School Projects

Project Two – Incident Analysis Brief: Tailgating at Financial Institution

Overview/What Happened and When

Recently, an employee in the payroll department returned from a coffee break to find a suspicious person rushing out of her office. The person was carrying a backpack and an unfamiliar electronic device, and ran out through an adjacent emergency exit door. The payroll employee's file cabinet had been left open, and a significant number of folders were missing from it. Her workstation had also been turned sideways, and her USB headset was unplugged.

Since the incident, there has been abnormal behavior, such as payroll reports containing inaccurate information. Another serious effect is that the organization's payroll software application is suffering abnormal disruptions lasting anywhere from a few minutes to several hours.

Implications

This security breach brings to attention weaknesses in the company's security policies, physical controls, incident response, and disaster recovery plans. Companies that do not adhere to the CIA triad of security design principles (Confidentiality, Integrity, and Availability) face many consequences, including loss of business continuity. Confidentiality is the biggest loss in this incident. In the case above, loss of confidentiality can result in lost customers, identity theft of employees, employees' bank accounts being compromised, and significant financial loss to the company. This data breach could also lead to heavy fines for non-compliance with or violations of the PCI DSS standard. For example, keeping credit card information on paper in unlocked or unsecured cabinets is a violation (Baykara, 2020).

Employees may sue an employer for breach of duty and negligence for failing to follow industry standards for protecting their data (Commerce and Trade Act, 2017).

If any customers' data was compromised during the breach, the greatest overall negative impact is the violation of the Gramm-Leach-Bliley Act (GLBA). GLBA compliance is mandatory for all U.S. organizations selling financial products or services. GLBA compliance requires an information security policy designed to ensure the confidentiality, integrity, and availability of customer records. Financial institutions must protect customer records from cyber-attacks and protect against unauthorized access to or use of customer records or information that could result in harm to the customer (Federal Trade Commission, 2002).

Objective

Confidentiality involves the measures that keep an organization's systems and data private by controlling and preventing unauthorized access. The objective is to ensure the company is prepared to prevent and respond to both physical security incidents and cyber security incidents. The sections below describe the required controls for incident handling, monitoring, reporting, and data loss prevention (DLP), and a revamped data backup plan. The goal is to maintain confidentiality within the company by improving security controls both physically and within the information systems.

Recommendations

Install locks on file cabinets, review security camera coverage, review emergency exits, enable automatic sign-out after a period of inactivity, and enact a policy requiring employees to sign out whenever they are away from their computers. Review the data backup system and backup schedules, and develop plans for additional recovery options and restore points so that systems can be restored or rolled back from multiple backup solutions and multiple completed backups. This prepares the company for business continuity (BCP) after the next incident or data breach.

Because the system was behaving abnormally after the incident, it appears that no proper data backup and recovery plans or controls are in place. Nightly backups could have prevented the payroll issues after the attack by rolling back or restoring from a known good backup; restoring the systems to a known good state (before the attack) could have avoided these issues. Tailgating is a serious vulnerability in any company, with substantial cybersecurity and physical security implications. Emergency exits should be tested to see whether they can be opened from the outside.

Recommended Security Controls

Two security principles from the OWASP Developer Guide that could have helped this situation the most are Complete Mediation and Fail-Safe Defaults. Below is a summary of these two principles, why each is important, and the controls that follow from them.

Complete Mediation

Complete mediation reduces the risk of unauthorized access arising from changing circumstances or evolving threats, because every access is checked against the current policy rather than relying on an earlier decision. The concept of complete mediation requires that all access to objects be verified to confirm that it is allowed (Principles of Security, OWASP). Examples are requiring a key card to access restricted doors and requiring multifactor authentication.

  • Implement controls blocking unknown USB storage devices and require disk encryption for both mobile devices and removable storage devices (NIST MP-4, MP-5).
  • Locked doors with vestibules (man traps) and key card access (NIST PE-3, PE-3(8)).
  • Locked file cabinets (NIST PE-3).
  • Review existing security cameras and install or upgrade cameras where coverage is inadequate.

Fail-Safe Defaults

The security principle of Fail-Safe Defaults aims to maintain confidentiality when an error is detected. Error conditions may be the result of an attack or of design or implementation failures; in any case, the system or application should default to a secure state rather than an unsafe one. All recommended checkpoints refer to the current NIST SP 800-53 Rev. 5.

  • Automatic user log-off of systems after a period of inactivity.
  • Doors that lock by default and fail closed during power outages.
  • Nightly immutable backups that are performed, maintained, and tested (NIST CSF PR.IP-4).
  • Security awareness training, with an emphasis on tailgating tactics (NIST AT-2, PM-13).
  • Install advanced endpoint protection with endpoint detection and response (EDR), along with data access monitoring and data change/file integrity monitoring.
  • Hire a third-party vendor (professional penetration testers) to conduct a network/system security risk assessment and a social engineering/physical security penetration test.
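The two principles above, Complete Mediation and Fail-Safe Defaults, can be shown together in a small reference monitor for payroll records. The following Python is an added illustration written for this brief; it is not code from OWASP, NIST, or the institution described, and the user names, roles, policy rules, and the 15-minute inactivity timeout are constructed assumptions. Every access re-reads the live role and policy tables (so a revoked role is denied on the very next call), and every path other than an explicit allow, including an internal error in the checker itself, ends in a denial that is written to an audit log:

```python
import time
from dataclasses import dataclass

INACTIVITY_TIMEOUT = 15 * 60  # seconds; assumed value, set per policy


class AccessDenied(Exception):
    """Raised for every refused access. The reason is logged, not returned to the caller."""


@dataclass
class Session:
    user: str
    last_activity: float
    mfa_verified: bool = False
    active: bool = True


class PayrollReferenceMonitor:
    """Every access to a payroll object passes through authorize().

    Complete mediation: each call re-reads the current role and policy tables,
    so a permission revoked a second ago is enforced on the next access.
    Fail-safe defaults: the only path that returns True is an explicit allow;
    unknown users, unknown objects, idle sessions and internal errors all deny.
    """

    def __init__(self):
        # Constructed sample data: role per user and allowed (role, object, action) tuples.
        self.roles = {"alice": "payroll_clerk", "bob": "helpdesk"}
        self.policy = {
            ("payroll_clerk", "payroll_master", "read"),
            ("payroll_clerk", "payroll_master", "write"),
            ("helpdesk", "office_directory", "read"),
        }
        self.sensitive = {"payroll_master"}  # objects that additionally require MFA
        self.audit_log = []  # (time, user, object, action, allowed, reason)

    def authorize(self, session, obj, action, now=None):
        now = time.time() if now is None else now
        try:
            allowed, reason = self._evaluate(session, obj, action, now)
        except Exception as exc:  # a failure inside the checker fails closed
            allowed, reason = False, f"internal error: {type(exc).__name__}"
        self.audit_log.append((now, session.user, obj, action, allowed, reason))
        if not allowed:
            raise AccessDenied(f"{session.user} {action} {obj}")
        session.last_activity = now
        return True

    def _evaluate(self, session, obj, action, now):
        if not session.active:
            return False, "session terminated"
        if now - session.last_activity > INACTIVITY_TIMEOUT:
            session.active = False  # automatic log-off: an idle session is ended, not resumed
            return False, "inactivity timeout"
        role = self.roles.get(session.user)  # re-read on every call, never cached
        if role is None:
            return False, "unknown user"
        if (role, obj, action) not in self.policy:
            return False, "no policy rule"  # default deny
        if obj in self.sensitive and not session.mfa_verified:
            return False, "mfa required"
        return True, "allowed"

    def revoke_role(self, user):
        """Remove a user's role; takes effect on the user's next access."""
        self.roles.pop(user, None)


def is_allowed(monitor, session, obj, action, now):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        return monitor.authorize(session, obj, action, now)
    except AccessDenied:
        return False


if __name__ == "__main__":
    m = PayrollReferenceMonitor()
    clerk = Session("alice", last_activity=1000.0, mfa_verified=True)
    print(is_allowed(m, clerk, "payroll_master", "read", now=1010.0))  # True
    m.revoke_role("alice")
    print(is_allowed(m, clerk, "payroll_master", "read", now=1020.0))  # False
    for entry in m.audit_log:
        print(entry)
```

The audit log is the detection hook: a burst of "no policy rule" or "mfa required" denials against payroll_master from one session is exactly the kind of event the EDR and data access monitoring recommended above should surface.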

Summarize Solutions and Impacts

For this specific incident involving the integrity of the payroll system, the IT team will need to work with the payroll staff to perform a full payroll system recovery from a backup completed on a date and time before the last known good payroll system report, or shortly thereafter as applicable. Once the restoration of the payroll system is complete, the payroll department will need to validate the restored system by generating a new system report and confirming that it is a 100% match with the last known good payroll system report.
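The file integrity monitoring recommended under Fail-Safe Defaults and the restore validation described here rest on the same mechanism: a baseline of known good content compared against what is present now. The Python below is an added example for this brief, not the institution's tooling; the payroll report rows and file names are constructed sample data. It hashes every file under a directory to build a baseline, reports files that were added, removed, or modified since, and compares a restored payroll report row by row against the last known good report so the payroll department can see exactly which employee records differ rather than only a pass/fail:

```python
import csv
import hashlib
import io
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large payroll exports are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare_to_baseline(root, baseline):
    """File integrity check: what changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def report_mismatches(known_good_csv, restored_csv, key="employee_id"):
    """Row-by-row comparison of two payroll reports keyed on employee id.

    Returns a list of (employee_id, known_good_row, restored_row); a row that is
    absent from one report appears as None. An empty list is a 100% match.
    """
    def rows(text):
        return {row[key]: row for row in csv.DictReader(io.StringIO(text))}

    good, restored = rows(known_good_csv), rows(restored_csv)
    return [
        (emp, good.get(emp), restored.get(emp))
        for emp in sorted(set(good) | set(restored))
        if good.get(emp) != restored.get(emp)
    ]


# Constructed sample reports, not real payroll records.
KNOWN_GOOD_REPORT = "employee_id,name,net_pay\nE001,A. Clerk,2500.00\nE002,B. Desk,2100.00\n"
TAMPERED_REPORT = (
    "employee_id,name,net_pay\nE001,A. Clerk,2500.00\nE002,B. Desk,9100.00\nE999,Ghost,5000.00\n"
)


def demo():
    """Baseline a payroll directory, alter it, then report drift and row mismatches."""
    with tempfile.TemporaryDirectory() as root:
        report = os.path.join(root, "payroll_report.csv")
        with open(report, "w") as handle:
            handle.write(KNOWN_GOOD_REPORT)
        baseline = build_baseline(root)  # taken while the report is known good
        with open(report, "w") as handle:
            handle.write(TAMPERED_REPORT)  # simulated unauthorized change
        with open(os.path.join(root, "unexpected.bin"), "wb") as handle:
            handle.write(b"\x00")  # simulated file that should not be there
        drift = compare_to_baseline(root, baseline)
    return drift, report_mismatches(KNOWN_GOOD_REPORT, TAMPERED_REPORT)


if __name__ == "__main__":
    drift, mismatches = demo()
    print(drift)
    for emp, expected, actual in mismatches:
        print(emp, expected, actual)
    print(report_mismatches(KNOWN_GOOD_REPORT, KNOWN_GOOD_REPORT))  # [] after a clean restore
```

In practice the baseline digests would be stored off the monitored host (ideally alongside the immutable backups), and the check would run on a schedule so that a report altered after the tailgating incident is flagged before payroll is run, not after employees notice wrong pay.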

Conclusion of the single most important change

The single most important lesson to be learned from this incident (or change in thinking) is that senior management must develop a clear understanding of the security controls (NIST Framework) required to protect mission-critical information systems. Senior management should collaborate with IT professionals to develop a plan to implement and maintain security controls across the organization (all departments and locations). The plan must include an annual budget for building a team of information security professionals who will collaborate with senior management to develop and implement information security policies, and adequate resources to implement and maintain cybersecurity controls.

Information technology departments can use the list of security controls in the NIST Framework to develop a baseline of security controls for securing information systems. The baseline security control framework for a successful information security program will include operational, technical, and management standards and guidelines for protecting company assets (information and systems) and maintaining confidentiality, integrity, and availability.

The maturity of the information security program and the effectiveness of its cybersecurity controls need to be validated by third-party risk assessments and penetration testing on at least a semi-annual basis or every 12-24 months.


Citations

Baykara, S. (2020, April 7). PCI DSS Requirements. PCI DSS GUIDE. https://pcidssguide.com/pci-dss-requirements/

Commerce and Trade Act, 15 U.S.C. § 6801 (2017). https://www.govinfo.gov/content/pkg/USCODE-2017-title15/html/USCODE-2017-title15-chap94-subchapI-sec6801.htm

Federal Trade Commission. (2002, July 2). How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act. Federal Trade Commission. https://www.ftc.gov/business-guidance/resources/how-comply-privacy-consumer-financial-information-rule-gramm-leach-bliley-act

OWASP Foundation. (n.d.). Principles of Security. OWASP Developer Guide. https://owasp.org/www-project-developer-guide/draft/04-foundations/03-security-principles