OS3 T3

 Introduction  

Given the increase in emerging threats of cyberattacks, such as Ransomware, Linkchain Gaming recognises the urgency in creating a reliable and rapid disaster recovery plan. Senior management has expressed its concerns over the company's current ability to cope with a serious incident and has set a target to restore core systems within 24 hours of major disruption. The available budget is £55,000, as it is estimated that an hour of downtime would cost the company £4,000 in lost revenue. The plan consists of practical, cost-effective steps to help the organisation recover swiftly from an attack, minimise downtime and protect vital data. In this plan, I will be talking about how to respond, contain, and restore the system. 

Insider Threat Risk Assessment 

An insider attack is particularly dangerous at Linkchain Gaming for the following reasons; all identified from the current infrastructure: 

Excessive privileges: All staff are given full administrative rights to their laptops. This means any employee, not just the IT staff, can install applications, delete system files or even disable security software without any restrictions.  

Weak Authentication: All new accounts share the default password “Password1”. Whilst staff are ‘recommended’ to change this, it's not enforced. A disgruntled employee who knows this policy could potentially access colleagues’ accounts.  

No Multi-Factor Authentication (MFA): There is no second layer of authentication on VPN access, email, or any other system. A compromised password gives full access.  

Backup Vulnerability: Backups are performed weekly to a single USB drive, which is stored at the home of an IT team member. An insider who is aware of this arrangement could time an attack shortly after a backup is taken, maximising data destruction. If the IT team member were themselves the malicious insider, they could destroy or withhold the backup entirely. 

VPN workaround: Due to only 20 VPN licenses being available, staff are encouraged to download files locally, disconnect, work offline, and reconnect to upload. This means at any given time, significant amounts of company data exist only on individual laptops, which are unencrypted, unmonitored, and outside the network perimeter. 

No monitoring or alerting: There is currently no system in place to detect unusual activity, such as user bulk-downloading files, accessing systems outside their normal hours, or attempting to delete backup data. 

 

 

Disaster Recovery Recommendations 

Immediate Detection and Response 

(0-4 Hours) 

Deploy a Security Information and Event Management (SIEM) System 

A SIEM platform such as Microsoft Sentinel should be deployed to monitor all network activity in real time. The SIEM will collect logs from the file server, VPN server, mail exchange, and user endpoints, and will generate automated alerts when suspicious activity is detected. For example, a user accessing files outside normal working hours, bulk deletion or files, or multiple failed login attempts.  

This is essential for Linkchain Gaming because currently, there is no monitoring in place at all. The previous insider attack may have gone undetected for an extended period as a result. Faster detection directly reduces the RTO. 

Written Incident Response Runbook 

An incident response runbook must be created and provided to all IT staff. This document provides step-by-step instructions so that when an alert is raised, the team does not waste valuable time deciding what to do. Given that the IT team comprises only four people, one manager, one technician, and two apprentices, clear procedures are especially important. The runbook should include: 

Step 1: Identify and confirm the incident via SIEM alerts 

Step 2: Isolate the affected user account immediately (disable in Active Directory without notifying the user) 

Step 3: Disconnect affected endpoints from the network 

Step 4: Notify the network manager and senior management 

Step 5: Preserve all logs and do not alter any systems that may be needed for investigation 

Step 6: Contact a third-party forensic specialist if required 

 

 

 

 

 

Containment  

(4-24 Hours) 

Implement the Principle of Least Privilege and Remove Universal Admin Rights 

Currently, all staff at Linkchain Gaming have full administrative access to their laptops. This must be changed immediately. Standard users should not be able to install software, modify system settings, or disable security tools. Only IT staff should retain administrative privileges, and even these should be separated, with day-to-day tasks performed under a standard account, with admin credentials used only when required. 

This directly addresses the insider threat: a disgruntled developer with admin rights can cause significantly more damage than one operating under a standard account. 

Enforce Multi-Factor Authentication (MFA) 

MFA must be enforced across all systems, particularly VPN access and email. Microsoft Authenticator or a similar tool should be deployed. Even if an insider shares or steals a colleague's password (which is trivially easy given the "Password1" default), they will be unable to authenticate without the second factor. 

As the existing ID cards are smartcards whose functionality has not yet been implemented, these could be configured to serve as MFA tokens for network access, reducing additional hardware costs. 

Enforce Password Policy via Active Directory 

The current system relies on staff voluntarily changing their password away from "Password1." This is insufficient. Active Directory Group Policy should be configured to: 

  • Force a password change on first login 

  • Require a minimum password length of 12 characters 

  • Require a mix of uppercase, lowercase, numbers, and special characters 

  • Prevent reuse of the last 10 passwords 

  • Lock accounts after 5 failed login attempts 

Network Segmentation 

The current network treats all users equally. A developer, a manager, and an IT administrator all operate on the same flat network. If any one of these accounts is compromised, the attacker has access to everything. The network should be segmented using VLANs into at minimum three zones: 

  • Management VLAN — managers and sensitive HR/financial data 

  • Staff VLAN — general developers and content staff 

  • IT/Infrastructure VLAN — servers and IT administration 

Firewall rules between segments should ensure that, for example, a staff account cannot directly communicate with the server VLAN without going through controlled access points. This contains an insider attack to the segment in which the compromised account operates. 

Restoration 

(24-48 Hours) 

Replace USB Backup System with Automated, Immutable Cloud Backups 

This is the single most critical change Linkchain Gaming must make. The current system, a weekly manual backup to a USB drive stored at an employee's home, is inadequate for several reasons: 

  • A week's worth of data could be lost in an attack 

  • The backup is entirely dependent on one individual 

  • An insider with knowledge of the system could destroy the local backup before attacking 

  • There is no way to verify the backup worked without physically retrieving the drive 

The recommended solution is to implement an automated cloud backup system such as Veeam Cloud Connect or Azure Backup, configured to: 

  • Run every 4 hours (meeting the 4-hour RPO target) 

  • Store backups as immutable, meaning they cannot be altered or deleted, even by administrators, for a defined retention period (e.g., 30 days) 

  • Encrypt all backup data in transit and at rest 

  • Automatically verify backup integrity after each job 

Linkchain Gaming has historically resisted cloud services due to data security concerns. However, major cloud providers such as Microsoft Azure offer data residency guarantees, keeping data within the UK, ISO 27001 certification, and encryption standards that far exceed what Linkchain Gaming can achieve with a USB hard drive. The immutability feature is specifically designed to protect against insider attacks, so that even a malicious IT administrator cannot delete a cloud backup within the retention window. 

 

Maintain Server Recovery Images  

Pre-configured system images of each critical server (file server, mail exchange, VPN server) should be maintained and stored in the cloud. If a server must be wiped and rebuilt following an attack, a golden image allows the IT team to restore it to a known-good state within 2–3 hours rather than rebuilding from scratch, which could take days. 

Priority restoration order: 

  1. VPN Server (restores remote staff access) 

  1. File Server (restores access to company files from backup) 

  1. Mail Exchange Server (restores email communications) 

Preventative Controls 

Updated Policies 

The current policies were created from generic templates four years ago and are not specific to a game development company. All policies, particularly the Computer Misuse Policy and the Password Policy, must be reviewed, updated, and tailored to Linkchain Gaming's specific environment. Policies should be formally acknowledged by all staff (signed or digitally confirmed) rather than simply included in an induction pack. 

Annual Security Awareness Training 

The single induction video created four years ago is wholly inadequate as a security training programme. Staff should complete updated, interactive security awareness training annually, with specific modules on: 

  • Recognising phishing and social engineering 

  • Reporting suspicious behaviour from colleagues 

  • Safe data handling and VPN use 

  • Physical security responsibilities 

 

User Behaviour Analytics (UBA) 

Often included with SIEM platforms, UBA tools build a behavioural baseline for each user and alert the IT team when deviations occur, for example, a developer suddenly accessing HR files, or someone connecting to the VPN at 3 am and downloading large volumes of data. This is a highly effective insider threat detection control, and is especially relevant given Linkchain Gaming's recent history. 

 

 

 

Implement Smartcard Access Using Existing ID Cards 

Staff are already issued with smartcard-enabled ID cards, but this functionality has not been activated. Implementing smartcard authentication for network login would provide a strong second authentication factor at minimal additional hardware cost, since the cards already exist. 

 

Budget Breakdown 

Recommendations 

Estimated Cost 

SIEM System  

£11,000 

Network Segmentation and VLAN Configuration 

£7,000 

Immutable Cloud Backup (Azure Backup) 

£10,000 

Additional VPN Licenses (20 -> 50) 

£4,000 

Server Golden Images and Recovery Storage  

£5,000 

Multi-Factor Authentication Deployment 

£3,000 

Smartcard Reader Implementation 

£2,000 

Incident Response Runbook (external consultant) 

£2,000 

Security Policy Review & Update 

£2,000 

Annual Security Awareness Training 

£3,000 

Admin Rights Reconfiguration (IT staff time) 

£1,500 

Password Policy Enforcement (IT staff time) 

£500 

Contingency Recovery 

£2,000 

Total 

£53,000 

 

The total spends of £53,000 remains within the £55,000 budget, with a £2,000 contingency reserve held for unexpected costs during implementation. Given that a single 48-hour outage could cost £192,000 in lost revenue alone, before accounting for reputational damage or regulatory consequences, this investment represents exceptional value. 

Role 

Responsibility During Incident 

Network Manager 

Incident lead; decisions on isolation and recovery 

Network Support Technician 

Technical execution of containment and restoration 

IT apprentices 

Monitoring SIEM alerts, logging incident timeline 

Senior Management 

Business decisions; communications to stakeholders 

HR Manager 

Employee-related actions (suspension, access removal) 

Third-Party Forensics Specialist 

Preserved evidence analysis; post-incident report 

The IT team's small size (four people) means clear role assignment is critical. Without a defined structure, two apprentices and a technician may be uncertain what to do in a high-pressure incident, causing delay. 

Disaster Recovery Plan Testing Schedule 

A plan that has never been tested cannot be relied upon in a real emergency. The following schedule is recommended: 

Test Type 

Frequency 

Description 

Tabletop Exercise 

Quarterly 

Senior management and IT Team walk through a simulated scenario 

Backup Restore Test 

Every 2 months 

Verify that backup can be restored within RTO 

Simulated Incident 

Annually 

Full simulation of an insider attack scenario 

Policy Review 

Annually 

Ensure all policies remain relevant and up-to-date 

User Training Completion Check 

Annually  

Confirm all staff have completed the updated security training  

 

Conclusion 

Linkchain Gaming's current infrastructure contains multiple serious vulnerabilities that a malicious insider could exploit with relative ease, from the universal default password to the weekly USB backup that could be sabotaged, to the complete absence of monitoring. The previous incident involving a disgruntled employee demonstrates this is not a theoretical risk. 

The recommendations in this plan directly address these specific weaknesses. By deploying automated monitoring (SIEM), replacing the USB backup with immutable cloud backups, enforcing MFA and strong passwords, removing unnecessary admin privileges, and segmenting the network, Linkchain Gaming can detect an insider attack within one hour, contain it within four, and restore full operations within 48 hours. 

The total investment of £53,000 is justified many times over by the £4,000-per-hour cost of downtime and the significant reputational and legal consequences a serious, unmitigated attack could bring. These measures do not simply aid recovery; they fundamentally improve the company's security posture against the very type of threat it has already experienced. 

 

Comments

Popular posts from this blog

OS A3 Task 1

OS A3 Task 2