Alex Makumbi

04 March 2017

Scenario of a breach

One day, large sums of money were withdrawn from several networked ATM systems by the same User ID.

Incident Management

Large sums of money were withdrawn from several networked ATM systems by the same User ID. Given that the core purpose of a bank is to manage customers' money and keep it safe and secure, this has to be classified as a major incident (high urgency) because of its impact on customers and on the integrity of the bank's reputation in the community. There are many unknowns about the extent of the breach. We need to know how the attacker got past our current defenses, whether the attacker has access to the private and confidential information of a significant number of individuals, how much has been withdrawn so far and from which machines, and how quickly we can restore the ATM system, among other questions.
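To make the scoping step concrete, the following Python is an added example, not part of the original assignment, that scans a constructed ATM withdrawal log for a User ID withdrawing from several distinct ATMs within a short window (something a single cardholder cannot physically do) and reports the ATMs, amount, number of withdrawals and time span involved. The log format, the field names, the sample records and the thresholds (15 minutes, three ATMs) are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample withdrawal log for illustration (not real bank data).
# Assumed record format: ISO timestamp|atm_id|user_id|amount
SAMPLE_LOG = """\
2017-03-04T01:02:10|ATM-017|U4471|200
2017-03-04T01:03:41|ATM-017|U4471|200
2017-03-04T01:05:05|ATM-082|U9932|60
2017-03-04T01:06:30|ATM-031|U4471|500
2017-03-04T01:08:12|ATM-045|U4471|500
2017-03-04T01:09:55|ATM-103|U4471|500
2017-03-04T01:40:00|ATM-082|U1204|100
2017-03-04T02:15:00|ATM-017|U9932|40
"""


@dataclass
class Withdrawal:
    ts: datetime
    atm: str
    user: str
    amount: int


def parse_log(text):
    """Parse the assumed pipe-separated format. Malformed lines raise rather
    than being silently dropped, so gaps in the evidence stay visible."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        ts, atm, user, amount = fields
        records.append(Withdrawal(datetime.fromisoformat(ts), atm, user, int(amount)))
    return records


def find_suspicious_users(withdrawals, window=timedelta(minutes=15), min_atms=3):
    """Flag any User ID that withdrew from at least `min_atms` distinct ATMs
    within `window`, and return a scoping summary for each flagged user."""
    by_user = defaultdict(list)
    for w in withdrawals:
        by_user[w.user].append(w)

    flagged = {}
    for user, events in by_user.items():
        events.sort(key=lambda w: w.ts)
        # Slide a time window over the user's withdrawals in chronological order.
        for i, start in enumerate(events):
            atms, total, count, last = set(), 0, 0, start.ts
            for w in events[i:]:
                if w.ts - start.ts > window:
                    break
                atms.add(w.atm)
                total += w.amount
                count += 1
                last = w.ts
            if len(atms) >= min_atms:
                flagged[user] = {
                    "atms": sorted(atms),
                    "total": total,
                    "count": count,
                    "first": start.ts,
                    "last": last,
                }
                break  # one scoping record per user is enough for triage
    return flagged


if __name__ == "__main__":
    for user, scope in find_suspicious_users(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {scope['count']} withdrawals totalling {scope['total']} "
              f"across {len(scope['atms'])} ATMs between {scope['first']} and {scope['last']}")
```

On the constructed log this flags only U4471, with five withdrawals totalling 1900 across four ATMs in under eight minutes; the two legitimate users, who each touch one machine, are not flagged. The summary is the starting point for the scoping questions above: which machines to pull logs from, which account to block, and how much money is already gone.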

Once the incident manager has been made aware of the breach, they summon 1st level support to attempt immediate resolution. Their objective is to use any means available to stop the damage and restore the ATM system to its normal state. In our case the first step is containment, blocking the offending User ID across the ATM network and preserving the transaction logs for the investigation, followed by patching the vulnerability that allowed the attacker to exploit the system. Because the breach is of high urgency, 1st level support is allocated one hour to resolve it; if that time is exceeded, the incident has to be escalated to a team within 2nd level support. If I were the incident manager, I would bring the issue to 2nd level support immediately rather than summoning 1st level support first, to shorten the time to resolution given the urgency of the breach.

Incident Response Processes

At both the 1st and 2nd level, incident management requires the response teams to recover and gather as much information about the breach as possible, to be recorded and archived. The archive of incident investigations is kept for future reference so that swift action can be taken on recurring breaches or service interruptions. When an incident is logged, its duration and the way it was resolved are recorded as well. Incident logging also gives insight into the kinds of breaches and service interruptions the organization experiences over time (ITIL Incident Management, 2016).

As mentioned above, as incident manager I would have summoned the 2nd level support team immediately. The 2nd level support team would first check the archived incident reports for a previous incident or known vulnerability on the ATM system that resembles the current breach. If the exploited vulnerability was unknown to the bank and to the system's vendor before the attack, so that no patch or signature existed for it, the networked ATM breach would be a zero-day attack; note that an incident which is merely absent from the bank's own archive is not automatically a zero-day, since the vulnerability may already be known and patchable elsewhere. Zero-day attacks are difficult to trace to their root cause precisely because nothing about them has been seen before. Specialist support groups or third-party experts might have to be involved to ensure that no further money is withdrawn from the ATM system.

Once an accurate analysis of the breach has been made, bank customers and staff would be notified of the ongoing or concluded incident so that they stay vigilant, watch for suspicious activity, and anticipate any service interruptions. The security incident notification sent to ATM users will include step-by-step instructions on actions they can take to protect themselves.

Instructions:

  1. Do not use the ATM system for 48 hours or until further notice
  2. Change your ATM PIN
  3. Call customer service to report any suspicious account transactions

Incident follow-up and additional processes

During the incident management process, detailed data about the breach is thoroughly documented for archiving: how the attacker managed to break the ATM system's defenses, how much damage was caused to the bank and to ATM users, how long it took to restore the ATM system, which response teams addressed the breach, how much the incident cost the bank, and what tools were used to prevent further withdrawals. Before the case is closed, a final review confirms that the incident is actually resolved and that the supporting documentation is of sufficient quality.

Once the case has passed quality control and been properly archived, the system is monitored on an ongoing basis for any recurrence of prior incidents, including this networked ATM breach, and the findings are used to keep implementing counter-measures against the system's likely weaknesses.

Sources

ITIL Incident Management. (2016). Incident Management. Retrieved from http://wiki.en.it-processmaps.com/index.php/Incident_Management#Incident-Record

National Institute of Standards and Technology. (2014). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved from https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf