the teams arrive a higher-ranking
officer (Captain) takes over the command. In so doing he is briefed by the lieutenant before
assuming command. The lieutenant is then reassigned to the operations section where he will
lead an attack team. Other teams are assembled to supply water, and provide support for the
operations. As this is a lengthy incident, the logistics section is established to provide
refreshments and food.
No two emergencies are alike; it is possible that the emergency incident may also require law
enforcement, hazardous materials or environmental experts, medical, heavy construction, or any
other numerous resources. It should be noted that even if a chief is called in by captain or
lieutenant the chief does not have to take over control of the incident. The chief can act in an
advisory role. As can be seen, this model allows for the expansion and inclusion of these
resources as needed. Additionally, recognizing the potential need for these resources allows for
pre-planning and establishing contacts.
5.2 Converting the ICS to Cyber Space
To convert the ICS from the fire service to the cyber world is a relatively straightforward process.
Of the 14 management principles 3 are modified slightly
• Incident Facilities and Locations – When responding to cyber incidents the need for a
well-known command post, staging areas, rest areas, etc. are not needed. However, there
is a need for secured workspaces, forensics labs, and other such facilities. Additionally, it
is critical that a primary incident responder be assigned.
• Integrated Communications – A communication system may or may not be required
depending on the type of incident and the sensitivity of the data. The plan should
however address the need for multiple communication mediums. That is, if the system
11
12. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
under attack is the phone systems or the email system there needs to be another means of
communication available. This is also dependent upon the size of the geographic area
covered.
• Dispatch/Deployment – It may be necessary to send incident responders to outreach
locations or remote sites. In this case there must be control of who is sent where, with
what resources and mission assignments.
As with the management functions the sections are very straightforward as well. In this section
the various roles will be spelled out as they pertain to cyber incident response.
Command – The Incident Commander (IC) is responsible for managing the incident from start to
finish. Transfer of authority for a multi-day incident is not required. The individual responsible
for the response will be available 24 X 7, however they are not required to be on site at all times.
The Public Information Officer will be utilized only on breaches that involve outside agencies or
the public. The Liaison Officer is typically not utilized. The function of this officer is to
facilitate communications between agencies and leverage outside resources. The liaison officer
may be needed in cases where law enforcement is required or coordination between partner
organizations is required.
• Operations – Manages the tactical operations
• Planning – Resources, Situation, Documentation (Understanding the situation, establish
Priorities, and Strategy)
• Logistics – Communication, Food, Supply, Facilities
• Finance/Administration – Procurement, Compensations, Claims, Cost
• Intelligence/Investigations – Post incident investigation or intelligence gathering.
•
To consider how this works in the realm of cyber incidents examine the following scenarios.
Scenario 1: The corporate anti-virus console has detected a piece of malware on an end users
computer. The system administrator notifies the IRT who sends a member of the team out to
investigate. The responder finds the malware, examines the system for compromise, and
determines if further action is required. He reports back to the manger who concurs. The system
is then cleaned by the IT department and reinstalled.
Scenario 2: While reviewing log files the network administrator notices that one workstation is
downloading a large amount of data to an external IP address. The incident response team gets
the log files and begins analyzing them. They find that the files are being sent to a personal
Roadrunner account. This could now be an indication of a policy violation or illegal activity. To
assure the investigation is handled properly the legal department is activated along with HR
department. The CEO is informed of the downloads and based on the size they could potentially
contain sensitive information. As the team continues to dig the find that one of the people in the
engineering department is downloading facility information so that he can work on this at home.
While not illegal, this is a violation of policy and will be handled by the supervisor and HR.
Scenario 3: This scenario is the same as the previous only this time the employee is a clerk who
is downloading patient PPI. The PPI includes names, Social Security numbers, addresses, billing
information (to include credit card numbers) and treatments. In this case not only has corporate
policy been violated but laws may also have been broken. Addressing this incident requires that
12
13. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
Legal, HR, Finance, facility security, and senior management be involved. Senior managers may
decide to call in law enforcement to assure that data and evidence are collected and gathered in
accordance with proper procedures. As the investigation progresses it is determined that the
employee is taking the data and selling to identify thieves. This now constitutes a data breach,
which requires the Public Information officer involvement. In a coordinated effort the employee
will be arrested, accounts will be disabled, facility access removed, and the employee will be
fired. Subsequently, press releases will be written and affected end users will be notified of the
breach by the Public Information office. In this incident the CEO will be called in and will take
over control. In so doing the ISO well have a meeting with the CEO who will be briefed on the
status and the plan. The ISO will then focus on remediation and forensics while the CEO directs
others in preparing the legal, HR, and Public Information responses.
Using the above three scenarios one can easily see how the incident response can grow and be
managed in an orderly fashion. It should be noted that even though the CEO is called into an
incident the CEO does not have to take over control of the incident. His function could be an
advisory one. In the case of all serious incidents the CEO should be notified. One should also
consider the situation where there are multiple incidents occurring at the same time. Using this
model a unified command post is established with individual teams reporting back. Again, the
system can grow as needed.
6 Incident Response Team
6.1 IRT Member Skills
Incident Responders should hold at least one reputable forensics certification available from
organizations like SANS, GIAC Certified Forensics Analyst (GCFA), or International
Association of Computer Investigative Specialist (IACIS) Certified Forensic Computer Examiner
(CFCE). In the opinion of the author, the independent certifications are better than the ones
offered up by vendors like EnCase.
6.2 Lab
When building an incident response laboratory one needs to assure that the facility is secure and
only used by authorized individuals. All investigations should be treated as if they will be used
for the enforcement of a crime. The key is to remember the need to know rule, thus restricting
investigators to knowledge of only their own investigations. Some things to consider are:
• Locking evidence cabinets.
• Locking room
• TEMPEST Certified – Not necessary, but nice to have. In this regard it may be
advantageous to implement some of the features to make the investigative room
more secure.
• Workstations with ample work space (approximately 150 sq. ft.)
• Limited view of workstation screen.
• Budgeting for additional systems each year to maintain compatibility with
hardware and software advancements
• An inventory of Operating Systems to include old and obsolete systems.
• Regulated Access.
13
14. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
There should be adequate numbers of forensics workstations. It is recommended that the
Forensic Recovery of Evidence Device (FRED) from Digital Intelligence be used as the forensic
workstation. More information can be found at http://www.digitalintelligence.com/products/fred/.
Figure 2 depicts an image of the FRED. As can be seen this is not a typical workstation and has
many features needed to perform a forensics investigation. In Addition to the FRED the system
also needs a copy of Forensic Tool Kit (FTK) for performing the investigations and analysis. The
FRED cost $6,000 and FTK for one year is $4,000.
Figure 1 Forensic Recovery of Evidence Device [ HYPERLINK l "Dig12" 16 ] (FRED)
6.3 Jump Kit
The Jump Kit contains the tools and utilities needed to respond to an incident. The jump kit
should be stored in a small suitcase or backpack and it should contain the following equipment:
Table 2 Jump Kit Contents
Item Cost Purpose
Traveler's Choice Rome 29 in. $90 Used to hold and transport Jump Kit
Hardshell Spinner Suitcase Equipment
Dell Latitude E6220 $800 Laptop to be used for Data Gathering and
analysis tools
Cat 6 Network cables (including $50
crossover)
Cisco 2960CG-8TC-L Gigabit $700 Used to allow sniffing of the network activity.
Switch with sfp Fiber uplink
Peripheral cables—USB, Firewire, $100 Used to connect to various devices and
parallel, serial, console provide data transfers.
BackTrack Live DVD $0 Contains a clean version of Linux with many
pre-installed analysis and forensic tools
Notebooks, pens, pencils $50 Notebooks should have numbered pages.
14
15. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
Item Cost Purpose
Camera $100 Used to photograph area and state of the
computer upon arrival.
1 Terabyte Hard Drive $120 Used to get forensic images.
UltraBlock eSATA IDE-SATA $400 Used during the acquisition of an image to
Write Blocker prevent writing to the original hard disk.
Flashlight $20
Screwdrivers, Pliers, small $100 Used to open cases and systems. May be
Wrenches needed for disconnecting or removing system.
Call List A list with the names and contact information
of all Team Members, Additional Resources,
and outside contacts.
In addition to this the kit shall also have a Corporate Credit Card with $5,000 limit.
6.4 Recommend Software tools.
a) Linux/Unix tools
• R-Linux
• BackTrack
• dd command
• SleuthKit
• WireShark
b) Windows Tools
• VMWare Player
• ProDiscover
• Hex Edit
• WireShark
• steghide
• stegdetect
• Sawmill
• FINALeMAIL
6.5 Additional Resources
6.5.1 HUMAN RESOURCES.
The HR department should be involved in cases of policy violation, illegal activity, or both.
15
16. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
6.5.2 FINANCE
Will be used in the event resources, supplies, or equipment must be purchased
6.5.3 LEGAL
The Legal department should be contacted and involved in cases of data breach, illegal activity,
and when legal questions arise.
6.5.4 CEO
It is imperative that the CEO be involved in major incidents; CAT 1, CAT 2, and CAT 3 from
Table 2. These incidents have a severe impact on the operation and reputation of the organization
as well as legal and personnel implications.
6.5.5 PHYSICAL SECURITY
Physical Security needs to be involved for cases of theft, unauthorized physical access, and cases
where employees are to be escorted off the premises.
6.5.6 PUBLIC RELATIONS
Public relations must get involved when there will be a press release or breach notifications.
6.5.7 LAW ENFORCEMENT
In the event that there is evidence of a crime the agency should have law enforcement contacts
documented. Law enforcement should only be brought in by the legal department or the CEO;
unless the crime involves those individuals.
7 Initial Reporting.
When reporting an incident the following information is required. Sample form in Appendix
• Point of contact information including name, telephone, and email address
• Incident Category Type (e.g., CAT 1, CAT 2, etc., see table)
• Incident date and time
• Source IP, port, and protocol (If Known)
• Destination IP, port, and protocol (If Known)
• Location of the system(s) involved in the incident
• Method used to identify the incident (e.g., IDS, audit log analysis, system administrator,
end-user complaint)
• Description of the Incident.
8 Classifying and Prioritizing Incidents
i. The US-CERT lists that reporting categories for US Agencies along with reporting time
requirements [17]. A category 1 incident carries the highest priority while a category 6
carries the lowest priority. It is useful to use these categories as a guide to assigning
16
17. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
urgency remembering this is just a guideline. These categories are listed and described in
table 3. It should be noted that for purposes of this organization CAT 3 and CAT 4 have
been exchanged.
Table 3 Incident Categories
Category Name Description
CAT 1 Unauthorized In this category an individual gains logical or physical access
Access without permission to a federal agency network, system,
application, data, or other resource
CAT 2 Denial of An attack that successfully prevents or impairs the normal
Service (DoS) authorized functionality of networks, systems or applications by
exhausting resources. This activity includes being the victim or
participating in the DoS
CAT 3 Improper A person violates acceptable computing use policies.
Usage
CAT 4 Malicious Successful installation of malicious software (e.g., virus, worm,
Code Trojan horse, or other code-based malicious entity) that infects an
operating system or application.
CAT 5 Scans/Probes/ This category includes any activity that seeks to access or identify
Attempted a computer, open ports, protocols, service, or any combination for
Access later exploit. This activity does not directly result in a compromise
or denial of service
CAT 6 Investigation Unconfirmed incidents that are potentially malicious or
anomalous activity deemed by the reporting entity to warrant
further review.
Table 4 prioritizes the various systems and identities the risk. Criticality is a measure of the
importance to the operation of the hospital. Risk is a measure of how susceptible the system is.
Table 4 – System Criticality
System Function Criticalit Risk
y
Email Used for internal communications between staff. low high
External communications to vendors and partners.
PPI and PHI are not authorized using email. The
email server is located in the DMZ and is running as a
bastion host. The only services ports open are port 25
Patient Care The patient care system includes patient check in, as high low
well as all data pertaining to treatments. This
includes scheduled services (i.e. X-Ray, Physical
therapy, Lab, etc), prescribed medications, special
instructions. Medications
Finance and The Finance and accounting systems interface with medium medium
Accounting numerous insurance companies as well as the credit
card processing facility
17
18. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
System Function Criticalit Risk
y
Human Human Resources systems contain the information on low low
Resources all employees including their PPI, training,
qualifications, work schedules.
Public Web The Public Web server only provides basic low medium
Server information about the hospital and its services. There
is no sensitive information on this system – the
system does not process payments
Facilities The facilities engineering system monitors and high low
controls the environmental systems within the
hospital. It also monitors fuel levels, generator status,
and levels of oxygen in the storage tanks. It is not
connected to he internet, there is a dial up system for
remote management.
Desk Top Desktop systems are in use by ordinary users who medium high
may not recognize the risk or attempted attack.
Typically, an attack on a desktop system will enable
an attacker to gain access to other resources.
Using tables 3 and 4 as a guide the analysts can now score incidents. Start by assigning values as
follows high=1, medium=2, low =3; CAT 1=1, CAT 2=2, etc. Criticality to the operation is of
more importance than the risk or exposure. To obtain the score for the incident use the formula
score = CAT + (2 x Criticality) + risk. These scores can then be used as a guide in prioritizing
incidents.
9 Conclusion
An incident response team is vital to the operation of any organization. The organization does
not necessarily need all of the capabilities for a complete response, but it should know where to
turn for help when an incident occurs. Realizing that a cyber-incident is actually a cyber-
emergency, one can then apply the proven techniques of emergency response and emergency
management to the cyber incident.
The Incident Command System (ICS) has been in use in the Emergency services field since the
1970’s . This model can be easily adapted to cyber incidents to allow a proper response to any
size incident. The major emphasis must be on planning, this allows the organization to determine
its abilities and limitations as well as identify additional resources that may be needed. Proper
planning will allow the organization to respond rapidly, properly, and provide for the proper
mitigation and analysis. The time to plan is before the incident, not during.
18
19. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
10 References
[1] William F Pelgrin. (2012, January) Center for Internet Security. [Online].
http://msisac.cisecurity.org/newsletters/2012-01.cfm
[2] Howard Anderson. (2011, April) Gov Info Security. [Online].
http://www.govinfosecurity.com/articles.php?art_id=3576&opg=1
[3] Karen Scarfone, Tim Grance, and Kelly Masone. (2008, March) National Institute of Standards and
Technology.
[4] Virus Total. (2012, June) Virus Total. [Online]. https://www.virustotal.com/statistics/
[5] HHS - Office for Civil Rights. (2003, May) U.S. Department of Health and Human Services.
[Online]. http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf
[6] HIPAA Administrative Simplification, October 2009.
[7] HIPAA Survival Guide. (2012) hipaasurvivalguide.com. [Online].
http://www.hipaasurvivalguide.com/hitech-act-summary.php
[8] Jonathan Marks. (2012) FindLaw.com. [Online]. http://criminal.findlaw.com/criminal-rights/when-
the-fourth-amendment-applies.html
[9] John Stewart. (1967, October) Cornell Law School - Legal Information Institute. [Online].
http://www.law.cornell.edu/supct/html/historics/USSC_CR_0389_0347_ZO.html
[10] Antonin Scalia. (2001, June) Cornell Law School - Legal Information Institute. [Online].
http://www.law.cornell.edu/supct/html/99-8508.ZO.html
[11] Warren Burger. (1986, May) Findlaw.com. [Online].
http://caselaw.lp.findlaw.com/scripts/getcase.pl?navby=case&court=us&vol=476&invol=227
[12] Cornell University Legal Information Institute. [Online].
http://www.law.cornell.edu/uscode/text/18/1030
[13] National Conference of State Legislatures. (2012, December) National Conference of State
Legislatures. [Online]. http://www.ncsl.org/issues-research/telecom/security-breach-notification-
laws.aspx
[14] FEMA. (2008, May) FEMA training Materials. [Online].
http://www.training.fema.gov/EMIWeb/IS/ICSResource/assets/reviewMaterials.pdf
[15] FEMA. (2012) www.fema.gov. [Online]. http://www.fema.gov/emergency/nims/ICSpopup.htm
[16] Digital Intelligence. (2012, December) Digital Intelligence. [Online].
http://www.digitalintelligence.com/products/fred/
[17] US-CERT. (2012) US-CERT. [Online]. http://www.us-cert.gov/government-users/reporting-
requirements.html
[18] Jaikumar Vijayan. (2012, March) ComputerWorld.com. [Online].
http://www.computerworld.com/s/article/9225170/Tennessee_insurer_to_pay_1.5_million_for_breac
h_related_violations
[19] Moira J West-Brown et al. (2003, April) US-CERT. [Online]. http://www.cert.org/archive/pdf/csirt-
handbook.pdf
19
20. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
Author
Charles DeVoe is a CERT analyst with the Center for Internet Security, MS-ISAC
division. Charles has a Masters of information Security from Capella University and a
Bachelor of Science in Electrical Engineering from Union college, Schenectady NY.
Current interest are information security, incident response, malware analysis, mobile
device forensics, and computer systems forensics
Dr. Syed (Shawon) M. Rahman is an assistant professor in the Department of
Computer Science and Engineering at the University of Hawaii-Hilo and an adjunct
faculty of School of Business and Information Technology at the Capella University. Dr.
Rahman’s research interests include software engineerin g education, data visualization,
information assurance and security, web accessibility, software testing and quality
assurance. He has published more than 85 peer-reviewed papers. He is a member of
many professional organizations including ACM, ASEE, ASQ, IEEE, and UPE.
20