In this lesson, I'll discuss the practical application of confidentiality, integrity and availability, really all three of them together. How do we apply the CIA triad in a real, practical sense? I want to show you how they are absolutely important. Okay? So, this is what happened several months ago. It was a Monday morning, and I hate Monday mornings because it's hard to wake up. You've got your coffee and you're trying to wake up, and you don't want to be bothered, because all you want to do is look over what happened over the weekend. But, that's a Monday. You've got to deal with it. So, around 10:00 am, users started to call in that they couldn't access some of the files on the server. So, our help desk started to write this information down, and it started to get escalated up to my teams, which are the infrastructure teams, to start looking at the servers themselves. So, what we did is we narrowed it down to a few departmental folders. The servers that we have are cross-campus file servers that have hundreds of thousands, if not millions, of files. And, I would say at least 1000, 2000, 3000, I can't even tell you how many different folders we have on those servers. So, we started digging down and noticed that there were two folders that had problems. We looked at the files on the server and noticed that they were encrypted. As soon as we saw that they were encrypted, we knew that we had been hit by a ransomware called Locky. We didn't know it was Locky at that time, but because the files were encrypted, we knew it was some kind of ransomware that was encrypting all that information.

Now, let's talk about ransomware for just a minute, so you understand what ransomware actually is. Ransomware is a technology that attackers use to get you to pay to unlock your files. Now, this is June 2017.
So, today, or I guess sometime last week, a big web host just got hit with Locky, or some ransomware, and they paid a million dollars to the attacker to decrypt those files. So, ransomware doesn't destroy your files. What it does is encrypt them so that you can get them back, if you pay. Typically, viruses are going to attack your computer, delete information, and do other nefarious things with your computer. But what ransomware does is get you to pay for the unlocking of those files so that you can go back to normal. So, it doesn't do any damage. You just lose money out of it. And, this is what's happening all across the industry. Our computer security effort is going after ransomware. So, the A, availability, becomes extremely important. And we'll talk about that here in a minute. But, ransomware is extremely scary.

So, let's talk about the steps that we took when we were actually going through this. The first thing that we needed to do, after we started gathering the logs and determined what it was, was to cut off access from the server's side. This was a Windows file server. The way Windows works is that it grants rights and permissions to objects. Objects, in the case of Windows, are any processes, users' files, directories, etc. that are distinct assets, in layman's terms. Okay? So, since Locky operates via a user infection, we had to kill the access to the server, because at that point we didn't know which user had access to those directories. We just knew that we had to cut off access to the server. So, at that point, we made the server read-only, which meant that no objects could write data to the server. That killed off access for the hundreds, a thousand, two thousand users who were actually using the server at that time. So, nobody could write to it. They could read information from it, but they just couldn't write to it. The next step that we needed to accomplish was cutting off access from the user's side. We knew it was a user that was infected.
We looked up who had permissions to those folders, and then started looking at the access logs for every user on the network. Now, the way we log things, we log a lot of information about the security of the environment, and we may have a thousand log entries coming in a second, so we had to narrow down what folder it was, who had access to it, and then start looking at authentication logs. So, we found the user. We called the user and told her that she needed to unplug the ethernet cable. Now, if you're an executive, you may think, well, why don't you just shut the computer down? Well, vital information about the source of the attack is stored on that computer. You always want to make sure that you unplug the ethernet cable so that the attack stops. There can't be a network connection to the internet or to any other part of the network. Don't turn off the server, because there may be a virus or something running in memory that will go away if we pull the power. So, it's always important to leave the computer up and running and logged in. Ask that user to make sure that we're not compromised in some other way.

The next thing that we did was assess the damage. So, due to confidentiality, the damage was only done to a small part of the server. Again, confidentiality makes sure that those users who have access to the files are the only ones that have access to the files. They're confidential. So, of those thousands of folders that we have on that server, that user only had access to two of them. The damage was limited due to the confidentiality of the processes that we have in place. Unfortunately, 84,000 files were still encrypted in those two folders. However, the next step is that integrity allowed us to ensure that the files from the previous several hours were the only files damaged by the malware. So, remember, integrity is looking at files, objects, processes, assets to make sure that the information is accurate and correct.
So, if we looked at which files were touched here and which files were touched there, and the dates that they were touched, then we were able to say, yes, this file is a file that is no good anymore. Step three, recovery. So, during a major incident, availability gets attacked as well, since you're trying to ensure confidentiality and keep data from being breached. When we put the server in read-only mode, that resource, the availability, was gone. So, we pulled the backups that had been taken four hours prior and restored the files that were corrupted, because we had that information. That is availability. Having backups of data makes sure availability is intact. However, availability is also affected if you don't have clusters of servers with that data. Now, it's very hard to have clusters of servers in the file server case, and actually the virus would have encrypted all copies anyway, but backups provided a way for us to ensure availability. A lot of organizations are not this lucky. The million dollars that the web host paid to the attacker was because they didn't have good backups, because they weren't paying attention to availability or confidentiality. Confidentiality would have ensured that only the processes that absolutely needed to have access to that data actually had access.

So, putting it all together: confidentiality limited the damage through permissions. Integrity assured that we correctly identified which files had been compromised, and that we put back the right ones. And availability allowed us to get systems functional again, because we had the backups. So, let's talk for a minute about your organization. Unless we are covered in all three areas of confidentiality, integrity and availability on every system and every process, we're going to have an issue at one time or another. It's inevitable. So, a failure on the part of this case study could have been that, maybe, the user only needed to have access to one folder.
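The two triage steps the narrative walks through, finding the infected account from the write logs and deciding which files changed after the last good backup, as an added example that is not part of the lecture. Server name, account names, paths and timestamps are constructed sample data, not values from the incident.

```python
"""Added example (not from the lecture): triage helpers for the file-server
ransomware scenario above, run over constructed audit-log lines and a
constructed file listing."""
from datetime import datetime

# Constructed sample write-audit log: timestamp, account, operation, path.
WRITE_LOG = r"""
2017-06-12T09:41:03 jsmith WRITE \\fs01\depts\finance\q2.xlsx
2017-06-12T09:41:05 jsmith WRITE \\fs01\depts\finance\budget.docx
2017-06-12T09:42:10 jsmith WRITE \\fs01\depts\hr\roster.xlsx
2017-06-12T09:15:00 mlee WRITE \\fs01\depts\hr\policy.docx
2017-06-12T08:02:00 akhan WRITE \\fs01\depts\eng\spec.txt
"""

# Constructed file listing (path -> last-modified time) for the two folders.
LISTING = {
    r"\\fs01\depts\finance\q2.xlsx": datetime(2017, 6, 12, 9, 41, 3),
    r"\\fs01\depts\finance\archive.xlsx": datetime(2017, 6, 9, 17, 30),
    r"\\fs01\depts\hr\roster.xlsx": datetime(2017, 6, 12, 9, 42, 10),
    r"\\fs01\depts\hr\handbook.pdf": datetime(2017, 6, 1, 8, 0),
}
AFFECTED = {r"\\fs01\depts\finance", r"\\fs01\depts\hr"}
LAST_GOOD_BACKUP = datetime(2017, 6, 12, 6, 0)  # four hours before the calls

def parse_log(text):
    """One (timestamp, account, op, path) tuple per non-empty log line."""
    rows = []
    for line in text.strip().splitlines():
        ts, account, op, path = line.split(" ", 3)
        rows.append((datetime.fromisoformat(ts), account, op, path))
    return rows

def folder_of(path):
    return path.rsplit("\\", 1)[0]

def suspect_accounts(rows, affected, since):
    """Accounts that wrote into every affected folder at or after `since`."""
    touched = {}
    for ts, account, op, path in rows:
        if op == "WRITE" and ts >= since and folder_of(path) in affected:
            touched.setdefault(account, set()).add(folder_of(path))
    return sorted(a for a, folders in touched.items() if folders == affected)

def files_to_restore(listing, last_good_backup):
    """Files modified after the last good backup: untrusted, restore them."""
    return sorted(p for p, mtime in listing.items() if mtime > last_good_backup)

if __name__ == "__main__":
    print("suspect:", suspect_accounts(parse_log(WRITE_LOG), AFFECTED, LAST_GOOD_BACKUP))
    print("restore:", files_to_restore(LISTING, LAST_GOOD_BACKUP))
```

On a real server the listing would come from the share's metadata and the log from the file-access audit trail; the point is that permissions bound the search to two folders and the backup time bounds the set of files that cannot be trusted.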
Or, perhaps, confidentiality or integrity could have been brought down a different way. We can analyze confidentiality, integrity and availability a number of different ways. But it boils down to this: if one of the pillars had not been in place, the incident would have been much, much worse. And actually, I don't think it could have gone any better. Whenever you're talking about information security, well, we got really lucky. We had all the key staff on hand. We had great logging information. We had great backups. And everyone worked together to make sure that we were able to recover from this. But every time you go through a process like this, you get better. So, thinking about confidentiality, integrity, and availability at every stage of a system's life cycle won't ensure that you never have problems, but it will minimize the problems in the future.