During the Incident
A. Managing the Incident
i. Identify the potential assets (e.g., single assets, groups of assets, and/or
systems of assets) affected by the incident.
Based on the scenario provided, the first and most immediate asset affected is the workstation
displaying the ransomware message and the user account logged on to it. That scope includes
everything the workstation can reach: its network connection, any mapped drives, and the shared
file storage holding the encrypted documents the user was trying to open. Spreading outward from
this point, there is direct concern for every device on the finance department network. This
includes any and all access points, printers, desktop computers and potentially even the routers and
switches themselves. Moving the scope further out, because the network is not segmented, there is a
large potential for this incident to have spread business wide. This includes other departments,
network servers and databases, any backups reachable over the network, and any device connected to
the network, including personal devices such as mobile phones. In short, from the brief overview and
minimal details currently available, every asset at this location must be treated as at risk until
evidence (file-server audit logs, endpoint telemetry, network flows) narrows the scope.
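The paragraph above ends where the evidence does: with every asset provisionally in scope. The following Python script is an added example for this report, not part of the original text, showing how the concentric rings it describes (the patient-zero host, the shares it encrypted, the other hosts that touched those shares) can be derived from a file-server audit log. The log format, host and share names, and the indicator patterns (appended file suffix, ransom-note file name) are all constructed assumptions for illustration and would be replaced with the indicators observed on the affected workstation.

```python
"""Scope a ransomware incident from file-server audit records.

Added example for this report, not the report's own procedure. The audit log
format, host and share names, and indicator patterns are constructed
assumptions; substitute the indicators observed on the affected workstation.
"""
import re
from collections import Counter, defaultdict

# Assumed indicators: the suffix the ransomware appends and the note it drops.
ENCRYPTED_SUFFIXES = (".locked", ".crypt")
RANSOM_NOTE_RE = re.compile(r"(README|HOW_TO_DECRYPT|RESTORE).*\.(txt|hta|html)$", re.I)

# Constructed sample log: "<timestamp> <client_host> <user> <share> <op> <path>"
SAMPLE_LOG = """\
2024-03-04T09:10:41 FIN-PC07 jdoe Finance READ Q1/budget.xlsx
2024-03-04T09:12:01 FIN-PC07 jdoe Finance WRITE Q1/budget.xlsx.locked
2024-03-04T09:12:01 FIN-PC07 jdoe Finance DELETE Q1/budget.xlsx
2024-03-04T09:12:03 FIN-PC07 jdoe Finance WRITE Q1/forecast.xlsx.locked
2024-03-04T09:12:03 FIN-PC07 jdoe Finance WRITE Q1/README_TO_RESTORE.txt
2024-03-04T09:12:09 FIN-PC07 jdoe Public WRITE templates/invoice.docx.locked
2024-03-04T09:13:30 FIN-PC02 asmith Finance READ Q1/README_TO_RESTORE.txt
2024-03-04T09:14:12 HR-PC11 bwong HR WRITE onboarding/checklist.docx
2024-03-04T09:15:00 ENG-PC03 cpark Public READ templates/invoice.docx.locked
"""


def parse_log(text):
    """Yield one event dict per non-empty line; the path may contain spaces."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, share, op, path = line.split(None, 5)
        yield {"ts": ts, "host": host, "user": user, "share": share, "op": op, "path": path}


def is_ransomware_artifact(path):
    """True if the file name looks like an encrypted file or a dropped ransom note."""
    name = path.rsplit("/", 1)[-1]
    return name.lower().endswith(ENCRYPTED_SUFFIXES) or bool(RANSOM_NOTE_RE.search(name))


def scope_incident(text):
    """Build the concentric rings of affected assets described in the report.

    Ring 1: hosts/users that wrote ransomware artifacts (confirmed compromised).
    Ring 2: shares those writes landed on (data known to be affected).
    Ring 3: every other host that touched an affected share (exposed, unverified).
    """
    events = list(parse_log(text))
    confirmed_hosts, confirmed_users, affected_shares = set(), set(), set()
    first_seen = {}            # host -> timestamp of its first artifact write
    artifact_counts = Counter()
    hosts_by_share = defaultdict(set)

    for e in events:
        hosts_by_share[e["share"]].add(e["host"])
        if e["op"] in ("WRITE", "CREATE") and is_ransomware_artifact(e["path"]):
            confirmed_hosts.add(e["host"])
            confirmed_users.add(e["user"])
            affected_shares.add(e["share"])
            artifact_counts[e["host"]] += 1
            first_seen.setdefault(e["host"], e["ts"])

    exposed_hosts = set()
    for share in affected_shares:
        exposed_hosts |= hosts_by_share[share]
    exposed_hosts -= confirmed_hosts

    # ISO-8601 timestamps sort correctly as strings.
    patient_zero = min(first_seen.items(), key=lambda kv: kv[1]) if first_seen else None
    return {
        "patient_zero": patient_zero,
        "confirmed_hosts": confirmed_hosts,
        "confirmed_users": confirmed_users,
        "affected_shares": affected_shares,
        "exposed_hosts": exposed_hosts,
        "artifact_counts": dict(artifact_counts),
    }


if __name__ == "__main__":
    for key, value in scope_incident(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log the script confirms one host (FIN-PC07) and two shares, and flags FIN-PC02 and ENG-PC03 as exposed. The engineering host shows up only because it read an encrypted file from a share the finance workstation also wrote to, which is exactly the flat-network concern raised above: the evidence, not the department boundary, decides where containment has to stop.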
ii. Explain potential methods you would use to contain the incident.
The initial response must be swift in order to contain the incident as quickly and safely as
possible and prevent outward spread. The first step is immediate isolation of the affected device
from the network, by unplugging its cable or disabling its wireless adapter, or quarantining it
through an endpoint agent if one is deployed, while leaving it powered on so that volatile evidence
in memory and the running ransomware process are preserved for analysis. If this is done quickly,
there is a possibility of containing the incident to the single device. From there I would recommend
disconnecting the finance department from the rest of the network at the switch or firewall; given
the lack of segmentation this may mean pulling uplinks or adding temporary VLAN access controls, but
it limits the threat to a single department while more details are gathered. I would then recommend closely