Answer Description

As you are scanning the live/production system a non-intrusive scan is best. Non-intrusive means security issues will be identified but not exploited as to not negatively impact the system. The issue with this is some vulnerabilities cannot be found without trying an exploit (e.g. a SQL injection to delete data can't be tested without actually deleting data). Due to this the scenario described in the question is not ideal and it's possible vulnerabilities that exist will not be found.

Answer Description

The slight difference in appearance between the devices is an indicator that some devices may be counterfeit. It is also possible the manufacture simply made small changes to the devices and you have received two versions. You should take the serial numbers and verify their authenticity with Cisco and then return them if they are indeed counterfeit.

Wikipedia

Counterfeit electronic components are electronic parts whose origin or quality is deliberately misrepresented. Counterfeiting of electronic components can infringe the legitimate producer's trademark rights. Because counterfeit parts often have inferior specifications and/or quality, they may represent a hazard if incorporated into critical systems such as aircraft navigation, life support, military equipment, or space vehicles. The marketing of electronic components has been commoditized, making it easier for the counterfeiter to introduce substandard and counterfeit devices into the supply chain.

Answer Description

This type of penetration test is known as a black box test. In this scenario the tests have little to no information on how the website works. For example they are not given the type of web server or access to the source code. Instead the 'attackers' will have to gather information and test different attack methods to see what works and what doesn't.

Wikipedia

Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied virtually to every level of software testing: unit, integration, system and acceptance. It is sometimes referred to as specification-based testing.

Answer Description

'deny tcp any server tcp 80' will deny all tcp traffic to any server on port 80.

Wikipedia

In computer security, an access-control list (ACL) is a list of permissions associated with a system resource (object) An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects Each entry in a typical ACL specifies a subject and an operation For instance, if a file object has an ACL that contains (Alice: read,write Bob: read), this would give Alice permission to read and write the file and only give Bob permission to read it

Answer Description

Changes, even urgent ones, should be documented and approved based on company policy. This is typically called something like a "Change Request" or CR, or a "Request For Change" or RFC. This is the first step in deploying updates, configuration changes, etc.

Wikipedia

Change management (sometimes abbreviated as CM) is a collective term for all approaches to prepare, support, and help individuals, teams, and organizations in making organizational change. It includes methods that redirect or redefine the use of resources, business process, budget allocations, or other modes of operation that significantly change a company or organization. Organizational change management (OCM) considers the full organization and what needs to change, while change management may be used solely to refer to how people and teams are affected by such organizational transition. It deals with many different disciplines, from behavioral and social sciences to information technology and business solutions. As change management becomes more necessary in the business cycle of organizations, it is beginning to be taught as its own academic discipline at universities. There are a growing number of universities with research units dedicated to the study of organizational change. One common type of organizational change may be aimed at reducing outgoing costs while maintaining financial performance, in an attempt to secure future profit margins. In a project-management context, the term "change management" may be used as an alternative to change control processes wherein changes to the scope of a project are formally introduced and approved.Drivers of change may include the ongoing evolution of technology, internal reviews of processes, crisis response, customer demand changes, competitive pressure, acquisitions and mergers, and organizational restructuring.

Answer Description

Some Malware will attempt to contact a Command-and-Control (C2) server or network to let the creators of the malware know it has infected a target. The malware will then be given commands remotely from the C2 server to steal data, infect more hosts or begin monitoring the infected device. The act of calling a C2 server is also called a beacon. The communication with known C2 addresses is a common sign that an infection has occurred within a network. One common use of this type of Malware is for a botnet. The C2 server may for example then send a command to all infected devices to initiate a Distributed Denial of Service (DDOS) attack (this is just one example).

Answer Description

Containment techniques are options for limiting the spread of malware after it has been discovered on a network. The best response is to isolate any systems that are infected or believed to be infected so they cannot propagate the malware to other systems. From the security and IT teams can begin determining the impact and remediation options.

Answer Description

syslog is a vendor neutral standard for message logging. It includes a standard format for logs as well as a network protocol for sending log data to another device. Common uses of syslog are on Unix and Linux operating systems and network devices like routers, switches and firewalls.

Wikipedia

In computing, syslog is a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the type of system generating the message, and is assigned a severity level. Computer system designers may use syslog for system management and security auditing as well as general informational, analysis, and debugging messages. A wide variety of devices, such as printers, routers, and message receivers across many platforms use the syslog standard. This permits the consolidation of logging data from different types of systems in a central repository. Implementations of syslog exist for many operating systems. When operating over a network, syslog uses a client-server architecture where a syslog server listens for and logs messages coming from clients.

Answer Description

Switches automatically reduce collision domains by only transmitting data on the physical ports that are needed based on MAC addresses (as opposed to a Hub which broadcasts all data to all ports). When used with VLANs switches also reduce broadcast domains.

Wikipedia

A network switch (also called switching hub, bridging hub, and, by the IEEE, MAC bridge) is networking hardware that connects devices on a computer network by using packet switching to receive and forward data to the destination device. A network switch is a multiport network bridge that uses MAC addresses to forward data at the data link layer (layer 2) of the OSI model. Some switches can also forward data at the network layer (layer 3) by additionally incorporating routing functionality. Such switches are commonly known as layer-3 switches or multilayer switches.Switches for Ethernet are the most common form of network switch. The first MAC Bridge was invented in 1983 by Mark Kempf, an engineer in the Networking Advanced Development group of Digital Equipment Corporation. The first 2 port Bridge product (LANBridge 100) was introduced by that company shortly after. The company subsequently produced multi-port switches for both Ethernet and FDDI such as GigaSwitch. Digital decided to license its MAC Bridge patent in a royalty-free, non-discriminatory basis that allowed IEEE standardization. This permitted a number of other companies to produce multi-port switches, including Kalpana. Ethernet was initially a shared-access medium, but the introduction of the MAC bridge began its transformation into its most-common point-to-point form without a collision domain. Switches also exist for other types of networks including Fibre Channel, Asynchronous Transfer Mode, and InfiniBand. Unlike repeater hubs, which broadcast the same data out of each port and let the devices pick out the data addressed to them,

Answer Description

Based on the information you have the most likely attack (against the website) is a DNS hijacking. The attackers gained control of the company's domain name and are holding it for ransom.

Wikipedia

Domain hijacking or domain theft is the act of changing the registration of a domain name without the permission of its original registrant, or by abuse of privileges on domain hosting and registrar software systems.This can be devastating to the original domain name holder, not only financially as they may have derived commercial income from a website hosted at the domain or conducted business through that domain's e-mail accounts, but also in terms of readership and/or audience for non-profit or artistic web addresses. After a successful hijacking, the hijacker can use the domain name to facilitate other illegal activity such as phishing, where a website is replaced by an identical website that records private information such as log-in passwords, spam, or may distribute malware from the perceived "trusted" domain

Answer Description

Ubuntu is a Linux distribution that uses systemd and has a command line tool journalctl to review and query system logs. Using the _UID=$UID option you can filter to certain users using the User ID (UID). History is a similar tool in Linux to show a users history of commands, however it does not track everything, can be cleared and deleted easily and finally only tracks a limited number of past commands (it is intended for convenience not security reviews). Finally net user is a Windows command and not Linux.

Wikipedia

systemd is a software suite that provides an array of system components for Linux operating systems. The main aim is to unify service configuration and behavior across Linux distributions. Its primary component is a "system and service manager" — an init system used to bootstrap user space and manage user processes. It also provides replacements for various daemons and utilities, including device management, login management, network connection management, and event logging. The name systemd adheres to the Unix convention of naming daemons by appending the letter d. It also plays on the term "System D", which refers to a person's ability to adapt quickly and improvise to solve problems.Since 2015, the majority of Linux distributions have adopted systemd, having replaced other init systems such as SysV init. It has been praised by developers and users of distributions that adopted it for providing a stable, fast out-of-the-box solution for issues that had existed in the Linux space for years. At the time of adoption of systemd on most Linux distributions, it was the only software suite that offered reliable parallelism during boot as well as centralized management of processes, daemons, services and mount points. Critics of systemd contend that it suffers from mission creep and bloat; the latter affecting other software (such as the GNOME desktop), adding dependencies on systemd, reducing its compatibility with other Unix-like operating systems and making it difficult for sysadmins to integrate alternate solutions. Concerns have also been raised about Red Hat and its parent company IBM

Answer Description

When a user or system wants to make a request to another system without revealing it's identity a proxy can be used. Proxies act as intermediaries to transmit data between systems. The most common use case is to route web requests from internal users and devices through a reverse proxy so that external web servers cannot tell which internal user or device made the original request.

Wikipedia

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource.Instead of connecting directly to a server that can fulfill a request for a resource, such as a file or web page, the client directs the request to the proxy server, which evaluates the request and performs the required network transactions. This serves as a method to simplify or control the complexity of the request, or provide additional benefits such as load balancing, privacy, or security. Proxies were devised to add structure and encapsulation to distributed systems. A proxy server thus functions on behalf of the client when requesting service, potentially masking the true origin of the request to the resource server.

Answer Description

The term Trusted Operating System (TOS) refers to an operating system that has been certified to have a certain level of security. The requirement of this certification are defined in the Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC). Many organizations (especially governments) may only use operating systems certified as Trusted OS's.

Wikipedia

Trusted Operating System (TOS) generally refers to an operating system that provides sufficient support for multilevel security and evidence of correctness to meet a particular set of government requirements. The most common set of criteria for trusted operating system design is the Common Criteria combined with the Security Functional Requirements (SFRs) for Labeled Security Protection Profile (LSPP) and mandatory access control (MAC). The Common Criteria is the result of a multi-year effort by the governments of the U.S., Canada, United Kingdom, France, Germany, the Netherlands and other countries to develop a harmonized security criteria for IT products.

Answer Description

Layer 2 addresses (also called physical address) are MAC addresses. Using MAC filtering you can disallow any devices that are not explicitly granted access. While this can help increase security, it is not fool proof and advanced attackers can easily spoof the MAC address to gain access. MAC filtering alone is not sufficient to protect a network.

Wikipedia

In computer networking, MAC address filtering is a security access control method whereby the MAC address assigned to each network interface controller is used to determine access to the network. MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists. While the restriction of network access through the use of lists is straightforward, an individual person is not identified by a MAC address, rather a device only, so an authorized person will need to have a whitelist entry for each device that they would like to access the network. While giving a network some additional protection, MAC filtering can be circumvented by using a packet analyzer to find a valid MAC and then using MAC spoofing to access the network using that address. MAC address filtering can be considered as security through obscurity because the effectiveness is based on "the secrecy of the implementation or its components".

Answer Description

A Data Protection Officer (DPO) is a role given to someone in an organization who is responsible for ensuring the security and confidentiality of any personal data the organization stores. This includes employees, third party vendors, customers and any other Personally Identifiable Information (PII). Typically the role is given to a higher level executive, director or manager.

Wikipedia

A data protection officer (DPO) ensures, in an independent manner, that an organization applies the laws protecting individuals' personal data. The designation, position and tasks of a DPO within an organization are described in Articles 37, 38 and 39 of the European Union (EU) General Data Protection Regulation (GDPR). Many other countries require the appointment of a DPO, and it is becoming more prevalent in privacy legislation. According to the GDPR, the DPO shall directly report to the highest management level. This doesn't mean the DPO has to be directly managed at this level but they must have direct access to give advice to senior managers who are making decisions about personal data processing.The core responsibilities of the DPO include ensuring his/her organization is aware of, and trained on, all relevant GDPR obligations. Additionally, they must conduct audits to ensure compliance, address potential issues proactively, and act as a liaison between his/her organization and the public regarding all data privacy matters.In Germany, a 2001 law established a requirement for a DPO in certain organizations and included various protections around the scope and tenure for the role, including protections against dismissal for bringing problems to the attention of management. Many of these concepts were incorporated into the drafting of Article 38 of the GDPR and have continued to be incorporated in other privacy standards.

Answer Description

Most likely this was a Distributed Denial of Service (DDOS) attack using bots to create large amounts of malicious web requests. With enough requests the web server's capacity will be exhausted and no one will be able to access the website.

Wikipedia

In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. More sophisticated strategies are required to mitigate this type of attack, as simply attempting to block a single source is insufficient because there are multiple sources.A DoS or DDoS attack is analogous to a group of people crowding the entry door of a shop, making it hard for legitimate customers to enter, thus disrupting trade. Criminal perpetrators of DoS attacks often target sites or services hosted on high-profile web servers such as banks or credit card payment gateways. Revenge, blackmail and hacktivism can motivate these attacks.

Answer Description

An anomaly-based Network Intrusion Detection System (NIDS) detects unusual network traffic after first being 'trained' on normal network traffic. Theses systems use data mining and artificial intelligence to classify traffic as normal or anomaly/potentially malicious.

Wikipedia

An anomaly-based intrusion detection system, is an intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls out of normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created.In order to positively identify attack traffic, the system must be taught to recognize normal system activity. The two phases of a majority of anomaly detection systems consist of the training phase (where a profile of normal behaviors is built) and testing phase (where current traffic is compared with the profile created in the training phase). Anomalies are detected in several ways, most often with artificial intelligence type techniques. Systems using artificial neural networks have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and flag any deviation from this as an attack. This is known as strict anomaly detection. Other techniques used to detect anomalies include data mining methods, grammar based methods, and Artificial Immune System.Network-based anomalous intrusion detection systems often provide a second line of defense to detect anomalous traffic at the physical and network layers after it has passed through a firewall or other security appliance on the border of a network. Host-based anomalous intrusion detection

Answer Description

You are hired to do an analysis on the systems to determine the impact of a malicious actor. Hardening and wiping the servers is outside of the scope of this analysis, but may be a recommended next step based on your findings. The logical step is to determine which servers are the most critical based on the data hosted on them, and begin analyzing them one-by-one in order of most important/critical data.

Answer Description

This type of malware is called Ransomware. It holds data or information ransom until a fee is paid after which point it will return the information or data (or so it says...). Based on the information available in the question this is the only conclusion we can make. It is possible as the CEO of the company they were targeted specifically via social media (spear phishing) but there isn't definitive evidence of this yet.

Wikipedia

Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid off. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult. Ransomware attacks are typically carried out using a Trojan disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the WannaCry worm, traveled automatically between computers without user interaction.Starting as early as 1989 with the first documented ransomware known as the AIDS trojan, the use of ransomware scams has grown internationally. There were 181.5 million ransomware attacks in the first six months of 2018. This record marks a 229% increase over this same time frame in 2017. In June 2014, vendor McAfee released data showing that it had collected more than double the number of ransomware samples that quarter than it had in the same quarter of the previous year. CryptoLocker was particularly successful, procuring an estimated US$3 million before it was taken down by authorities,

Answer Description

Gran' was a victim of a voice phishing or vishing attack. This is the term used when an attacker contacts the victim via phone and attempts to steal personal information or by tricking the user to install malware on their computer. They may claim to be from a valid tech support company or vendor such as Microsoft or as a bill collector from a local utility company or anything in between.

Wikipedia

Voice phishing, or vishing, is the use of telephony (often Voice over IP telephony) to conduct phishing attacks. Landline telephone services have traditionally been trustworthy; terminated in physical locations known to the telephone company, and associated with a bill-payer. Now however, vishing fraudsters often use modern Voice over IP (VoIP) features such as caller ID spoofing and automated systems (IVR) to impede detection by law enforcement agencies. Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals. Usually, voice phishing attacks are conducted using automated text-to-speech systems that direct a victim to call a number controlled by the attacker, however some use live callers. Posing as an employee of a legitimate body such as the bank, police, telephone or internet provider, the fraudster attempts to obtain personal details and financial information regarding credit card, bank accounts (e.g. the PIN), as well as personal information of the victim. With the received information, the fraudster might be able to access and empty the account or commit identity fraud. Some fraudsters may also try to persuade the victim to transfer money to another bank account or withdraw cash to be given to them directly. Callers also often pose as law enforcement or as an Internal Revenue Service employee. Scammers often target immigrants and the elderly, who are coerced to wire hundreds to thousands of dollars in response to threats of arrest or deportation.Bank account data is not the only sensitive information being targeted. Fraudsters sometimes