IT0007-Laboratory-Exercise-7 - Incident Handling

This document outlines two incident response scenarios for a laboratory exercise on incident handling: 1. A small investment firm experiences widespread infection from a new worm that installs DDoS agents. Questions are posed about preparation, detection/analysis, and containment/eradication/recovery. 2. A mid-sized hospital's payroll administrator notices unauthorized access to records after briefly leaving her workstation. Questions focus on preparation, detection/analysis, and containment/eradication/recovery given the hospital's CSIRC model and outsourced security monitoring. The scenarios are meant to help students understand proper incident response procedures and the types of questions that should be asked at each stage of the incident response process.

Uploaded by

Denise Jao

COLLEGE OF COMPUTER STUDIES

IT0007
(Information Assurance & Security 2)

EXERCISE

7
INCIDENT HANDLING

Student Name /
Group Name:
Name Role
Members (if Group):

Section:

Professor:
a. PROGRAM OUTCOME/S (PO) ADDRESSED BY THE LABORATORY EXERCISE
 Apply knowledge through the use of current techniques and tools necessary for the IT
profession. [PO: G]

b. COURSE LEARNING OUTCOME/S (CLO) ADDRESSED BY THE LABORATORY EXERCISE
 Perform a vulnerability analysis of a system and explain how design, implementation, and
installation of hardware and software contribute to vulnerabilities of the organization.
[CLO: 2]

c. INTENDED LEARNING OUTCOME/S (ILO) OF THE LABORATORY EXERCISE


At the end of this exercise, students must be able to:
 Discuss and explain how devices and services are used to enhance network security.
 Discuss and explain how networks are attacked and various types of threats and
attacks.

d. BACKGROUND INFORMATION
 Nearly every “secure” system that is used today can be vulnerable to some type of
cyberattack.

e. GRADING SYSTEM/ RUBRIC


Trait: Requirement Specification (30pts)
  Excellent (28-20pts): Able to identify correctly all input and output and provide an alternative.
  Good (25-17pts): Able to identify correctly all input and output.
  Fair (22-14pts): Able to identify only one input or output.
  Poor (20-11pts): Unable to identify any input and output.

Trait: Data type (20pts)
  Excellent (18-20pts): Able to apply the required data type or data structure and produce correct results.
  Good (15-17pts): Able to apply the required data type or data structure and produce partially correct results.
  Fair (12-14pts): Able to identify the required data type or data structure but does not apply it correctly.
  Poor (9-11pts): Unable to identify the required data type.

Trait: Input Validation (20pts)
  Excellent (18-20pts): The program works and meets all specifications. Does exceptional checking for errors and out-of-range data.
  Good (15-17pts): The program works and meets all specifications. Does some checking for errors and out-of-range data.
  Fair (12-14pts): The program produces correct results but does not display them correctly. Does not check for errors and out-of-range data.
  Poor (9-11pts): The program produces incorrect results.

Trait: Free from syntax, logic, and runtime errors (10pts)
  Excellent (10pts): Able to run the program correctly without any logic error and display appropriate output.
  Good (8-9pts): Able to run the program correctly without any logic error but display inappropriate output.
  Fair (6-7pts): Able to run the program but with a logic error.
  Poor (5pts): Unable to run the program.

Trait: Delivery (10pts)
  Excellent (10pts): The program was delivered on time.
  Good (8-9pts): The program was delivered 5 minutes after the time required.
  Fair (6-7pts): The program was delivered 10 minutes after the time required.
  Poor (5pts): The program was delivered 15 (or more) minutes after the time required.

Trait: Use of Comments (10pts)
  Excellent (10pts): Specific purpose is noted for each function, control structure, input requirements, and output results.
  Good (8-9pts): Specific purpose is noted for each function and control structure.
  Fair (6-7pts): Purpose is noted for each function.
  Poor (5pts): No comments included.

f. LABORATORY ACTIVITY
INSTRUCTIONS

Background / Scenario

Computer security incident response has become a vital part of any organization. The process for
handling a security incident can be complicated and involve many different groups. An organization must
have standards for responding to incidents in the form of policies, procedures, and checklists. To properly
respond to a security incident, the security analyst must be trained to understand what to do and must also
follow all of the guidelines outlined by the organization. There are many resources available to help
organizations create and maintain a computer incident response handling policy, but NIST Special
Publication 800-61 is the one specifically called out by the CCNA CyberOps SECOPS exam topics. This
publication can be found here:

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Scenario 1: Worm and Distributed Denial of Service (DDoS) Agent Infestation


Study the following scenario, then discuss and determine the incident response handling questions that
should be asked at each stage of the incident response process. Consider the details of the organization
and the CSIRC when formulating your questions.

This scenario is about a small, family-owned investment firm. The organization has only one location and
fewer than 100 employees. On a Tuesday morning, a new worm is released; it spreads itself through
removable media, and it can copy itself to open Windows shares. When the worm infects a host, it installs
a DDoS agent.

Antivirus signatures did not become available until several hours after the worm started to spread, and
by then the organization had already incurred widespread infections. The investment firm has hired a
small team of security experts who often use the diamond model of security incident handling.

Preparation:

Establish a clean baseline before any incident: scan every system for malware and only put it into service
once it is known to be clean. Also research the different kinds of viruses and worms the firm could face,
how they propagate (for example through removable media and open Windows shares) and what their
consequences are, so the team knows what to look for.

Detection and Analysis:

Confirm that antivirus protection is installed and reporting on all of the firm's computers (fewer than
100 of them) and that their software and firmware are up to date; where a host is out of date, have the
employee update it. Use the antivirus alerts, and the new signatures once they become available, to
determine which hosts are infected.

Containment, Eradication, and Recovery:

Identify every computer that was infected and verify that no other computers were infected or affected.
Recover the affected computers by finding and removing the cause of the infection (the worm and the DDoS
agent it installed) and fixing the weakness the worm used to get in.

Post-Incident Activity:

Employees should know how to detect, contain and eradicate an infection like this one themselves, in
case no IT personnel are available to handle the problem when it recurs.

Scenario 2: Unauthorized Access to Payroll Records


Study the following scenario. Discuss and determine the incident response handling questions that should
be asked at each stage of the incident response process. Consider the details of the organization and the
CSIRC when formulating your questions.

This scenario is about a mid-sized hospital with multiple satellite offices and medical services. The
organization has dozens of locations employing more than 5000 employees. Because of the size of the
organization, they have adopted a CSIRC model with distributed incident response teams. They also have
a coordinating team that watches over the CSIRTs and helps them to communicate with each other.

On a Wednesday evening, the organization’s physical security team receives a call from a payroll
administrator who saw an unknown person leave her office, run down the hallway, and exit the building.
The administrator had left her workstation unlocked and unattended for only a few minutes. The payroll
program is still logged in and on the main menu, as it was when she left it, but the administrator notices
that the mouse appears to have been moved. The incident response team has been asked to acquire
evidence related to the incident and to determine what actions were performed.

The security teams practice the kill chain model, and they understand how to use the VERIS database. For
an extra layer of protection, they have partially outsourced staffing to an MSSP for 24/7 monitoring.
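To show what "acquire evidence and determine what actions were performed" looks like in practice, here is an added example that is not part of the original lab. It builds a timeline from constructed audit records (payroll application, workstation and badge system) for the minutes the workstation was unattended, tags those records as acts of an unknown person rather than of the logged-in account (the account name attributes nothing here, because the session was left open), and produces a SHA-256 manifest of the acquired artifacts so that later alteration of the evidence can be detected. The record layout, field names, times and contents are all assumptions.

```python
"""Reconstructing what was done at an unattended, still-logged-in workstation.

Added example (not from the original lab). The audit records below are
constructed and their field names are assumptions; a real case would draw on
the payroll application's own audit log, Windows Security events and the
physical-access system, whose formats differ.
"""
import hashlib
import json
from datetime import datetime

# Assumption: the administrator reports leaving at 18:40 and returning at 18:46.
UNATTENDED = (datetime(2024, 5, 8, 18, 40), datetime(2024, 5, 8, 18, 46))

# Constructed records. The 18:30 and 18:47 entries are the administrator's own
# work before she left and after she returned; they must not be attributed to
# the intruder even though every entry carries her account name.
RECORDS = [
    {"time": "2024-05-08T18:30:12", "source": "payroll_app", "user": "jsmith",
     "action": "view_record", "detail": "employee 10442"},
    {"time": "2024-05-08T18:41:03", "source": "payroll_app", "user": "jsmith",
     "action": "search", "detail": "last_name=Reyes"},
    {"time": "2024-05-08T18:41:20", "source": "payroll_app", "user": "jsmith",
     "action": "view_record", "detail": "employee 20917"},
    {"time": "2024-05-08T18:42:05", "source": "payroll_app", "user": "jsmith",
     "action": "export", "detail": "payroll_2024-05.csv"},
    {"time": "2024-05-08T18:42:40", "source": "workstation", "user": "jsmith",
     "action": "usb_device_connected", "detail": "removable drive E:"},
    {"time": "2024-05-08T18:43:10", "source": "workstation", "user": "jsmith",
     "action": "file_copy", "detail": "E:\\payroll_2024-05.csv"},
    {"time": "2024-05-08T18:45:30", "source": "badge", "user": "unknown",
     "action": "exit_door_opened", "detail": "lobby east"},
    {"time": "2024-05-08T18:47:00", "source": "payroll_app", "user": "jsmith",
     "action": "view_record", "detail": "employee 10442"},
]


def timeline(records, window):
    """Records inside the unattended window, in time order.

    The logged-in account is deliberately not used for attribution: every
    in-window record is tagged as the act of an unknown person at an
    unattended session. Attribution has to come from other evidence
    (badge logs, cameras, the USB device itself).
    """
    start, end = window
    rows = []
    for rec in records:
        t = datetime.fromisoformat(rec["time"])
        if start <= t <= end:
            rows.append({**rec, "actor": "unknown person at unattended session"})
    return sorted(rows, key=lambda r: r["time"])


def actions_performed(tl):
    """Compact (source, action, detail) view of the timeline for the report."""
    return [(r["source"], r["action"], r["detail"]) for r in tl]


def evidence_manifest(items):
    """SHA-256 of each acquired artifact plus a digest over the whole manifest.

    Taken at acquisition and written on the chain-of-custody form; the
    manifest digest lets a reviewer check that the list of artifacts
    itself has not been edited.
    """
    hashes = {name: hashlib.sha256(data).hexdigest() for name, data in sorted(items.items())}
    manifest_bytes = json.dumps(hashes, sort_keys=True).encode()
    return {"files": hashes, "manifest_sha256": hashlib.sha256(manifest_bytes).hexdigest()}


def verify_manifest(items, manifest):
    """Names whose current hash differs from (or is missing against) the recorded one."""
    current = evidence_manifest(items)["files"]
    return sorted(name for name, h in manifest["files"].items() if current.get(name) != h)


if __name__ == "__main__":
    tl = timeline(RECORDS, UNATTENDED)
    for src, act, detail in actions_performed(tl):
        print(f"{src:12} {act:22} {detail}")
    # Constructed artifacts; in reality an exported audit log, event log and badge export.
    evidence = {"payroll_audit.json": json.dumps(tl).encode(), "badge_log.csv": b"constructed"}
    m = evidence_manifest(evidence)
    print("manifest", m["manifest_sha256"], "intact:", verify_manifest(evidence, m) == [])
```

The window boundaries come from the administrator's statement and should be widened, not trusted exactly, when the application and workstation clocks are not known to agree; the order of the in-window records, not the account name on them, is what tells the team what the intruder did.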

Preparation:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________

Detection and Analysis:


____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________

Containment, Eradication, and Recovery:


____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
_____________________________________________________________________________________

Post-Incident Activity:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
