Theory to Practice
Many of life’s failures are people who did not realize how close they
were to success when they gave up.
Thomas Edison
7.1 Introduction
It is time to put the concepts you have been reading about into practice. The
previous chapters gave you the foundation needed to understand the impli-
cations of decisions made during real security incidents. There are three
cases presented in this chapter. I will present the rst two cases in a story
format as they happened. The third case recounts the details of a high- prole
litigation. After each case, an after action report (aka a postmortem) will be
presented. A postmortem is an exercise that a team performs to review a
project with the goal that improvements will be made for the next project.
Organizations that want to learn from their mistakes and continuously
improve do this type of exercise after a challenging project. It is important
to note that this is also a great exercise to do when a project is successful
so that things that worked well are repeated. Since the presentation in this
chapter is for illustrative purposes, the postmortems have been pared down
a bit. If you are interested in learning the complete process to perform a
postmortem, read “An Approach to Postmorta, Postparta and Post Project
Reviews” by Norman Kerth.
7.2 Case Study 1: It Is All Fun and Games
until Something Gets Deleted
You are the new chief information security ofcer (CISO) of a large organi-
zation. As with most senior-level executives, you are responsible for main-
taining and overseeing many moving pieces in the organization; however,
This is a ctional case based on the experiences of Robert Maley, founder of Strategic CISO
and a former CISO of a large organization.
128 What Every Engineer Should Know About Cyber Security
since you have only been in place a few days, you are still getting a grasp
on the organization as a whole. You are still determining the critical assets,
the topology of the network, and, most important, the personnel resources
you have to help you do your job of securing the infrastructure of this com-
pany. Unfortunately, you have already noticed that industry best practices
in the area of security have not found their way to this organization … yet.
You begin your day like any other day with meetings and e-mail. It is
about 11:00 a.m., and you decide to take a break. You stop in the restroom
and overhear a conversation between an engineer and the IT administrator
who walked in after you; they are discussing a recent incident. Here is what
you hear:
Paul (engineer): Hey, David, how’s it going?
David (IT administrator): Pretty good, Paul. Sorry I didnt meet you guys last
night for happy hour. I noticed at the end of the day that the web
server went ofine.
Paul: Oh, did you get it back up and running?
David: Yeah, it was no big deal. The global.asa
le was deleted. We got it back
up and running in no time.
Paul: That’s cool. I’ll let you know when we plan another happy hour.
You are alarmed at the casual conversation regarding this incident. You
leave the restroom and wait for David in the hall, who realizes you over-
heard the conversation when he sees you:
CISO: Hey, David. I overheard your conversation about the web server issue.
I would like to review the incident report.
David (now looks like a deer caught in the headlights): I didnt ll out a report
because it was an easy x.
CISO: Lets discuss this in my ofce.
Before you give David a lecture on why documenting an incident and fol-
lowing an incident response process is crucial, you decide to listen to the
facts rst. You begin your discussion in line with the incident response process:
CISO: David, please rst explain in detail how you detected this incident.
David: Sure. I uploaded a new PDF to the database and wanted to test how
the information from the PDF was displayed on our website, but
I couldnt access the website because it was ofine. Ichecked the
root directory of the server and noticed the global.asa le was
The global.asa le is a special le that handles session and applications events on a server.
In this case, the main function of the globa.asa le is to provide information to the web page
regarding where the information that needs to be displayed is located.

Get What Every Engineer Should Know About Cyber Security and Digital Forensics now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.