Project Scenario - Computer Forensics

Assignment 1
Organization Name: Mega Corp Inc.
With high-visibility breaches in the news impacting such well-known companies as RSA and Sony, the board of directors of Mega Corp has directed the CEO to establish incident response and forensics capabilities that will ensure they are prepared to meet any potential challenges that might come the way of the organization. The CEO wants an independent perspective and has recruited you to be his highly paid consultant. You will provide him with a set of recommendations that he can use to meet the board's request.
The recommendations you will be expected to provide as the deliverables for this project are:
1. Properly differentiate forensics and incident response activities.
2. Recommend appropriate changes to the existing architecture and IT assets of the project organization.
3. Recommend an appropriate set of preventative controls for implementation in the project organization.
4. Recommend appropriate physical space, incident response, and forensics tools requirements for the project organization and forensics partner.
5. Identify appropriate roles and responsibilities needed for effective forensics incident response for the project organization.
6. Develop appropriate incident classification and response procedures for the project organization.
7. Develop appropriate recommendations for continuous performance improvement of forensics and incident response procedures for the project organization.
High Level Details
Locations:
· Headquarters: Phoenix, Arizona.
· Distribution sites: New York, San Francisco, and New Orleans.
· Global locations: Germany, India, China, Australia, South Africa, and Dubai.
Employees:
· Phoenix, Arizona: About 1200 users.
· Distribution sites:
  · New York: 45 users.
  · San Francisco: 30 users.
  · New Orleans: 25 users.
· Global locations:
  · Germany: 15 users.
  · India: 12 users.
  · China: 10 users.
  · Australia: 8 users.
  · South Africa: 6 users.
  · Dubai: 5 users.
Main Infrastructure items:
· Hosts: They are primarily Windows XP but there are examples of both Macintosh- and Linux-based systems that have been approved for use at some sites.
· Cisco Routers and Switches: Each site will include their local switches and routers, which will be connected directly to the main data center located at the headquarters in Arizona.
· Firewalls: The headquarters and distribution sites have redundant ASA firewalls at the edge of their network and the global locations rely on the host-based Windows firewalls to protect their systems.
· Intrusion Detection: The malware solution for the organization is purchased and managed by each location and is the only form of IDS that is currently in place.
· Domain servers: Running Windows 2008.
· DNS servers.
· DHCP servers.
· Active Directory.
· Exchange Mail servers.
· File & Print servers.
· ERP system (such as PeopleSoft).
Current Environment
Mega Corp Inc. is a multi-national conglomerate consisting of two primary lines of business. These are:
· Mega Corp Consulting. The security consulting operation is located in the corporate headquarters in Phoenix, with remote partners responsible for sales and consultant oversight housed in offices within the nine sales, warehousing, and distribution centers worldwide.
· Mega Corp Solutions. The security products sales and distribution operations are also located in the corporate headquarters in Phoenix. Sales and solutions support staff are housed in offices within the nine sales, warehousing, and distribution centers worldwide.
Mega Corp owns a large office complex in Phoenix, where it is the sole tenant. The building houses the majority of IT staff and assets, both of which are located in the basement of the building in a secure, environmentally controlled space. The exception is first-level support, which is outsourced to India and shares space with the sales and warehousing functions in the country.
Remote sales, warehousing and distribution centers are all located in commercial space settings in shopping malls. They are spaces with separate entrances and exits that have common walls with the neighboring businesses. Some of the locations have a common basement or attic space that they share as storage space with the existing businesses in the mall. These locations will include your backbone network devices (routers, switches), domain controllers, DNS, mail servers, and firewall and intrusion detection systems that allow users to work locally in the event of a broader system failure.
Data on the servers is replicated twice a day from the local sites to the global locations to ensure safe and secure data transactions between sites and to help with speedy data recovery in times of disaster.
The network is segmented into 10 global virtual LANs that logically separate into the following user groups:
· Information Technology.
· Management.
· Finance.
· Human Resources.
· Marketing and Sales.
· Product Development.
· Training.
· Remote Users.
· Security and Facilities Departments.
· All other users.
New system user requests are completed by the site manager via an electronic form located on the company intranet. User management staff complete those requests from their headquarters location and e-mail the site manager with the account and password information. The account ID is the first initial and last name of the employee. Duplicate IDs are resolved by appending a 1, a 2, or, if necessary, a 3 to the end of the ID. Temporary passwords repeat the account ID and then require the user to change the password at logon. All users will be hosted in the main Active Directory servers, which will be designated as the corporate domain system for all hosts in the company.
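The provisioning procedure above is worth modelling when assessing preventative controls, because a temporary password that repeats a predictable account ID is guessable by anyone who knows the naming rule. The following is an added example, not part of the scenario or any MegaCorp system: it implements the scenario's ID rule (first initial plus last name, with 1, 2 or 3 appended on collision), reproduces the scenario's temporary-password practice beside a hardened alternative that draws a random password from a CSPRNG, and includes a simple audit check that flags provisioning records whose temporary password is derived from the account ID. The hardened generator, the `provision` record format and the sample directory contents are assumptions made for the example.

```python
import secrets
import string

# Constructed sample: account IDs already present in the directory.
EXISTING_ACCOUNTS = {"jsmith", "jsmith1", "alee"}

# Scenario rule: first initial + last name; append 1, 2 or 3 on collision.
def account_id(first_name: str, last_name: str, existing: set) -> str:
    base = (first_name[0] + last_name).lower()
    if base not in existing:
        return base
    for suffix in (1, 2, 3):
        candidate = f"{base}{suffix}"
        if candidate not in existing:
            return candidate
    # The scenario stops at 3; beyond that, provisioning needs a manual decision.
    raise ValueError(f"no free account ID for {base}")

# Scenario practice: the temporary password is the account ID itself.
def scenario_temporary_password(acct: str) -> str:
    return acct

# Hardened alternative (assumption, not from the scenario): a random temporary
# password from a CSPRNG, still subject to the change-at-first-logon rule.
ALPHABET = string.ascii_letters + string.digits

def random_temporary_password(length: int = 16) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

# Audit check: does the temporary password contain the account ID?
# Catches the scenario's "password repeats the ID" practice and simple variants.
def temp_password_is_predictable(acct: str, temp_password: str) -> bool:
    return acct.lower() in temp_password.lower()

# Builds the provisioning record that would be e-mailed to the site manager
# (assumed record layout). `hardened=False` reproduces the scenario's practice.
def provision(first_name: str, last_name: str, existing: set, hardened: bool = False) -> dict:
    acct = account_id(first_name, last_name, existing)
    pwd = random_temporary_password() if hardened else scenario_temporary_password(acct)
    existing.add(acct)
    return {"account_id": acct, "temporary_password": pwd, "must_change_at_logon": True}

if __name__ == "__main__":
    directory = set(EXISTING_ACCOUNTS)
    weak = provision("John", "Smith", directory)
    strong = provision("Ann", "Lee", directory, hardened=True)
    for rec in (weak, strong):
        flag = temp_password_is_predictable(rec["account_id"], rec["temporary_password"])
        print(rec["account_id"], "predictable temporary password" if flag else "ok")
```

Run as a script, the weak record for the second John Smith is flagged (its temporary password is `jsmith2`), while the hardened record passes the check; the same `temp_password_is_predictable` test can be applied to any existing provisioning log to size the exposure before recommending a change.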
Project Objectives
To successfully complete this project, you will be expected to:
· Properly differentiate forensics and incident response activities.
· Recommend appropriate changes to the existing architecture and IT assets of the project organization.
· Recommend an appropriate set of preventative controls for implementation in the project organization.
· Recommend appropriate physical space, incident response, and forensics tools requirements for the project organization and forensics partner.
· Identify appropriate roles and responsibilities needed for effective forensics incident response for the project organization.
· Develop appropriate incident classification and response procedures for the project organization.
· Develop appropriate recommendations for continuous performance improvement of forensics and incident response procedures for the project organization.
Week 10
· Forensics and Incident Response Recommendations (pages depending on questions)
Throughout the course you have been gathering information that will help you create your recommendations for MegaCorp about how they might create and maintain effective forensics and incident response capabilities in order to handle any future events involving their information assets. Using the formatting instructions below create a document for MegaCorp senior managers that addresses the following questions:
· How do Forensics activities differ from Incident response activities?
· What changes do you recommend be made to the existing architecture and management of IT assets to better support forensics and incident response activities?
· What categories of preventative controls, necessary to support forensics and incident response activities, do you recommend that MegaCorp IT staff evaluate and implement?
· What space and tools considerations, both for MegaCorp and for inclusion in the forensics partner contract, are important to ensure proper preparation for following up a potential event?
· Who (what roles) are involved in forensics and incident response work and what are the activities for which they are responsible?
· What are the high-level steps for classifying incidents, and for evaluating and responding to each of those classifications?
· What are some strategies that MegaCorp can use to monitor and improve the performance of their forensics and incident response procedures?
Project Requirements
To achieve a successful project experience and outcome, you are expected to meet the following requirements.
· Written communication: Written communication should be free of errors that detract from the overall message.
· Length of paper: No page length requirements. Your incident response recommendations will dictate the number of pages required.
· Parts of paper:
  · Cover sheet.
  · Table of contents.
  · Introduction.
  · Body of document.
  · Summary.
· List of references: A list of references, including books, Web sites, articles, and other resources.
· Font and font size: Arial, 10 point.
· APA Formatting: The paper should include a cover sheet, table of contents, executive summary, body of the document, and properly cited reference page.
When complete, submit your document in the assignment area.
[u10d1] Unit 10 Discussion 1
Performance Management and Improvement (1-page Discussion)
You have done all that you can to help MegaCorp develop an effective forensics and incident response framework. The last set of recommendations that you plan to make involves how the members of MegaCorp's forensics and incident response can ensure that their procedures are working properly through the use of an incident post-mortem and follow-up plan. Discuss what steps you would include in a quality improvement process following an incident, to ensure that not only are events evaluated but that any recommended changes are actually implemented into the existing procedures to create incremental improvements in effective response.
[u10d2] Unit 10 Discussion 2
Course Reflections (1-page Discussion)
Share what you learned in this course that you believe will be helpful to you in your future endeavors. Tell the class what you liked the most and what you liked the least.