1.
Why is costing information (for example, the calculation of WIP inventory valuation) important to financial reporting?
Please research and discuss at least one point in the discussion.
2.
This week we discussed the firm's perspective on security incident handling and introduced NIST's security Incident Response Life Cycle (IRLC): Preparation – Detection & Analysis – Containment, Eradication & Recovery – Post-Incident Activity.
Have you or people around you ever experienced a security breach? Use the IRLC to structure and share your experience.
How prepared were you before the incident? (prior training? knowledge? controls?)
How was the incident discovered and analyzed?
How did you contain, eradicate and recover from the incident?
Were any post-incident activities performed? What did you learn from the incident?
Share your experience and evaluate your "cybersecurity incident handling" using the CMM general model: how mature was your incident handling capability? Briefly explain why.
(The attachment below is for Question 2)
Lecture – Unit 10 Cybersecurity Incident Management & Controls
ACCT 855
Seminar in Cybersecurity Audit and Disclosure
Dr. Tien Lee, Ph.D., PMP, CISA, CISSP [email protected] | (415)644-TIEN San Francisco State University Lam Family College of Business
So Far…
Auditors’ perspective
Current state of cybersecurity
Audit program
Current practices & use of standards
The anatomy of a cybersecurity event (Research workshop)
Cybersecurity threats & SOC audits
Audit evidence
Evaluating Disclosure (research workshop)
Firm’s perspective (issuer)
This week: Firm’s handling of Cybersecurity Event.
An Incident? Event? Breach? Hack?
First issue faced by the issuer is… “What is a cybersecurity breach?”
Event and incidents
Event: Any observable occurrence in a system or network.
Adverse event: an event with a negative consequence, e.g. a system crash.
Security incident: a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
A breach:
An intrusion or unauthorized access to a system or network.
It may NOT have caused ANY adverse event, yet.
An Incident? Event? Breach? Hack?
A “Hack”:
Usually implies an attack from an external party.
A breach can be caused by internal or external party.
Definition matters:
An event may or may not be “adverse”
An adverse event may or may not be caused by a security breach.
A breach may or may not be observable.
A breach may or may not cause an event, adverse or not.
Consider these: an unlogged adverse event vs. an observed breach.
How Does a Breach Slip Through the Cracks?
The breach is not observed, or the adverse events were not logged:
Inadequate event logs or transaction journals.
Some attackers attempt to erase their footprint by purging the event log.
Technical: lack of detection controls.
Human: lack of security awareness (ignorance is bliss).
No additional checks, e.g. internal or external audits.
The attacker simply has not done anything yet.
Side-channel attack: the breach was accomplished without a direct attack on the system, so nothing is recorded as an intrusion.
Incident Response
The organization should provide an organization-specific definition of a security incident.
When a security incident is observed/discovered/reported, the incident response function should be activated (fire alarm -> sprinkler).
For federal agencies, per OMB and FISMA:
An incident response capability must be established,
with procedures for detecting, reporting, and responding to security incidents.
A centralized federal incident response center (US-CERT) is established, to which agencies report incidents.
The CSIRT
The Computer Security Incident Response Team:
Models: ad hoc, priority-based, centralized, distributed, or coordinated (small -> large organizations).
Staffing: in-house employees; partially outsourced; on-call (retainer-based); fully outsourced.
Considerations:
Availability (24/7? 1-hr response time?)
Cost
Expertise / specialization / org. knowledge
Segregation of duties
Quality of work
Personnel issues and considerations
Why Cost Matters
The shorter the required response time, the more expensive the capability.
A longer response time is cheaper, but the cost of disruption can become too high.
Incident Response Personnel Considerations
Security Clearance?
Skill inventory
Morale, stress, overtime
Potential interpersonal conflicts
Technical lead, audit/compliance lead
Authorities and access
Rotation, correlation, overlap of skills.
Within the Firm:
Management: establishes incident response policy, budget, and staffing.
BOD: monitors the internal effort; the incident is reported to the Board.
Information assurance: audit committee, internal audit function; collection/preservation of evidence.
IT support.
Legal department: plans for legal ramifications, prosecutions, lawsuits.
PR, media relations, social media team, rumor control: to control the dialogue.
HR: vetting employees and contractors; assisting with disciplinary actions.
Internal Auditor’s Role
The internal audit function serves an investigative role to assist the CSIRT.
The internal auditor’s role in an incident is NOT to perform assurance services (no audit is performed DURING the handling of an incident!).
Provide evidence gathering and preservation.
Work with external auditors, law enforcement, contractors, or specialists.
Monitor on behalf of the Board.
Report to management and the Board (management or the Board then reports externally).
Incident Response Life Cycle: Preparation
Preparation:
Most important
“Prevention is better than cure”
Seek to improve incident preparedness.
ISSUE: difficult to show ROI on prevention (it can be done by tracking cost avoided).
Detection – How is a Breach Discovered?
By checking / acting on an adverse event
By intrusion detection mechanisms (detection controls)
By routine, periodic, or unannounced audits
By whistleblower or internal reporting channel
By customers, vendors, or business partners.
By law enforcement agencies
By the attackers themselves
NOTE: bad record keeping (event logs & transaction journals) can severely hamper discovery or detection!
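The slides say that a breach slips through when adverse events were not logged, that attackers purge the event log to erase their footprint, and that bad record keeping hampers detection. The following is an added example, not from the lecture, showing what a detection control for exactly that looks like: a small Python check that scans an event log for the three traces purging or silencing a log leaves behind. The log format, the sample lines, the event id 1102 convention (taken from the Windows Security log, where it means "the audit log was cleared"), and the function names are assumptions made for this example.

```python
"""Detect signs that an event log has been purged or has gone silent.

Added example for the lecture (not from the slides). The log lines are
constructed for this example in a simplified, syslog-like format:

    <ISO-8601 timestamp> <record number> <event id> <message>

Assumptions: record numbers increase by one per record (true of most host
event logs), and event id 1102 marks "the audit log was cleared", following
the Windows Security log convention.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

AUDIT_LOG_CLEARED = 1102  # Windows Security log: "The audit log was cleared"

# Constructed sample: a normal morning, then 3h24m of silence, then the log
# is cleared and records 104-139 are gone.
SAMPLE_LOG = """\
2024-03-01T08:00:00 100 4624 logon user=alice src=10.0.0.5
2024-03-01T08:05:00 101 4624 logon user=bob src=10.0.0.7
2024-03-01T08:06:00 102 4672 special privileges assigned user=bob
2024-03-01T11:30:00 103 4624 logon user=carol src=10.0.0.9
2024-03-01T11:31:00 140 1102 audit log cleared by user=bob
2024-03-01T11:32:00 141 4624 logon user=svc-backup src=10.0.0.5
"""


@dataclass(frozen=True)
class Record:
    ts: datetime
    seq: int
    event_id: int
    msg: str


def parse_log(text: str) -> List[Record]:
    """Parse the simplified log format; one Record per non-empty line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, seq, event_id, msg = line.split(" ", 3)
        records.append(Record(datetime.fromisoformat(ts), int(seq), int(event_id), msg))
    return records


def find_log_anomalies(records: List[Record],
                       max_silence: timedelta = timedelta(hours=1)) -> List[Dict]:
    """Return findings for the ways a breach can leave no usable trace:

    - log_cleared:     an explicit "audit log cleared" record (footprint erased;
                       on Windows this record survives because it is written
                       after the clearing)
    - missing_records: a jump in record numbers, i.e. records removed or dropped
    - sequence_reset:  record numbers went backwards, e.g. the log file was
                       deleted and recreated, or restored from an old copy
    - silent_period:   no records for longer than max_silence, e.g. the logging
                       service was stopped (nothing is written when that happens,
                       so silence is the only symptom)
    """
    findings: List[Dict] = []
    prev = None
    for rec in records:
        if rec.event_id == AUDIT_LOG_CLEARED:
            findings.append({"kind": "log_cleared", "at": rec.ts,
                             "seq": rec.seq, "detail": rec.msg})
        if prev is not None:
            if rec.seq <= prev.seq:
                findings.append({"kind": "sequence_reset", "at": rec.ts,
                                 "previous": prev.seq, "current": rec.seq})
            elif rec.seq != prev.seq + 1:
                findings.append({"kind": "missing_records", "at": rec.ts,
                                 "first": prev.seq + 1, "last": rec.seq - 1})
            if rec.ts - prev.ts > max_silence:
                findings.append({"kind": "silent_period",
                                 "start": prev.ts, "end": rec.ts})
        prev = rec
    return findings


if __name__ == "__main__":
    for finding in find_log_anomalies(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed sample, the check reports the silent period from 08:06 to 11:30, the "audit log cleared" record, and the missing records 104 through 139. The point for the issuer is that the first two symptoms are only visible if the logs were being collected somewhere the attacker could not reach (a central log server), which is a Preparation-phase control, not something the analysis step can recover after the fact.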
Analysis Step: Determine Incident Handling
Impossible to write step-by-step procedures for EVERY incident.
Group incidents by type and determine the incident response plan accordingly.
Common grouping techniques:
By asset type: (cash, trade secret, PIN, company data…)
By channel of attack: (web, mobile devices, B2B network)
By source: (internal, external, collusion)
By attack type: (technical, human…)
By parties involved: (foreign agencies, law enforcement, external contractors…)
By urgency
Containment, Eradication, and Recovery
Containment: done before an incident overwhelms resources or increases damage.
Provides time for developing a tailored remediation strategy.
The containment strategy may differ based on the result of detection and analysis.
Eradication and recovery should be done in a phased approach.
Eradication may not be possible until law enforcement gives the OK (if law enforcement is involved).
Recovery should be done ONLY after historical data (the evidence) have been secured.
Post-incident Activities
Lessons learned
Breach report (internal & external)
Determine follow-up activities
Internal Audit on the event handling process
Collect KPIs:
Response time
Various time lags
Time per incident
Objective assessment of incident
Report to the Board of Directors.
Based on the lessons learned, update the firm’s preparedness.
Capability Maturity Model
A general model used to measure and establish how “mature” a certain process is.
CMM general model:
Initial – chaotic, ad hoc, individual heroics.
Repeatable – the process is at least documented sufficiently that the same steps can be repeated.
Defined – the process is defined/confirmed as a standard business process.
Quantitatively Managed – the process is managed in accordance with agreed-upon metrics.
Optimized – includes deliberate process optimization and continuous improvement.
Paper Walk-throughs, Drills, and War Games
Using scenarios to test the firm’s preparedness.
E.g. “unauthorized access to payroll records” – what to do?
Paper walk-through: check the firm’s capability ON PAPER, then walk through the process in situ.
Drills: instead of just performing tasks on paper, the affected individuals are required to perform the actual tasks.
War games: unannounced; an actual third party is used to carry out the attack.
VERY EXPENSIVE!
Needs preparation so that business operations are not interrupted.