Research case: "MGM Resorts security breach 2023"
1. Use the anatomy framework to analyze the security breach you picked for your final report.
Follow the structure defined in the anatomy framework; research and collect facts for the following categories:
Threats
Threat agent
Vulnerability
Discovery
Investigation
Impact
Remediation
2. Use the following metrics to evaluate the disclosure:
Completeness
Timeliness
Management Involvement
How complete was the disclosure? Which aspects of the breach were disclosed (threat, threat agent, vulnerability, actual breach, discovery, investigation, impact, remediation)?
How timely was the disclosure? Did it provide adequate time references for evaluation (report lag, discovery lag, investigation lag, remediation lag)?
Did management involve themselves in the disclosure (e.g., signature of C-suite executives)?
You may also consider other aspects when evaluating the disclosure.
The research notes do not need to be written in full paragraphs; you may use bullet points to summarize your findings.
Lecture – Unit 5 The Anatomy of a Cybersecurity Event
ACCT 855
Seminar in Cybersecurity Audit and Disclosure
Dr. Tien Lee, Ph.D., PMP, CISA, CISSP [email protected] | (415)644-TIEN San Francisco State University Lam Family College of Business
Last Week…
Need of Audit Standards
auditor’s conduct
auditor’s performance
auditor’s tasks
The Standard Argument
Does doing things "by the book" hamper the auditor's ability to conduct an audit?
Can auditors think "outside the box"?
Developing audit steps
The structure
From PFSPGP to audit steps
Audit steps and audit evidence
A Cybersecurity “Event”
MGM’s cybersecurity “issues”
What we observed may be the symptom (emails down, website down, slot machine malfunction), not the actual breach event.
Reporting or investigating the symptoms may not be enough unless the root cause is found.
The need to understand the cybersecurity events
It’s more than just “what happened?”
The need to understand the cybersecurity events
Threats
Threat:
“something bad may happen to you!”
loss of data?
Loss of asset?
Critical infrastructure?
The risks, aka, “what is at stake?”
Threats can be numerous
Threat Agents
Threat agent
Those who carried out the attack
Who “realized” the threats
Think beyond just “hackers”
May not be “human” agent
The actor that enabled the threats
Vulnerability
Vulnerability
The “weakness”
What the threat agent took advantage of
"easy targets"
No vulnerability, no realized threat: the threat still exists, but without a weakness to exploit it cannot materialize into a breach.
Investigations
Investigations
Internal investigation
Third party? Law enforcement?
What tools and methods were used?
How were investigation results communicated?
Impact Assessments
Impact assessment
the “Ooops”
Impact assessment might not be possible without investigation
Impact on reputation?
Real economic impacts
long term, short term?
Remediation
Remediation efforts
“stop loss”
what was done and what needs to be done.
DRP & BCP (disaster recovery and business continuity planning): recovery from the event and continuation of business operations.
Putting it together
Research & Reading
Research task:
Use NIST Special Publication 800-61, Computer Security Incident Handling Guide, to research the following:
What is an incident?
How to handle an incident
Information sharing and coordination
Lecture – Unit 9 Evaluate Disclosure
Dye’s Analogy (1985)
Dye (1985) used a simple agency-theory setting to show why management would manipulate disclosure:
management's actions are subject to moral hazard (hidden actions), and
investors individually learn about the manager's actions through disclosure, which is then reflected in stock price changes.
Disclosure allows the principal to mitigate the moral hazard problem by tying the manager's compensation to the firm's stock price.
Dye’s Analogy (1985)
In this setting, the manager could game the system by shaping the disclosure so that it does, or does not, affect the firm's expected future cash flows.
The firm's stock price would then become a function of that disclosure rather than of investor knowledge about the manager's actions.
Therefore, the firm's stock price becomes "influenced" by the disclosure, and even more so by the content of the disclosure.
Dye’s Analogy & Cybersecurity Breach Disclosure
Following a security breach, managers may foresee that breach events are intrinsically complex and difficult for the principal to understand;
the full investigation may take much longer to complete.
The manager may therefore elect to control the disclosure in a manner that favors the manager's self-interest.
The market reaction then becomes a function of the "diluted" or "glorified" disclosure, not of management's true effort and actions in managing (or mismanaging) the firm.
The Tale of Two Disclosures
StumbleUpon provided little information in its disclosure.
However, it is difficult to evaluate just how “bad” it is.
Need of measuring instruments
The Tale of Two Disclosures
Comparing to another disclosure…
Measuring the Quality of the Disclosure
Discussion: What makes a good disclosure?
ACCURATE
TIMELY
RELEVANT
COMPLETE
MANAGEMENT INVOLVEMENT & CREDIBILITY
Disclosure Accuracy
Accuracy is an important aspect of disclosure.
It’s important for the preparer to issue disclosure truthfully based on best available information at hand.
However…
Accuracy of disclosure is impossible to measure consistently as the “truth” is not observable from the information users’ perspective.
Disclosures are “assumed to be accurate” after independent audit.
Disclosure Timeliness
Timely disclosure allows investors to make timely decisions.
However, for a cybersecurity breach, a single dimension of timeliness may not be adequate.
Time dimension of cybersecurity breach may include:
When the incident occurred
When the incident was discovered
When the investigation started
When remediation was determined
When the external disclosure was issued
Disclosure Timeliness
These dimensions allow the information user to determine the "lag time" between events:
Discovery lag (from incident occurrence to discovery)
Investigation lag (from discovery to the start of the investigation)
Remediation lag (from the start of the investigation to the determination of remediation)
Disclosure lag (from discovery to external disclosure)
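The lag definitions above, and the research-task question of whether a disclosure provides enough time references to evaluate them, expressed as a small evaluator. This is an added example, not part of the lecture; the dates in SAMPLE_DISCLOSURE are constructed for illustration and are not taken from any real disclosure. A None reference models a disclosure that omits that time dimension, so the corresponding lag is reported as not evaluable rather than guessed.

```python
"""Timeliness lags of a breach disclosure, following the lecture's definitions.

Added example. All dates below are constructed and do not describe any real breach.
"""
from datetime import date
from typing import Dict, List, Optional

# The five time dimensions a disclosure may state, in the order they occur.
EVENTS = (
    "occurred",
    "discovered",
    "investigation_started",
    "remediation_determined",
    "disclosed",
)

# lag name -> (end event, start event), matching the lecture's definitions
LAG_DEFINITIONS = {
    "discovery_lag": ("discovered", "occurred"),
    "investigation_lag": ("investigation_started", "discovered"),
    "remediation_lag": ("remediation_determined", "investigation_started"),
    "disclosure_lag": ("disclosed", "discovered"),
}


def compute_lags(refs: Dict[str, Optional[date]]) -> Dict[str, Optional[int]]:
    """Return each lag in days; None means the disclosure omitted a needed date."""
    lags: Dict[str, Optional[int]] = {}
    for name, (end, start) in LAG_DEFINITIONS.items():
        end_date, start_date = refs.get(end), refs.get(start)
        if end_date is None or start_date is None:
            lags[name] = None  # not evaluable from this disclosure
        else:
            lags[name] = (end_date - start_date).days
    return lags


def find_negative_lags(lags: Dict[str, Optional[int]]) -> List[str]:
    """A negative lag means the stated dates are out of order: an internally
    inconsistent disclosure that should be questioned, not scored."""
    return [name for name, days in lags.items() if days is not None and days < 0]


def summarize(refs: Dict[str, Optional[date]]) -> dict:
    """Everything an evaluator needs for the timeliness criterion in one place."""
    lags = compute_lags(refs)
    stated = sum(1 for event in EVENTS if refs.get(event) is not None)
    return {
        "lags_days": lags,
        "time_references_stated": stated,
        "time_references_expected": len(EVENTS),
        "lags_not_evaluable": [n for n, d in lags.items() if d is None],
        "negative_lags": find_negative_lags(lags),
    }


# Constructed sample: a disclosure that dates four of the five events and
# says nothing about when remediation was determined.
SAMPLE_DISCLOSURE: Dict[str, Optional[date]] = {
    "occurred": date(2024, 1, 5),
    "discovered": date(2024, 1, 12),
    "investigation_started": date(2024, 1, 13),
    "remediation_determined": None,
    "disclosed": date(2024, 1, 19),
}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DISCLOSURE).items():
        print(f"{key}: {value}")
```

Running the sample reports a 7-day discovery lag, a 1-day investigation lag, a 7-day disclosure lag, and flags remediation_lag as not evaluable, which is the finding you would record under the timeliness metric: the disclosure gives no basis for judging how quickly remediation was decided.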
Disclosure Timeliness