It’s Friday afternoon at Quantum Naval Solutions. A network intrusion detection system has identified vulnerability scanning activity from an internal IP address. The activity stops, and the device using that IP address disappears from the network. How should Quantum handle this situation?
Quantum activates its written Incident Response Plan. The specific cybersecurity requirements and controls cited in the plan will vary between different regulatory frameworks. But here are my thoughts in the context of CMMC controls:
To start, Quantum should review network device logs (routers, firewalls, and switches) to identify the scanning device. As a CMMC compliant company, Quantum has implemented AU.L2-3.3.1 (System Auditing) to ensure that it generates audit logs for all system events. These logs provide insight into which devices were active during the scans. AU.L2-3.3.2 (User Accountability) further ensures relevant logs are collected for deeper analysis to determine the identity of the device performing the scan.
To identify the individual responsible for the scans, the security team must review user authentication and access logs. AC.L1-3.1.1 (Limit System Access) and AC.L1-3.1.2 (Transaction and Function Control) were implemented to ensure that only authorized users access systems and data, and that specific functions, like vulnerability scanning, can only be performed by authorized users or devices under their control. IA.L2-3.5.2 (Authentication) ensures that the vulnerability scanning can be traced back to a user who has proven they are who they say they are.
If the vulnerability scans target critical hosts containing Controlled Unclassified Information (CUI), the incident response escalates. Quantum’s Incident Response Plan addresses IR.L2-3.6.2 (Incident Reporting), which requires organizations to report incidents involving CUI immediately to senior management and possibly external stakeholders. The Incident Response Plan points the response team to the Risk Assessment Policy developed to implement RA.L2-3.11.1 (Risk Assessments). The Risk Assessment Policy defines Quantum’s strategy for assessing risks associated with security incidents like this unauthorized vulnerability scan.
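The three steps above (find the scanning device in network logs, tie it to an authenticated user, and escalate if CUI hosts were targeted) can be expressed as a small log-correlation script. The following is an added example written for this post, not code from Quantum or Quatronics; the IDS alert, DHCP lease, and 802.1X authentication line formats, the hostnames, addresses, MACs, and the `CUI_HOSTS` set are all constructed sample data, and the scan threshold (`min_ports`, `min_targets`) is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample IDS alert lines (portscan signatures from an internal source)
IDS_ALERTS = """\
2024-05-17T15:02:11Z ids01 alert: portscan src=10.20.30.44 dst=10.20.1.5 dports=22,80,443,445
2024-05-17T15:02:15Z ids01 alert: portscan src=10.20.30.44 dst=10.20.1.6 dports=22,80,443,445,3389
2024-05-17T15:03:40Z ids01 alert: portscan src=10.20.30.44 dst=10.20.1.9 dports=21,22,80,443
2024-05-17T15:05:02Z ids01 alert: portscan src=10.20.30.51 dst=10.20.1.5 dports=80
"""

# Constructed DHCP lease log: which MAC/hostname held which IP, and when it was released
DHCP_LEASES = """\
2024-05-17T14:58:30Z dhcp01 DHCPACK on 10.20.30.44 to aa:bb:cc:dd:ee:01 (LAPTOP-7731) via eth0
2024-05-17T14:59:10Z dhcp01 DHCPACK on 10.20.30.51 to aa:bb:cc:dd:ee:02 (PRINT-SRV) via eth0
2024-05-17T15:20:00Z dhcp01 DHCPRELEASE of 10.20.30.44 from aa:bb:cc:dd:ee:01 (LAPTOP-7731)
"""

# Constructed switch 802.1X log: which user authenticated which MAC on which port
AUTH_LOG = """\
2024-05-17T14:58:25Z sw-floor2 dot1x: authenticated user=jdoe mac=aa:bb:cc:dd:ee:01 port=Gi1/0/14
2024-05-17T14:59:05Z sw-floor2 dot1x: authenticated user=svc-print mac=aa:bb:cc:dd:ee:02 port=Gi1/0/20
2024-05-17T15:19:58Z sw-floor2 link-down port=Gi1/0/14
"""

CUI_HOSTS = {"10.20.1.6"}  # constructed: hosts designated as holding CUI

SCAN_RE = re.compile(r"^(\S+) \S+ alert: portscan src=(\S+) dst=(\S+) dports=(\S+)")
LEASE_RE = re.compile(r"^(\S+) \S+ DHCPACK on (\S+) to (\S+) \((\S+)\)")
AUTH_RE = re.compile(r"^(\S+) \S+ dot1x: authenticated user=(\S+) mac=(\S+) port=(\S+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def scanning_sources(ids_text, min_ports=3, min_targets=2):
    """Group IDS alerts by source IP; keep sources that probed enough ports on enough hosts."""
    per_src = defaultdict(lambda: {"targets": set(), "ports": set(), "first": None, "last": None})
    for line in ids_text.splitlines():
        m = SCAN_RE.match(line)
        if not m:
            continue
        ts, src, dst, dports = m.groups()
        rec = per_src[src]
        rec["targets"].add(dst)
        rec["ports"].update(dports.split(","))
        t = parse_ts(ts)
        rec["first"] = t if rec["first"] is None else min(rec["first"], t)
        rec["last"] = t if rec["last"] is None else max(rec["last"], t)
    result = {}
    for src, rec in per_src.items():
        if len(rec["ports"]) >= min_ports and len(rec["targets"]) >= min_targets:
            rec["cui_targets"] = rec["targets"] & CUI_HOSTS
            result[src] = rec
    return result


def lease_holder(dhcp_text, ip, at):
    """Return (mac, hostname) from the latest DHCPACK for ip at or before time `at`."""
    best = None
    for line in dhcp_text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue
        ts, lease_ip, mac, host = m.groups()
        t = parse_ts(ts)
        if lease_ip == ip and t <= at and (best is None or t > best[0]):
            best = (t, mac, host)
    return None if best is None else (best[1], best[2])


def authenticated_user(auth_text, mac, at):
    """Return (user, switch_port) from the latest 802.1X authentication of mac at or before `at`."""
    best = None
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, user, auth_mac, port = m.groups()
        t = parse_ts(ts)
        if auth_mac.lower() == mac.lower() and t <= at and (best is None or t > best[0]):
            best = (t, user, port)
    return None if best is None else (best[1], best[2])


def attribute_scans(ids_text=IDS_ALERTS, dhcp_text=DHCP_LEASES, auth_text=AUTH_LOG):
    """Chain IDS source IP -> DHCP lease (MAC/host) -> 802.1X user, and flag CUI-host targeting for escalation."""
    findings = []
    for src, rec in scanning_sources(ids_text).items():
        lease = lease_holder(dhcp_text, src, rec["first"])
        mac, host = lease if lease else (None, None)
        auth = authenticated_user(auth_text, mac, rec["first"]) if mac else None
        user, port = auth if auth else (None, None)
        findings.append({
            "src_ip": src, "mac": mac, "hostname": host, "user": user, "switch_port": port,
            "targets": sorted(rec["targets"]), "cui_targeted": bool(rec["cui_targets"]),
            "escalate": bool(rec["cui_targets"]),  # IR.L2-3.6.2 reporting path applies when CUI hosts are hit
        })
    return findings


if __name__ == "__main__":
    for finding in attribute_scans():
        print(finding)
```

Looking up the DHCP lease and the 802.1X session as of the first alert timestamp (rather than the most recent record) matters here: the device released its lease and its switch port went down after the scan, so a "current state" query would return nothing, while the time-bounded lookup still yields the laptop, its port, and the user who authenticated it.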
This is the type of planning Quatronics ensures is included in the written Incident Response Plan, in addition to other information security documentation, when helping companies like Quantum prepare for CMMC or for other assessments like HIPAA or ISO 27001. Not only is it crucial for the government certification needed for continued funding, but it protects the company as a whole from security breaches.