Incident Report Assignment
You work for International Computing Machines (ICM), a network consulting firm
which sets up and maintains networks for mid-sized and large companies and
institutions. You are their Network Security Analyst in Vancouver. One morning the
ICM Associate Director of Network Security, Darren Hasselhoff, comes into your
office to talk to you. The conversation is as follows:
Darren: Nope. Well, you won’t have time to pack, because you’ve already been
booked to fly out on the Helijet in an hour, at twelve o’clock.
You: The Helijet! What’s happening in Victoria that I need to take a helicopter
over there? Isn’t that expensive?
Darren: You bet: $428 for a return ticket, plus taxes. And you might have to stay
there overnight if the problem can’t be fixed right away. Maybe longer if
necessary. The problem is at the government offices in the Department of
Human Services. The DHS. They say they’re under attack!
Darren: They don’t know. Could be anybody. All they know is a bunch of their
computers seem to have been compromised from outside. Their Network
Administrator, Sissy Hofferer, reported finding some malware in at least
one computer, and when she ran the security protocol she got some
super-high data feed readings from the network interface cards on a
bunch of computers, as if someone outside the company somewhere on
the internet was downloading a lot of company data.
You: Wow. The DHS must have reams of confidential data on millions of
people. Everything from Social Insurance Numbers to tax records.
Darren: Exactly. That’s why they’re freaking out over there, and that’s why we
need to send you over by helicopter.
Darren: No clue. All they know is that a lot of computers were compromised. Sissy
just found out all this at about 10:30 this morning, and she took all the
compromised computers offline right away, but the damage may already
have been done. Then she called us right after that.
You: That’s weird; all those computers are protected by Norton Symantec anti-virus
and firewall. The hackers must have found some new bug or exploit to get past
Norton like that.
Darren: Well, that’s what you’ll need to find out. Better get going for the Helijet!
You take the twelve o’clock Helijet from downtown Vancouver to downtown Victoria.
The sky is clear, and visibility is good all the way across the Georgia Strait. The
flight takes only 35 minutes. You catch a cab to the DHS; it costs $20 (tip included),
so you put it on your company credit card — like everything else you need to pay
for in Victoria. When you get to the DHS offices, you talk to Sissy Hofferer:
Sissy: This morning one of our office managers was browsing websites and got a
warning from Norton about some malware detected, so he called me to
ask me about it. I thought it wasn’t a big deal, then I ran the security
protocol, and it flagged thirteen of our new computers as having a lot of
data being downloaded out onto the net. We have so much sensitive data
on these computers. I couldn’t even tell what was taken or where it was
going, so whoever was doing it knew how to cover their tracks. We’re all
very upset about it.
You: What did Norton tell you about the malware? And how much data was
downloaded?
Sissy: Norton said it detected two malware objects in the Explorer browser
cache. Both objects were inert, and both were quarantined and deleted.
Norton said they were Threat Level One. I’m not sure how much data was
downloaded. The scan results seem inconsistent.
You: Well, Threat Level One is the least serious level, not the most. It means
the network wasn’t compromised. Also, because Norton blocked any
malware activity, I suspect this malware may be unrelated to your
network breach and data theft. I better take a look at those computers.
You spend the rest of the day trying to find what information was downloaded from
the affected computers, and how, but you can’t find anything. Your forensic scans
don’t show any large downloads having taken place from outside. It doesn’t seem
like anyone has penetrated the Norton firewall and compromised these computers.
Finally, at 9:00 pm you give up and go to the hotel across the street. It costs $145
(plus taxes) to stay overnight, and your dinner costs $20 (tip and tax included).
You get a good night’s sleep and a hearty breakfast at Tim Hortons ($8.99 plus
taxes, no tip). As you’re walking back to the DHS in the morning, an idea occurs to
you, so you try it out as soon as you get inside. You discover a solution to your
problem. You call your boss at 9:45 am and tell him about it:
Darren: That’s great, I knew you could do it! What did you do?
You: I kept getting high data output readings from the network cards, but
other scans didn’t support those readings, so I swapped out the network
card on one of the compromised computers. I swapped it with a network
card from a computer that I knew was secure. Sure enough, the
compromised computer suddenly gave the same readings as a secure
computer. And the secure computer suddenly started showing unusual
amounts of data going out.
You: That’s right, it’s the network interface cards. They’re the problem.
You: I figured it’s some kind of firmware glitch on the cards that produces
faulty I/O readings, so I got a technician to start swapping out the cards.
All thirteen cards with problems are part of the rollout of twenty new
computers that we installed two months ago at the DHS. The other seven
computers seem fine, but I’m having those cards swapped too. There
definitely seems to be some kind of factory defect going on with these
cards, so I won’t take any chances. I called our supplier to deliver some
replacement cards immediately, and they’ll be here by ten this morning.
You: No, it’s a straight exchange, no charge. They know that these cards have
caused a problem and they’re very apologetic.
Darren: So it’s all solved! Great work. When are you coming back?
You: I’m catching the eleven o’clock Helijet back. Sissy Hofferer can take care
of getting these computers fixed and back online. She’s very good; she
just made a natural mistake when she assumed a security breach, and it’s
safer to assume the worst.
Darren: Absolutely. And the money we spent getting you over there was well
spent. It could have cost us lots more. But you better write up an incident
report when you get back here. The new Director of Network Security,
Maddy Schickelgruber, is going to want a full report.
Write the incident report. Don’t copy the language used above; much of it consists of casual
conversation and may contain errors.
Due date: Sunday, March 22, 11:30 pm.