Follow-Up re: Human Resources Data Modification
1. Identify areas that were not addressed by the IT staff’s response to the incident.
Based on the narrative, the only corrective measure the company implemented was PKI. As noted in the original evaluation, several areas need to be addressed:
Climate/culture of the organization
Employee training for social engineering attacks
Positive identification of employees when granting role-based access
Vulnerabilities both inside and outside the network, specifically exposure to sniffers and eavesdropping
The ease with which the employee changed his pay rate, which indicates a single system used for HR profiles rather than segregated duties and systems
The PKI that was installed addressed only the HR system rather than the entire organization
Honestly, the whole environment at this company needs a complete evaluation and overhaul!
2. Outline the other attacks mentioned in the scenario that were not noticed by the organization.
Unauthorized Privilege Escalation
a. Describe the nature of the attacks not noticed by the organization.
By “the nature of the attacks” I interpret this to mean the source of the attacks, or the skill set required to carry them out. I believe this employee was tenured, based on their ability to:
Hack into the HR system
Successfully intercept the email from audit to the other individuals
Successfully impersonate the individuals the email from audit was sent to
Successfully identify the company president and other employees whose pay records were modified
Successfully eliminate evidence of the attack, as indicated by two paycheck cycles passing before audit caught the error
Know which access to acquire in order to modify other payroll records
Taken holistically, this indicates an employee who knew the organization and the company’s network quite well. This employee knew basic network attack tactics, and the checks and balances that