.

UNIVERSITY OF GONDAR
INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER ENGINEERING
COMPUTER NETWORK SECURITY
ASSIGNMENT
• NAME ID

Samuel Teshale GUR/03077/14

Submitted to M.r : Abraham Getachew

Submission date :22/03/2025

Case Study 1: Ransomware Incident at a Healthcare
Provider

• A major hospital experienced a ransomware incident resulting in the encryption

of all patient records, thereby hindering clinicians' access to essential medical
data.
The perpetrators demanded a substantial ransom payment in cryptocurrency.
This event presented the hospital with significant ethical and operational
challenges, specifically regarding the decision to comply with the ransom demand
versus attempting data recovery via backup systems.
 Questions:
1. What proactive measures should the hospital have implemented to mitigate the
risk of a ransomware attack?
Answer:
To reduce the risk of a ransomware attack, the hospital should have implemented
the following proactive measures:

1.Regular Backups: Maintain frequent, encrypted, and offline backups of all critical
data, including patient records, to ensure data can be restored without paying the
ransom.
 conti...
2. Endpoint Protection: Deploy advanced endpoint detection and response (EDR)
solutions to identify and block ransomware threats.

3. Network Segmentation: Isolate critical systems (e.g., patient records) from less
secure networks to limit the spread of ransomware.

4. Employee Training: Conduct regular cybersecurity awareness training to

prevent phishing attacks, a common ransomware delivery method.

5. Patch Management: Ensure all software, operating systems, and devices are
regularly updated to address vulnerabilities.
 conti...
6. Access Controls: Implement the principle of least privilege (PoLP) to restrict
access to sensitive data and systems.

7. Incident Response Plan: Develop and test a comprehensive incident response

plan to ensure a swift and effective response to ransomware attacks.

8. Multi-Factor Authentication (MFA): Require MFA for accessing sensitive

systems to reduce the risk of unauthorized access.
 conti...
2. What are the ethical and legal ramifications associated with paying the ransom
demand?
Answer:
Ethical Considerations:

Encouraging Criminals: Paying the ransom may incentivize attackers to target

other healthcare providers or the same organization again.

Patient Trust: Paying the ransom could undermine patient trust if they perceive
the hospital as being unprepared or prioritizing cost over security.

Moral Dilemma: There is a moral obligation to protect patient data and avoid
funding criminal activities.
 conti...
Legal Considerations:

• Regulatory Compliance: Paying the ransom may violate laws or regulations,

depending on the jurisdiction, especially if the attackers are on sanctioned
entities lists.

• Data Privacy Laws: Failure to protect patient data could result in penalties under
regulations like HIPAA (Health Insurance Portability and Accountability Act) or
GDPR (General Data Protection Regulation).

• Liability: The hospital could face lawsuits from patients or stakeholders if paying
the ransom leads to further harm or data breaches.
 conti...
3. As the designated Cybersecurity Officer, what recommendations would you
provide to the hospital regarding incident response?
Answer:
Incident Response Recommendations:

Isolate Affected Systems: Immediately disconnect infected systems to prevent the

ransomware from spreading.

Assess Backup Integrity: Verify the integrity of backups and initiate data
restoration processes if backups are available and unaffected.
 cont...
• Engage Law Enforcement: Report the incident to relevant authorities (e.g., FBI, local
cybersecurity agencies) for assistance and to comply with legal obligations.

• Avoid Paying the Ransom: Discourage paying the ransom, as it does not guarantee data
recovery and may encourage future attacks.

• Communicate Transparently: Notify affected patients, staff, and stakeholders about the
incident, ensuring transparency while maintaining compliance with data breach
notification laws.

• Conduct a Post-Incident Review: Analyze the attack to identify vulnerabilities and improve
defenses, updating the incident response plan accordingly.

• Enhance Cybersecurity Measures: Implement stronger security controls, such as advanced

threat detection, regular penetration testing, and continuous monitoring.
Case Study 2: Phishing Incident at a Financial Institution
• A staff member at a multinational bank inadvertently clicked on a phishing
email, disguised as a critical communication from the IT department. This email
contained a malicious link which deployed malware, thereby enabling
unauthorized access to confidential customer financial information.
Consequently, the bank experienced reputational harm and is now subject to
regulatory investigation.
• Questions:
1. What preventative measures, encompassing employee education and robust
security
Answer:

Employee Education:

Phishing Awareness Training

 conti...
Simulated Phishing Tests
Clear Reporting Procedures
Robust Security Policies
Email Filtering
Web Filtering
Regular Updates
 conti...
• 2.Upon discovery of the security breach, what immediate response protocols
should the bank enact?
Answer:

1.Contain the Breach:

Disconnect affected systems to prevent further spread.
Disable compromised accounts.
2. Assess the Impact:
Identify affected systems and data.
Determine the extent of unauthorized access.
3.Engage Incident Response Team:
Investigate the breach and initiate remediation.
Involve legal, compliance, and PR teams.
 cont...
• Notify Relevant Parties:
Inform regulators and affected customers as required by law.
2. Preserve Evidence:
Document actions and preserve logs for forensic analysis.

3. Remediate Vulnerabilities:
Remove malware, patch systems, and strengthen security controls.

4. Communicate Transparently:
Issue a public statement to maintain trust.
conti...
• In what ways can multi-factor authentication (MFA) and supplementary security
protocols mitigate the potential for successful phishing attacks?
• Multi-Factor Authentication (MFA):

• Enhanced Security: Requires multiple verification steps (e.g., password + SMS

code), making it harder for attackers to gain access even if credentials are
compromised.

• Mitigating Phishing Impact: Prevents unauthorized access if phishing leads to

credential theft.

• Supplementary Security Protocols:

conti...
Supplementary Security Protocols:

Email Authentication:
Endpoint Detection and Response (EDR)
Zero Trust Architecture
Behavioral Analytics
Privileged Access Management (PAM)
Case Study 3: Mitigating Insider Threats in a Technology
Organization
• This case study examines a scenario involving a malicious insider at a technology
company. A disaffected IT employee, possessing privileged access to confidential
intellectual property, exfiltrated proprietary data to a competitor. The data
breach, discovered several weeks post-incident, resulted in significant financial
damages and subsequent litigation.
• Questions:
• 1.What proactive security controls and monitoring mechanisms can be deployed
to effectively detect and deter insider threats?
• Answer:

To mitigate insider threats, organizations can deploy the following proactive

security controls and monitoring mechanisms:
 cont...
a. Access Controls:
Principle of Least Privilege (PoLP)
Role-Based Access Control (RBAC)
b. Monitoring and Detection:
User Activity Monitoring (UAM)
Data Loss Prevention (DLP) Tools
Behavioral Analytics:
 conti...
c. Technical Safeguards:
Encryption
Endpoint Security
Network Segmentation
d. Employee Awareness and Reporting:
Insider Threat Training
Anonymous Reporting Channels
e. Regular Audits and Reviews:
Access Reviews
cont..
• 2.How can organizations strategically manage employee access rights to minimize risk while
maintaining operational efficiency and productivity?
• Answer:

• To balance security and operational efficiency, organizations can implement the following strategies:
a. Implement Least Privilege and Role-Based Access:
• Ensure employees have access only to the data and systems required for their specific roles.
• Regularly review and adjust access rights as roles change.
b. Use Just-in-Time (JIT) Access:
• Grant temporary, time-bound access to sensitive systems or data only when needed for specific tasks.
c. Segregation of Duties (SoD):
• Divide critical tasks among multiple employees to prevent any single individual from having excessive
control or access.
 conti...
d. Automated Access Management:
• Use identity and access management (IAM) tools to automate the provisioning
and de-provisioning of access rights, reducing the risk of human error.

e. Regular Access Reviews:

• Conduct periodic audits of employee access rights to ensure they are
appropriate and up to date.

f. Monitor Privileged Accounts:

• Closely monitor and restrict access to privileged accounts (e.g., admin accounts)
and implement session recording for these accounts.
conti...
• 3.What legal recourse is available to a company in cases of employee data theft,
and what steps should be taken to initiate such actions?
Answer:

• n cases of employee data theft, organizations can take the following legal
actions:
a. Legal Recourse Available:
1. Civil Litigation
2.Criminal Charges
3.Breach of Contract
4. intellectual Property (IP) Protection
 conti...
b. Steps to Initiate Legal Actions:

1. Preserve Evidence
2. Engage Legal Counsel
3. Engage Legal Counsel
4. Report to Law Enforcement
5. Notify Affected Parties
6. Pursue Civil Remedies
7. Review and Strengthen Policies

Reference Deepseek.