Professional Documents
Culture Documents
Acc 1
Acc 1
10
Lead Component
D3 Discuss cyber security (a) Discuss forensic analysis
tools and techniques (b) Discuss malware analysis
(c) Discuss penetration
testing
(d) Discuss software security
D4 Evaluate cyber risk (a) Evaluate cyber risk
reporting reporting frameworks
565
Cyber security tools, techniques and reporting
2 Forensic analysis
As with any crime scene, virtual or physical, something is always left behind.
Forensic analysis is the process of examining the things that have been left
behind by the attack/attacker to increase understanding about the attack and
how the systems were breached to be able to improve defences in the future.
There are three main areas to consider in forensic analysis of cyber-attacks and
cyber security. They are:
System level analysis.
Storage analysis
Network analysis.
Each of these will be explored in more detail.
566
Chapter 10
567
Cyber security tools, techniques and reporting
Forensic analysis
After the attack on DigiNotar mentioned in the previous chapter, the
Dutch government commissioned Fox-IT to carry out forensic analysis on
the DigiNotar Network. As always with these incidents, the public never
find out the whole story, but some reports say that they were able to find
digital “fingerprints” on one of the servers and from this they were able to
work out that it was the same attacker who had also compromised
another certificate authority called Comodo based in New Jersey in
America.
This story suggests that the security preventing unauthorised access to a
firm’s network appears easier to get round than the security that
certificates provide.
568
Chapter 10
3 Malware analysis
Ideally no malware would get on to an entity’s systems, but the reality is it will.
Once malware has been identified, analysis of the software should be carried
out to understand as much as possible about the malware. The aim of malware
analysis is to understand how the malware got on to the computer and its
purpose, including whether it was intended specifically for the organisation.
Obtaining this information means organisations are better able to improve their
defences in the future.
569
Cyber security tools, techniques and reporting
4 Penetration testing
Penetration testing is another important step in the process of improving cyber
security, it is effectively testing how good the cyber security of a company is.
This can often involve the use of white hat hackers who are hired to try and
penetrate the network or system.
570
Chapter 10
571
Cyber security tools, techniques and reporting
572
Chapter 10
Example: Kaplan
As part of Kaplan’s security processes they have employed someone to
try to hack into the system and set up an administrator profile to install
malware, or pretty much whatever else they wanted.
This is not a one off event, but something that happens on a regular basis
– the hacker comes to a Kaplan office, so is on the internal Kaplan
network, and attempts to set up the profile. The first time the person
hacked in fairly quickly and was able to do everything they wanted.
Kaplan were given a report from the hacker and worked on the various
issues identified.
The next time the hacker was asked to attempt to gain access, whilst they
did get into the system, they were unable to set up any profiles and failed
to access any information or set up any malware.
As ways to hack into systems develop, Kaplan will revisit this security test
and continue to work on protecting Kaplan’s data.
573
Cyber security tools, techniques and reporting
Example: Kaplan
The example about Kaplan in chapter 9 discussed a situation where an
internally generated phishing email offering free coffee from a well-known
coffee outlet was sent to all staff, this is an example of simulated phishing
testing. The members of staff who clicked on the link were identified as
being more susceptible and so received additional training on how to spot
suspicious communications and how to react to them.
5 Software security
Software security is the process of writing security into the software. As attacks
on software can be complex, the security needs to be considered in different
ways, typically there are three levels to consider:
Level 1 – This primary level seeks to prevent the attacker from gaining
access to the software at all.
Level 2 – Unfortunately it is no longer realistic to expect that preventative
security will always work, so the second level is concerned with making
sure that if a breach occurs an alert notifies the appropriate parties that an
attack has breached the level 1 security.
Level 3 – While the alert will mean that the appropriate parties can
investigate the security breach, time is critical in any attack and in a very
short space of time data can be compromised, so the third level takes
automatic urgent action, for example locking down accounts and sensitive
information.
574
Chapter 10
Design review
The extent to which our phones, watches and, since the development of
the IoT, other devices, have become integral to the way we live and work,
was not envisaged when the software for these devices was originally
created.
This has led to a need to improve the security features designed into the
software.
575
Cyber security tools, techniques and reporting
576
Chapter 10
577
Cyber security tools, techniques and reporting
578
Chapter 10
6 Digital resilience
In their book, Beyond Cybersecurity: Protecting Your Digital Business,
published in 2015, Tucker Bailey, James Kaplan, Alan Marcus, Derek
O’Halloran and Chris Rezek discuss a concept called Digital Resilience. The
concept is about doing more than the minimum to protect the company and
comply with regulations, but to integrate cyber security into the business
operations.
They identify six actions an organisation must consider to achieve their digital
resilience, each of the six actions is considered below.
579
Cyber security tools, techniques and reporting
The tendency is often to focus on the final one of these, which can lead to
unnecessary expense.
6.3 Work out how best to deliver the new cyber security system
This area links into change management, and looks at how a company takes
these challenging targets and turns them into a reality. As with all controls the
workforce can often resist what are perceived to be additional controls believing
they will inhibit creativity, cause problems with current procedures or increase
the time to get things done.
Roles and reporting are important here, and part of the advice is to have a high
level manager responsible for all aspects of cyber security, perhaps reporting
into the board or potentially dual reporting into the leading risk manager within
the company too.
Example
A company could set up three packages:
Basic – this would be the lowest cost package and lead to the lowest
level of security, only covering absolutely essential (legal) requirements.
Standard – this would be a package that included a higher level of
security, potentially in line with activities of a business’s primary
competitors. It would also cost more to implement than the basic
package.
Premium – this package would include the top level security, and could
potentially differentiate a firm from its rivals. It would also cost a
significant amount more than the other packages.
This is just an illustration and four or five different packages maybe
created for analysis and selection.
580
Chapter 10
Example:
If a company, or some part of the organisation, has just started to use, or
is considering using, cloud based software or storage, then it is important
that cyber security processes are aligned to this.
581
Cyber security tools, techniques and reporting
7 Frameworks
As cyber security risks and cyber security risk management increase in focus,
so too does the need to report on them to stakeholders. At present there is no
regulatory requirement to report on cyber security and, because of the
complexity and rapidly changing environment in which cyber security sits, it is
unlikely any regulatory requirements will come in.
This has left both organisations and stakeholders in a difficult situation.
Organisations would like their stakeholders to know that they have robust cyber
security procedures in place, but don’t know how to convey this to the
stakeholder. Equally stakeholders are concerned about whether cyber security
is receiving the attention it requires within the organisation but don’t know if
what they are told has any real meaning.
As a result, frameworks have been created that, although they are not
mandatory, give an organisation something credible to show stakeholders to
confirm that they do have robust processes and controls in place.
7.1 AICPA
582
Chapter 10
583
Cyber security tools, techniques and reporting
7.3 Criteria
As with all approaches to analysing risk, identifying key considerations is easier
with a model, tool or guide of some description. For example, PESTEL is a
classic tool to assist in identifying threats and opportunities for a chosen firm.
To assist with the writing and evaluation of the management description and to
improve the comparability of the reports produced the AICPA uses two sets of
criteria:
Description criteria
This is a detailed (33 page) document giving guidance on the areas that
should be considered when identifying the cyber security risks the entity
faces and the controls it puts in place.
584
Chapter 10
585
Cyber security tools, techniques and reporting
586
Chapter 10
587
Cyber security tools, techniques and reporting
588
Chapter 10
Control criteria
This is even more detailed (over 300 pages) document giving guidance on
the types of risks and controls that may have been identified in the
description criteria and examples of other controls that could be used, that
managers and qualified accountants can use in their assertions and
reports. There are significant references to the COSO Internal Control
Framework, which should not be surprising given that cyber security risk
management is concerned with considering the effectiveness of the
controls in the organisation’s program.
589
Cyber security tools, techniques and reporting
590
Chapter 10
Consideration:
Disaster recovery plans (DRP) to support system recovery are tested to
make sure they meet the organisation’s commitments and system
requirements.
Example risk:
DRPs are not designed appropriately and backups are not enough to
allow recovery of the system to meet the organisation’s commitments and
system requirements.
Possible control:
Business continuity plans (BCPs) and DRPs including restoring backups
are tested at least annually. Test results are reviewed and plans are
adjusted accordingly.
Consideration:
Mitigating controls exists to prevent or detect and correct errors in
processing to meet processing integrity and system requirements.
Example risk:
Processing error, fraudulent action or another external event leads to
data loss.
Possible control:
Daily incremental backups are automatically performed and full weekly
backups are also carried out.
Consideration:
Confidential information is protected during system design, development,
testing and implementation to meet organisational confidentiality and
system requirements.
Example risk:
Data used in test systems is not appropriately protected from
unauthorised access and loss.
Possible control:
The organisation uses masking software to create test data that removes
and replaces any confidential data with dummy data prior to the creation
of the test database.
Consideration:
The organisation’s privacy commitments are communicated to internal
and external users appropriately, and internal users are able to carry out
their roles as required while adhering to those commitments.
Example risk:
Internal and external users are not aware of the privacy commitments
and how PII is collected and used.
Possible control:
The organisation makes its privacy commitments and practices available
to all data subjects both internal and external upon first collection of data,
and any updates to policy are communicated as appropriate and through
agreed preferences to the data subject.
591
Cyber security tools, techniques and reporting
This gives a flavour of the content, but it is impossible to reproduce it all in this
chapter. There are huge amounts of information available to help organisation
implement the AICPA cyber security risk management framework. Further
research is possible just type it into a search engine, but be careful to only click
on secure and trusted sites.
NIST
The NIST is the National Institute of Standards and Technology. It is a
non-regulatory agency of the US department of Commerce. As with many
governments around the world they seek to give advice about cyber
security. In the UK GCHQ has a section called the National Cyber
Security Centre that gives advice to UK organisations and individuals
about staying safe online.
592
Chapter 10
593
Cyber security tools, techniques and reporting
Technological advances mean that all frameworks including the AIC triad
must evolve. Some developments that pose particular challenges include:
Big data – extra challenges arise because of the huge volume of
information that needs to be protected, the variety of sources and types
of information and the speed with which it is updated. Making use of it
can be challenging, but also making sure that it is accessible, trustworthy
and private can become very costly.
Internet of things – as with any network, the more you increase the size,
the more access points are created and so the bigger the threat
becomes. The issue for the AIC triad is both privacy and security.
Privacy – it may only be fragments of data that are accessible from each
of the various endpoints, but when they are collated they can constitute
personally identifiable information.
Security – while computers get regular software patches and invariably
have good security configurations, many of the devices in the IoT that
connect to them don’t have the ability to receive software updates or do
not require passwords.
594
Chapter 10
595
Cyber security tools, techniques and reporting
596
Chapter 10
Scenario
Nouveau Cakes Ltd is an online cake making and delivery company
based within close proximity to the capital city and with good transport
links to the rest of the country. They offer to make delicious cakes for any
special occasion, with a wide variety of designs and deliver them to the
customer’s door within 24 hours of ordering on their website.
They have been in operation for 5 years and originally started when
founder and current executive chair Larissa Shazam became
disillusioned with her office job and decided to follow her passion for cake
baking. She originally auditioned for a television bakery contest to try and
raise her profile but failed to get through the auditions. Undeterred she
started doing local cake making and delivery within her home town and
surrounding village.
She quickly built up a good reputation, and started to use social media to
raise her profile. Requests for cakes started to come in from further afield
due to her presence on social media and, keen to capitalise on this
interest, she collaborated with a local distribution company and applied to
the bank for financing to increase the size of her operation.
The company now has its own website which is the primary source of its
orders and regular customers are able to set up an account for ease of
ordering and payment. The company has had to collaborate with a
national logistics company for their next day delivery services as the
demand for its cakes is increasing throughout the country.
Trigger
The finance director asks you in her office, she’s holding a copy of the
local newspaper, and is looking concerned.
“Thank you for the work you did for me last week, it was really useful. I
need your help again, I’ve just been reading about a local company that
has suffered a major setback due to a hacker gaining access to their
customer database. I’m concerned that as we expand, we may become a
target for such activities. We have hundreds of regular customers who
have set up an account and have stored payment details.
A friend of mine works in IT and is obsessed by cyber security and was
telling me all about the various frameworks and how they can be reported
now. I didn’t really understand it all, but I understand there are loads of
different approaches and that there is currently no standard approach. I
wondered if we should be doing something on cyber security now. I know
Larissa is considering listing the company if our success continues, she’s
even talking about overseas expansion!
597
Cyber security tools, techniques and reporting
Task
Please can you prepare the following for me for a meeting I have with
Larissa and the rest of the board tomorrow morning. I need it within the
hour so I can have a good look over it and ask you any questions:
(a) Outline the issues that we should be considering with regard to
cyber security. (15 minutes)
(b) An evaluation of the benefits and risks of adopting a cyber security
framework. (15 minutes)
(c) A brief evaluation of the cyber security frameworks available and a
recommendation for which one we should use. (15 minutes)
598
Chapter 10
“As you can see from this newspaper article, we launched the new
download app yesterday. However we have already had to suspend the
download service. Ronsteel Productions, one of the studios that license
most of our content to us, has already discovered some of its
programmes on internet pirate sites. The electronic signatures on those
files indicate that they originated from Couchweb.
In preparation for the launch of the app, we encrypted copies of the files.
These should have been impossible to play other than through the
subscriber’s app, linked to the subscriber’s Couchweb account. The
encryption has been extensively tested, but we now know that it is
possible to defeat it.
We have been able to identify the subscribers who were responsible for
the pirated copies and have cancelled their subscriptions.
Task
The CEO has asked me to brief him later today and I need your help in
preparing for the briefing. I need practical advice on the following matter:
(a) How would Enterprise Risk Management (ERM) provide an
effective approach to the prevention of this type of incident at
Couchweb in the future? (30 minutes)
599
Cyber security tools, techniques and reporting
8 Chapter summary
600
Chapter 10
601
Cyber security tools, techniques and reporting
602
Chapter 10
603
Cyber security tools, techniques and reporting
604
Chapter 10
605
Cyber security tools, techniques and reporting
606
Chapter 10
ISO27001
This is from the International Organisation for Standardisation and so
carries with it additional credibility. This kind of standard would give
additional credibility to NC if we were to move into business-to-business
sales. It follows very similar risk management processes including setting
up a security policy, using risk assessment and managing the risks
identified, and preparing a statement on the risks and controls in place. It
does not mandate specific controls, but does provide a checklist of
controls to consider.
AICPA cyber security risk management reporting
This is probably the most comprehensive and detailed of the frameworks
that exist at present, as such it would probably be the most expensive for
NC to undertake, but the result would be that our consideration and
controls would be perceived to be of the highest order. Again, it cannot
guarantee that NC would be immune from cyber security threats, but
would show our stakeholders that we take cyber security very seriously.
Given that Larissa has talked to you about listing, this level of reporting
would certainly give investors more confidence in our cyber security risk
management.
Summary
Given our current size, I think that we should start by using either the AIC
triad or the NIST framework. This will give us a good basis for control and
if we continue to expand we could look to adopt ISO27001 and the
AICPA cyber security risk management reporting.
607
Cyber security tools, techniques and reporting
608