Chapter 14 Cyber Threats

Using information technology (IT) is a vital factor in the success of modern organisations. Creating, maintaining and managing the security of IT systems is a key risk-reducing strategy.

Sensitive information and technology

Cybersecurity protects information and technology from threats.

Information

Sensitive information is protected as a priority. It must be protected from unauthorised access, because disclosing it publicly or privately without permission could harm the organisation or the individual concerned.

Types of sensitive information
+ Business information - General information about the running of the organisation (e.g. staff schedules), or unique proprietary information developed or purchased by the organisation that holds significant value (e.g. business plans).
+ Personal information - Information specific to a single person that can be used to identify or locate them (e.g. customer or employee addresses).
+ Classified information - Information restricted by the government (e.g. national security).

© Astranti 2020

Personal information

PII and PIFI are considered especially important due to the potential for damage (e.g. fraud or identity theft). Some industries ... e.g. medical records.

Types of personal information
+ PII (Personally Identifiable Information) - Information that can be traced to individuals and, if disclosed, could potentially cause harm to that individual.
+ PIFI (Personally Identifiable Financial Information) - A specific type of PII that contains personal financial information, such as bank account details, which could be used to defraud or otherwise harm the individual.

How can the ways that companies interact with technology be different?
+ Types of technology used - E.g. customer relationship management (CRM) systems, computers and telephones.
+ The ways that the company is connected with the technology - E.g. connection via a wide area network (WAN), such as the Internet or an intranet, or via a virtual private network (VPN).
+ The service providers used by the company - E.g. cloud storage software or call centre capabilities to help customers.
+ The ways in which the company delivers its products or services to customers - E.g. through use of third-party sites.

Organisations need to be aware of the growing risks of cybersecurity breaches, along with ways to minimise risk.

Nature of cybersecurity risk

A threat to the integrity or the operations of an organisation's IT systems and the information they contain. This could be in the form of:
+ Technical risks, e.g. IT security flaws
+ Procedural risks, e.g. user failures or mistakes

There are inherent risks that every business handling sensitive information will need to manage, e.g. theft or disclosure, alteration of information or damage to systems.

Risk types
+ External risk - Typically from malicious actors, people or programs that damage systems, and steal or alter information.
+ Internal risk - From misunderstanding policies or procedures on handling sensitive information, or from fraudulent current or ex-employees.

Motivations for cybersecurity attacks
+ For financial gain - Directly, by stealing data for a ransom or to sell. Indirectly, by corporate espionage, where a company may contract a malicious actor to attack a competitor for its own gain.
+ For the sake of the attack itself - Malicious actors may wish to test their hacking abilities. Hacktivists (hacking activists) may attack the systems of companies that operate in a way which does not conform with the beliefs of the hacktivist (e.g. an animal rights activist hacking a company that sells fur). Malware that has the one aim of attacking systems to disrupt them.
+ Attacks from state-sponsored or state-run actors, usually targeted at foreign organisations for security or international trade reasons.

Changes that affect cyber threat levels
+ Expansion - By expanding servers and systems, there is more opportunity for system weaknesses to be exploited.
+ Mergers and acquisitions - Systems are often merged and, while changes are being made, systems will be less protected. More people being involved means that there is a greater risk of human error.
+ Change in regulations - E.g. the 2018 EU GDPR (General Data Protection Regulation Act) changed data handling requirements, which meant that companies had to update or change systems to adhere to these regulations.

It is the responsibility of management to understand and manage an organisation's cybersecurity risks.

Malware

Malware includes any form of malicious software or code created by a hacker.
+ Computer viruses - Malicious code designed to change the way a computer operates (e.g. deleting all the files on the hard drive), spreading from host to host. Viruses attach themselves to legitimate files (e.g. emails) and require user interaction to activate the code.
+ Computer worms - Similar to viruses, but able to activate and replicate without any user interaction. They often slow down computers and clog up bandwidth.
+ Trojan - A harmful piece of malware that is disguised as a useful piece of software and is installed unknowingly.
+ Botnets - A number of Internet-connected devices that are infected by malware and controlled by a 'botnet agent', enabling the agent to remotely control and access information on the system undetected. Often installed using trojans.
+ Malvertising - Online advertising with hidden malicious code, placed on sites using legitimate advertising. A serious cyber threat as it requires no user activation.
+ Ransomware - An attack by malicious actors to prevent access to data and systems until a demanded ransom is met.
+ Spyware - Malware which, when installed, is used to monitor and steal computer use data and information. Keylogging is a form of spyware: malware that remotely records every keystroke a person makes.
+ Application attacks - Malware that targets applications to steal data or attack the system (see table below).

Examples of application attacks
+ Denial-of-service (DoS) attack - An attack that suspends the owner's use of a resource by blocking connection to the Internet, either through flooding the system with traffic or by crashing the system by exploiting flaws.
+ Distributed denial-of-service (DDoS) attack - A type of DoS attack sent from other computers that are already infected with DoS malware.
+ Structured query language (SQL) injection - SQL is a computer language used to store, retrieve and manipulate data within databases. An injection attack adds additional background SQL code. The user of the database will then inadvertently feed data to the attacker or assist the attacker in destroying database information.
+ Cross-site scripting (XSS) attacks - Malicious code is injected into trusted web pages and apps. When certain app functionalities are used, the malicious code is sent to apps to access sensitive app information. The app trusts the code because it is received from trusted web pages and apps, meaning that attacks are not detected or prevented.
+ Buffer overflow attack - An attack which exploits programs that allow human or software input into memory, enabling the rewriting of data beyond the usual remit of the program. External data may be overwritten and lost.
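As an added illustration of the SQL injection entry above (example code written for this edition, not from the study text), the same customer lookup is shown twice: once with the caller's input pasted into the SQL string, which lets extra SQL ride in with the data, and once with the input passed as a bound parameter so the database treats it only as a value. The table, its rows and the hostile input are all constructed.

```python
import sqlite3

# Constructed sample data: a small customer table held in an in-memory SQLite database.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def build_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Defective pattern: the input is spliced into the statement text, so whatever the
    caller types becomes part of the SQL the database executes."""
    query = f"SELECT id, username, email FROM customers WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the statement is fixed and the input travels as a bound parameter,
    so the database can only ever compare it as a string value."""
    query = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with an ordinary username and with a constructed hostile input
    that closes the quoted literal and appends an always-true condition."""
    conn = build_db()
    normal = "alice"
    hostile = "' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),   # 1 row
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)), # every row leaks
        "safe_normal": len(lookup_safe(conn, normal)),               # 1 row
        "safe_hostile": len(lookup_safe(conn, hostile)),             # no such username
    }
```

The hardened form is also what makes the attempt visible: the odd-looking username can be logged and alerted on as a lookup that matched nothing.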
Types of hacker
+ Black hat hacker - A malicious actor who uses their IT expertise to break into someone else's system without permission. Hacktivists fall into this group, and hacktivist attacks can be divided into two groups: cyberterrorism (to cause damage or disrupt systems) or freedom of information (disclosing stolen non-public information). This is an illegal form of hacking.
+ White hat hacker/ethical hacker - Non-malicious actors who break into secure systems to discover exploitable weaknesses in order to report or fix them (see below). They may be hired directly or otherwise work for a cybersecurity consultancy firm. This is a legal form of hacking.
+ Blue hat hackers - The term given to groups of white hat hackers working for cybersecurity consultancy firms. This is a legal form of hacking.
+ Grey hat hackers - Non-malicious actors who hack into systems without permission to find flaws. They may publicly publish their findings or notify the IT system's owner. This is still an illegal form of hacking, despite the non-malicious intentions.

Functions performed by white hat hackers
+ Penetration testing - Hackers practise penetrating the client's system in a mock hacking attack, using the same tactics that malicious hackers would
+ Vulnerability assessments - Assessing the IT system's resources, ranking the importance of the resources, identifying the vulnerabilities the resources have, and then creating solutions

Social engineering

Manipulative techniques to cause a person to carry out specific activities or to release confidential information, as requested by the hacker. Social engineering is based on the six principles of influence.

The six principles of influence
+ Reciprocity - People are more likely to do a favour for someone else when they have received a favour from that person.
+ Commitment and consistency - A commitment to doing something, verbal or written, makes an entity more likely to follow through with it.
+ Social proof/consensus - People often copy the behaviour of those around them.
+ Authority - People are more likely to follow the orders of someone with expertise or authority.
+ Liking - Individuals are more likely to do something when asked by someone they like or find attractive.
+ Scarcity - When a resource is considered scarce, people are more likely to act to purchase or experience it before they miss out.

Examples of hacking that use social engineering
+ Baiting - Enticing the victim by promising a reward or appealing to curiosity. E.g. sending fake but convincingly real-looking emails that seem as though they contain important information that the recipient would not want to miss out on seeing. Clicking on the email will release malware onto the victim's device.
+ Phishing - Corresponding with victims, posing as a trusted entity (e.g. a bank), in order to fraudulently acquire sensitive information (e.g. bank details). These attacks are usually generic and target multiple people.
+ Spear phishing - A form of phishing which requires gathering information on a specific entity to conduct a targeted attack.
+ Man-in-the-middle (MitM) attacks - A third party monitors, creates or manipulates correspondence between two parties who believe they are communicating directly with each other. The third party uses the correspondence for their own gain, such as by redirecting payments to their own account.

Risk of security vulnerabilities

Hackers rely on security vulnerabilities in order to breach a system's cyber defences. It is the responsibility of the organisation's leadership to protect its systems to the highest standard and eliminate vulnerabilities.
+ Technical deficiencies - Exposures caused by software defects and insufficient cyber protections. Software updates aim to eliminate vulnerabilities by 'patching' over the issue with a solution.
+ Procedural deficiencies - Failures and mistakes made by an organisation. These can be either IT-related (e.g. faulty configuration) or user-related (e.g. users having insecure passwords).

Direct risks to IT systems:
+ Destruction of information - Information important to the functioning of the business could be lost due to hacking or accidental deletion
+ Theft of information - Sensitive information can be damaging if stolen, e.g. proprietary business information which could be sold to a competitor
+ Disclosure of information - Secure information may be made public
+ Alteration of information - Information can be altered so that it is no longer correct
+ Disruption of systems - Where a system cannot be accessed temporarily, such as through a ransomware attack
+ Damage to systems - Breaches may have permanent effects, crashing the entire system that a company uses, meaning that some information will likely be lost

Consequences for the organisation
+ System downtime - Halting communications or business operations may prevent an organisation from generating revenue.
+ Damaged reputation - Failure to properly protect sensitive information (e.g. customer details) will likely tarnish an organisation's reputation.
+ Customer flight - If an organisation proves itself incapable of protection from cyber threats, customers are likely to look elsewhere.
+ Legal consequences - In heavily regulated industries, such as banking, legal action and fines may apply if information is not properly protected.

These consequences need to be factored into strategic decisions regarding the management of cybersecurity risk.

Social media

Social media is the term given to mainly online sites that allow the sharing of news, photos and information for social purposes. Some examples:
+ Professional social media - E.g. LinkedIn
+ Photo sharing - E.g. Instagram
+ Opinion - E.g. TripAdvisor

Social media risks to individuals
+ Employment prospects - Poor behaviour and representation on social media may discourage potential employers from hiring individuals, or even cause individuals to be fired.
+ Fraud - Information can be gathered from social media profiles for fraudulent purposes.
+ Intellectual property - Intellectual property may be used or stolen without the consent of the creator, but it is often hard to prove the source of the property.
+ Legal use - Information on social media can be monitored and used as evidence in criminal proceedings.
+ Trolling - Online abuse is common on social media.

Social media risks to organisations
+ Decrease in productivity - Social media can be a distracting influence while staff are at work.
+ Reputation - Misuse of company social media accounts by an individual could be detrimental to the entire company's reputation.
+ Account hacking - Hackers can hijack a company's social media page in order to tarnish its reputation.
+ Resources - Running social media pages can be a drain on manpower and resources.
+ Human error - Those running social media pages may accidentally share an inappropriate link or post.
+ Data protection - Even on social media, data protection regulations need to be followed, which can prove difficult.

Social media benefits to organisations
+ Market research - Questionnaires and surveys can be used to gather big data.
+ Advertising - Social media can be a free form of advertising.
+ Recruitment - Through using networking sites, ideal candidates can be found.
+ Understanding trends - Understanding how trends begin can help a company to plan for future trends.
+ Reputation - Online feedback sites can strengthen a company's reputation and subsequently attract new customers.
+ Communication - Social media provides a free way for companies to find and communicate with each other.
+ Monitoring competitor activity - Social media serves as a free method for monitoring competitor activities.

Summary

By this stage you should know:
+ The three different types of sensitive information
+ Two important kinds of personal information
+ The different ways that companies interact with technology, including the types of technology and the way they are connected
+ The difference between procedural and technical threats to a business
+ The difference between internal and external risks to IT
+ Three motivations for cybersecurity attacks
+ Three changes that affect cyber threat levels
+ Eight examples of malware, along with how they affect systems
+ Five specific kinds of application attacks
+ What a hacker is, and the difference between black hat and white hat hackers
+ What social engineering is, and Cialdini's six principles of influence
+ Four examples of hacking that use social engineering
+ Where the responsibility for eliminating cybersecurity risk falls
+ Risks to IT systems that security vulnerabilities pose

Question Time

It's now time to practise questions! If you've signed up for our practice questions or are on our fully inclusive course, there is a direct link to questions for this chapter. If you want to sign up for our practice questions, details are available from Astranti.

Chapter 15 Cybersecurity Objectives

Establishing and maintaining cybersecurity objectives is vital. These objectives must be incorporated into an organisation's strategy.

Setting cybersecurity objectives
+ A business must first establish its nature, its operations and the nature of the information at risk
+ Then the organisation's management can determine the cybersecurity objectives needed

Considerations when determining cybersecurity objectives for an organisation
+ Risk appetite - If more risk-seeking, organisations are less likely to invest a great deal of money into cybersecurity. Risk-averse organisations are more likely to invest more resources into cybersecurity.
+ Organisational objectives - Cybersecurity objectives must be aligned with the overall organisational objectives.

Key cybersecurity objectives
+ Availability - How accessible information and systems are to individuals within or outside of the organisation.
+ Confidentiality - Ensuring information is not accessed by or disclosed to unauthorised individuals.
+ Integrity of data - Information must be protected from any unauthorised tampering, ensuring that it stays accurate and complete.
+ Integrity of processing - Information systems must be protected.

Deciding on key cybersecurity objectives
+ Organisations should carry out a cybersecurity 'health check' to find where there is the greatest need for protection
+ Cybersecurity objectives should be decided at board level and communicated to everyone in the organisation
+ The board should regularly discuss ways to ensure that these objectives are continuing to be applied

Cybersecurity risk management

Cybersecurity objectives are used in the process to assess risk. Threats to cybersecurity objectives must be identified and managed in the same way as other threats.

© Astranti 2019

Centralised management and governance

Overall cybersecurity objectives and their implementation fall under the responsibilities of the board.
+ Cybersecurity risk governance structure - Objectives should be shared with employees at all levels, through measures such as employee handbooks and training.
+ External communication - Procedures must be communicated to third parties that handle company information.
+ Providing board oversight - Regular board meetings should be held to identify risks that need managing. The board must be kept well informed by management.
+ Hiring and developing qualified personnel - As well as giving all staff enough training to work in line with cybersecurity objectives, specialist personnel should be hired (see table below).

Specialist cybersecurity personnel
+ Chief information security officer (CISO) - Leads cybersecurity programmes.
+ Chief technology officer (CTO) - The expert responsible for the technology and systems the organisation uses.
+ Chief information officer (CIO) - The officer linking the CISO and the CTO to the board, responsible for reporting issues to the board.
+ Chief risk officer (CRO) - The officer with overall responsibility for assessing and managing risk.
+ General cybersecurity roles - All departments should have individuals dedicated to ensuring that objectives are carried out.

Additionally:
+ The CIO and CRO must work closely with the board to ensure that cybersecurity objectives and measures will be implemented throughout the organisation
+ The CRO, CIO and CTO work with all levels of the business to feed information back up to the board so that appropriate action can be taken
+ Organisations must ensure that information shared with third parties (e.g. suppliers and software providers) is also protected
+ Only essential information should be shared
+ Any communication with third parties should be undertaken on pre-agreed appropriate channels
+ Procedures must be communicated to third parties

Protection focus

Areas of IT to protect within an organisation:
+ Networks - How devices are connected to allow sharing of information and resources.
+ Servers - A computer program or device that provides data storing and processing functions for other programs or devices.
+ Intranets - Closed systems often used within companies to share documents and data with specific users.
+ Data - Data can be stored physically on hard drives or remotely via software, such as cloud storage.
+ Personal devices - Any device used to access sensitive information, e.g. desktop computers at work or any mobile devices outside of work.
+ Applications (apps) - Apps can be used within the business (e.g. for payroll tasks) or provided for customer use (e.g. shopping apps).

Summary

By this stage, you should know:
+ That cybersecurity objectives must be incorporated into all areas of an organisation
+ How risk appetite and organisational objectives are involved in setting cybersecurity objectives
+ The four key cybersecurity objectives according to AICPA
+ Who is responsible for forming and maintaining cybersecurity objectives
+ How cybersecurity objectives link to risk management
+ Four processes to monitor, identify and mitigate risk
+ Four specialist roles in managing cybersecurity objectives
+ How sensitive information shared with third parties can be protected
+ Six examples of the IT hardware and software that needs to be protected as part of cybersecurity objectives

Got it? If not, go back and re-read the study text before moving on.

Chapter 16 Cybersecurity Processes

Businesses implement controls and processes to protect their information and systems and to ensure that their cybersecurity objectives are met.

This is an important framework for businesses to use to establish, implement, operate, monitor, review, maintain and improve an information security management system (ISMS). It is considered to be a strong information security standard.

Physical controls

These help reduce the risk of, e.g.:
+ Unauthorised access - E.g. locks on doors and filing cabinets
+ Theft - E.g. locked computers and alarm systems

Digital certificates

Also known as public key certificates or identity certificates, this is a digital control used to prove the identity of an online entity.
+ The current standard certificate type is a Transport Layer Security (TLS) certificate, which is issued and signed by an authorised certificate issuer
+ It is not something that is physically seen, but is looked for by devices to confirm that the entity they are interacting with is who it should be: the owner of the 'public key' (i.e. an online identity)
+ If a device finds that the entity has a certificate indicating that it is the owner of a public key, interaction with the entity will be allowed
+ If the device does not find a certificate, a warning will be displayed to the device user

This control can be used to minimise the risk of man-in-the-middle attacks (malicious entities pretending to be another user in order to manipulate interactions for their own benefit).

Network configuration management (NCM)

NCM is the general management, organisation and monitoring of an entire network, including any linked devices and programs. Information, including the following, is stored in a single location, often a database:
+ Device information, including what access the device has and how recently it has been backed up and updated
+ Software information, showing when updates are needed

This information is used for device management and troubleshooting.

Administrative controls

Formalised standards, rules and procedures on the use of systems. They include rules and procedures on:
+ Checks - Checking data input against control totals, e.g. if ten transactions of £100 have been entered, the change in the system should total £1,000
+ Authorisation - Obtaining explicit authorisation for transactions prior to processing
+ Authorisation of system changes - If systems are designed in a very structured way, any changes need to follow the same structure
+ Back-ups - Regular back-ups of the system and data should be undertaken

Other specific administrative controls
+ Passwords - A number, or set of characters, or a mixture of the two, which must be entered into the system to allow access. To be effective, they should be changed regularly and not be written down. Password recovery capabilities should be available.
+ Encryption - Stops unauthorised people accessing information by converting it into a secret code that can only be deciphered by the intended recipient.
+ Anti-virus software - Software to prevent devices being affected by viruses (malicious software). Anti-virus software will identify and attempt to remove viruses found on the system. This can be cheap and easy to implement.
+ Firewall - A secure barrier system that monitors network traffic travelling to and from the internal trusted network. It can be either hardware or software. The firewall attempts to prevent viruses or malware from entering the network by only allowing in traffic that fits a set of predetermined rules.

Application controls

IT application or program controls are fully automated (i.e. performed automatically by the system) and designed to ensure the complete and accurate processing of data, from input through to output. Controls include:
+ Completeness checks - To ensure records were processed from initiation to completion
+ Validity checks - To ensure that only valid data is input or processed
+ Identification - To ensure that all users are uniquely identified
+ Authorisation - To ensure that only approved users can undertake certain tasks
+ Forensic controls - To ensure that data is scientifically and mathematically correct based on inputs and outputs

Communication and training

This is an important control, as a well-educated workforce can hugely reduce the risks posed by cybersecurity attacks. Handbooks and training sessions should be used to keep employees informed of policies, procedures, good practice and general online safety.
+ Adequate controls (see earlier) should be used
+ All devices with access to systems and sensitive information must be protected, including mobile devices

General IT controls

General IT controls are used to protect the integrity of the systems and information that an organisation uses.

Physical controls - protecting the physical environment that systems are kept in
+ Fire damage - E.g. installing fire alarms, sprinkler systems and fire extinguishers.
+ Flood damage - Can be minimised by choosing locations with no flood risk and properly maintaining the buildings that house the systems.
+ Power failure - E.g. back-up generators to restore power.

Audit trails

Audit trails allow transactions to be followed all the way through a process. They are especially useful in:
+ Testing systems - To identify at what stage an error has occurred
+ Investigations - E.g. investigating fraud and corruption
+ Examining the effectiveness of controls - By checking that each step in a process is properly undertaken (usually by internal audit)

Other methods of protection
+ Software updates - Keeping operating systems and software updated to ensure that previous vulnerabilities are eliminated.
Configurations Through adding or removing the functionality of a device to reduce any risks to security. Detection and monitori Cybersecurity breaches may not have visible effects and can go unnoticed by device users; therefore, itis, important to have good systems in place that monitor network activity and detect whether there is any unwanted activity or software. © Astranti 2019 137 astranti Chapter 16 Cybersecurity Processes Event logging and Storing information on device usage, including who used the aggregation device and what sites and apps were visited, Most modem ‘computer systems do this already. Intrusion detection and Apps that constantly monitor activities to detect any malicious prevention systems or unauthorised access. Threat monitoring Monitoring threats, such as hacking methods, can enable ‘companies to better educate employees on protecting themselves and their devices. Event monitoring Logs of events can help to highlight unusual activity. Security A software solution that collects and analyses real-time information/incident and_ information from a company's entire infrastructure to monitor event management all systems’ security. Monitoring all systems as a whole means (SIEM) that SIEM is better equipped to detect unusual activity than individual monitoring systems. Modern security ‘A function that constantly works to monitor and analyse operation centre (SOC) security controls and investigate any security threats. This functions expertise is often outsourced. Closed-circuit television A camera system that can be used to record and monitor (cctv) activity at chosen set-up locations. ye Reo Lcd Contingency controls + Acontingency plan outlines the steps which will be taken in case of a ‘disaster’, e.g. fire, flood or virus + The longer a system can't be used, the worse the consequences will be + Acompany may have a team to respond to cyber threats, e.g. 
Computer security incident response teams (CSIRTs) are teams entrusted to respond to information security breaches and ensure that a business continues to function.

© Astranti 2019

Chapter 16 Cybersecurity Processes

Responsibilities of a CSIRT:

+ Minimise losses - Minimise losses and effects caused by cyberattacks, e.g. loss of revenue and damage to reputation
+ Understand causes of a breach - Investigating the technical aspects of why a breach happened in the first place
+ Develop and implement an incident response plan (IRP) - Organising disaster recovery plans
+ Provide up-to-date information on the latest cyber threats - Any increased threats to a business should be communicated, e.g. industry-focused hacking attacks
+ Keep stakeholders informed - CSIRTs can be responsible for communicating details to shareholders, staff, customers, media, etc. in the event of a cybersecurity breach
+ Restore normal operations - CSIRTs can assist in implementing the disaster recovery plan so that the business can quickly return to normal operations
+ Recommend new policies after an incident - Recommending new policies, training and procedures to prevent an incident from reoccurring

Disaster recovery and business continuity plans include:

Processing facilities: Creation of processing facilities on separate sites, which could be both physical and online locations.
Shared systems: Agreements with other companies to share systems in case of a disaster.
Back-up systems: Important files may be stored remotely, e.g. through a cloud service. To be effective, back-ups should happen regularly.
Back-up sites: See the table below.

Hot back-up site: A copy of the website/systems with all the same capabilities, hosted in a different location. An expensive option, but provides the fastest return to normal operations.
Warm back-up site: A site equipped with some of the resources and functionality of the original site. Cheaper and less comprehensive than a hot back-up site.
Cold back-up site: Very basic technology and facilities. The cheapest but most basic back-up site, with the longest delay to resuming normal operations.

Blockchain

Blockchain is an attractive way for large organisations to safely and publicly store large amounts of information relating to financial transactions in a ledger-style format. Blockchain typically involves online transactions made with a currency, e.g. Bitcoin.

The 'block'

+ Stores digital pieces of information, e.g. details of financial transactions
+ Each block can hold hundreds or thousands of items of data
+ Information must be verified by computers on the blockchain network before a block can be added to the blockchain, e.g. to confirm the value of the purchase with the retailer and the transaction details
+ Information is encrypted so that details are turned into a unique digital signature
+ Each block is given a unique 'hash code' which distinguishes it from other blocks

The 'chain'

+ When multiple blocks are connected together, they form a chain
+ As soon as a block has been verified, it will join the end of a chain
+ The hash code of a block is related to the contents of the previous block
+ The chain forms a public database of information as it can be freely viewed
+ There are multiple different chains in use, one for each different currency

Blockchain records are hard to alter because:

+ The hash code of a block is related to the contents of the previous block, so, if a single piece of information in a block changes, the hash code of the next block will no longer be valid
+ An invalid hash code means that blocks on either side will not recognise it, so the block cannot be part of the chain
+ Once a record is made in a block, it cannot be altered, as this would require altering all the blocks which have been subsequently added

Uses of blockchain:

+ The most common usage so far is as a way of handling transactions
+ It can be used to transfer and store money without the need for transactions to be recorded and processed by a separate body that charges a fee, e.g. banks
+ It is a shared and widely accessible system, providing a trusted record of events between groups

Benefits of blockchain in finance:

+ Block editing is unlikely, as a hacker would need information on the rest of the chain to alter a block, as well as access to all the copies of the blockchain in the network.
+ Costs reduced: Charges from banks are eliminated.
+ Cross-border payments: Blockchain can be used to send and receive money overseas, providing a fast, inexpensive and direct alternative to using banks.
+ Smart contracts: Blockchain can be used to transfer any asset through a contract written in computer code. It is the same principle as a transaction being added to the blockchain, as the smart contract will only become active once it has been verified by a network of computers.
+ Details of a blockchain transaction could be added to balance sheets in real time using automated technology. As the system is widely accessible, stakeholders and regulating bodies could access transactions in real time, reducing the need for financial reports.
+ Money and assets are traceable: Transactions and ownership are entirely traceable as records cannot be changed after they are made.
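The "hard to alter" argument above can be seen directly in code. The following toy hash chain is an added example written for this page, not part of the Astranti text and not a real blockchain implementation: the block layout, the SHA-256 hashing of the block contents together with the previous block's hash, the verification routine and the sample transactions are all constructed for the demonstration. It shows that changing one transaction invalidates that block's own hash code, and that even if the editor recomputes that hash, the next block still points at the old value, so every later block would also have to be rewritten.

```python
"""Toy hash chain: why altering one block breaks every block after it."""
import copy
import hashlib
import json
from dataclasses import dataclass

GENESIS_PREVIOUS_HASH = "0" * 64   # the first block has nothing before it

# Constructed sample data: three batches of transactions, one batch per block.
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 25.0}],
    [{"from": "bob", "to": "carol", "amount": 10.0},
     {"from": "carol", "to": "dave", "amount": 4.5}],
    [{"from": "dave", "to": "alice", "amount": 1.25}],
]


@dataclass
class Block:
    index: int
    transactions: list   # the pieces of information stored in the block
    previous_hash: str   # ties this block to the contents of the block before it
    hash: str = ""       # this block's own 'hash code'

    def compute_hash(self) -> str:
        # The hash covers the block's contents AND the previous block's hash, so it
        # indirectly depends on every block that came before it.
        payload = json.dumps(
            {"index": self.index, "transactions": self.transactions,
             "previous_hash": self.previous_hash},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(batches) -> list:
    """Verified batches join the end of the chain one block at a time."""
    chain = []
    previous_hash = GENESIS_PREVIOUS_HASH
    for index, transactions in enumerate(batches):
        block = Block(index, copy.deepcopy(transactions), previous_hash)
        block.hash = block.compute_hash()
        chain.append(block)
        previous_hash = block.hash
    return chain


def verify_chain(chain) -> tuple:
    """Return (True, None) if intact, else (False, index of the first block that fails)."""
    for i, block in enumerate(chain):
        if block.hash != block.compute_hash():          # contents no longer match hash code
            return False, i
        expected = GENESIS_PREVIOUS_HASH if i == 0 else chain[i - 1].hash
        if block.previous_hash != expected:             # link to the previous block broken
            return False, i
    return True, None


def tamper_demo() -> tuple:
    """Show what verification reports before and after editing one transaction."""
    chain = build_chain(SAMPLE_BATCHES)
    intact = verify_chain(chain)
    chain[1].transactions[0]["amount"] = 9999.0        # alter one piece of information
    after_edit = verify_chain(chain)                    # block 1's hash code is now wrong
    chain[1].hash = chain[1].compute_hash()             # editor recomputes block 1's hash...
    after_rehash = verify_chain(chain)                  # ...but block 2 still points at the old one
    return intact, after_edit, after_rehash


if __name__ == "__main__":
    for label, result in zip(("intact", "after edit", "after rehash"), tamper_demo()):
        print(f"{label:>13}: {result}")
```

Run the file to see the three verification results; the point the text makes about needing "access to all the copies of the blockchain" is what is missing here, since a single private copy can be rewritten end to end, and it is the other network participants' copies that make that rewrite pointless.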
Summary

+ What network configuration management is, and what it is used for
+ What administrative controls are, and how they can be used, along with four examples
+ What application controls are, along with five examples
+ The importance of communication and training as a control
+ What controls can be used to protect the physical location of systems
+ What audit trails are, and three ways that they can be used
+ How software updates and configuration can protect devices
+ What centralised monitoring is, along with some examples
+ The importance of contingency controls
+ Responsibilities of computer security incident response teams (CSIRTs)
+ Four disaster recovery/business continuity planning methods, including three types of online back-up site
+ What blockchain is, and how it is useful in finance

Got it? If not, go back and re-read the study text before moving on.

Chapter 17 Cybersecurity: Tools and Techniques

Companies must take every step possible to mitigate the risk of cyber-attacks occurring. The five cybersecurity tools and techniques that companies can use to safeguard themselves are:

+ Forensic analysis
+ Malware analysis
+ Penetration testing
+ Software security
+ Digital resilience

Forensic analysis

System-level analysis: This looks for any unauthorised changes that have been made to the computer system.
This involves:

+ Checking whether accounts on the company's system are fake or operated by real people
+ Checking whether the company has adhered to its security protocols
+ Checking whether changes have been made to the company's file systems, particularly those containing sensitive data and information
+ Checking whether security controls have been disabled
+ Checking whether high-level access accounts have been used at unusual times or have performed suspicious activities

Storage analysis: Analysing the file system to see if the cyber-attacker has made any changes, e.g. modifying or deleting files. Expertise may be required to recover deleted or corrupted files successfully. The larger the information system, the harder this can be.

Network analysis: Looking at the movement of data across a network to identify unusual or suspicious activity. Detecting unusual or suspicious movement of data can pre-empt and prevent a future cyber-attack. However, this can compromise the privacy of the network's legitimate users.

Malware analysis

Definition - Malware analysis: The analysis, performed after a cyber-attack, of the malware to find out how it works and how it gained access, in order to prevent it reoccurring.

This process is called reverse engineering. The first steps towards reverse engineering are decompilation or disassembly.

+ Decompilation - The process of converting the malware program from its binary form into the closest possible representation of its source code
+ Disassembly - Converting the malware program from its binary form into its assembler form (this can be understood by specialists, but is less useful than the source code)

Definition - Source code: The set of instructions that constitutes a computer program, which can be understood by specialists.

Once specialists can read the code of the malware, it can be reverse-engineered to find information on how it works and what the goal of the cyber-attack was.
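The static first look that precedes decompilation or disassembly, as an added example that is not part of the Astranti text: fingerprinting the sample, measuring its byte entropy (high values suggest packed or encrypted "layers" that must be removed before the code can be read), pulling printable strings out of it, and finally turning the binary form into its "assembler" form. For a self-contained, offline demonstration the example assumes a tiny Python program compiled to bytecode as the stand-in for a native executable and uses the standard `dis` module as the disassembler; the sample source, its hostname (on the reserved `.invalid` domain) and the compression used to simulate an obfuscation layer are all constructed here.

```python
"""Static first look at a captured sample before decompilation or disassembly."""
import dis
import hashlib
import marshal
import math
import re
import types
import zlib

# Constructed stand-in for a captured sample: a tiny program that we compile to
# bytecode (its 'binary form'). The hostname uses the reserved .invalid TLD.
SAMPLE_SOURCE = '''
def beacon():
    server = "c2.updates.example.invalid"
    interval = 300
    return server, interval
'''


def compile_to_binary(source: str) -> bytes:
    """Source code -> binary form, the shape in which an analyst receives malware."""
    return marshal.dumps(compile(source, "<sample>", "exec"))


def add_layer(binary: bytes) -> bytes:
    """Simulate an extra 'layer' wrapped around the code; compression stands in for packing."""
    return zlib.compress(binary, 9)


def sha256_hex(blob: bytes) -> str:
    """Fingerprint for matching the sample against threat-intelligence feeds."""
    return hashlib.sha256(blob).hexdigest()


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte, 0..8; values close to 8 suggest packed or encrypted content."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for byte in blob:
        counts[byte] += 1
    total = len(blob)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def extract_strings(blob: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs (like the 'strings' tool); often reveals hosts, paths, commands."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [run.decode("ascii") for run in re.findall(pattern, blob)]


def disassemble(binary: bytes) -> list:
    """Binary form -> 'assembler' form: opcode names of the module and every nested function."""
    opcodes = []
    pending = [marshal.loads(binary)]
    while pending:
        code = pending.pop()
        opcodes.extend(instr.opname for instr in dis.get_instructions(code))
        pending.extend(k for k in code.co_consts if isinstance(k, types.CodeType))
    return opcodes


def triage(binary: bytes) -> dict:
    """Summarise the first look; 'opcodes' is None when a layer must be removed first."""
    try:
        opcodes = disassemble(binary)
    except (ValueError, EOFError, TypeError):
        opcodes = None   # not directly loadable: peel off the outer layer, then retry
    return {
        "sha256": sha256_hex(binary),
        "entropy": round(shannon_entropy(binary), 2),
        "strings": extract_strings(binary),
        "opcodes": opcodes,
    }


if __name__ == "__main__":
    plain = compile_to_binary(SAMPLE_SOURCE)
    for label, blob in (("plain", plain), ("layered", add_layer(plain))):
        report = triage(blob)
        print(label, report["sha256"][:16], report["entropy"],
              report["strings"][:3], (report["opcodes"] or ["<layer present>"])[:5])
```

Running it on the plain sample exposes the hostname in the strings and a readable opcode listing; on the layered sample the hostname disappears, the entropy rises and disassembly fails, which is exactly the situation the text describes where extra layers have to be unwrapped before reverse engineering can begin.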
Malware may have been programmed to make this harder, e.g. by the malware creator adding extra 'layers' to the malware's code.

If reverse engineering reveals that the malware was specifically targeting the company, the company will know to prioritise protecting the asset that caused it to be targeted.

Penetration testing

Network discovery: The process of determining the extent of a company's network. Network discovery can reveal shortcomings in the way that the company's network is set up, such as vulnerabilities that need to be fixed, e.g. software not being properly updated or devices using default passwords.

Vulnerability probing: This process is carried out to determine which devices on a company's network are especially vulnerable to cyber-attacks. Specialist software can be used to find vulnerabilities and assess them for their relative severity.

Exploiting vulnerabilities: The final step is to find out the potential consequences if vulnerabilities are targeted. The severity will depend on:

+ How easy it is to access the device/system without authorisation
+ How long it takes to access the device/system without authorisation
+ How much of the device/system can be accessed without authorisation
+ How much control an unauthorised user is able to exert over the device/system

White hat/ethical hackers can be hired to analyse these flaws.

Types of penetration test:

Internal network penetration testing: This focuses on the ability of users, both approved and unapproved, to access company information and install malware, e.g. to identify normal users that can access sensitive information or harm the computer system.
Web application penetration testing: Focuses on testing the vulnerabilities in a company's web applications, which often store sensitive information, to identify issues such as:

+ Insufficient validation of user inputs creating the opportunity for injection attacks, e.g. cross-site scripting (XSS) attacks
+ Incorrect configuration allowing privilege escalation

Wireless network penetration testing: This looks for vulnerabilities that could allow a cyber-attacker to gain access to wireless networks, e.g. through insecure encryption of data transmitted over wireless networks or a lack of controls over wireless uploads.

Simulated phishing testing: Testing the likelihood of employees being tricked into disclosing sensitive information, e.g. whether employees fall for email phishing attempts, or whether employees properly adhere to company policy concerning sensitive information.

Definition - Cross-site scripting (XSS) attacks: Where a cyber-attacker fools an application into running malicious code.

Definition - Privilege escalation: When a user has more control over an application than they should.

Software security

Software security involves the consideration of security during the programming process.

Design review: The consideration of building security features into a company's software from the very beginning rather than integrating them afterwards.

Code review: Consideration of how company software is programmed to ensure that only authorised users are able to access sensitive data. This is performed using two main methods:

+ Two-step verification - Where users are required to present two different pieces of identification information, e.g. a password and a security question response
+ Two-step authentication - Where users are required to provide two different types of identification information out of things the person knows (e.g. their password), things the person has (e.g. a USB key), and/or things the person is (e.g. their fingerprint)

Security testing: This checks whether the company's cybersecurity controls are being used and whether or not they are adequate (similar to an internal audit). The two main cybersecurity controls are (both ISO 27001 compliant):

+ Version control - This control type is integrated into the company's network configuration management (NCM) and ensures that all network devices are running the latest versions of their respective software. Old versions are likely to have more vulnerabilities that are yet to be fixed by updates.
+ Patch management - A patch is a type of small software update created by the software developer, designed to quickly fix a newly found security vulnerability in the software. Patch management is a control that is also integrated into a company's NCM to ensure that devices search for and download the latest patches for their respective software.

Digital resilience

This is the integration of cybersecurity measures into a company's business operations, developed as an idea by Bailey et al. in 2015.

Three-step identification of all the issues:
1) The company identifies the information it has that would be of interest to cyber-attackers
2) The company needs to establish the steps that a cyber-attacker would need to take to gain access to this information
3) The company will then look at what cybersecurity defences it has in place to prevent each individual step that the cyber-attacker would need to take

Aiming towards a well-defined target: The process of incorporating a cybersecurity plan into the company strategy, which should be feasible, challenging and easily understood by all staff.

Determining how best to deliver the new cybersecurity system: Involves overcoming the difficulties that come with introducing new cybersecurity controls, e.g. tackling any employee concerns.
This is best undertaken by a high-level manager assigned specifically to overseeing cybersecurity, who reports to the company board or senior risk manager.

The trade-offs between risk and resource usage: Risk levels faced by companies from cyber-attacks will depend on the comprehensiveness of their cybersecurity systems. Better cybersecurity systems will cost more, so companies must decide how many resources to allocate, based on:

+ The organisation's attitude towards risk
+ The sensitivity and/or value of the information it possesses
+ The resources available to the company

Developing a plan that aligns business and technology: This process involves checking that a company's cybersecurity systems remain equipped to deal with changes to its computer systems, i.e. considering cybersecurity implications when changing business plans.

Ensuring sustained business engagement: This process involves the company ensuring that cybersecurity is afforded due attention at every level of planning and operation.

Chapter 18 Cybersecurity: Risk Reporting

A company's stakeholders want to know that the company has adequate cybersecurity measures in place to minimise cybersecurity risk. Reporting is a key way to communicate this information to stakeholders. Companies can pledge to follow a clearly outlined approach to cybersecurity reports, which is in the best interest of all its stakeholders.

American Institute of Certified Public Accountants (AICPA) framework

The AICPA framework produces cybersecurity risk reports for a company's stakeholders. There are three stages of reporting under the AICPA framework:

Management's description: Providing the company's stakeholders with an overview of the company's current cybersecurity situation, including the following three areas of information:
+ An assessment of what sensitive data and information the company is responsible for
+ Analysis, by the company's management, of the types and likelihood of cybersecurity risks that the company is exposed to as a result of having this information
+ The steps that the company has taken to mitigate the risks outlined

© Astranti 2020

Management's assertion: The company's management then evaluates the cybersecurity details from the previous step and states whether or not the company's approach has been adequate.

The practitioner's opinion: Finally, a qualified AICPA accountant reviews the work of the managers and critiques their assessment of the company's cybersecurity risks and accompanying mitigation strategies.

Each of these stages is performed according to criteria set out by the AICPA, which adhere to the "standards of suitability" listed below:

+ The description criteria are directly relevant to the company
+ Descriptions provided according to the criteria are objective
+ It is possible to take consistent measurements according to the criteria
+ All factors relevant to a company's cybersecurity are included

In 2017, AICPA released the "description criteria for management's description of an entity's cybersecurity risk management programme":

1. Nature of business and operations: This calls for a company to disclose the scope of its operations. Risk will vary based on the scope, depending especially on the following factors:
+ The main products/services of the company and how they are distributed
+ The features of the markets the company operates in
+ Details of the company's businesses

2. Nature of information at risk: The company needs to disclose the sensitive information that it is responsible for handling in any capacity, e.g. personally identifiable financial information (PIFI) for customers and employees.

3. Cybersecurity risk management programme objectives: The company must disclose its objectives relating to cybersecurity, e.g. confidentiality, integrity of data, etc., as well as its commitment to achieving and maintaining them. The AIC Triad framework is a key set of standards that a company could aim for regarding these criteria.

4. Factors that have a significant effect on inherent cybersecurity risks: The AICPA (2017) outlines three factors that a company should disclose during this stage of reporting:
+ Characteristics of technologies, connection types, service providers and delivery channels used
+ Organisational and user characteristics
+ Environmental, technological, organisational and other changes at the entity and in its environment during the period covered by the description
Companies should also outline details of any significant cybersecurity events that occurred in the relevant period.

5. Cybersecurity risk governance structure: This covers the company's approach to fostering integrity and ethical values in its cybersecurity processes, including the following considerations:
+ How adherence to cybersecurity standards is ensured
+ How the board is involved with cybersecurity, and the level of knowledge that board members have
+ Procedures regarding responsibility for cybersecurity and reporting cybersecurity issues
+ How employees are held accountable for their role in the cybersecurity process

6. Cybersecurity risk assessment processes: Outlining in detail the company's process for identifying cybersecurity risks, including how the severity of risk is determined. The risks should be evaluated for how they relate to the achievement of its cybersecurity objectives. Analysis of risks due to interaction with third parties, e.g. vendors and business partners, is also required.

7. Cybersecurity communications and the quality of cybersecurity information: Describing the process for communicating its cybersecurity responsibilities, objectives and incidents, both internally and externally. This must include an outline of what the company's thresholds are for determining whether a cybersecurity event is an incident requiring further investigation.

8. Monitoring of the cybersecurity risk management programme: The company must outline its processes for evaluating its cybersecurity controls and keeping them up to date, e.g. adhering to standards such as ISO 27001. This includes the company's procedures for combatting any shortcomings in its cybersecurity processes.

9. Cybersecurity control processes: The company must outline the following three aspects of its cybersecurity control process:
+ The company's process for designing and implementing control processes in response to identified cybersecurity risks
+ A summary of the extent and structure of the company's IT systems and networks
+ The main policies and processes that the company has implemented to deal with the cybersecurity risks it faces

National Institute of Standards and Technology (NIST) framework

This is an optional framework to help US-based companies improve their approach to cybersecurity, based on the analysis and mitigation of risk. The NIST framework has three parts:

+ The Framework Implementation Tiers
+ The Framework Core
+ The Framework Profiles
