Cybersecurity

Incident Handler’s Journal


I participated in this lab throughout the duration of the Google Cybersecurity Professional Certificate. The purpose was to practice my documentation skills when dealing with a security incident.

This lab is based on the following hypothetical scenario:

A small U.S. health care clinic specializing in delivering primary-care services experienced a security incident on a Tuesday morning, at approximately 9:00 a.m. Several employees reported that they were unable to use their computers to access files like medical records. Business operations shut down because employees were unable to access the files and software needed to do their job.

Employees also reported that a ransom note was displayed on their computers. The ransom note stated that all the company’s files were encrypted by an organized group of unethical hackers who are known to target organizations in healthcare and transportation industries. The ransom note demanded a large sum of money in exchange for the decryption key that would restore access to the encrypted files.

The attackers were able to gain access to the company’s network by using targeted phishing emails, which were sent to several employees of the company. The phishing emails contained a malicious attachment that installed malware on the employee’s computer once it was downloaded.

Once the attackers gained access, they deployed their ransomware, which encrypted critical files. The company was unable to access critical patient data, causing major disruptions in their business operations. The company was forced to shut down their computer systems and contact several organizations to report the incident and receive technical assistance.

Date: May 28, 2023
Description: Document a cybersecurity incident
Tool(s) used: None
The 5 W’s
  • Who: An organized group of unethical hackers
  • What: A ransomware security incident
  • Where: At a healthcare company
  • When: Tuesday 9:00 AM
  • Why: The incident happened because unethical hackers were able to access the company’s systems using a phishing attack. Once they gained access, the hackers launched their ransomware on the company’s systems, encrypting company files in the process. The attackers’ motivation was financial, given that they left a ransom note demanding a large sum of money in exchange for decrypting the files.
Additional notes

An incident like this can be prevented in the future by educating users on how to avoid phishing attacks. They need to be instructed never to open attachments in emails from unknown senders, and to check very carefully that an email does indeed come from a known/trusted sender. The organization should also conduct regular backups to a secure location so that machines can be reimaged and files restored in the event of a similarly successful attack. Restoration procedures should also be tested to ensure that they can be carried out in the event of an incident like this.

As far as paying the ransom goes, this is something that should be coordinated with an incident response team, law enforcement, and any relevant regulatory bodies, because it may not be prudent or even legal to pay the ransom, depending on the jurisdiction. However, if it is legal, then it may be prudent in this case, in the hope of regaining access to the encrypted files so that business operations can be restored as soon as possible.