In: Operations Management
The Information Technology department notifies you that there has been evidence of unusual behavior from a privileged user's account, in this case the Chief Financial Officer (CFO). The CFO indicates that they had received an email from a close friend with an attachment, clicked on a link, but it turned out to be junk and they ignored it. IT began their initial investigation immediately, and found that the email was likely a successful spear phishing attempt, from a similar but slightly different email address that mirrored the information of the friend's account. What actions do you recommend be taken to contain this incident, and return to normal operations? Additionally, what steps should be taken to gather evidence during this procedure, in case it is later determined that you need to contact authorities? (the course is called cybersecurity management)
The following actions are recommended to contain the incident and return to normal operations:
1. First of all it is crucial to inform in detail the entire incident to the IT department so that they are able to take necessary remedial steps.
2. All the associated networks and connected databases must be checked thoroughly for any phishing attempts, and proper verification must be done.
3. It is important to format all the affected systems immediately and take a data backup of all the critical information. This is required in order to prevent data loss and data theft.
The following steps should be taken to gather evidence during this procedure:
1. First of all, the CFO must be interviewed about the email he was expecting to receive from the close friend and what content he was expecting in the email.
2. The situation that led the CFO to open the email attachment of the suspected phishing mail and put the information system at risk should be examined.
3. Why did the CFO not inform the IT department beforehand if he suspected any fraudulent mail, since he knew the mail ID of his close friend and did not receive the mail from the same email ID?
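As an added illustration of two points raised above (a sender address that is "similar but slightly different" from the friend's, and preserving evidence in case authorities are contacted), here is a small Python triage helper. It is example code written for this page, not part of the question or the answer: the sample message, the contact list, the names and the domains are all constructed, and the homoglyph table and edit-distance threshold are assumptions a real mail-security team would tune.

```python
"""Triage helper for a suspected spear-phishing message: flag lookalike
sender addresses and produce a hashed evidence record for the incident file."""
import hashlib
import json
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message for this example; addresses, names and URL are made up.
SAMPLE_EMAIL = """\
From: Alex Friend <alex.friend@examp1e-mail.com>
To: cfo@corp.example
Subject: Re: weekend plans
Date: Mon, 01 Jan 2024 09:00:00 +0000

Hi, here is the document we talked about: http://files.examp1e-mail.com/doc
"""

# Constructed address book; in practice this would come from the mail system or CRM.
KNOWN_CONTACTS = {"alex.friend@example-mail.com", "pat.jones@partner.example"}

# Characters commonly substituted for visually similar letters (assumed list).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s", "|": "l"})


def normalize(addr):
    """Lower-case the address and fold common homoglyphs so that
    'examp1e-mail.com' compares equal to 'example-mail.com'."""
    return addr.strip().lower().translate(_HOMOGLYPHS)


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(addr, contacts, max_distance=2):
    """Return 'known' for an exact contact match, 'lookalike' when the address is
    within max_distance edits of a contact after homoglyph folding, else 'unknown'."""
    if addr in contacts:
        return {"address": addr, "verdict": "known", "closest": addr, "distance": 0}
    norm = normalize(addr)
    closest, best = None, None
    for contact in contacts:
        d = levenshtein(norm, normalize(contact))
        if best is None or d < best:
            closest, best = contact, d
    verdict = "lookalike" if best is not None and best <= max_distance else "unknown"
    return {"address": addr, "verdict": verdict, "closest": closest, "distance": best}


def extract_sender(raw_message):
    """Pull the bare sender address out of the From: header."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1]


def evidence_record(raw_message, contacts, collected_by):
    """Build a chain-of-custody entry: hash of the original message, who collected
    it and when, plus the sender verdict. The raw message itself is kept unmodified
    alongside this record so the hash can be re-verified later."""
    sender = extract_sender(raw_message)
    return {
        "sha256": hashlib.sha256(raw_message.encode("utf-8")).hexdigest(),
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collected_by,
        "sender": sender,
        "analysis": classify_sender(sender, contacts),
    }


if __name__ == "__main__":
    print(json.dumps(evidence_record(SAMPLE_EMAIL, KNOWN_CONTACTS, "ir-analyst"), indent=2))
```

Running the script prints a record flagging the sample sender as a lookalike of the real contact (the digit 1 stands in for the letter l in the domain) together with a SHA-256 of the untouched message. A small threshold such as two edits will also flag legitimately similar addresses, so the verdict is a triage signal for the investigator, not a final determination; the hash and timestamp are what give the preserved message evidentiary value if the case is later handed to authorities.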