Effective Learning Strategies
"CyberProtect" - Learning about System Security

Ann O'Brien, Phone: 608-219-7428, aobrien@bus.wisc.edu
Adapted from Jim Mensching, Chico State University

The case is easily replicated at other schools, since the Department of Defense simulation and the professional practice materials are available on-line, free of charge.

Overview

As cloud computing expands and SSAE 16 is adopted, understanding system security issues becomes increasingly critical. Using the Department of Defense (DOD) CyberProtect simulation, students assume the role of a system administrator, learn about system security threats, and research professional practice issues related to attestation reporting on service organization controls.

Learning Objectives - Using active learning:

1. Become familiar with Information System security attacks (e.g., data thefts, modifications, jamming, etc.).
2. Understand the damages and risks involved with specific attacks.
3. Become increasingly proficient at determining which controls can prevent, detect and correct the attacks.
4. Research and demonstrate basic understanding of professional practice issues related to system security, particularly SSAE 16 (e.g., SOC 2 Type 2), SAS 70, and trust services.

Part I of this project is a fun introduction to system security concepts: acting as a system administrator in the DOD CyberProtect video-game-type simulation, students protect their systems from attacks such as viruses, flooding, data theft, jamming, etc. Students complete at least one round (four quarters) during which they experience multiple attacks against the security measures they have implemented. Each of these attacks may be either successful (the controls failed to prevent the attack) or unsuccessful (the controls stopped the attack from doing damage).
Students record the attacks that were perpetrated on their system during each step of the simulation and note whether or not the controls implemented were effective. For each security failure in the previous quarter, they determine why the controls in place did not prevent the attack, and then attempt to improve their system for the subsequent quarter.

Part II relates system security issues to professional standards through research and class discussion on "cloud" computing, software as a service (SaaS), SSAE 16 (effective as of June 15, 2011, an enhancement to SAS 70 for Reporting on Controls at a Service Organization) and "trust" services.

AICPA Core Competencies Addressed

As recommended by the AECC, the instructional method is based on the overriding objective of students learning by doing on their own, as active participants rather than passive recipients, identifying and solving unstructured problems. "Learning to learn" is facilitated by the simulation, by applying concepts and principles, and by the process of continuously improving the effectiveness of controls with each successive round. Life-long learning is based on skills, knowledge, and professional orientation.

- Skills: Completing the simulation and the matrices and researching practice issues require intellectual skills: the ability to locate, obtain and organize information; the ability to identify and solve unstructured problems in unfamiliar settings; and the exercise of judgment based on comprehension of an unfocused set of facts.
- Knowledge: The case is focused on an information system, enhancing students' understanding of the role of information technology in organizations.
- Professional Orientation: By researching professional standards regarding security, students learn the importance of competence and of concern for the public interest.

The simulation, writing and research case enhances capabilities needed by accounting graduates: intellectual skills, communication skills, and accounting knowledge.
In particular:

- Intellectual skills: capacities for inquiry, abstract logical thinking, inductive and deductive reasoning, and critical analysis; the ability to identify and solve unstructured problems in unfamiliar settings and to apply problem-solving skills in a consultative process; understanding the determining forces in a given situation and predicting their effects.
- Communication skills: presenting and defending views effectively through writing; locating, obtaining, and organizing information for a report, and using information from a variety of sources.
- Accounting knowledge: regarding the role of information systems, the integrity of financial data, and the safeguarding of assets.

Student Requirements: Part I – CyberProtect Simulation and Notes

Launch the DOD simulation from http://iase.disa.mil/eta/cyber-protect/launchcontent.html or download the CyberProtect program from a link on the course web site. Students must complete at least one complete round of the simulation (four quarters) with at least a 75% rating. During each quarter, you will experience multiple attacks, and each of these may be either successful (i.e., your controls failed to prevent the attack) or unsuccessful (i.e., the controls stopped the attack from doing damage). As students go through the simulation, they investigate any failures in security in the previous quarter and determine why the controls in place did not prevent the attack. Then they attempt to improve the system for the subsequent quarter.

The ultimate objective of the simulation as originally designed by the DOD is to produce a 90% readiness rating. If this is achieved, students can print out a certificate stating that they have reached that level (for their resume, perhaps). For AIS 340, students are NOT required to reach a 90% readiness rating, just to complete at least four quarters with a 75% rating.
Student Requirements: Part II – System Security and Professional Standards such as SSAE 16 and Trust Services

Accountants must have an understanding of relevant professional pronouncements regarding risks and controls such as those presented in CyberProtect. In the era of growing information technology and systems outsourcing, companies such as payroll processors, data centers, and Software as a Service (SaaS) providers typically need to provide clients with an SSAE 16 Type II report. SSAE 16 is an enhancement to SAS 70, the former standard for Reporting on Controls at a Service Organization. To gain familiarity with this topic, students should peruse websites such as SSAE16.com and AICPA.org (privacy and SOC) and, using Google, find other information regarding trust services and SSAE 16. An online quiz will test basic understanding of these concepts. See sample.

Deliverables <directions given to students>:

Part I – CyberProtect Simulation

(1) Using the format shown in the following matrices*, record the attacks that were perpetrated on your system during each step of the simulation and note whether the controls were effective or ineffective.
(2) To confirm that you have completed one simulation with a readiness rating of 75%, capture the end results of the simulation and submit an electronic copy of that document (note: if you have a problem electronically printing the network configuration to your desktop, it is probably easiest to do a screen capture - Control-Alt-Print Screen - and paste it into your MS Word document).
(3) Also include a screen print of the network configuration at the beginning of the fourth quarter.

The Part I deliverable should be submitted before 8am, Nov 30 to the course assignment dropbox. Be sure to include your name on your submission.

Part II – System Security and Professional Standards

Go to the course website and complete the online quiz before 8am, Nov 30, and be prepared to discuss the topic in class on Nov. 30.
*Successful Attacks Matrix (controls failed to prevent the attack)

Quarter | Source | Attack | Damage Caused | Missing Control | Etc.

*Unsuccessful Attacks Matrix (controls blocked the attack)

Quarter | Source | Attack | Possible Damage | Preventive Control | Etc.

Quarter – The quarter in which the attack occurred (1-4) (multiple attacks per quarter are possible).
Source (I or E) – Was the attack from a party internal or external to the organization?
Attack – A brief description of the attack.
Damage Caused – What damage did the attack do?
Missing Control – What control or controls would have prevented the attack?
Possible Damage – What damage could the attack have done if it had been successful?
Preventive Control – What control or controls prevented the attack?

The following table shows all of the possible attacks in the CyberProtect simulation. Students should become familiar with each attack, be able to describe the possible problems the attack could cause, and also be able to explain the control (or controls) that should be used to prevent the attack from being successful.

Information Security Attacks

Data Modification – Change or destroy information on a system.
Data Theft – Steal sensitive information without the owner knowing about it.
Flooding – Bombards a system with more messages or information than it can handle.
Imitation or Spoofing – Pretends to be a valid user by using a stolen userID/password or by "hijacking" a valid session.
Jamming – Electronically disrupts transmission signals.
Mole – A trusted person in an organization gives information to an outsider.
Packet Sniffer – Tools that collect information from the network, such as UserIDs, passwords, contents of E-mail messages, and credit card numbers.
Social Engineering – Information obtained by talking with people, gaining their trust, and tricking them into giving out information, like passwords.
Virus – Malicious program that reproduces by attaching itself to a computer program.
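The "Flooding" entry above describes an attack by sheer volume, and that also tells you how a detective control for it works: count events per source over a short time window and alert when a source exceeds what a legitimate user would produce. The following Python script is an added example written for this page; it is not part of the case or of the CyberProtect simulation, which does not expose logs. The log format, the IP addresses, the 30-second window and the threshold of 10 events are all constructed assumptions.

```python
"""Detecting a flooding attack from a connection log (added example).

The log lines, IP addresses and threshold below are constructed for
illustration; they are not output of the CyberProtect simulation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO timestamp> <source IP> <service>".
# 10.0.0.5 is an ordinary internal user; 203.0.113.7 sends 12 requests in 11 seconds.
SAMPLE_LOG = """\
2011-11-01T09:00:00 10.0.0.5 web
2011-11-01T09:02:30 10.0.0.5 web
2011-11-01T09:05:10 10.0.0.5 mail
2011-11-01T09:10:00 203.0.113.7 web
2011-11-01T09:10:01 203.0.113.7 web
2011-11-01T09:10:02 203.0.113.7 web
2011-11-01T09:10:03 203.0.113.7 web
2011-11-01T09:10:04 203.0.113.7 web
2011-11-01T09:10:05 203.0.113.7 web
2011-11-01T09:10:06 203.0.113.7 web
2011-11-01T09:10:07 203.0.113.7 web
2011-11-01T09:10:08 203.0.113.7 web
2011-11-01T09:10:09 203.0.113.7 web
2011-11-01T09:10:10 203.0.113.7 web
2011-11-01T09:10:11 203.0.113.7 web
2011-11-01T09:12:00 10.0.0.5 web
"""


def parse_log(text):
    """Return a list of (timestamp, source, service) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, source, service = line.split()
        events.append((datetime.fromisoformat(stamp), source, service))
    return events


def peak_rate(events, window=timedelta(seconds=30)):
    """For each source, the largest number of events that fall inside any
    single time window of the given length (sliding-window count)."""
    by_source = defaultdict(list)
    for stamp, source, _service in events:
        by_source[source].append(stamp)
    peaks = {}
    for source, stamps in by_source.items():
        stamps.sort()
        start = 0
        best = 0
        for end, stamp in enumerate(stamps):
            # Slide the window start forward until it is within `window` of this event.
            while stamp - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[source] = best
    return peaks


def flag_flooding(text, threshold=10, window=timedelta(seconds=30)):
    """Sources whose peak rate exceeds the threshold: the candidates to record
    under 'Attack: Flooding' in the matrices, with the rate limit as the control."""
    peaks = peak_rate(parse_log(text), window)
    return sorted(source for source, count in peaks.items() if count > threshold)


if __name__ == "__main__":
    for source, count in sorted(peak_rate(parse_log(SAMPLE_LOG)).items()):
        print(f"{source:<14} peak {count:>3} events / 30 s")
    print("flooding suspects:", flag_flooding(SAMPLE_LOG))
```

Run as a script, it reports a peak of 1 event per 30 seconds for the internal user and 12 for the constructed external source, and flags only the latter. The threshold is the judgment call the matrices ask for: set it too low and normal users are blocked (a false positive), too high and the flood gets through before anything alerts.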
Following is a list of problems and attacks not included in the simulation.

Unlicensed Software – Users have installed unlicensed software on your systems.
Buffer Overflow Attack – Data sent to a computer purposely exceeds the fixed length of a data buffer and overwrites code in the system.
Logic Time Bomb – Malicious code is placed into a program and is triggered by an event or at a certain point in time.
Port Scanning – A hacker attempts to find a system vulnerability by looking for open, unprotected communication ports.
Zero Day Attack – A vendor announces the release of a patch to address a known vulnerability in their software, and someone attacks your system based on this vulnerability.
Phishing Attack – An employee receives an email that requests confidential information and supplies a bogus website that appears to belong to a valid company.
Password Cracking – A hacker attempts to determine passwords by using software designed specifically to find passwords.
Man in the Middle Attack – A computing device is inserted into a network that intercepts messages and passes them on, creating the appearance of direct communication between users when the communication is actually controlled by the attacker.

As time allows, we will consider these additional attacks and (1) discuss what risks are involved in the specific attack, (2) discuss a control (or controls) that can be used to either prevent or detect and correct the problem, and finally (3) describe in detail how the controls would be implemented.

CyberProtect and Professional Standards Online Quiz

1. A service organization's services are part of an entity's information system if they affect which of the following:
- Classes of transactions in the entity's operations that are significant to the entity's financial statements
- Procedures and records for initiating, recording, processing and reporting the entity's transactions
- Financial reporting process used to prepare the entity's financial statements
- Capturing events and conditions that are significant to the entity's financial statements
- Manual accounting records of the entity
- All of the above
- None of the above

2. Which of the following is an example of a service organization that will likely require an SSAE Type II Report:
- Payroll Processing
- Loan Servicing
- Software as a Service (SaaS)
- Medical Claims Processors
- All of the above
- None of the above

3. Which of the following is a FALSE statement regarding SSAE 16:
- SSAE 16 is the most current standard for Reporting on Controls at a Service Organization.
- SSAE 16 is an enhancement of SAS 70.
- SSAE 16 does not rise to the level of assurance of the international standard for service organization reporting, ISAE 3402.
- Public companies are required to use SSAE 16 qualified providers to give investors assurance over controls that are not performed by the company.
- All of the above
- None of the above

4. Which of the following is a FALSE statement regarding SSAE 16 Type I reports:
- Type I reports on the suitability of the design of controls.
- Type I reports read like a narrative of the process and how control objectives tie into the process.
- Auditors will review management's assessment of the design, walk through the control objectives and activities, and verify that they are designed as management noted.
- A major difference between SAS 70 and SSAE 16 is that with SAS 70 managers reported on controls.
- All of the above
- None of the above

5. Which of the following is a FALSE statement regarding SSAE 16 reports:
- Type I reports focus on whether or not controls are in place.
- Type II reports focus on testing the operational effectiveness of the controls.
- SOC 1 focuses on financial reporting activities.
- SOC 2 and SOC 3 focus on non-financial reporting.
- All of the above
- None of the above

6. Trust services such as SysTrust and WebTrust assure which of the following:
- Security
- Availability
- Confidentiality
- Processing Integrity
- Privacy
- All of the above
- None of the above

Assessment Instrument/Rubric

I have graded this case on a satisfactory/unsatisfactory basis in past years. However, a point system could be as follows:

Points | Component | Criteria
50 | Simulation | Complete at least one round of the simulation with a 75% rating, evidenced by screen shot. This measures successful understanding of the basic security concepts.
20 | Matrices | Completed as follows: 5 Poor or incomplete analysis; 15 Adequate; 20 Excellent
25 | Research quiz | Online quiz
100 | POSSIBLE TOTAL |