dustervoice wrote: »
The Answer is E:
Start up Wireshark and capture what the hacker is doing. This is called non-repudiation, as he cannot deny that he did it since you saw everything with your own eyes. Then call the customer and tell them you have changed their password to a stronger one, since they didn't choose a good one in the first place (something you know).
LionelTeo wrote: »
C) Inform management through emergency help panel
dustervoice wrote: »
Where are these questions coming from? I hope they are not on the CISSP.
LionelTeo wrote: »
The first thing in regards to these two types of question would be that D is definitely wrong. Unplugging the network or disabling the customer accounts violates the principle of least privilege. A bank teller should not have access to disable a customer account; that would be a privilege of the user account administration team, not a bank teller. The same goes for the operator: an operator should not have the privilege to unplug the cable from the network; that would be the responsibility of an incident handler, not an operator.
Answer D (disable the customer's account) is wrong because the bank teller should not have access to disabling the account; this should be the privilege of the user account administration team after approval by higher management.
TheProfezzor wrote: »
If you think a "Compromised Account" has nothing to do with incidents, you are wrong.
beads wrote: »
Incident Handling Methodology
Lessons learned (hence the small 'h')
- B Eads
cyberguypr wrote: »
Here you go: Computer Security Incident Handling – 6 Steps | Count Upon Security
If you really want details see the NIST 800-61 document referenced there.
There are a lot of flaws in your suggestion. Kindly read through:
I rest my case :P
- Being a bank teller, he doesn't have Wireshark installed on his workstation, since his role only allows him to use a constrained interface with very minimal functionality.
- His role and his lack of knowledge and experience do not allow him to productively manage Wireshark, or even configure it.
- The hacker is not currently carrying out an attack. The attack is not active at the moment, and since Wireshark carries out analysis on active packets over the network, he can't use the software in this situation.
- You cannot and should not share sensitive information such as a password over the phone or a chat session. This will not only risk disclosure of information, but you will also come to know the password, which isn't at all recommended. (Use assisted password recovery instead.)
- Normally, passwords for a banking application or an interface require complex passwords with up to 8 characters in length. Therefore, your conclusion about his password being too easy is invalid.
I hope you are just joking and playing around with the ISC2 terms (sounds like you are). It would be really disastrous if a bank teller could run Wireshark on the system; imagine the amount of information he could sniff. =O
If you are a chemist working in a highly dangerous biolab and notice that you are infected, what would you do?
A) Contact the nearby doctor for help
B) Notify law enforcement
C) Inform management through emergency help panel
D) Contain the virus (by killing yourself)
Clearly C. It says right in the CBK that if you plan to die you must inform management so they can start business continuity plans.
That, my friends, is the one and only solution.
I never saw one like that. Not saying you won't, because it's massively random, but I didn't.
Firstly, think about this: a bank teller notices a customer's account is compromised, i.e., their bank account (checking or savings or money market, pick one). I don't know of any bank customers who actually have *bank network* accounts. So we're talking about a 'money' account, not a 'network' account, so the 'user account administration team' doesn't come into play here at all... neither does any kind of traditional network-based incident response. A bank teller would not be looking at a customer's online banking screen (the one the customer would see). They have their own systems to view the account information, and they absolutely have the authority, if not the responsibility, to disable an account suspected of being compromised or displaying signs of fraudulent activity. So anything from an infrastructure standpoint (logs, etc.) is unavailable to the teller. (The most logical example that the question is referencing is that the teller noticed unauthorized wire transfers to a prince in Nigeria.)
Choice A, contacting the customer and asking them to change their password, needs to be done, but not first.
Choice B, notify law enforcement, should never be done at the teller level. (Bank robbery's a different situation.) Tellers are not authorized to do this (in regards to possible bank account compromises) because they do not have all of the facts of the situation.
Choice C, document the incident and inform management, is not the correct solution because it does nothing to mitigate the risk of more loss from the bank (money, not network) account. The first course of action is to stem the bleeding, right? That means disabling the customer's account (which the teller does have the authority to do, exactly for scenarios such as this).
Choice D, disabling the customer's account, is the correct answer. It is the most effective, immediate step the teller can take to prevent any further loss, and is also what the customer would choose as well. (Keep having funds disappear while someone investigates? Yeah, that's not exactly what the customer wants.)
Since it's a money account, not a network account, unplugging the computer won't help.
In most cases, law enforcement would never become involved, nor should they, until the bank has completed its own investigation to determine what happened. And even if they did, I can't even imagine that they would want to seize equipment. Data ****, other forensic work, possibly, but in the vast, vast, vast majority of cases, the issue/compromise occurred on the customer's end, and doesn't involve bank equipment.
All that said, it is a very poorly worded question, and I can see why some would choose option C. But tellers aren't trained to document fraud/compromise properly, and management will tell them to disable the account pending further investigation. And tellers (usually) don't go poking around accounts without the customer in front of them requesting a transaction. If this exact situation occurred, there would be discussions over why a teller was reviewing a customer's account. (Not face-to-face was assumed, since a choice was to call the customer.)
While it seems like an ideal situation to do so, there are a lot of problems pertaining to it. Firstly, when we look at people noticing a possible incident, I can tell you that 90% of the time in the real world such a notice of incident turns out to be a false positive. People will jump and call an incident at anything. This can range from being unable to log in, IE slowdowns, or a website being blocked, and people consider their computer compromised even before someone else makes the confirmation.
Yes, containment is a critical process; having the customer lose money is not an option for the organization. However, the business owner is 100% going to lose more money when everyone stops doing business with your bank. That is when your customer goes to the press and has the press write bad things about you; before your business owner even has an official statement up and issues a warning to all employees not to talk to the press, reporters will by then have caught hold of one of your bank employees and written whatever they can get hold of. What is a customer account worth when we talk about 50% of the customers losing faith in your bank?
Let's say you really would want to do containment. Then the more appropriate approach is to have a chain of contact in place that can reach a very high-level contact who can authorize the containment in a short time, and in banks it is not common to have such a contact. Banks don't just close accounts because they are suspected of compromise; they have to close accounts on several other occasions, like:
- Bank accounts are used for terrorist activity or to fund terrorists
- Bank accounts are used to launder black money
- Bank accounts are compromised
- Other types of activities your respective government thinks are illegal
- For multinational banks, banks also have to adhere to activity set by countries whose laws have extraterritorial effect
- And I am sure there is a lot more on the list
As such, even if such a containment action is necessary, a chain of contact can be set up easily and escalated to a critical point of contact in a short time: Bank Teller -> Manager -> Head of Compliance (or respective duty) -> Respective Admin -> Back to Manager (where he gets one-time access to close the account) -> Close Account -> *an automated message to the customer that the account has been closed for investigation, written in a really nice manner, will be triggered; a team gets under way to look at whether other accounts have been compromised.
Such a routed chain can be set up in a really short amount of time, and a bank teller can easily fill in an incident ticket in the internal application. It easily solves both the problem of closing the account quickly and, at the same time, lets your business owner know who to look for when the press kicks in.
If you are still not convinced, then let me ask the compliance representative about the process with the same question when I start work at JPMCC in 12 days; they should have a compliance course that is the same as at my previous workplace.
You are quoting me out of context.... Re-read my earlier comments. I said if there were NO compromise, there would be no basis for the question or indeed any of the answers.
I am amazed at how technical this question has gotten… The question did not ask what jurisdiction/rights the bank teller might have… it was not asking the roles and responsibilities of a bank teller… it is a purely hypothetical question – one that might not even happen in real life.
If I gave you 4 options for anything and asked what you would do first, it clearly indicates that you have the rights to do all 4... the test is in which choice you choose first.
As an example: It’s the final minutes of the World cup… your team is currently drawing 1:1 with Argentina, You were clear on goal about to score, when you noticed that your goalkeeper has fallen over at the other end of the pitch, what would you do first?
A. Run back to pick him up
B. Alert the referee of your goalkeeper falling over
C. Score the winning goal
D. Kick the ball off the pitch so your goalkeeper could get attention
2016 Goals: M.Sc Cyber Security :study:, ITILF Passed, COBIT5 F Feb., CGEIT Jun. ???, CIPM ???
I just don't see why you don't think a teller should be empowered with the ability to disable a bank account if they see evidence of fraudulent activity. They can do - literally - everything else with a customer's money.
I still contend it is a very poorly worded question, and that is the root of the issue.
I think you had a slight misunderstanding: I do not come from the point of the bank teller's access rights, but from the business owner's respective right to be able to get quick information on why a bank account has been disabled, if necessary. Secondly, I also write from an incident handling perspective in regards to the incident handling steps.
While there is a general understanding that containment comes after identification, containment is not to be performed unless identification has been confirmed. The identification is split into 3 phases: a user suspects the compromise; the user informs a centralised location that handles and logs the cases; and another person comes down on site to assess before deciding if the incident should proceed to containment. Even if the containment action is to be performed in a short time, this would be at the authorization of the centralised location, and the centralised location has to be informed of such activity.
And from an incident handling perspective, it has been mentioned before that organizations should trust a system administrator's sense when they feel there is a compromise, but they still are not given the right to proceed to containment; even so, the ticket is logged and incident handlers have to pay attention to what the system administrator notices about the systems they maintain.
In respect of this question, the user would be the bank teller, and following the incident handling methodology, he would have to inform a centralised location, which is how the identification steps should go.
While previously I wrote examples arguing that a bank teller should not have any access to disabling an account, I was trying to give reasoning for the answer in terms of elimination, considering the possible risk that a bank teller can be disgruntled and the harm they can do if given such privilege, therefore such should be the privilege of another team. But it has since caused unnecessary confusion, and it would be better if we just focus on how the incident handling flow should go.
In regards to press handling, I try not to put you out of context; I would think that you know that avoiding being painted too negatively by the public press and having correct release statements is also part of the preparation phase of incident handling. And preparation is never in terms of if, but when; it is not a matter of rarely or not, but a matter of how things are done when it happens.
The last time, during my previous banking compliance course, the compliance head did brief us that we should report to their team for any fraudulent activities, as this is a possible scenario in real life, and I would probably have an opportunity to have another compliance course conducted by my next bank. Do give me some time to ask the compliance officer about their process; I am sure a bank like JPMCC should have had its process scrutinized thoroughly by auditors, which can give us actual insight into what a bank really practices in a similar situation.
I've worked for numerous financial institutions (capital markets/equities and retail banking) on the security/credit risk side and *all* bank teller policy manuals I've reviewed from a SOX/GLBA/SIPC/OATS/FINRA regulatory perspective have directions for them to file a SAR (suspicious activity report) upon seeing suspicious activity which goes directly to management for further action. The only time I've seen bank tellers actually close/freeze accounts was when the customer was physically in front of them and there was something so obviously fraudulent with the account that they needed to take action. Again, they *did not have the authority or access* to perform a freeze on the account, the procedure was they needed to walk over to an on duty shift supervisor/bank manager and they would enter a specific CODE to freeze the funds and then have a conversation with the customer.
Any account freezes that were done with the customer not present involved a call to the customer from the compliance/risk area informing them of what was going on, and more often than not, it was for the *protection of the customer.*
Hope that helps to add a different level of perspective on what the answer would be. I would choose C. Banks really don't care much about worrying about customers complaining back about lost causes etc. They have very large insurance policies to hedge against those occurrences. For those posting about media risk/reputational risk: for all VIP account holders (balances $500k>|| >$1MM) there was a different level of conversation that occurred at that level. Banks are much more concerned with following their internal policies and procedures than with worrying about inconveniencing one customer.
I would choose D as well.
The key is the Role Based Access Control... the power to disable an account should be controlled technically, and if the teller is empowered in that way then they have an option to use that power. Power is meant to be used. So I will reason and make my distinctions from that.
The tricky part in terms of CISSP experience is, would the average CISSP have been in enough banks to have seen that only managers can disable accounts? If the answer to that is yes, then option C is probably the correct answer.
Management has limited time and attention, and this situation may be time-dependent. It is also easier to ask for forgiveness than permission. And most customers would rather have their funds frozen temporarily by their bank than zeroed out short- or medium-term by an attacker.
The nature of the question has to do with sequence of actions, or an appropriate response. Because D is included as one of four options, it is implied that it is a valid option. The bank teller is empowered to take action, including disabling an account, based on their discretion. Same for any of the other options. The task is to identify right action with respect to optimal use of resources.
Situationally speaking, bank account customers are protected from fraud by the bank itself. This means that if someone mugs you at knife point, steals your debit card and buys a bunch of TVs, there is a good chance that the bank will make the customer whole again. Now of course it depends further along the chain of investigation as facts are corroborated, if at all. The point is that in this situation, the bank's representative, the teller, is noticing informational behavior that matches a pattern of theft.
Perhaps the correct sequence of escalation in response is A) Disable the account, B) Document the incident for management, C) Contact the customer, D) Contact law enforcement.
A) Correct use of discretion, judgment, and control. Minor rollback cost. Minor risk that the customer is doing something totally different than normal and needs access to all their funds right away. They can just call in and get re-enabled.
B) Managers are not always available, and the situation may worsen in the meantime. A bank teller robbed at gunpoint is not going to ask their manager what to do. Or, more analogously, a bank teller who sees a customer on the street in front of the bank appearing to get robbed does not have to ask their manager what to do. No customer would expect such a process.
C) The customer may need special handling or a communication strategy. Contact information may be incorrect; direct contact right away may make the situation worse. Managers tend to be better communicators than people filling a technical role. A manager is better positioned to explain a lockout in general, especially so once the appropriate report has been documented.
D) Probably an over-response (based on immediacy) that has a lot more potential to waste the collective time and energy of multiple parties. This response is only valid if the incident has passed muster and this action is warranted (paperwork and documentation by all parties); otherwise it is like crying wolf.
I'm trying to locate documents related to this model but can't find anything on Google. I'm interested in knowing in detail what happens at each phase.
If you really want details see the NIST 800-61 document referenced there.
Cheers. Gonna download all the NIST 800 series and have a read.