Following his meeting with the vice president of human resources, Brian returned to his department and turned his attention to important IT projects. At the top of his list, he was setting up a virtual private network (VPN) to help the Cenartech sales staff obtain remote access to client information. The client information resided on databases maintained by the staff in the firm’s business office, so the VPN terminated in Cenartech’s financial systems network. Brian had to customize the restrictive firewall rules on this network to support the operation of the VPN. With his focus on completing the VPN project on schedule, several weeks went by during which Brian had no time to analyze log files. During this period, he also received no complaints from employees about account lockouts.

Part of the complexity of the VPN project was that the laptops of most members of the sales staff did not have an installed capability for remote management. An IT employee had developed a scripted installation that could run from a CD, but when Brian had sent this to a couple of the salespeople, they had complained that it failed to work. As a result, several of the installation CDs that the IT staffer had created lay unused in a stack on a table in the IT department. Brian had to wait until each member of the sales staff came to the company’s headquarters in order to physically access their laptops and install the VPN client.

As Brian began to deploy the VPN clients and send the salespeople back into the field with their updated laptops, he also began to monitor security logs again. He was surprised to find a greater number of incoming VPN connection attempts than he had expected. When he followed up some of the originating IP addresses, he also found that a number of the connections originated from a local cable Internet Service Provider (ISP).
He had expected most of the connections to come from more distant locales, because the salespeople provisioned with the VPN client were all from other regions of the country. Brian ran more log analyses and found that, after a brief lull two weeks earlier, the failed log-in attempts had begun again. Further, he found that while some of the attempted log-ins had again occurred from the engineering cluster around lunchtime, other failed attempts had occurred during the VPN authentication process, mostly after hours, and mostly from IP addresses originating with the local ISP.

Given the recurrence of the original problem, plus the new issues that had arisen with the VPN, Brian requested another meeting with Jim and reported the problems he had seen. This time, Jim got very serious and said, “I’ll go back down there to engineering and read them the riot act. We’ll definitely get this issue cleaned up. You can leave it to me.” Brian felt reassured that Jim was taking the issue more seriously now, and he returned to his projects.

A month went by without incident, but one morning around 7:00 AM, Brian received a frantic call from an accountant whose habit was to arrive at work early. The accountant reported that although she could log in to the network, none of her applications would work. Brian rushed into work and found utter chaos. Several database tables had become corrupted, a large number of files had been deleted, and application configurations had been tampered with. Looking at the datestamps on some of the corrupted files, Brian concluded that much of the damage had occurred late the previous evening. He quickly restored a number of files from backups in order to get key users back up and running. Then he organized his IT staff to get to work on restoring everyone else who had been affected.
Fortunately, Brian’s attention to standardizing backup procedures and related disaster recovery capabilities meant that his staff had the knowledge and resources to restore almost everything that had been lost and to accomplish this restoration relatively quickly. The whole process of repairing the damage took about a week, and during this time, Brian collected as much forensic data as he could. Several important findings emerged. First, he found that user accounts existed on some of the financial systems for employees who no longer worked with the firm. Further, these accounts had extensive histories of recent activity from workstations all over the business office. When Brian chatted “off the record” with some of the individuals who worked in the business office (recall that the official policy was that Brian was supposed to address such matters through HR first), he found that many of the employees shared the use of archaic, still-active accounts. When previous employees had left the firm’s business office several years ago, they had given their username and password information to their colleagues for the sake of convenience, so that the employees who remained could access the departing person’s files and applications. Previously, no one had disabled the user accounts of these departed employees. Now, however, Brian backed up all of the files that remained in these archaic accounts and then disabled them.

Next, Brian traced the damage to a connection that had occurred through the VPN. The originating IP address showed that the connection was not from the local ISP, nor was it from an ISP in a locale where any of the company’s salespeople lived. The account that the attacker had used to disrupt the operations in the business office was one of the “shared” accounts of a departed employee, as mentioned above.
Additional analysis of the log files showed that the attacker had used the same archaic account through the VPN in the same timeframe to try to gain access to engineering systems, but the firewalls between the different networks had prevented the attacker from connecting. Relatedly, three weeks earlier the same archaic account had been accessed at lunchtime from within the engineering cluster.

In the aftermath of the attack, Brian met with every member of Cenartech’s senior management, and he realized that his job was on the line. He explained everything that he had ascertained about the attacks, and he tried not to sound defensive when describing his existing security measures and what he knew about how they had been circumvented. Brian realized that, with their limited understanding of the technology involved, most of the senior managers seemed to lay the blame for the attack on Brian’s deployment of the VPN. When Brian met with Jim and they reviewed the situation together, Jim resolved to interview personally each member of the accounting department and the engineering department to see if anyone had further information that would shed light on the attack.
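The findings Brian pieced together by hand after the incident (activity on accounts of departed employees, VPN connections from outside the sales regions, after-hours VPN authentication failures, repeated failed log-ins from one source) are checks that can be run over authentication logs routinely rather than only after the damage is done. The following is an added example, not part of the case text; the event records, the departed-employee roster and the expected VPN address range are all constructed.

```python
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample authentication events (not taken from the case).
# Fields: timestamp, account, source ("vpn" or "engineering"), client IP, result
EVENTS = [
    ("2021-11-02 12:10:00", "jdoe_old", "engineering", "10.20.5.17", "fail"),
    ("2021-11-02 12:11:30", "jdoe_old", "engineering", "10.20.5.17", "fail"),
    ("2021-11-02 12:12:05", "jdoe_old", "engineering", "10.20.5.17", "success"),
    ("2021-11-20 22:40:00", "jdoe_old", "vpn", "203.0.113.45", "fail"),
    ("2021-11-20 22:41:10", "jdoe_old", "vpn", "203.0.113.45", "success"),
    ("2021-11-20 09:05:00", "salesrep1", "vpn", "198.51.100.8", "success"),
]
DEPARTED = {"jdoe_old"}                          # HR roster of former employees (constructed)
EXPECTED_VPN = [ip_network("198.51.100.0/24")]   # ISP ranges of the sales regions (constructed)
BUSINESS_HOURS = range(7, 19)                    # 07:00 to 18:59

def triage(events, departed=DEPARTED, expected=EXPECTED_VPN):
    """Return the four kinds of findings from the case, keyed by name."""
    findings = {"departed_account_use": [], "vpn_unexpected_origin": [],
                "vpn_after_hours_failures": [], "failed_login_bursts": []}
    fails = Counter()
    for ts, acct, src, ip, result in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        # Any use of a departed employee's account is a finding, success or not.
        if acct in departed:
            findings["departed_account_use"].append((ts, acct, src, ip))
        if src == "vpn":
            # VPN origins outside the regions where sales staff live.
            if not any(ip_address(ip) in net for net in expected):
                findings["vpn_unexpected_origin"].append((ts, acct, ip))
            # Failed VPN authentications outside business hours.
            if result == "fail" and when.hour not in BUSINESS_HOURS:
                findings["vpn_after_hours_failures"].append((ts, acct, ip))
        if result == "fail":
            fails[(acct, src)] += 1
    # Two or more failures for one account from one source count as a burst.
    findings["failed_login_bursts"] = [key for key, n in fails.items() if n >= 2]
    return findings

if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(name, hits)
```

In practice the departed roster would come from the HR system and the expected ranges from the VPN provisioning records, so that the two silos the case describes as disconnected feed the same check.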



Dec 05, 2021