Effective Learning Strategies
"CyberProtect" - Learning
about System Security”
Ann O'Brien, Phone: 608-219-7428,aobrien@bus.wisc.edu
Adapted from Jim Mensching, Chico State University
The case is easily replicated at other schools in that the Department of Defense
simulation and professional practice materials are available on-line, free of charge.
Overview
As cloud computing expands and SSAE 16 is
adopted, understanding system security issues
becomes increasingly critical.
Using the Department of Defense (DOD)
CyberProtect simulation, students assume the
role of a system administrator; learn about
system security threats, and research
professional practice issues related to
attestation reporting on service organization
controls.
Learning Objectives - Using active learning:
1. Become familiar with Information System security attacks
(e.g., data thefts, modifications, jamming, etc.).
2. Understand the damages and risks involved with specific
attacks.
3. Become increasingly proficient at determining which
controls can prevent, detect and correct the attacks.
4. Research and demonstrate basic understanding of
professional practice issues related to system security,
particularly SSAE 16 (e.g., SOC 2 Type 2), SAS 70, and trust
services.
Part I of this project is a fun introduction to system security
concepts where, acting as a system administrator in the DOD CyberProtect
video-game-type simulation, students protect their systems from attacks such
as viruses, flooding, data theft, jamming,etc. Students complete at least one
round (four quarters) during which they experience multiple attacks to security
measures implemented. Each of these attacks may be either successful (the
controls failed to prevent the attack) or unsuccessful (the controls stopped the
attack from doing damage). Students record the attacks that were perpetrated
on their system during each step of the simulation and note whether or not the
controls implemented were effective, noting failures in security in the previous
quarter, and determining why the controls in place did not prevent the attack.
Students then attempt to improve their system for the subsequent quarter.
Part II relates system security issues with professional standards
using research and class discussion on “cloud” computing, software as a service
(SaaS), and SSAE 16 (effective as of June 15, 2011, an enhancement to SAS 70
for Reporting on Controls at a Service Organization) and “trust” services.
AICPA Core Competencies Addressed
As recommended by the AECC, the instructional method is based on the
overriding objective of students learning by doing on their own, as active
participants rather than passive recipients; identifying and solving
unstructured problems. “Learning to learn” is facilitated by the simulation,
applying concepts and principles, and the process of continuous improvement
of effective controls with each successive round.
Life-long learning is based on skills, knowledge, and professional
orientation.
-Skills: Completing the simulation, matrix and researching practice issues
require Intellectual skills: the ability to locate, obtain and organize
information, the ability to identify and solving unstructured problem in
unfamiliar settings, and the exercise of judgment based on comprehensive of
an unfocused set of facts.
-Knowledge: The case is focused on an information system, enhancing
students’ understanding of the role of info technology in organization.
-Professional Orientation: By researching professional standards regarding
security, students learn the importance of competence and concern of the
public interest.
The simulation, writing and research case enhances capabilities needed by
accounting graduates intellectual skills, communication skills, and accounting
knowledge. In particular:
-Intellectual skills: capacities for inquiry, abstract logical thinking, inductive
and deductive reasoning, and critical analysis; the ability to identify and solve
unstructured problems in unfamiliar setting and to apply problem-solving
skills in a consultative process; understanding the determining forces in a
given situation and to predict their effects.
-Communication skills: presenting and defending views effectively through
writing; locating, obtaining, and organizing a report, and using information
from a variety of sources.
-Accounting knowledge: regarding the role of information systems and the
integrity of financial data and safeguarding of assets.
Student Requirements: Part I – CyberProtect Simulation and Notes
Launch the DOD simulation from http://iase.disa.mil/eta/cyber-protect/launchcontent.html or
download the CyberProtect program from a link on the course web site.
Students must complete at least one complete round of the simulation (four
quarters) with at least a 75% rating. During each quarter, you will experience
multiple attacks and each of these may be either successful (i.e. your controls
failed to prevent the attack) or unsuccessful (i.e. the controls stopped the attack
from doing damage).
As students go through the simulation, they investigate any failures in security
in the previous quarter and determine why the controls in place did not
prevent the attack. Then they attempt to improve the system for the
subsequent quarter. The ultimate objective of the simulation as originally
designed by the DOD is to produce a 90% readiness rating. If this is achieved,
then students can print out a certificate that states that they have reached that
level (for their resume perhaps). For AIS 340, students are NOT required to
reach a 90% readiness rating, just complete at least four quarters with a 75%
rating.
Student Requirements: Part II – System Security and Professional Standards
such as SSAE 16 and Trust services
Accountants must have an understanding of relevant professional
pronouncements regarding risks and controls such as those presented in
CyberProtect. In the era of growing information technology and systems
outsourcing, companies such as payroll processors, data centers, and Software
as a Service (SaaS) providers, etc. typically need to provide clients with a SSAE
16 Type II report. SSAE 16 is an enhancement to SAS 70, the former standard for
Reporting on Controls at a Service Organization.
To gain familiarity with this topic, students should peruse websites such as
SSAE16.com, AICPA.org (privacy and SOC) and using Google, find other
information regarding trust services and SSAE 16.
An online quiz will test basic understanding of these concepts. See sample.
Deliverables <directions given to students>:
Part I – CyberProtect Simulation (1)Using a format shown in the following
matrices*, record the attacks that were perpetrated on your system during each
step of the simulation and note whether the controls were effective or
ineffective. (2)To confirm that you have completed one simulation and a
readiness rating of 75%, capture the end results of the simulation and submit an
electronic copy of that document (note: it is probably easiest to just do a screen
capture – control alt print screen - and paste it into your MS Word document if
you experience a problem electronically printing the network configuration to
your desktop). (3)Also, include a screen print of the network configuration at
the beginning of the fourth quarter. Part I deliverable should be submitted
before 8am, Nov 30 to the course assignment dropbox. Be sure to include your
name on your submission.
Part II – System Security and Professional Standards - Go to the course website
and complete the online quiz before 8am, Nov 30 and be prepared to discuss
the topic in class on Nov. 30.
*Successful Attacks Matrix (controls failed to prevent the attack)
Quarter
Source Attack Damage Caused
Missing Control
Etc.
*Unsuccessful Attacks Matrix (controls blocked the attack)
Quarter Source Attack Possible Damage
Preventive Control
Etc.
Quarter – The quarter in which the attack occurred (1-4) (multiple attacks per
quarter are possible).
Source (I or E) – Was the attack from a party internal or external to the
organization?
Attack – A brief description of the attack.
Damage Caused – What damage did the attack do?
Missing Control – What control or controls would have prevented the attack?
Possible Damage – What damage could have the attack done if it had been
successful?
Preventive Control – What control or controls prevented the attack?
The following table shows all of the possible attacks in the Cyber Protect
simulation. Students should become familiar with each attack, be able to
describe the possible problems the attack could cause, and also be able to
explain the control (or controls) that should be used to prevent the attack from
being successful.
Information Security Attacks
Attack
Data
Modification
Data Theft
Flooding
Imitation or
Spoofing
Jamming
Mole
Packet Sniffer
Social
Engineering
Virus
Description
Change or destroy information on a system
Steal sensitive information without owner knowing about it
Bombards system with more messages or information than it can handle
Pretends to be a valid user by using a stolen userID/password or by “hijacking”
a valid session
Electronically disrupt transmission signals
A trusted person of an organization gives information to an outsider
Tools collect information from network such as UserID, passwords, contents of
E-mail messages, credit card numbers.
Information obtained by talking with people, obtaining their trust, and tricking
them to give out information, like passwords.
Malicious program that reproduces by attaching itself to a computer program.
Following is a list of problems and attacks not included in the simulation.
Attack
Unlicensed
Software
Buffer Overflow
Attack
Logic Time
Bomb
Port Scanning
Zero Day Attack
Phishing Attack
Password
Cracking
Man in the
Middle Attack
Description
Users have installed unlicensed software on your systems
Data sent to a computer purposely exceeds the fixed length of a data buffer and
over writes code in the system
Malicious code is placed into a program that is triggered by an event or at a
certain point in time
A hacker attempts to find a system vulnerability by looking for open, unprotected
communication ports
A vendor announces the release of a patch to address a known vulnerability to
their software and someone attacks your system based on this vulnerability
An employee receives an email that requests confidential information and the
email supplies a bogus website that appears to be a valid company
Hacker attempts to determine passwords by using software designed specifically
to find passwords
A computing device is inserted into a network that intercepts messages and
passes them on to create the appearance of direct communication between users
when the communication is actually controlled by the attacker
As time allows, we will consider these additional attacks and (1) discuss what risks are involved in the specific
attack, (2) discuss a control (or controls) that can be used to either prevent or detect and correct the problem
and finally (3) describe in detail how the controls would be implemented.
CyberProtect and Professional Standards Online Quiz Questions 1-3:
1.
A service organization’s services are part of an entity’s information system if they
affect which of the following:
Classes of transactions in the entity’s operations that are significant to the entity’s financial statements
Procedures and records for initiating, recording and processing and reporting the entity transactions
Financial reporting process used to prepare the entity’s financial statements
Capturing events and conditions that are significant to the entity’s financial statements
Manual accounting records of the entity
All of the above
None of the above
2.
Which of the following is an example of a service organization that will likely
require an SSAE Type II Report:
Payroll Processing
Loan Servicing
Software as a Service (SaaS)
Medical Claims Processors
All of the above
None of the above
3.
Which of the following is a FALSE statement regarding SSAE 16:
SSAE 16 is the most current standard for Reporting on Controls at a Service Organization.
SSAE 16 is an enhancement of SAS 70.
SSAE 16 does not rise to the level of assurance of the international standard for service organization
reporting, ISAE 3402.
Public companies are required to use a SSAE 16 qualified providers to give investors assurance over
controls that are not performed by the company.
All of the above
None of the above
CyberProtect and Professional Standards Online Quiz Questions 3-6:
4. Which of the following is a FALSE statement regarding SSAE 16 Type I
reports:
Type I reports on the suitability of the design of controls.
Type I reports read like a narrative of the process and how control objectives tie into the process.
Auditors will review management’s assessment of the design and walk through the control objectives and
activities and verify that they are designed as management noted.
A major difference between SAS 70 and SSAE 16 is that with SAS 70 managers reported on controls.
All of the above
None of the above
5. Which of the following is a FALSE statement regarding SSAE 16 reports:
Type I reports focus on whether or not controls are in place.
Type II reports focus on testing the operational effectiveness of the controls.
SOC 1 focuses on financial reporting activities.
SOC 2 and SOC 3 focus on non-financial reporting.
All of the above
None of the above
6. Trust services such as SysTrust and Web Trust assure which of the
following:
Security
Availability
Confidentiality
Processing Integrity
Privacy
All of the above
None of the above
Assessment Instrument/Rubric
I have graded this case on a satisfactory/unsatisfactory basis in past years.
However, a point system could be as followed:
Points
50
Simulation
Compile at least one round of simulation with
75% rating evidenced by screen shot. This
measures the successful understanding of the
basic security concepts.
20
Matrices
Completed as followed:
5
Poor or incomplete analysis
15 Adequate
20 Excellent
25
Research
quiz
100
POSSIBLE
TOTAL
Online quiz