What does having the unusual traffic going to Mongolia add


Incident Response Discovery and Mitigation

International Produce, a fictional packing company of canned fruits and vegetables, is headquartered in Boston, Massachusetts, and ships products to more than 40 countries. In addition to the headquarters, International Produce owns 12 regional distribution centers.

Each distribution center uses RFID tracking to ship and inventory product as it is received and then distributed for local shipping. In addition to the shipping and receiving functions, the distribution centers house accounting, human resources, and payroll staff who hire, fire, pay, and manage the day-to-day running of the distribution center.

International Produce has a layered approach to management of the data that it collects and stores. RFID data that is generated by the warehouse is sent directly to servers located in the Boston headquarters as part of a highly sophisticated enterprise resource planning (ERP) system.

The ERP system has modules that would make the same centralization possible for the personnel-related tasks, but implementing the RFID tracking component was so painful and so expensive that senior management has opted to continue leaving those activities to local managers.

These local office networks are designed as individual LANs; however, at the end of each day, the office manager for each distribution center hooks the network to a local Internet service provider and uploads the day's data collection to the headquarters in Boston. These local office managers hire local IT support to purchase and maintain the small number of devices and applications required to support the office. The RFID tracking software is off limits to local support and is managed only by corporate troubleshooters who have the task of traveling to any trouble spots and fixing them.

The network management service that International Produce hired to monitor activity on its global WAN saw an increase in the number of packets passing between the distribution center in Mongolia and the Boston office. The international nature of the business had created a norm of traffic bursts appearing at all hours of the day and night, so this increase was not perceived as problematic until it was noticed that the traffic was not coming from Mongolia to Boston but was instead traveling from Boston to Mongolia.

The CIO of International Produce lives in your neighborhood and was recently chatting with you at the local National Night Out celebration where you shared details of your professional resumes. International Produce, as a privately owned company, has no regulatory requirements that would have made incident response planning a priority.

As such, when the CIO got the call from the network management service that something unusual appeared to be going on, he remembered from your recent meeting that you are an incident response consultant. He called to ask whether you are willing to take on the task of determining what his IT staff should do in response to this situation.

Use the study materials and any research necessary to fill in knowledge gaps. Write a 2-3 page paper that covers the following:

• How would you go about figuring out what resources are available to help you solve this situation?

• What steps would you want to take in order to properly assess the situation?

• What does having the unusual traffic going to Mongolia add to the complexity of resolving any potential incidents involving theft of intellectual property?

Assignment Requirements

• Written communication: Written communication is free of errors that detract from the overall message.

• APA formatting: Resources and citations are formatted according to APA (6th edition) style and formatting.

• Length of paper: 2-3 pages, excluding the references page.

• Font and font size: Times New Roman, 12 point.

Required Reading

Incident Response and Contingency Planning

INTRODUCTION

Unit 6 covers the concepts of incident response and contingency planning. The percentage of businesses that survive and are still in business five years following a major incident or disaster is very low.

The reality is that planning for events that may never happen often does not get a high priority in many organizations, despite these grim figures on what failure to plan costs a business. Information security professionals are not always in a position to influence enterprise-level planning; however, prudent professionals examine the environment and do their own planning for how security can be maintained in the event of an emergency.

Most organizations do not have trained forensics professionals in-house, so they are unprepared when an incident occurs that requires collection of evidence. An effective security professional will have initiated activity toward identifying resources, creating procedures, and having the framework for a response to a critical incident that may end up being litigated in a court of law. Unit 6 covers some of the resources and strategies that are available to security professionals toward accomplishing those objectives.

OBJECTIVES

To successfully complete this learning unit, you will be expected to:

1. Identify the characteristics and roles of incident response and disaster recovery contingency plans.

2. Explore the relationship between IT contingency planning and overall enterprise business continuity planning.

3. Recommend appropriate workflows within a specific organization in response to a potential incident.

4. Evaluate security controls that would have aided in discovery, data collection, and analysis following a specific incident within an organization.

5. Evaluate the impact to multinational organizations of having network segments in underdeveloped countries.

6. Exhibit proficiency in writing, critical thinking, and research topic areas in IT security fundamentals.

Required Reading

Complete the following required reading:

1. Use Information Security Management Handbook to read Chapter 11, "CERT Resilience Management Model: An Overview," pages 135-152.

2. Use Computer Security Incident Handling Guide to read pages 1-51.
