Injection
The facilities director says that a student was heard bragging that they have hacked the door access and camera systems and can get into the school anytime.
Discussion Prompts
- How do you determine if this is a confirmed security incident or some kind of anomaly?
- How do you identify what systems, data, people, and operational processes are potentially involved?
- What real or potential risk(s) does your organization face?
- What short-term containment options do you have?
- Can you contain it without destroying evidence?
- What is the operational impact of the incident and your containment strategy?
Check Your Work
- Review access logs.
- Review user activity logs.
- Correlate known good access with potential malicious access.
- Compromised account activities:
  - End sessions.
  - Revoke tokens.
  - Force password change.
  - Force MFA.
- Check email system for rules or delegation changes.
- Ask the user to change their password if it is used on other accounts (business or personal).
- Review user accounts for shared accounts and appropriate privilege levels (principle of least privilege).
- Is MFA available for these systems?
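As an added example (not part of the exercise materials), the log review and correlation steps above in code: constructed door-controller badge events are checked against a constructed roster of badge holders and their allowed hours, flagging unknown badges, after-hours grants, and a grant that follows repeated denials on the same door. All badge ids, door names and times are made-up values.

```python
from datetime import datetime, time

# Constructed roster (hypothetical values): badge id -> (role, allowed start, allowed end)
ROSTER = {
    "B1001": ("facilities", time(5, 0), time(23, 0)),
    "B2042": ("staff", time(6, 30), time(19, 0)),
    "B3310": ("student", time(7, 0), time(17, 0)),
}

# Constructed door-controller log lines: timestamp, badge id, door, result
ACCESS_LOG = """\
2024-03-11T07:52:10 B2042 main-entrance GRANTED
2024-03-11T12:03:44 B3310 gym-side GRANTED
2024-03-11T23:41:02 B3310 server-room DENIED
2024-03-11T23:41:09 B3310 server-room DENIED
2024-03-11T23:41:15 B3310 server-room GRANTED
2024-03-12T02:15:30 B9999 main-entrance GRANTED
2024-03-12T06:45:00 B1001 main-entrance GRANTED
"""

def parse_log(text):
    """Turn raw log lines into (timestamp, badge, door, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, badge, door, result = line.split()
        events.append((datetime.fromisoformat(ts), badge, door, result))
    return events

def find_anomalies(events, roster, denied_threshold=2):
    """Return (badge, reason, timestamp) tuples that an analyst should review."""
    findings = []
    denied_run = {}  # (badge, door) -> consecutive denials seen so far
    for ts, badge, door, result in events:
        entry = roster.get(badge)
        if entry is None:
            findings.append((badge, "unknown badge", ts))
            continue
        role, start, end = entry
        if result == "GRANTED" and not (start <= ts.time() <= end):
            findings.append((badge, f"{role} access outside allowed window", ts))
        # A grant right after a run of denials on the same door stands out
        key = (badge, door)
        if result == "DENIED":
            denied_run[key] = denied_run.get(key, 0) + 1
        else:
            if denied_run.get(key, 0) >= denied_threshold:
                findings.append((badge, "granted after repeated denials", ts))
            denied_run[key] = 0
    return findings
```

Events that produce no finding are the "known good" set; the findings are the candidates to correlate with camera footage and user activity logs.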