INFS1701 3617 T1 2023 LecW8


Lecturer-in-Charge: Dr. Henry KF Cheung (kf.cheung@unsw.edu.au)

Copyright Notice

• There are some file-sharing websites that specialise in buying and selling academic work to
and from university students.

• If you upload your original work to these websites, and if another student downloads
and presents it as their own either wholly or partially, you might be found guilty of collusion —
even years after graduation.

• These file-sharing websites may also accept purchase of course materials, such as copies
of lecture slides and tutorial handouts. By law, the copyright on course materials, developed by
UNSW staff in the course of their employment, belongs to UNSW. It constitutes copyright
infringement, if not academic misconduct, to trade these materials.

Acknowledgement of Country

UNSW Business School acknowledges the Bidjigal (Kensington campus) and Gadigal (City campus) as the traditional custodians of the lands where each campus is located.

We acknowledge all Aboriginal and Torres Strait Islander Elders, past and present, and their communities who have shared and practiced their teachings over thousands of years, including business practices.

We recognize Aboriginal and Torres Strait Islander people’s ongoing leadership and contributions, including to business, education and industry.

UNSW Business School. (2022, August 18). Acknowledgement of Country [online video]. Retrieved from https://vimeo.com/369229957/d995d8087f
What we will learn today:

1. Cloud Security
2. Roles of Cyber Personnel
3. Incident Management Case Study

Cloud Security
(Shared by Aqua Security Software)

Break

So, who are the people involved in cyber security management?
Meet Pi – Cyber Security Risk Manager
• Pi gets paid $130-180K to be the Sherlock Holmes of finding
out why the company’s cybersecurity isn’t good enough and
the people who want to steal their money and data and break
their systems
• Since his company doesn’t have unlimited money, staff, or
technology resources, he needs to decide what bad things are
most likely to happen and how best to stop them from
happening
• Pi is passionate about researching, analysing, and applying
different regulatory and policy frameworks to help the
company meet industry standards efficiently
Meet Bul – Network Security Engineer
• In exchange for (carefully) breaking into the company’s
systems, she gets paid $105-140K to tell them how to
stop it from happening again
• Sometimes when the real bad guys break in, she will
investigate how they got in and fix the hole(s) they used to
sneak in
• In a year’s time, she’s hoping to get promoted to Network
Security Manager, where she’ll manage, monitor and
oversee the network security of the company
Meet Jacob – Threat Intelligence Analyst
• The company gives him $98-137K to surf the Dark Web and
find out how the bad guys plan on getting past their security
controls
• He produces actionable intelligence on current and
developing threats to help the company prioritise its
cybersecurity measures
• If a breach occurs, he will determine if attacks need to be
monitored or disrupted, conduct investigations and contain
the breach, help the company adapt so the same attack
doesn’t work again, and integrate new tactics and threat data
into security tools
Meet Wis – Security Operations Engineer
• He gets paid $120-150K to do pretty much everything there
is to do in cybersecurity
• He identifies the company’s most critical assets (like a Risk
Manager), researches and analyses the latest threats (like a
Threat Intelligence Analyst), and performs post-incident
analyses (like a Network Security Engineer)
• He also enforces configuration and security policies in the
company, thinks about ways to automate security
procedures and processes, and watches network,
application, and other data to try to detect suspicious
activity that could indicate an adversary or malicious insider
is doing bad things inside the network
Meet Kai – Application Security Engineer
• The company pays him $120-157K to make sure that
their systems don’t have too many security holes
• He needs to know what the most likely attacks will be
so that he can help developers write secure code
• Once the developers have written their code, he checks
that it’s up to standard before it goes into production
• Even then, once it’s in production, he will occasionally
test the application to check for any weaknesses
Meet Su – Technical Project Manager
• For $110-157K, he manages a project for the company and
makes sure that the entire project’s lifecycle (from preparing
and planning to constructing and deploying) goes smoothly
• He has a knack for understanding the perspectives of all
project stakeholders and winning their trust and buy-in
• He oversees the project’s budget, schedule, communications,
gaps and risks, and completion
• On completion, he makes sure that everything is well-
documented and handed over to business operations
smoothly
Meet Mai – Security Awareness Specialist
• She gets paid $110-140K to teach people not to click on
funny links in strange emails (and a lot more!)
• She needs to know how to talk about cybersecurity in a
way that everyone can understand – even people who
still use Internet Explorer!
• She raises awareness about the common types of
attacks that target people – like phishing and social
engineering
• She also needs to boost employee morale so that they
are empowered to make secure decisions in their
everyday jobs
Meet Ku – Cloud Security Engineer
• News about security breaches keeps him up at night, so
the company pays him $140-173K
• He does a similar job to an Application Security Engineer,
but for the Cloud™
• He keeps up to date with the latest threats to the
company’s cloud, develops new features to protect
against those threats, and builds, maintains, and upgrades
their cloud-based systems
• He also analyses the logs in their cloud environment to
make sure he has visibility over the various cloud services
so that he can detect attackers and prevent them from
breaking things

Incident Management Case Study

In December 2013, Target Corporation, one of the largest retailers in the US, announced that it had been the subject of a cyber attack that resulted in the theft of credit and debit card information for 40 million Target customers and personal information for an additional 70 million

Source: https://www.hbs.edu/faculty/Pages/item.aspx?num=51339
• Attackers took advantage of weak security at a Target vendor to gain foothold in Target’s internal network
• Attackers took advantage of weak security controls within Target’s network and successfully moved to the network’s most sensitive areas
• Target missed alerts sent by its anti-intrusion software, did not enable automatic deletion of malware, and missed alerts about data extraction

Source: https://www.hbs.edu/faculty/Pages/item.aspx?num=51339
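The third failure above is an alert-handling problem: alerts were raised but never actioned, malware was not quarantined automatically, and the data-extraction alerts were not escalated. As an added illustration (not from the lecture or the HBS case), the following triage check models those three rules over constructed alert records; the record fields, the category names and the four-hour escalation window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    # Field names are assumptions for this example, not a real tool's schema.
    alert_id: str
    source: str          # e.g. "anti-intrusion" or "dlp"
    category: str        # "malware", "data-transfer" or anything else
    raised_at: datetime
    acknowledged: bool   # has an analyst actioned it?
    auto_remediated: bool  # did the tool quarantine/delete on its own?


ACK_SLA = timedelta(hours=4)  # assumed escalation window


def triage(alerts, now, sla=ACK_SLA):
    """Return (alert_id, reason) for every alert that must be escalated.

    Rules mirror the case study's missed-alert failure modes:
      - a data-transfer alert is escalated as soon as it is unacknowledged;
      - a malware alert that was neither acknowledged nor auto-remediated
        is escalated regardless of age;
      - any other unacknowledged alert older than the SLA is escalated.
    """
    findings = []
    for a in alerts:
        if a.acknowledged:
            continue
        age = now - a.raised_at
        if a.category == "data-transfer":
            findings.append((a.alert_id, "possible exfiltration: escalate now"))
        elif a.category == "malware" and not a.auto_remediated:
            findings.append((a.alert_id, "malware not quarantined: escalate"))
        elif age > sla:
            findings.append((a.alert_id, f"unacknowledged for {age}"))
    return findings


# Constructed sample queue (not real data); A2 is acknowledged and A4 was
# auto-remediated, so only A1 and A3 should be escalated at 12:00.
SAMPLE = [
    Alert("A1", "anti-intrusion", "malware", datetime(2023, 3, 1, 9, 0), False, False),
    Alert("A2", "anti-intrusion", "malware", datetime(2023, 3, 1, 10, 0), True, False),
    Alert("A3", "dlp", "data-transfer", datetime(2023, 3, 1, 11, 30), False, False),
    Alert("A4", "anti-intrusion", "malware", datetime(2023, 3, 1, 11, 50), False, True),
]

if __name__ == "__main__":
    for alert_id, reason in triage(SAMPLE, datetime(2023, 3, 1, 12, 0)):
        print(alert_id, reason)
```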
Target’s Pre-breach Information Security Team Structure

Information Protection Team
• Led by a Chief Privacy Officer, who reports to the CFO
• Vendor Assessment and Management Team (300 vendor assessments each year)
• Risk Review Committee provides guidance on risk mitigation (beyond cyber)
• Intake team answers security-related questions

Technology Services
• Led by the CIO, who reports to the CEO
• Cyber Security team led by a senior director who reports to the CIO
• Security Operations Center (SOC) – a 24-hour alert management center
• Red team conducts network security tests and simulated attacks

Source: https://www.hbs.edu/faculty/Pages/item.aspx?num=51339
Target’s Pre-breach Information Security Team Structure

There are also
• Cybersecurity Program Governance – a committee consisting of senior managers from different units, meeting quarterly
• Cyber Steering Committee – bringing people together to plan for the future of the cyber security program, review strategies and prepare agendas to discuss with execs in the Cyber Executive Committee
• Corporate Security and InfoSec Investigations team, Internal and External Auditors, Board Committees etc.

Source: https://www.hbs.edu/faculty/Pages/item.aspx?num=51339
Target’s Incident Response

• December 12: US Department of Justice (DOJ) contacted Target about the breach
• December 13: Target met with the DOJ and US Secret Service
• December 14: Target hired forensics team to investigate the breach
• December 15: CEO first found out about the breach
• December 16: Forensic work/investigation
• It took Target until 6pm on the 15th to remove the malware
• December 17: Target prepared its stores and call centers to answer questions

Source: https://www.hbs.edu/faculty/Pages/item.aspx?num=51339
Target’s Incident Response

• December 18: a popular online security blog (Krebs on Security) reported that more than 1M cards had been compromised. This was the first public indication of the breach
• December 18: Media confirmed with Secret Service. Target refused to confirm the incident that day
• December 19: Target posted on its corporate website (not the customer website) and distributed press release stating that it was "aware of" unauthorised access to payment card data
• December 27: Target reversed its earlier position to confirm that PIN information had in fact been stolen

Source: https://www.hbs.edu/faculty/Pages/item.aspx?num=51339
Target’s Incident Response

The attack and Target’s response exposed the company to intense criticism and raised questions about the accountability of the board of directors and committees that were responsible for the oversight of both operational and reputational risks

What would be your recommendation?

People: Organisations do not have a formal cyber security incident response team or a named individual

Processes: Organisations do not have a process in place

Technology: Inadequate monitoring processes, record evidence, redundancy
• Preparation
• Detection and investigation
• Initial response
• Containment
• Eradication and recovery
• Notification
• Closure and post-incident activity
• Documentation and evidence-handling requirements

[Diagram: Tactical Phase – Initiation, Planning and Execution, Execution, Recovery, Termination; Strategic Phase – Metrics, Plan/Improvement]
1. Categorise all assets – What is at risk? What is the scope of
the attack?
2. Identify key people, define roles and responsibilities
3. When should we invoke the recovery plan?
4. Who has the authority to invoke the plan?
5. Milestones, criteria for finalising
In the worst-case scenario, deliver bad news
Source: stacker.com
