Scenario Discussion


Scenario 1
Company A holds contracts with DoD and the Department of State. Its HR Department begins to receive calls and emails regarding an email that was sent to Company employees notifying them of a software upgrade to the Company's HR application. Employees use the application to access their employment information, such as pay stubs and benefits information. The email advised employees that the software upgrade required them to click on a link contained in the email in order to download the updated software.


Scenario 1 (continued)
• Several employees reported to HR that, although they clicked on the link to upgrade the software per the email's instructions, the upgrade did not run properly and the application appeared not to update.
• HR does not report this issue to IT or anyone else.
• Other employees reported to IT that they properly installed the upgrade, but that their machines have been running slowly ever since.
• IT initiates a service ticket inquiry, but does not advise anyone else in the company.


Scenario 1 (continued)
• One of the affected employees is an administrative user with privileged access to multiple servers, including those containing CDI (covered defense information).
• This user copied and pasted the link into his browser without reading it, bypassing SOP.
• At this point in the investigation, IT confirmed malware on a database server known to contain CDI and has initiated the Incident Response Process. The Information Security Team has not detected any data exfiltration to date. IT now notifies Company A management.
• Company A spends two weeks determining the type of CDI potentially affected and reviewing its contracts.


Scenario 1 (continued)
Questions to consider:
• What is the first event that could have been a "cyber event"?
• How did the internal company reporting system work?
• How well did users comply with NIST standards?
• Did the Company have appropriate system monitoring?
• How prepared was Company A?
• How should Company A have conducted the investigation?
• When should it have notified DoD?
• What other regulatory notification obligations may be in play?


Scenario 1 (continued)
• Right before the Company notifies DoD, the FBI visits the company and delivers a victim notification letter.
• On that same day, an employee receives a voicemail from a cybersecurity blogger who stated that he has become aware of an apparent ongoing hack at the Company and would like to give the company an opportunity to comment before he posts his story on Tuesday. The blogger's article is published and picked up by the media.
• The Company is contacted by customers.
• The Company hears through an employee that a sub-contractor working on creating CDI has also been experiencing system problems. The Company contacts the sub, who assures them that there's nothing to worry about because they're using the cloud.


Scenario 1 (continued)
Questions to consider:
• What role does law enforcement play? When should they be involved?
• How should a company react to outside players like the blogger? Does that contact need to be disclosed to DoD?
• How does the Company deal with customers?
• How does the Company deal with subcontractors?
• Did the subcontract have appropriate flow-down language?
• What issues does use of the cloud introduce?


Scenario 1 Complication
• On Sunday evening, a Company Admin Employee receives an email from an unknown address indicating that all files in the database that stores CDI are encrypted. The email further advises that decryption is only possible with a private key and decrypt program located on the sender's secret server. To receive the private key, the sender demands the equivalent of $10,000, paid in Bitcoin, by Monday morning at 9 AM.
• Now what happens?