retake esp sonali task 2

TASK 2
Sonali Paul Jassal
LongStaff Marketing Solutions
Draft Questions:
Hello, I’m Sonali and I am your IT Support Technician. I have been notified about some of the issues you are currently facing, therefore I would like to know more about your organisation and about the following areas: current setup, attack details, network and system access, security measures, data protection and backup and lastly, details about post-attack and staff awareness.
Current Setup-
1. How many staff are currently in your organisation?
2. How many devices such as laptops and desktops does your organisation have? Could you talk me through your infrastructure?
3. Do you have plans to expand? If so, what are they?
Attack Details-
I have been informed that you have encountered a recent malware attack; could you confirm if that is correct?
1. Could you provide some details of the malware attack on the NAS drive?
2. How was the attack detected? Was there a system in place to detect this?
3. Were there specific vulnerabilities that were exploited by the attackers to gain access to the NAS?
4. Firewall- Could you tell me about the firewall and how it works, in terms of the rules and the outbound and inbound traffic? Is it configured securely? Do you get any alerts on suspicious activity?
Network and System Access-
1. What user access controls are currently in place for the NAS and how are permissions assigned to staff?
2. Are there any remote access restrictions in place to access the NAS and how do they make sure it is secure?
3. Were there any unauthorised accounts or unusual login attempts identified in the firewall or system logs during the attack?
Security Measures-
1. What security measures were in place on the NAS before the attack? (E.g. any antivirus software, IDS systems)
2. Are software updates and patches regularly applied on the NAS and other systems? If so, how regularly?
3. Is there multi-factor authentication implemented for accessing the NAS? If not, why not?
Data Protection and Backup-
1. Were the deleted files backed up? If so, how frequently are the backups performed? Following on from that question, where are the backups stored?
2. What encryption methods are used to protect personal information stored on the NAS?
3. How do you ensure sensitive company data such as client records or employees’ information is kept safe and protected?
Post-Attack and Staff Awareness-
1. Did you have a mitigation process or strategy after the incident? If so, could you briefly tell me what it was?
2. Are staff aware of how to report any incidents? Do you have a system in place for this? Are there any policies for this?
3. Do employees receive regular cybersecurity training such as recognising phishing attempts?

Email to Line Manager:
FROM: SONALI PAUL JASSAL - IT SUPPORT TECHNICIAN
TO: LINE MANAGER
CC/BCC:
SUBJECT: Summary of the meeting with IT Manager

Dear Line Manager,
I hope this email finds you well. I recently attended a meeting with the IT Manager regarding the current infrastructure and the recent malware attack that occurred, to gain a deeper understanding. Therefore, in this email I will be discussing the topics that were covered in the meeting.

Firstly, I wanted to find out a bit more about the organisation and how it operates. Therefore, my first question was: How many staff are currently in your organisation? The answer provided was- We have 25 employees, 10 of which are office based and 15 are provided with laptops to work at home if agreed with management. This shows that the company has enough devices provided for everyone and staff are able to connect to work at home or in the office.
My second question was- How many devices such as laptops and desktops does your organisation have? Could you talk me through your infrastructure? The answer was- We have 15 laptops which are for remote users and they connect to the VPN, 10 desktops, a SOHO router, and a NAS drive where all the client information is stored. This shows they are clearly lacking a good, secure network infrastructure as they are using a SOHO router, which is intended for small homes and offices. However, as they are growing it is vital for them to upgrade and have a better router that is more fit for their needs but also for their intensive marketing programs.
Then, I moved onto the details of the attack to discover why it had occurred and whether it was due to vulnerabilities that were present in the organisation.

My first question for this was- Could you provide some details of the malware attack on the NAS drive? The answer given was- The NAS was hacked and several important files were deleted, which included Personally Identifiable Information (PII), and it resulted in losing two long-term clients.

Key Issues- This is a big impact as these malware attacks have clearly cost them their reputation as a business, and it will take a lot of reassurance and rebuilding of the brand to make the company be seen as reliable again. Furthermore, the NAS drive being hacked shows there was clearly a vulnerability in place that made it easy for the hackers to exploit this and use it to their advantage.
My second question was- How was the attack detected? Was there a system in place to detect this? The answer provided was- There was nothing in place to detect the attack; we only found out when we saw that several files had been deleted and were missing.

My follow-up question was- Would you like a solution in place to detect these types of issues? The answer stated was that yes, that is something they would like to implement.

Key Issues- There is clearly an issue highlighted, as there was no system in place to detect the cyberattacks, which meant no one in the company was aware. Therefore, the malware attack could have ended up a lot worse than it was. Consequently, I would recommend implementing an IDS or IPS, which will definitely help the company be aware of anything that happens. This can help in reducing the impact but is also a good mitigation strategy in order to reduce the number of cyberattacks.
My third question was- What do you have in place in terms of security? The answer stated- We have a SOHO router with a built-in firewall.

Key Issues- A SOHO router with a built-in firewall has quite basic features and can lack advanced threat protection. Furthermore, the router may not receive frequent updates, which leaves them open to any new malware if it is outdated. Also, the router is usually designed for 1-10 users and that may lead to complications with more devices or complex setups.

My fourth question was- Could you tell me about the firewall and how it works in terms of rules and about the outbound and inbound traffic? The answer provided was- I’m not too sure about how the firewall is configured and I have not reviewed the security. I’m not sure which ports are blocked or not and I do not get any alerts on any suspicious activity.

Key Issue- They are clearly not aware of how the firewall is configured, which is a big threat. As I was informed that the attack was external, this could be the reason, since allowing inbound traffic that is not necessary is an issue.
After this I moved onto finding out more about the network and system access.

My first question was- What user access controls are currently in place for the NAS and how are permissions assigned to staff? The response given was- The users access the NAS drive through the shared administrative account, all staff have shared access and they can install any software they would like.

Key Issues- This is a concern as it is going to lead to all staff making unauthorised changes and modifying anything they like, and without a way of tracing the individuals it can be hard to keep track and log what has been done. Furthermore, an employee might install something malicious or malicious software, which will affect the entire network and cause many disruptions, but also leave the organisation suffering financially and reputationally.
My second question was- Are there any remote access restrictions in place to access the NAS and how do they make sure it is secure? The reply given was- All remote users connect to the NAS drive through a VPN and have a username and password to access it.

I then asked- Is the username and password quite generic or strong? The answer given was- It’s not as secure; the username is LMSAdmin and the password is "password" with special characters and numbers.

Key Issues- The problem is that they have tried to make it secure by adding a VPN; however, the account username and password are not secure at all, and that is a weakness which can leave the remote users quite easily experiencing a cyberattack, but also disrupting the whole network.
Next, I moved onto the security measures that were in place at that current time and assessed whether they were suitable or not for the organisation.

My first question was- What security measures were in place on the NAS before the attack? (E.g., any antivirus software, IDS systems) The input received was- No, nothing in place, just a firewall built into the SOHO router.

Key Issues- This is a problem as it shows they are weak in some areas regarding security, which needs to be solved immediately to reduce the risk of experiencing another cyber incident.

My second question was- Are software updates and patches regularly applied on the NAS and other systems? If so, how regularly? The answer provided was- The NAS is Linux based but I cannot confirm anything about the updates.

Key Issues- They are clearly not aware of the backups, which will definitely need to be implemented to keep a copy of files and data in case an incident were to occur. Then I asked about the VPN and whether it was up to date. The answer provided was- The VPN is on a Windows Server 2019 and we believe it is quite outdated.
After this I moved onto data protection and backups.

My first question was- Were the deleted files backed up? If so, how frequently are the backups performed? Following on from that question, where are the backups stored? The answer stated was- There are no backups in place and it’s not frequent.

Key Issues- There is no backup, therefore this means that if all files were deleted, for example in this case where several have been deleted, they cannot be restored and all the data has been lost. If there had been a backup in place there would be a copy of the documents.
Ultimately, I moved onto finding out more about post-attack and staff awareness. The key information I found was that staff aren’t aware of how to report incidents or any of the latest information. They’re only required to do an induction session which only included 3 videos totalling 2 hours.

To conclude, from my findings from the interview with the IT Manager, it has led me to realise that:
· There is a lack of training
· Lack of backups
· Outdated operating system
· Weak passwords
· Generic, weak passwords
· No role-based access controls
· Shared admin accounts

I hope this is useful. Thank you for your time.
Email to Managing Director
FROM: SONALI PAUL JASSAL - IT SUPPORT TECHNICIAN
TO: MANAGING DIRECTOR
CC/BCC:
SUBJECT: Summary of meeting with IT Manager

Dear HR,

From my findings from the interview with the IT Manager, it has led me to realise that:
· There is a lack of security controls
· A lack of knowledge in mitigation and security overall
· Less focus on regular maintenance
· Training needs to be carried out on a regular basis
· Operating systems aren’t standardised
· Lack of knowledge in this area
· There is a lack of security controls as employees are sharing admin passwords
· There is no role-based access control in place

No Role-Based Access
Furthermore, as employees have full admin access, they are allowed to install software without any permission needed. This is a concern as it is going to lead to all staff making unauthorised changes and modifying anything they like, and without a way of tracing the individuals it can be hard to keep track and log what has been done. Furthermore, an employee might install something malicious or malicious software, which will affect the entire network and cause many disruptions, but also leave the organisation suffering financially and reputationally.

Maintenance
There is generally less focus on regular maintenance and making sure everything is looked after, which poses a big risk as security vulnerabilities will keep growing and they may not be aware of anything that might be a danger to the company.

Employee Training
Having only one session of training on the induction, covering only password safety and basics, is clearly not enough as technology is rapidly advancing and so are threats. Therefore, everyone in the company should be fully aware of the latest threats but also should know how to effectively mitigate them if they were to happen.

No Detection or Alert Systems
Not having a system in place can put the business at risk of threats as it can lead to system failures and security breaches all going unnoticed, and can cause data loss and financial damage without anyone knowing.

I hope this is a clear overview. Thank you for your time.