134 What Every Engineer Should Know About Cyber Security
(e.g., an employee can casually send out confidential information) of the organization as well as become a conduit for worms* and viruses.
The exact AUP excerpt read as follows:
INSTANT MESSAGING and CHAT Services:
Use of instant messaging or chat applications on the company network
is not acceptable.
To monitor the IM restriction, the intrusion detection system was configured to generate an alert if IM was being utilized. Well, one afternoon, Alex informed Jenny that the IM alarm had been triggered. Upon analysis, the identity of the employee was discovered, but the CIRT needed to analyze the hard drive to determine the nature of the messages. If the messages were inappropriate, this would be grounds for the employee’s dismissal.
Alex informed Jenny of the situation and they made a plan. They needed to inform the director of Human Resources (HR) of the violation and plan a time to approach the employee to confiscate the employee’s hard drive. The team decided to approach the employee within the hour.
The CIRT team and director of HR gathered and approached the employee. Jenny said, “It has come to our attention that you are in violation of this organization’s acceptable use policy. We will need to confiscate your hard drive.” The employee obviously was stunned, but was cooperative.
The CIRT team brought the hard drive back to their lab, made a forensically sound† copy of the hard drive, and began their analysis. They knew the instant messenger client, so they needed to analyze the application to determine the messages that were received and sent. They discovered that the messages were of an inappropriate nature, which is grounds for dismissal. They needed to follow appropriate procedures to store the evidence in the event that the employee decided to contest the dismissal. For now, the situation was handed over to Human Resources to dismiss the employee.
7.3.1 After Action Report
7.3.1.1 What Worked Well?
The CISO has done an excellent job implementing industry’s best practices into this organization’s security profile. An AUP policy was written, implemented, and followed. The organization had a dedicated team to respond to the incident and they followed forensically sound procedures to analyze the situation.
* The terms worms and viruses are often used interchangeably but are in fact different. A virus is distributed by making copies of itself. A worm uses a computer network to replicate itself. It searches for servers with security holes and makes copies of itself there.
† “Forensically sound” refers to the manner in which the electronic information was acquired. The process ensures that the acquired information is as it was originally discovered and thus reliable enough to be evidence in a court proceeding.
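As an added illustration of what “forensically sound” means in practice (not code from the book), the following Python simulates the acquisition step the CIRT performed: the source is hashed before and after imaging, the image is hashed, and the three values are recorded so that anyone can later show the copy matches the original and that the original was not altered. The seized drive is replaced here by a constructed in-memory byte string; the examiner name is a placeholder.

```python
import hashlib
import io
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # read size per chunk; imaging tools typically use larger blocks


def sha256_of(stream):
    """Hash a seekable binary stream from its start, chunk by chunk."""
    stream.seek(0)
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(BLOCK_SIZE), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image, examiner):
    """Bit-for-bit copy of `source` into `image`, returning a custody record.

    Hashing the source both before and after the copy shows the acquisition
    did not alter the original; hashing the image shows the copy is exact.
    """
    source_before = sha256_of(source)
    source.seek(0)
    image.seek(0)
    for chunk in iter(lambda: source.read(BLOCK_SIZE), b""):
        image.write(chunk)
    return {
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source_before": source_before,
        "source_after": sha256_of(source),
        "image": sha256_of(image),
    }


def verify_image(image, record):
    """Re-hash the image (before analysis, or for court) and compare to the record."""
    return (record["source_before"] == record["source_after"]
            and sha256_of(image) == record["image"])


# Constructed stand-in for the seized drive: 12288 bytes of patterned data.
SAMPLE_DRIVE = b"IM log line\n" * 1024


def demo():
    src, img = io.BytesIO(SAMPLE_DRIVE), io.BytesIO()
    record = acquire_image(src, img, "examiner-placeholder")
    ok = verify_image(img, record)          # True: image matches the record
    img.seek(100)
    img.write(b"X")                          # simulate a later modification
    tampered = verify_image(img, record)     # False: image no longer matches
    return ok, tampered, record


if __name__ == "__main__":
    print(demo()[:2])  # (True, False)
```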