96%(95)91 out of 95 people found this document helpful
This preview shows page 1 - 4 out of 19 pages.
Running Head: CYBERSECURITY INCIDENT REPORT1Cyber Security Incident ReportUniversity of Maryland University College: CST 630
Cybersecurity Incident Report2Executive SummaryThe recent incident of the cyber-attack on our webserver has highlighted the importance of our network security here at SuperCyberSecure (SCS). As such, the purpose of this Cybersecurity Incident Report (CIR) is to perform as an After-Action Report. The attack that occurred on our network was done by leveraging a compromised laptop that was brought to workby an employee through the BYOD program. The laptop was left on the premises overnight, which is when the device performed an attack which attempted to leverage a PHP vulnerability (OSVDB-12184). This vulnerability has the possibility to lead to an unauthorized information disclosure. While the attack was not successful (this vulnerability was patched for our webserver), it brings to light the necessity of improving our BYOD policy, security monitoring and management of the network.The wireless and BYOD policy needs to be re-vamped to better monitor and protect our infrastructure; to do so we need to implement better rogue access point (AP) scanning and harden Cisco ISE configuration and its malicious activity response. We need to implement a remote configuration management system, that would allow us to better control, manage, and secure all devices on our network – those we provision, and those that are introduced to our network through the BYOD policy. If these actions were taken, the attack that was performed against our webserver would have either never been able to occurred.
Cybersecurity Incident Report3Wireless and BYOD Security PlanIn July of 2017, we introduced a Bring Your Own Device (BYOD) policy that allowed end users to bring their own devices (laptops) for use on the company network. This policy did not allow for wired access (due to infrastructure and ethernet cabling requirements), but for Wi-Fi access. Looking back, there was a large lack of security configurations and monitoring in place, to combat threats to the network.The threats for the Wireless Local Area Network (WLAN) come from two primary sources: unauthorized equipment, and rogue access points. The unauthorized equipment was not identified as we had not set up proper security configurations or monitoring for unauthorized devices (either wired, or wireless). Rogue Access Points (AP) impersonate a router from the network, in order to convince an end user to request access and attempt to authenticate with it. The rogue access point then steals the information the end user provided in order to impersonate the end user to the true network AP. Unauthorized devices can cause havoc on a network that is not properly secured. They can perform harder to detect actions, such as simply passively eavesdropping (made harder due to WPA2-Enterprise security protocols) to get information for a further attack vector, to traffic analysis (traffic patterns can provide information needed to properly hide attacks or identify possible vulnerabilities).