
Cybersecurity

Student Book

www.isaca.org/cyber

About ISACA
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from,
information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career
development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity
Nexus, a comprehensive set of resources for cybersecurity professionals, and COBIT, a business framework that helps enterprises govern
and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally
respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance
of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than
200 chapters worldwide.

Disclaimer
ISACA has designed and created Cybersecurity Student Book (the Work) primarily as an educational resource for governance, security
and assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be
considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably
directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, governance, security and
assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or
information technology environment.

Reservation of Rights
© 2014 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in
a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior
written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and
noncommercial use and for consulting/advisory engagements, and must include full attribution of the material's source. No other right or
permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org

Provide Feedback: www.isaca.org/cybersecurity_student_book


Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ


Acknowledgments
ISACA Wishes to Recognize:
Expert Reviewers
Gary Babick, CISSP, Ernst & Young LLP, USA
Rehan Haque, CISA, CISM, ISO27001 LI, CBCP, BP, UK
Hildah Waithera Nduati, CISA, CISM, PRINCE2, Safaricom, Ltd., Kenya
Gaurav Thorat, Ernst & Young LLP, India

Board of Directors
Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Adaptive Computing, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, SABIC, Saudi Arabia, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, ACA, CIPP/E, CIPP/US, CISSP, FBCS, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, CISSP, ISO 27001 LA, DHL Global Forwarding & Freight, Germany

Academic Program Subcommittee


Matthew Liotine, Ph.D., CBCP, CHS-III, CSSBB, MBCI, University of Illinois at Chicago, USA, Chairman
Daniel Canoniero, Universidad de Montevideo, Uruguay
Tracey Choulat, CISM, CGEIT, CRISC, University of Florida, USA
Umesh Rao Hodeghatta, Xavier Institute of Management, India
Nabil Messabia, CPA, CGA, Université du Québec en Outaouais, Canada
Mark Lee Salamasick, CISA, CSP, CIA, CRMA, University of Texas, USA
Ype van Wijk, Ph.D., RE, RA, Rijksuniversiteit Groningen, The Netherlands
S. Vanderloot, CISA, CISM, CRISC, PhD, AST, CCNA, CCNA Security, CCSA, CEH, ECSA, ISO 27001 LA, NCSA, PCIP, UK
Nancy C. Wells, CISA, CRISC, USA


Table of Contents
Chapter 1. The Purpose of This Student Book ..... 6
Chapter 2. Introduction to Cybersecurity ..... 7
Chapter 3. IT Governance and the Political Dimension ..... 8
Chapter 4. Who Are the Attackers? ..... 9
    Unsophisticated Attackers ..... 9
    Sophisticated Attackers ..... 9
    Corporate Espionage ..... 9
    State-sponsored Attackers ..... 10
    Other Attackers ..... 10
Chapter 5. Principles of Cybersecurity Law ..... 11
    Computer Fraud and Abuse Act ..... 11
    Computer Misuse Act ..... 11
    Industry Laws ..... 11
    Questions to Consider ..... 11
Chapter 6. Security Policy: Design, Development, Management and Implementation ..... 12
    Using COBIT 5 ..... 12
    Considerations During the Design Phase ..... 12
    Considerations During the Implementation Phase ..... 13
Chapter 7. Threat and Vulnerability Assessment ..... 14
    Approaches to Assess Threats and Vulnerabilities ..... 14
    Inputs for Building a Risk Scenario ..... 14
    Detecting Vulnerabilities ..... 15
Chapter 8. Threat, Attack and Defense Models ..... 16
    STRIDE ..... 16
    Threat Modeling ..... 16
        Attack Modeling ..... 16
            Reconnaissance ..... 16
            Scanning ..... 16
            Gaining Access ..... 16
            Maintaining Access ..... 16
            Covering Tracks ..... 17
        Defense in Depth ..... 17
Chapter 9. Incident Response ..... 18
    Incident Response Phases ..... 18
        Preparation ..... 19
        Detection ..... 19
        Containment ..... 19
        Eradication ..... 19
        Post-incident Activity ..... 19
Chapter 10. Conclusion ..... 20
Appendix A. Cybersecurity Policy Cross-references ..... 21
Appendix B. Vulnerability and Threat Examples ..... 24
Glossary ..... 26


Chapter 1. The Purpose of This Student Book


This student book was developed by ISACA for use with the five cybersecurity caselets. It is intended for use in undergraduate classes
to introduce students to cybersecurity topics as they align with the COBIT 5 framework.

This book assumes that students have a basic understanding of internetworked systems and common terms used in information
systems and information technology.

For an in-depth discussion of cybersecurity topics, please refer to the ISACA publications Transforming Cybersecurity, Responding to
Targeted Cyberattacks and Cybersecurity Fundamentals Study Guide.


Chapter 2. Introduction to Cybersecurity


Cybersecurity refers to protecting information assets by addressing threats to information processed, stored and transported by
information systems that are internetworked.[1] The threats to information assets range from basic malware, such as viruses and worms,
to targeted, state-sponsored attacks, also known as advanced persistent threats (APTs). Enterprises of all sizes and individuals need
not only to be aware of these threats, but also to understand the processes for managing the risk involved.

Over the last 25 years, the use of internetworked systems, particularly the Internet, has gone from the specialized realm of government
and academic systems to being a substantial part of our business and personal lives. Enterprises maintain web sites, email, e-commerce
and collaboration tools that are all connected to the Internet. Online banking, bill paying and shopping have made online financial
transactions common. Individuals have smartphones, tablets and a myriad of other devices that are always online. While being
connected provides incredible benefits and opportunities, it is important to remember that there are others connected to the Internet
who wish to compromise these systems for a variety of reasons.

This book discusses the information assets to be protected and the attackers. It examines the essential principles of cybersecurity law;
security policy: design, development, management and implementation; threat and vulnerability assessment; threat, attack and defense
models; and incident response.

[1] ISACA, Cybersecurity Nexus FAQs, www.isaca.org/cyber/Documents/Cybersecurity-Nexus-FAQs_faq_Eng_0414.pdf


Chapter 3. IT Governance and the Political Dimension


In the previous section, cybersecurity was defined as the protection of information assets. The term "information assets" is
intentionally vague, as different industries, organizations and individuals have different information assets in use. Laws regulate
some information assets, such as health records and other personal information.[2] Other information assets, such as credit card
payment information, may be subject to contractual agreements. Some information is confidential strictly for competitive reasons. All
information assets may have value to an attacker, depending on the attacker's motivation.

Figure 1 shows examples of industry-specific assets and why they might be sought after.

Figure 1: Industries, Information Assets and Values

Industry                      Information Assets                  Value
Banking                       Account and Financial Information   Fraud
E-commerce (online stores)    Credit Card Information             Fraud
                              Personal Customer Information       Identity Theft
Energy                        Industrial Control Systems          Sabotage
Pharmaceutical Firms,         Intellectual Property               Corporate or State Espionage
High-technology Firms
Government and Military       State Secrets                       Espionage

This table only provides a few examples of the information assets that could be targeted by an attacker.

When preparing a cybersecurity strategy, it is important to identify which information assets may be of interest to different attackers.
Sometimes seemingly benign information, such as an internal organizational chart, can be useful for a social engineering attack. The
value of information may lie not only in how an organization uses the information, but how an attacker could use that information.

[2] Laws vary greatly between countries. See the Cybersecurity Law section later in this book for more details.


Chapter 4. Who Are the Attackers?


The attackers, more formally known as threat actors, vary greatly in skills and motivation. Figure 2 shows the relative skills and
motivations of the various categories of attackers.

Figure 2: Evolution of the Threat Landscape

[Figure: the original graphic plots the four attacker categories against attacker resources/sophistication (horizontal axis) and risk
(vertical axis), with a timeline of example malware and incidents from the 1980s/1990s to 2012 and an inset APT life cycle. The
recoverable text of the figure is reproduced below.]

Attacker categories and why you are targeted:
- Unsophisticated Attackers (Script Kiddies), motivated by amusement, experimentation or nuisance: You are attacked because you are on
  the Internet and have a vulnerability.
- Sophisticated Attackers (Hackers), motivated by money: You are attacked because you are on the Internet and have information of value.
- Corporate Espionage (Insiders), motivated by personal gain: Your current or former employee seeks financial gain from selling your IP.
- State-sponsored Attacks, Advanced Persistent Threat (APT), motivated by espionage and weaponization: You are targeted because of who
  you are, what you do, or the value of your IP.

APT life cycle (inset) labels: Initial Exploitation, Command and Control, Privilege Escalation, Intelligence Gathering, Data Exfiltration.

Timeline examples (1980s/1990s to 2012): Brain Boot/Morris Worm, Michelangelo, Polymorphic Viruses, Concept Macro Virus, Melissa,
I Love You, Anna Kournikova, Sircam, Code Red and Nimda, SQL Slammer, Blaster, Sobig, MyDoom, Netsky, Sasser, Storm botnet, Koobface,
Conficker, Aurora, Mariposa, Stuxnet, WikiLeaks, Anonymous, LulzSec, SpyEye/Zeus, Duqu, Flame.

Source: ISACA, Responding to Targeted Cyberattacks, USA, 2013, figure 2

Unsophisticated Attackers
The unsophisticated attackers, also known as script kiddies, are fairly common. They tend to strike targets of opportunity and typically
use tools and techniques readily found on the Internet.

Sophisticated Attackers
Sophisticated attackers, sometimes known as hackers,[3] typically have access to sophisticated tools and techniques. They have the skills
to adapt these tools and techniques to the target environment. Often the motivation for such attacks is financial gain. Organized crime
groups may employ these attackers for large cybercrime operations.

Corporate Espionage
Insiders can pose great danger to an organization. While they may not necessarily have the same level of sophistication as other
groups, they already have some access to network systems and information assets. Network defenses are often focused on monitoring
unauthorized external access, and internal access may go unnoticed.

[3] There is much debate over the use of the term hackers, particularly because the word originally meant those who tinkered with computers. Some texts prefer crackers as a portmanteau
of criminal hackers.


State-sponsored Attackers
At the top end of the spectrum are state-sponsored attackers, also known as advanced persistent threats (APTs). APT groups
are often responsible for espionage and cyberwarfare. According to Mandiant, a group known as APT1 compromised at least 141
organizations through a systematic campaign.[4] Another example of the sophistication of these attacks is Stuxnet, an advanced malware
used to attack Iran's nuclear program.[5]

Other Attackers
Not all attackers or incidents fall neatly into these categories, and the threat landscape is constantly evolving. When an attack is
successful, a breach occurs. Verizon produces a Data Breach Investigations Report each year that analyzes a large number of
data breaches throughout the world. While the report shows that the motivation for most breaches is still financial, this is shifting.
Espionage has become a major motivation since 2009, and the number of attacks motivated by espionage rose from virtually zero to
almost 25% through 2013.[6]

Understanding the types of attackers is important for threat and attack modeling, which is discussed later in this book. Keep in mind
that while certain types of organizations may be more prone to being targeted by certain attackers, it is also possible for attackers to
shift to other targets as techniques and motivations change.

[4] Mandiant, APT1: Exposing One of China's Cyber Espionage Units, intelreport.mandiant.com/Mandiant_APT1_Report.pdf
[5] IEEE Spectrum, The Real Story of Stuxnet, 26 Feb 2013, spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
[6] Verizon, 2014 Data Breach Investigations Report, 2014, www.verizonenterprise.com/DBIR/2014/reports/rp_Verizon-DBIR-2014_en_xg.pdf


Chapter 5. Principles of Cybersecurity Law


In response to the rise of criminal activity associated with computer systems, several laws have been introduced in various nations over
the years. Unfortunately, the scope and implementation of these laws varies wildly across nations. This has resulted in a patchwork of
laws that may be challenging to navigate. This section will discuss some of the major legislation, but depending on an organization's
location and sector, there may be other laws that apply. It is essential to involve the legal department in cybersecurity decisions to
verify what laws apply to an organization.

Computer Fraud and Abuse Act


In the United States, many attacks against cybersecurity fall under the Computer Fraud and Abuse Act (CFAA) that is codified in
18 U.S.C. § 1030.

Simply stated, the CFAA says, "Whoever intentionally accesses a computer without authorization or exceeds authorized access, and
thereby obtains information from any protected computer shall be punished as provided in subsection (c) of this section."[7]

But what is a protected computer? The statute defines it as follows:

"The term 'protected computer' means a computer

(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such
use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or
for the financial institution or the Government; or
(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States
that is used in a manner that affects interstate or foreign commerce or communication of the United States;"[8]

As most computers connected to the Internet are involved in some sort of interstate commerce, this definition is very broad.

Computer Misuse Act


Other countries have similar laws, such as England's Computer Misuse Act.[9] While the laws vary, the concept of unauthorized access
to a computer or network systems is central to many of them.

Industry Laws
There are specific laws for certain industries in some countries as well. In the United States, electronic protected health information
(e-PHI), individually identifiable health information that is stored or transmitted electronically, is regulated by the Security Rule of
the Health Insurance Portability and Accountability Act (HIPAA). The rule requires technical controls to limit access to e-PHI as well as
protection of the data as it travels over networks.[10] This protection extends to how covered entities allow third parties to access and
use the data.

Cybersecurity laws are often related closely to privacy laws and should be considered together when establishing policies to ensure compliance.

Questions to Consider
When exploring the cybersecurity laws that affect an organization, the following questions should be considered:
- Under which jurisdiction(s) does the organization operate, and what specific laws apply to the organization?
- By law, which information assets need to be protected?
- How can these laws be incorporated into the organization's cybersecurity policy?

It is important to consider laws, particularly regarding unauthorized access, when conducting vulnerability assessments and
penetration tests. As the foundation of many of these laws is built upon authorized access, it is critical for the cybersecurity team to
have written authorization from the system owners of any system that might be accessed in the process. This is particularly challenging
when it comes to cloud-based systems, as ownership may not be apparent.

[7] United States Government Printing Office (U.S. GPO), Computer Fraud and Abuse Act, 18 U.S.C. § 1030,
www.gpo.gov/fdsys/pkg/USCODE-2010-title18/html/USCODE-2010-title18-partI-chap47-sec1030.htm
[8] Ibid.
[9] The National Archives of the United Kingdom, Computer Misuse Act 1990, www.legislation.gov.uk/ukpga/1990/18/contents
[10] U.S. Department of Health & Human Services, Summary of the HIPAA Security Rule, www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html


Chapter 6. Security Policy: Design, Development, Management and Implementation

While laws that pertain to cybersecurity are crucial to an enterprise, policy is what drives organizations. Transforming Cybersecurity
explains cybersecurity policy as follows:

"The purpose of a cybersecurity policy is to clearly and unambiguously express the goals and objectives as well as the boundaries for
security management and security solutions. As such, the policy also serves to define the role and scope of cybersecurity within general
information security."[11]

Using COBIT 5
Cybersecurity policy may touch many aspects of an organization. Appendix A includes a matrix that cross-references cybersecurity
policy statements with areas such as strategy and compliance, as well as with COBIT 5 for Information Security policies.
Cybersecurity does not exist within a vacuum, and the policies should not only consider other organizational goals, but also support
those goals.

Considerations During the Design Phase


Policies should be designed around cybersecurity principles. COBIT 5 for Information Security has a list of information security
principles that transfer quite handily to cybersecurity.

In 2010, three leading global information security organisations (ISACA, ISF and International Information System Security Certification
Consortium [(ISC)2]) joined forces to develop 12 independent, non-proprietary principles that will help information security professionals
add value to their organisations by successfully supporting the business and promoting good information security practices. These
principles are structured in support of three tasks:
1. Support the business:
   - Focus on the business to ensure that information security is integrated into essential business activities.
   - Deliver quality and value to stakeholders to ensure that information security delivers value and meets business requirements.
   - Comply with relevant legal and regulatory requirements to ensure that statutory obligations are met, stakeholder expectations are
     managed, and civil or criminal penalties are avoided.
   - Provide timely and accurate information on information security performance to support business requirements and manage
     information risk.
   - Evaluate current and future information threats to analyse and assess emerging information security threats so that informed, timely
     action to mitigate risk can be taken.
   - Promote continuous improvement in information security to reduce costs, improve efficiency and effectiveness, and promote a culture of
     continuous improvement in information security.
2. Defend the business:
   - Adopt a risk-based approach to ensure that risk is treated in a consistent and effective manner.
   - Protect classified information to prevent disclosure to unauthorised individuals.
   - Concentrate on critical business applications to prioritise scarce information security resources by protecting the business applications
     in which a security incident would have the greatest business impact.
   - Develop systems securely to build quality, cost-effective systems on which business people can rely.
3. Promote responsible information security behaviour:
   - Act in a professional and ethical manner to ensure that information security-related activities are performed in a reliable, responsible
     and effective manner.
   - Foster an information security-positive culture to provide a positive security influence on the behaviour of end users, reduce the
     likelihood of security incidents occurring, and limit their potential business impact.[12]

During the design phase, the focus should be on these principles as well as the other cybersecurity-specific principles discussed in this
book. It should be remembered that policies should be high-level guidance, not specific guides on how to accomplish tasks.

[11] ISACA, Transforming Cybersecurity, USA, 2013, p. 83
[12] ISACA, COBIT 5 for Information Security, USA, 2012, p. 29


Considerations During the Implementation Phase


Policies should be developed in conjunction with the stakeholders. This is extremely valuable when reaching the implementation
phase. Few things derail the policy process more than being given a new policy that completely disrupts a business unit's operations,
especially when the business unit had no input. The legal and compliance team should be consulted to ensure that legal and
regulatory obligations are met. System owners can provide valuable input about processes that may be impacted by a new policy.
Finally, policies should have the appropriate executive sponsors to support their implementation. Policy development is an iterative
process and should be flexible enough to address changing goals. Refer to appendix A for examples.

Implementing policies is not as easy as publishing a new policy guide and placing it on the shelf or corporate intranet. Existing
processes must be evaluated against the new policy and updated as necessary. If a needed process does not exist, it must be created
to support the policy. Organizational culture should be considered when implementing new policies and processes. Some organizations
are very dynamic, while others are slow to change.

Finally, how cybersecurity policies are managed should be considered. Policies should be regularly reviewed to ensure they are both
relevant and are achieving the desired goals. Outdated policies may not address current business needs.


Chapter 7. Threat and Vulnerability Assessment


An essential part of cybersecurity is assessing both the threats to the organization as well as the vulnerabilities that exist within the
organization's connected systems. A vulnerability is something that can be exploited by a threat. Specifically, the National Information
Assurance Glossary (NAIG) defines vulnerability as "weakness in an information system, system security procedures, internal controls, or
implementation that could be exploited by a threat source."13 For example, if a program has a security flaw, that is the vulnerability.

A threat is an attack that can exploit the security flaw to gain access to or disrupt a system. NAIG refers to a threat as "any
circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or
reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized
access, destruction, disclosure, modification of information, and/or denial of service."14 Assessing threats and vulnerabilities is an
important step in the overall process of risk assessment and management.

Approaches to Assess Threats and Vulnerabilities
There are three different approaches, depending on the organization's preference.15
1. Asset-based assessment: The organization's information assets and systems are identified. Threats and vulnerabilities are then
analyzed based on assets.
2. Threat-based assessment: Potential threats are identified, followed by an analysis of assets and vulnerabilities.
3. Vulnerability-based assessment: In this scenario, first vulnerabilities are identified and then tied to the information assets. Finally,
threats to those vulnerabilities and assets are determined.

No one method is better than the others, although the different approaches may produce different outcomes.

Appendix B provides a list of example vulnerabilities as well as the threats associated with the vulnerabilities.

Inputs for Building a Risk Scenario


When considering risk, one should create a risk scenario that forms a narrative exploring the possible disruptions to information
systems. Figure 3 indicates inputs to the risk scenario one might use for risk assessment. Each of the actor and threat types must be
considered during the threat assessment. The event is the result of the threat acting upon the vulnerability.

Figure 3. Risk Scenario Structure

Actor: Internal (staff, contractor); External (competitor, outsider, business partner, regulator, market)
Threat Type: Malicious; Accidental; Error; Failure; Nature; External requirement
Event: Disclosure; Interruption; Modification; Theft; Destruction; Ineffective design; Ineffective execution; Rules and regulations; Inappropriate use
Asset/Resource: People and skills; Organisational structures; Process; Infrastructure (facilities); IT infrastructure; Information; Applications
Time: Duration; Timing of occurrence (critical or non-critical); Detection; Time lag

Source: ISACA, COBIT 5 for Risk, USA, 2013, figure 36

13 Committee on National Security Systems (CNSS), National Information Assurance (IA) Glossary, 12 April 2010, www.ncix.gov/publications/policy/docs/CNSSI_4009.pdf
14 Ibid.
15 ISACA, Cybersecurity Fundamentals Study Guide, USA, 2014


Threats and vulnerabilities can be assigned qualitative characteristics, quantitative scores or a mix of both. Qualitative
characteristics focus on the impact to a business based on judgment and experience. Quantitative scores can be useful in assigning risk
based on threats and vulnerabilities. Typically, a numeric score is assigned based on the potential damage of the threat or vulnerability,
another for the likelihood of it manifesting, and a third score based on the value of the asset involved.
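The following is an added example, not code from the book or from ISACA, that builds risk scenarios with the figure 3 structure, scores each one with the three judgments described above (potential damage, likelihood, asset value), and then totals the scores the way each of the three assessment approaches would group them. The 1-3 ordinal scale, the product formula and the sample scenarios are assumptions made for the example; the vulnerability names are those of appendix B.

```python
from dataclasses import dataclass
from collections import defaultdict

# Ordinal scale for the three scores the chapter describes (potential damage,
# likelihood of manifesting, value of the asset). The 1-3 scale and the product
# formula are assumptions made for this example; the book prescribes neither.
SCALE = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class RiskScenario:
    """One risk scenario using the COBIT 5 structure shown in figure 3."""
    actor: str          # Internal (staff, contractor) or External (competitor, outsider, ...)
    threat_type: str    # Malicious, Accidental, Error, Failure, Nature, External requirement
    event: str          # Disclosure, Interruption, Modification, Theft, Destruction, ...
    asset: str          # People and skills, Process, IT infrastructure, Information, Applications, ...
    vulnerability: str  # the weakness the threat exploits, named as in appendix B
    timing: str         # timing of occurrence: critical or non-critical
    damage: str         # score 1: potential damage
    likelihood: str     # score 2: likelihood of the threat manifesting
    asset_value: str    # score 3: value of the asset involved

    def score(self) -> int:
        """Quantitative score combining the three judgments."""
        return SCALE[self.damage] * SCALE[self.likelihood] * SCALE[self.asset_value]

    def threat(self) -> str:
        """Threat label used by the threat-based approach: which actor, of what kind."""
        return f"{self.actor}/{self.threat_type}"


# Constructed sample scenarios (not from the book). Vulnerabilities use the
# appendix B names; the other fields use the figure 3 vocabulary.
SCENARIOS = [
    RiskScenario("External", "Malicious", "Disclosure", "Information",
                 "Spear phishing", "critical", "High", "High", "High"),
    RiskScenario("External", "Malicious", "Interruption", "IT infrastructure",
                 "Zero-day", "critical", "High", "Low", "High"),
    RiskScenario("Internal", "Malicious", "Theft", "Information",
                 "Excessive privilege", "non-critical", "Medium", "Medium", "High"),
    RiskScenario("Internal", "Error", "Modification", "Applications",
                 "Excessive privilege", "non-critical", "Medium", "High", "Medium"),
    RiskScenario("External", "Malicious", "Modification", "Applications",
                 "Vendor/business partner exploit", "non-critical", "High", "Low", "Medium"),
]

# The three approaches differ in which element the scenarios are grouped by:
# the asset, the threat, or the vulnerability.
APPROACH_KEY = {
    "asset": lambda s: s.asset,
    "threat": lambda s: s.threat(),
    "vulnerability": lambda s: s.vulnerability,
}


def assess(scenarios, approach):
    """Total the scenario scores per group for the chosen approach, highest first."""
    totals = defaultdict(int)
    for s in scenarios:
        totals[APPROACH_KEY[approach](s)] += s.score()
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def top_priority(scenarios, approach):
    """The group the chosen approach would put at the top of the treatment list."""
    return assess(scenarios, approach)[0][0]


if __name__ == "__main__":
    for approach in APPROACH_KEY:
        print(f"{approach}-based assessment:")
        for group, total in assess(SCENARIOS, approach):
            print(f"  {total:3d}  {group}")
```

The same five scenarios put "Information" first under the asset-based view but "Spear phishing" and then "Excessive privilege" first under the vulnerability-based view, which is the sense in which the approaches can have different outcomes.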

Threat actors can come in a variety of forms (see figure 4).

Figure 4. Cybersecurity Threat Agents

[Figure: ENISA map of threat agents arranged by sector, capability (from low tech/low capability and soft skills to high tech/high capability and high expertise), motive and hostile or friendly stance, for both group and individual agents, with examples of concurrent roles. Agents shown include script kiddies, online social hackers, employees, ethical hackers and researchers, national security agents, law enforcement agents, cyber-soldiers (military), cyber terrorists, cyber criminals, cyber fighters, hacktivists, corporations and paid espionage.]

Source: European Union Agency for Network and Information Security (ENISA), ENISA Threat Landscape 2013: Overview of Current and Emerging Cyber-threats, 11 December 2013, figure 20

Detecting Vulnerabilities
Vulnerabilities can be discovered in multiple ways. Two common methods are vulnerability scanners and penetration tests, as shown
in figure 5.

Figure 5. Two Methods of Detecting Vulnerabilities

Vulnerability scanners: Vulnerability scanners are tools that are designed to detect known software flaws and configurations.
The scanners then generate a report that can be used to document vulnerabilities. Often, these reports include scores indicating the
severity of vulnerabilities found.

Penetration tests: Penetration tests take the vulnerability results one step further. A penetration tester, sometimes known as an
ethical hacker, attempts to compromise the system using the same techniques a threat actor might attempt. The penetration tester
then creates a report documenting the findings of the test, along with remediation suggestions.

Lists of known vulnerabilities can also be found at the National Vulnerability Database at nvd.nist.gov.


Chapter 8. Threat, Attack and Defense Models


An important step in establishing an effective cybersecurity program is an understanding of the various threat, attack and defense
models. Not only does an understanding of these models help an organization assess risk, it allows the exploration of different
scenarios related to cybersecurity.

STRIDE
According to Microsoft, threat modeling is "the methodical review of a system design or architecture to discover and correct
design-level security problems."16 The model Microsoft uses is called STRIDE. STRIDE is an acronym for Spoofing, Tampering,
Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege. Each component represents a different threat to
a system. The process of using STRIDE involves breaking down the components of a system, network or application and analyzing
where each of the categories may apply.
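The following is an added example, not from the book or from Microsoft, of the STRIDE process just described: a system is broken down into data-flow elements, each element is checked against the categories that apply to its kind, and the pairs with no recorded control are listed as the design-level problems still to correct. The per-element applicability chart is the one used in Microsoft's STRIDE-per-element practice as the example's author knows it; the web application model and its controls are constructed.

```python
from dataclasses import dataclass

# The six STRIDE categories named in the chapter.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# STRIDE-per-element: the categories normally considered for each kind of element
# in a data-flow diagram. This chart follows Microsoft's threat modeling practice,
# not the book: external entities can be spoofed or repudiate actions; processes
# are exposed to all six; data flows and data stores to tampering, disclosure and
# denial of service; a data store holding logs or audit records is additionally
# subject to repudiation.
APPLICABLE = {
    "external entity": "SR",
    "process": "STRIDE",
    "data flow": "TID",
    "data store": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str              # one of the APPLICABLE keys
    holds_logs: bool = False


def applicable_categories(element):
    """Categories to analyze for one element of the decomposed system."""
    codes = APPLICABLE[element.kind]
    if element.kind == "data store" and element.holds_logs:
        codes += "R"
    return [STRIDE[c] for c in codes]


def enumerate_threats(elements):
    """Every (element, category) pair the review must examine."""
    return [(e.name, cat) for e in elements for cat in applicable_categories(e)]


def open_threats(elements, mitigations):
    """Pairs with no recorded control: the design-level problems still to correct."""
    return [t for t in enumerate_threats(elements) if t not in mitigations]


# Constructed model of a web application (not from the book):
# browser -> HTTPS -> web application -> SQL -> database, plus an audit log.
MODEL = [
    Element("Browser user", "external entity"),
    Element("HTTPS request/response", "data flow"),
    Element("Web application", "process"),
    Element("SQL query/result", "data flow"),
    Element("Customer database", "data store"),
    Element("Audit log", "data store", holds_logs=True),
]

# Controls already in the design, keyed by the threat they address (constructed).
MITIGATIONS = {
    ("Browser user", "Spoofing"): "password plus second factor at login",
    ("HTTPS request/response", "Tampering"): "TLS",
    ("HTTPS request/response", "Information Disclosure"): "TLS",
    ("SQL query/result", "Tampering"): "parameterized queries",
    ("Audit log", "Repudiation"): "append-only log with synchronized clocks",
}

if __name__ == "__main__":
    for element, category in open_threats(MODEL, MITIGATIONS):
        print(f"{element}: {category} (no control recorded)")
```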

Threat Modeling
There are several threat modeling methodologies. Organizations need to evaluate the most appropriate one for their systems. When
modeling a threat, both capabilities and intent must be considered. This is important because capabilities vary greatly. A lone
hacktivist may have intent to do great harm, but may lack the capability of an organized crime syndicate. Attack modeling and
defense modeling form part of the overall process of threat modeling.

Attack Modeling
Attack modeling is the process of identifying and categorizing the actions an attacker may take against a particular system.
For example, the model used by penetration testers is similar to that of many attackers. The steps in that model are reconnaissance,
scanning or enumeration, gaining access, maintaining access and covering tracks. This is not always a linear process, and an attacker
may repeat an earlier step as new information presents itself.

Reconnaissance
Reconnaissance consists of gathering information about the target organization or system. This often consists of reviewing
the organization's web presence, and reading news articles, press releases and job postings to find information about systems and
technologies in use. Lists of, and information about, executives and other targets for phishing activities may be gathered from financial
reports and social media.

Scanning
Scanning, also called enumeration, is the attempt to locate systems accessible to the attacker and find the services running on them.
Typically, these are public facing systems, such as web servers, mail servers and File Transfer Protocol (FTP) servers. In the event the
attacker already has a foothold inside the network, due to being an insider or through other means, this scan could include all internal
servers and applications as well.

Gaining Access
The next step is gaining access. This is where the attacker exploits a vulnerability to take control of a system. After the attacker has
access to the system, he/she has several options. The attacker may look for information on the system to use to compromise other
systems. The attacker may seek to elevate his/her privileges on the system, gaining administrator level access. The attacker may also
use the compromised system as an attack platform to pivot into other systems.

Maintaining Access
Once access is achieved, the attacker will seek to maintain access. This may involve installing backdoors that allow the attacker to
easily connect to the system again, creating additional accounts on the system or installing other malware. The goal of this step is to
aid in further attacks by eliminating the need to exploit the vulnerability again.

16 Hernan, Shawn; Scott Lambert; Tomasz Ostwald; Adam Shostack; "Uncover Security Design Flaws Using the STRIDE Approach," MSDN Magazine,
msdn.microsoft.com/en-us/magazine/cc163519.aspx


Covering Tracks
Finally, the attacker may attempt to cover his/her tracks. This primarily involves removing log files that would enable an individual to
retrace the attacker's steps while investigating the incident. By removing the log files, it is more difficult for incident responders to
know the scope of the attack.

These are general steps used in an attack and can be useful in modeling an attack. Less sophisticated attackers may forgo some of these
steps. More sophisticated attackers may include additional steps. For more information on the latter, please see the ISACA publication
Responding to Targeted Cyberattacks.

Defense in Depth
Defense modeling follows a similar progression of steps and is often described as providing defense in depth. The concept of defense
in depth is that the organization has several layers of defense that must be defeated for the attacker to be successful. For example, an
organization can have a perimeter firewall, an intrusion detection system (IDS), a host-based firewall and a patched operating system
with unneeded services turned off.

The National Institute of Standards and Technology (NIST) provides a number of guides relating to security. For example,
NIST SP 800-123 (footnote 17) provides guidance for configuring server security. The steps to secure the operating system (OS) are:
• Patch and update the OS.
• Harden and configure the OS to address security adequately.
• Install and configure additional security controls, if needed.
• Test the security of the OS to ensure that the previous steps adequately addressed all security issues.
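The following is an added example, not from the book or from NIST, of the last step above: a verification pass that checks the outcome of the first two steps (pending patches, sshd hardening settings and services left listening on the network) against what a hardened web server should look like. The sshd_config excerpt, the listening-socket table, the package versions and the expected settings are all constructed for the example; a real script would read them from the host.

```python
# All inputs below are constructed for this example; a real verification script
# would read them from the host (sshd_config, the listening-socket table and the
# package manager's list of pending updates).
SSHD_CONFIG = """\
# constructed /etc/ssh/sshd_config excerpt
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
"""

# (protocol, local address:port, process), in the spirit of an `ss -ltnp` listing
LISTENING = [
    ("tcp", "0.0.0.0:22", "sshd"),
    ("tcp", "0.0.0.0:443", "nginx"),
    ("tcp", "0.0.0.0:21", "vsftpd"),
    ("tcp", "127.0.0.1:3306", "mysqld"),
]

# installed vs. available package versions (constructed)
INSTALLED = {"openssl": "1.0.1e-3", "nginx": "1.4.6-1", "bash": "4.3-7"}
AVAILABLE = {"openssl": "1.0.1e-4", "nginx": "1.4.6-1", "bash": "4.3-7"}

# Hardening expectations for this server role (web server): which services may
# accept connections from the network, and which sshd directives are required.
ALLOWED_NETWORK_SERVICES = {"sshd", "nginx"}
REQUIRED_SSHD = {"permitrootlogin": "no", "passwordauthentication": "no"}


def parse_sshd_config(text):
    """Map each directive (sshd treats names case-insensitively) to its value."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings


def check_sshd(text, required=REQUIRED_SSHD):
    """Step 2 (harden): report required directives that are missing or wrong."""
    settings = parse_sshd_config(text)
    return [f"sshd: {key} is {settings.get(key, 'unset')}, expected {want}"
            for key, want in required.items() if settings.get(key) != want]


def check_services(listening, allowed=ALLOWED_NETWORK_SERVICES):
    """Step 2 (unneeded services): anything reachable from the network must be allowed.
    Loopback-only listeners are not exposed and are not reported."""
    findings = []
    for proto, addr, process in listening:
        host, _, _port = addr.rpartition(":")
        if host.startswith("127.") or host == "::1":
            continue
        if process not in allowed:
            findings.append(f"services: {process} listens on {proto} {addr} but is not allowed")
    return findings


def check_patches(installed, available):
    """Step 1 (patch): any package with a different available version is outstanding.
    Exact string comparison is a simplification; package managers compare versions properly."""
    return [f"patches: {pkg} {ver} installed, {available[pkg]} available"
            for pkg, ver in installed.items()
            if pkg in available and available[pkg] != ver]


def verify_os(sshd_config=SSHD_CONFIG, listening=LISTENING,
              installed=INSTALLED, available=AVAILABLE):
    """Step 4 (test): collect every finding the earlier steps left behind."""
    return (check_patches(installed, available)
            + check_sshd(sshd_config)
            + check_services(listening))


if __name__ == "__main__":
    for finding in verify_os() or ["no findings"]:
        print(finding)
```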

Remember that all of these modeling tasks are iterative. Threats evolve constantly, and as an organization grows or moves into
different sectors, it may attract different attackers with different capabilities. Systems will be added and removed from the enterprise,
and the defense models should be applied to new systems. Both the new systems and the defense models must be re-evaluated in light
of changes. For example, if a system that required a specific firewall rule is removed, the firewall should be updated appropriately.

Some modeling can be much more detailed, forming a decision tree for an attack or defense. This sort of modeling is very intensive
and requires deep analysis of the systems involved. For example, the model may list actions that an attacker will take if they detect a
particular service running. Likewise, the defense model may show the options for dealing with traffic that is allowed through a firewall
instead of blocked.

17 Scarfone, Karen; Wayne Jansen; Miles Tracy; Guide to General Server Security, NIST, 2008, csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf


Chapter 9. Incident Response


Despite an organization's best efforts, attackers are sometimes successful. When this happens, an incident occurs. It is important
to distinguish between events and incidents. NIST defines an event as "any observable occurrence in a network or system."18 This
includes normal network operations, such as connections to servers, email transactions and database updates. NIST goes on to define
a computer security incident as "a violation or imminent threat of violation of computer security policies, acceptable use policies, or
standard security practices."

When incidents occur, it is essential to have a plan in place to handle them. That is the purpose of incident response. The people
trained to deal with incidents are called incident handlers and are part of an incident response team.

Incident Response Phases


The ISACA Cybersecurity Fundamentals Study Guide describes incident response as a formal program that prepares an entity for an
incident.

This [an incident response formal program] generally includes:


1. Preparation to establish roles, responsibilities and plans for how an incident will be handled
2. Detection and Analysis capabilities to identify incidents as early as possible and effectively assess the nature of the incident
3. Investigation capability if identifying an adversary is required
4. Mitigation and Recovery procedures to contain the incident, reduce losses and return operations to normal
5. Post-incident Analysis to determine corrective actions to prevent similar incidents in the future19

The incident response phases are also shown in figure 6.

Figure 6. Incident Response Phases

Preparation -> Detection and Analysis -> Containment, Eradication and Recovery -> Post-incident Activity

Source: ISACA, Cybersecurity Fundamentals Study Guide, USA, 2014, p. 95

18 Cichonski, Paul; Tom Millar; Tim Grance; Karen Scarfone; Computer Security Incident Handling Guide, NIST, 2012, csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
19 ISACA, Cybersecurity Fundamentals Study Guide, USA, 2014


Preparation
The first step of incident response should occur long before an incident actually happens. This is the preparation phase. This is the
time to create an organization's incident response plans, establish policies for handling incidents and develop relationships with
law enforcement and other entities, such as Internet service providers (ISPs), that may be involved in the incident response plan. This
is also the time to acquire the forensics tools and skills needed to investigate an incident. During preparation, an organization should
implement controls on systems, establish baselines and perform risk assessments.

Detection
Threats will be identified during the detection and analysis phase. Incidents may be detected from a variety of sources, including
reports from end users, administrators and external entities. Similarly, they may be triggered by an alarm from intrusion detection
systems (IDSs) or log management software.

Once an incident is suspected, the incident response team should analyze the information to determine whether an actual incident has
occurred or whether it was simply an event. This analysis should use the known baseline information from the preparation phase, event
correlation and external resources. The information gathered and the analysis performed should be thoroughly documented. If forensic
evidence is gathered, a chain of custody should be established, documenting each person involved in handling the evidence.
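The following is an added example, not from the book or from NIST, of the analysis described in this section: every log line is treated as an event, a baseline from the preparation phase (the addresses administrators normally connect from) is used to correlate events into an incident, and the lines that make up the evidence are hashed and given a chain-of-custody record that refuses a hand-off if the evidence no longer matches. The log lines, the baseline and the correlation rule (a burst of failed logins followed by a success from a source outside the baseline) are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed SSH authentication log lines (not from the book). Every line is an
# event in the NIST sense; only some of them will turn out to belong to an incident.
LOG_LINES = [
    "2014-06-01T02:10:01 sshd[2211]: Failed password for admin from 198.51.100.7 port 50211",
    "2014-06-01T02:10:04 sshd[2211]: Failed password for admin from 198.51.100.7 port 50212",
    "2014-06-01T02:10:09 sshd[2211]: Failed password for admin from 198.51.100.7 port 50213",
    "2014-06-01T02:10:15 sshd[2214]: Accepted password for admin from 198.51.100.7 port 50214",
    "2014-06-01T08:30:00 sshd[3001]: Accepted publickey for ops from 10.0.5.12 port 41002",
    "2014-06-01T09:12:44 sshd[3100]: Failed password for ops from 10.0.5.12 port 41100",
    "2014-06-01T09:12:50 sshd[3100]: Accepted password for ops from 10.0.5.12 port 41101",
]

# Baseline established during preparation: sources administrators normally log in from.
BASELINE_ADMIN_SOURCES = {"10.0.5.12"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) \w+ for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+$"
)


def parse_events(lines):
    """Extract the fields the correlation needs from each parsable log line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "outcome": m["outcome"],
                           "user": m["user"], "src": m["src"], "raw": line})
    return events


def correlate(events, baseline_sources, threshold=3, window=timedelta(minutes=5)):
    """Declare an incident when a login succeeds from a source outside the baseline
    after at least `threshold` failures for the same account and source within `window`.
    Everything else stays an ordinary event."""
    incidents = []
    for i, ev in enumerate(events):
        if ev["outcome"] != "Accepted" or ev["src"] in baseline_sources:
            continue
        failures = [e for e in events[:i]
                    if e["outcome"] == "Failed" and e["user"] == ev["user"]
                    and e["src"] == ev["src"] and ev["ts"] - e["ts"] <= window]
        if len(failures) >= threshold:
            incidents.append({"user": ev["user"], "src": ev["src"], "ts": ev["ts"],
                              "failed_attempts": len(failures),
                              "evidence_lines": [e["raw"] for e in failures] + [ev["raw"]]})
    return incidents


def digest(lines):
    """Integrity hash of the evidence as collected."""
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


@dataclass
class Evidence:
    description: str
    sha256: str
    custody: list = field(default_factory=list)   # (when, handler, action) entries


def collect_evidence(lines, description, handler, when):
    """Start the chain of custody: who collected the evidence, when, and its hash."""
    evidence = Evidence(description, digest(lines))
    evidence.custody.append((when, handler, "collected"))
    return evidence


def transfer_custody(evidence, lines, from_handler, to_handler, when):
    """Record a hand-off; refuse it if the evidence no longer matches its hash."""
    if digest(lines) != evidence.sha256:
        raise ValueError("evidence does not match its recorded hash; transfer refused")
    evidence.custody.append((when, f"{from_handler} -> {to_handler}", "transferred"))
    return evidence


if __name__ == "__main__":
    events = parse_events(LOG_LINES)
    for inc in correlate(events, BASELINE_ADMIN_SOURCES):
        print(f"incident: {inc['failed_attempts']} failures then success for "
              f"{inc['user']} from {inc['src']}")
        ev = collect_evidence(inc["evidence_lines"], "sshd log excerpt", "handler A", "2014-06-01T10:00")
        transfer_custody(ev, inc["evidence_lines"], "handler A", "forensics lab", "2014-06-01T11:30")
        print(ev.sha256, ev.custody)
```

The ops account's single failure followed by a success from the baseline address stays an event; the admin logins from the unknown address become the one incident.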

Containment
Once an incident has been declared, the next step is containment. The idea behind containment is to limit the amount of damage the
attacker can cause as well as preserving evidence. This may include moving the machine to an isolated virtual local area network
(VLAN) or disconnecting it from the network to prevent it from affecting other systems and to disrupt the attacker's control. A VLAN
is a networking technique that allows systems to be virtually grouped or isolated from other networked systems, regardless of physical
location. This is accomplished by a setting on the switch or the router that connects the device to the network. Additional forensic data
is often collected at this point for further analysis, or for use in legal action. The length of this phase should be agreed on by the system
owner and the incident response team, because the system involved will be unavailable during this time.

Eradication
Once the attack has been contained, the eradication phase begins. This is when the root cause of the incident is determined, and it is
eradicated. The systems should be cleaned up and then checked for new vulnerabilities. After the system has been restored, recovery
takes place by reinstating the services the system provided.

As shown in figure 6, the analysis and recovery phase and the containment and eradication phase can feed into each other. As new
information is discovered, the incident handler should identify and analyze this information and act appropriately.

Post-incident Activity
Finally, there is the post-incident activity. This is primarily about lessons learned. The incident handling team should document the
results of the investigation as well as the steps taken. Not only should the incident itself be reviewed, but also the processes and
performance of the incident team should be reviewed as part of a continuous improvement process.


Chapter 10. Conclusion


Cybersecurity is an exciting and quickly changing field. This student book presents an introduction to several key cybersecurity
concepts. Each topic could be a book by itself. For continued learning, please refer to the ISACA publications Transforming
Cybersecurity, Responding to Targeted Cyberattacks and Cybersecurity Fundamentals Study Guide.


Appendix A. Cybersecurity Policy Cross-references


Figure 7. Components of the Cybersecurity Policy (footnote 20)

Cybersecurity Policy Subject/Area | Policy Set | COBIT 5 for Information Security Cross-references
Analyze business risk of attacks/breaches to business processes and prioritize cybersecurity accordingly. | Strategy | Information security; Risk management
Establish the tolerated level of attacks and breaches, as seen from a business perspective. | Strategy | Information security; Risk management
Perform stakeholder analysis (internal and external) and derive requirements for cybersecurity. | Strategy | Information security; Risk management
Perform business (and legal/regulatory) requirements analysis (internal and external) and derive specific requirements for cybersecurity. | Strategy | Compliance; Risk management
Define high-level cybersecurity objectives and obtain senior management sign-off. | Strategy | Information security
Identify (globally and locally) laws, regulations and governance rules for cybersecurity, and define requirements. | Governance; Compliance | Compliance
Mandate these requirements throughout the overall cybersecurity system and its components. | Governance; Compliance | Compliance
Establish cybersecurity KPIs and regular reporting. | Operations | Information security; Compliance
Establish cybersecurity KRIs and regular reporting. | Operations; Risk | Information security; Risk management
Identify threats to all parts of the enterprise (see previous). | Risk | Information security; Risk management
Anticipate future threats through cybercrime and cyberwarfare. | Risk | Information security; Risk management
Collect data and evidence on cybersecurity incidents, attacks and breaches. | Operations | Communications and operations
Apply horizon scan and detailed data analysis techniques to obtain a reasonably solid outlook on the future of cybersecurity. | Operations | Communications and operations; Risk management
Leverage external expertise as appropriate. | Strategy | Information security; Acquisition/development/maintenance
Establish a continuous improvement process based on past experience and future trends. | Operations | Information security
Establish a fault/error tolerant cybersecurity process. | Operations | Information security; Risk management; Asset management; Business continuity (BC)/disaster recovery (DR)
Foster a culture that promotes improvement and adaptive thinking. | Culture | Information security; Rules of behavior; Communications and operations
Define appropriate risk identification and assessment process. | Risk | Information security; Risk management
Validate risk treatment options in cybersecurity. | Risk | Information security; Risk management
Align risk with the selected overall governance model. | Risk; Governance | Information security; Risk management
Include past incidents and technical/organizational learnings. | Operations | Communications and operations
Identify and assess new risk arising from cybercrime and cyberwarfare. | Operations; Risk | Communications and operations
Establish data classification with regard to cybercrime. | Operations; Compliance | Information security; Compliance; Asset management
Establish data classification with regard to cyberwarfare. | Operations; Compliance | Information security; Compliance; Asset management
Include cloud-based storage and services as well as data residing, or flowing through, mobile or public devices. | Operations | Information security; Compliance; Asset management; Vendor management
Provide cybersecurity-related input to general identity and access management. | Operations | Communications and operations
Identify critical business applications by performing a BIA with a cybersecurity perspective. | Continuity | Information security; BC/DR
Perform an in-depth dependency analysis from the critical application layer down to identify potentially vulnerable points of entry. | Continuity | Information security; BC/DR
Focus cybersecurity on the weakest link in the chain and align to overall BIA. | Continuity | Information security; BC/DR; Risk management
Allocate resources and funding in line with the real cybercrime and cyberwarfare threats, and consider indirect attack vectors and attack approaches. | Continuity | Information security; BC/DR; Risk management
Adopt the mindset of the attacker: greatest havoc with least effort. | Continuity | Information security; BC/DR; Risk management
Establish software life cycle controls for self-developed and customized applications. | Operations | Acquisition/development/maintenance
Define cybersecurity onboarding process for potentially critical applications and systems. | Operations | Acquisition/development/maintenance
Engage with vendors to achieve upstream cybersecurity controls. | Operations | Vendor management
Engage with vendors to manage zero-day vulnerabilities and points of entry. | Operations | Vendor management
Apply governance (see previous chapter) to cybersecurity policies, standards and KOPs. | Governance | Information security; Compliance
Introduce self-assessment and peer assessment routines for exposed personnel (integrity assurance). | Operations; Culture | Information security; Compliance (outside information security: HR policy set)
Perform background checks (on an opt-in basis) for personnel in cybersecurity. | Operations; Culture | Information security; Compliance (outside information security: HR policy set)
Define and implement appropriate checks and verifications for new hires in sensitive positions. | Operations; Culture | Information security; Compliance (outside information security: HR policy set)
Define and implement appropriate procedures for termination. | Operations; Culture | Information security; Compliance (outside information security: HR policy set)
Ensure recognition of cybersecurity personnel by appropriate incentives and acknowledgement. | Culture | Information security; Compliance; Rules of behavior (outside information security: HR policy set)
Define cybersecurity behavioral guidance. | Culture | Rules of behavior
Foster awareness about cybersecurity and cybercrime. | Culture | Compliance; Rules of behavior
Provide practical examples and cases of attacks/breaches. | Operations; Culture | Information security
Highlight business impact of attacks/breaches. | Operations; Culture | Information security
Link to guiding principles (see following text) for cybersecurity. | Governance | Information security

20 ISACA, Transforming Cybersecurity, USA, 2013, figure 29


Appendix B. Vulnerability and Threat Examples


Figure 8. Cybervulnerabilities, Threats and Risk (Illustrative) (footnote 21)

Vulnerability | Threat | Risk and Impact
Spear phishing | Attackers may gain access through phish payload or combined social-technical follow-up. | Initial data loss or leakage leading to secondary financial and operational impact
Water holing | Attackers may gain control of attractive web sites and subsequent control of visitors. | Initial behavioral errors leading to secondary financial and operational impact
Wireless/mobile APT | Attacks may compromise wireless channels and/or mobile devices to enable temporary or permanent control. | Partial or full control of one or more wireless installations and/or mobile devices; direct or indirect impact on all critical IT applications and services
Zero-day | Attacks use zero-day exploits to circumvent existing defenses. | Partial or full control of applications and underlying systems/infrastructure, leading to secondary operational impact
Excessive privilege | Inside attacks may happen using inappropriate privileges and access rights. | Full and (technically) legitimate control outside the boundaries of organizational GRC, secondary financial, operational and reputational impacts
Social engineering | Attackers exploit social vulnerabilities to gain access to information and/or systems. | Partial or full control of human target(s), subsequent compromise of IT side, secondary impacts on personal/individual well-being
Home user APT | Attacks use the fact that home environments may be less well protected than organizational environments. | Partial or full control of applications, systems and home infrastructures, secondary financial, operational and reputational impacts, including impacts on personal/individual well-being
Extended IT infrastructure APT | Attacks may target the IT infrastructure underlying critical organizational processes. | Full control of infrastructure, risk of extended control, including public infrastructures or business partners
Non-IT technical infrastructure APT | Attacks may tunnel the barrier between IT and other critical infrastructures within the enterprise. | Partial or full control of nonstandard IT and technical infrastructure, e.g., supervisory control and data acquisition (SCADA), secondary operational impact
Vendor/business partner exploit | There are attacks on trusted business partners or vendors, compromising key software or deliverables. | Initial attack through organizational IT directed at third parties, with financial, operational and reputational impact

21 ISACA, Transforming Cybersecurity, USA, 2013, figure 12


Figure 9. Vulnerabilities in Context (Illustrative) (footnote 22)

Vulnerability | Motive | Opportunity | Effort
Spear phishing | Financial, competitive espionage, data theft, etc.; often preparatory to main attack | Email access to target | Medium to high, depending on quality of phish
Water holing | Financial, competitive espionage, data theft, etc.; often preparatory to main attack | Email access to target, control of attractive web sites (the watering holes) | High, depending on precision of targeting
Wireless/mobile APT | Financial, espionage, blackmail/extortion, theft of personally identifiable information (PII), etc. | (Temporary) proximity to target | Low to medium
Zero-day | Financial, operational, data theft, blackmail/extortion, control of technical infrastructure | Availability of suitable zero-day exploits, organized handling of exploits | Medium to high
Excessive privilege | Financial, personal (e.g., disgruntled employee), data theft, blackmail/extortion, reputational | Deficiencies in identity and access management, corruption, etc. | Low to medium
Home user APT | Financial, espionage, data theft, theft of PII, etc. | Physical or logical access to target | Low to high, depending on level of protection of target environment
Extended IT infrastructure APT | Operational, blackmail/extortion, control of technical infrastructure, data corruption or deletion, cyberwarfare | Logical access to target, often preceded by other forms of attack | High to very high, depending on level of protection of target environment
Non-IT technical infrastructure APT | Operational, blackmail/extortion, control of technical infrastructure, data corruption or deletion, cyberwarfare | Logical access to target, often preceded by other forms of attack | High to very high, depending on level of protection of target environment
Vendor/business partner exploit | Financial, personal (e.g., disgruntled employee), data theft, blackmail/extortion, reputational | Logical access to target, often preceded by other forms of attack | Low to high, depending on effort needed for introductory attacks

22 ISACA, Transforming Cybersecurity, USA, 2013, figure 12


Glossary
A
Acceptable use policy: A policy that establishes an agreement between users and the enterprise and defines for all parties the ranges
of use that are approved before gaining access to a network or the Internet

Access control list (ACL): An internal computerized table of access rules regarding the levels of computer access permitted to logon
IDs and computer terminals. Also referred to as access control tables.

Access rights: The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files
within a system, as defined by rules established by data owners and the information security policy

Accountability: The ability to map a given activity or event back to the responsible party

Advanced Encryption Standard (AES): A public algorithm that supports keys from 128 bits to 256 bits in size

Advanced persistent threat (APT): An adversary that possesses sophisticated levels of expertise and significant resources which
allow it to create opportunities to achieve its objectives using multiple attack vectors (NIST SP800-61).

The APT:
1. Pursues its objectives repeatedly over an extended period of time
2. Adapts to defenders' efforts to resist it
3. Is determined to maintain the level of interaction needed to execute its objectives

Adversary: A threat agent

Adware: A software package that automatically plays, displays or downloads advertising material to a computer after the software
is installed on it or while the application is being used. In most cases, this is done without any notification to the user or without the
user's consent. The term adware may also refer to software that displays advertisements, whether or not it does so with the user's
consent; such programs display advertisements as an alternative to shareware registration fees. These are classified as adware in the
sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user,
and it provides the user with a specific service.

Anti-malware: A technology widely used to prevent, detect and remove many categories of malware, including computer viruses,
worms, Trojans, key-loggers, malicious browser plug-ins, adware and spyware

Antivirus software: An application software deployed at multiple points in an IT architecture. It is designed to detect and potentially
eliminate virus code before damage is done and repair or quarantine files that have already been infected.

Asset: Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances
and reputation

Attack: An actual occurrence of an adverse event

Attack mechanism: A method used to deliver the exploit. Unless the attacker is personally performing the attack, an attack
mechanism may involve a payload, or container, that delivers the exploit to the target.

Attack vector: A path or route used by the adversary to gain access to the target (asset). There are two types of attack vectors:
ingress and egress (also known as data exfiltration).

26
Glossary

Audit trail: A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source

Authentication: The act of verifying the identity of a user and the user's eligibility to access computerized information. Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.

Authenticity: Undisputed authorship.

Availability: Ensuring timely and reliable access to and use of information.

B
Back door: A means of regaining access to a compromised system by installing software or configuring existing software to enable remote access under attacker-defined conditions

Botnet: A term derived from "robot network"; a large automated and distributed network of previously compromised computers that can be simultaneously controlled to launch large-scale attacks such as a denial-of-service attack on selected victims

Bring your own device (BYOD): An enterprise policy used to permit partial or full integration of user-owned mobile devices for business purposes

Brute force attack: Repeatedly trying all possible combinations of passwords or encryption keys until the correct one is found

Buffer overflow: Occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information, which has to go somewhere, can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain code designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.

C
Chain of custody: A legal principle regarding the validity and integrity of evidence. It requires accountability for anything that will be used as evidence in a legal proceeding, to ensure that it can be accounted for from the time it was collected until the time it is presented in a court of law. It includes documentation as to who had access to the evidence and when, as well as the ability to identify evidence as being the exact item that was recovered or tested. Lack of control over evidence can lead to it being discredited. Chain of custody depends on the ability to verify that evidence could not have been tampered with. This is accomplished by sealing off the evidence, so it cannot be changed, and providing a documentary record of custody to prove that the evidence was at all times under strict control and not subject to tampering.

Chief information security officer (CISO): The person in charge of information security within the enterprise

Chief security officer (CSO): The person usually responsible for all security matters, both physical and digital, in an enterprise

Cipher: An algorithm to perform encryption

Ciphertext: Information generated by an encryption algorithm to protect the plaintext and that is unintelligible to the unauthorized reader

Cleartext: Data that is not encrypted. Also known as plaintext.

Cloud computing: Convenient, on-demand network access to a shared pool of resources that can be rapidly provisioned and released with minimal management effort or service provider interaction

Compliance: Adherence to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies

Computer emergency response team (CERT): A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems.

Computer forensics: The application of the scientific method to digital media to establish factual information for judicial review. This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities. As a discipline, it combines elements of law and computer science to collect and analyze data from information systems (e.g., personal computers, networks, wireless communication and digital storage devices) in a way that is admissible as evidence in a court of law.

Confidentiality: Preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information

Configuration management: The control of changes to a set of configuration items over a system life cycle

Containment: Actions taken to limit exposure after an incident has been identified and confirmed

Control: The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature

Countermeasure: Any process that directly reduces a threat or vulnerability

Cross-site scripting (XSS): A type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. (OWASP)

Cryptography: The art of designing, analyzing and attacking cryptographic schemes

Cyberespionage: Activities conducted in the name of security, business, politics or technology to find information that ought to remain secret. It is not inherently military.

Cybersecurity: The protection of information assets by addressing threats to information processed, stored, and transported by internetworked information systems

Cyberwarfare: Activities supported by military organizations with the purpose of threatening the survival and well-being of a society or foreign entity

D
Data owner: The individual(s), normally a manager or director, who has responsibility for the integrity, accurate reporting and use of computerized data

Database: A stored collection of related data needed by enterprises and individuals to meet their information processing and retrieval requirements

Defense in depth: The practice of layering defenses to provide added protection. Defense in depth increases security by raising the effort needed in an attack. This strategy places multiple barriers between an attacker and an enterprise's computing and information resources.

Demilitarized zone (DMZ): A screened (firewalled) network segment that acts as a buffer zone between a trusted and untrusted network. A DMZ is typically used to house systems such as web servers that must be accessible from both internal networks and the Internet.

Denial-of-service attack (DoS): An assault on a service from a single source that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rate

Digital forensics: The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings

Digital signature: A piece of information, a digitized form of signature, that provides sender authenticity, message integrity and nonrepudiation. A digital signature is generated using the sender's private key or applying a one-way hash function.

Domain name system (DNS): A hierarchical database that is distributed across the Internet that allows names to be resolved into IP addresses (and vice versa) to locate services such as web and e-mail servers

Domain name system (DNS) exfiltration: Tunneling over DNS to gain network access. A lower-level attack vector for simple to complex data transmission; slow, but difficult to detect.

Due care: The level of care expected from a reasonable person of similar competency under similar conditions

Due diligence: The performance of those actions that are generally regarded as prudent, responsible and necessary to conduct a thorough and objective investigation, review and/or analysis

Dynamic ports: Dynamic and/or private ports (49152 through 65535). Not listed by IANA because of their dynamic nature.

E
Encryption: The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext)

Encryption algorithm: A mathematically based function or calculation that encrypts/decrypts data

Encryption key: A piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertext

Eradication: When containment measures have been deployed after an incident occurs, the root cause of the incident must be identified and removed from the network. Eradication methods include: restoring backups to achieve a clean state of the system, removing the root cause, improving defenses and performing vulnerability analysis to find further potential damage from the same root cause.

Event: Something that happens at a specific place and/or time

Evidence: Information that proves or disproves a stated issue. Information that an auditor gathers in the course of performing an IS audit; relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support

Exploit: Full use of a vulnerability for the benefit of an attacker

F
File transfer protocol (FTP): A protocol used to transfer files over a Transmission Control Protocol/Internet Protocol (TCP/IP) network (Internet, UNIX, etc.)

Firewall: A system or combination of systems that enforces a boundary between two or more networks, typically forming a barrier between a secure and an open environment such as the Internet

Forensic examination: The process of collecting, assessing, classifying and documenting digital evidence to assist in the identification of an offender and the method of compromise

Freeware: Software available free of charge

G
Gateway: A device (router, firewall) on a network that serves as an entrance to another network

Governance: Ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives. Conditions can include the cost of capital, foreign exchange rates, etc. Options can include shifting manufacturing to other locations, subcontracting portions of the enterprise to third parties, selecting a product mix from many available choices, etc.

Governance, risk management and compliance (GRC): A business term used to group the three closely related disciplines responsible for the protection of assets and operations

Guideline: A description of a particular way of accomplishing something that is less prescriptive than a procedure

H
Hacker: An individual who attempts to gain unauthorized access to a computer system

Hash function: An algorithm that maps or translates one set of bits into another (generally smaller) so that a message yields the same result every time the algorithm is executed using the same message as input. It is computationally infeasible for a message to be derived or reconstituted from the result produced by the algorithm, or to find two different messages that produce the same hash result using the same algorithm.

Hijacking: An exploitation of a valid network session for unauthorized purposes

Hypertext Transfer Protocol (HTTP): A communication protocol used to connect to servers on the World Wide Web. Its primary function is to establish a connection with a web server and transmit hypertext mark-up language (HTML), extensible mark-up language (XML) or other pages to client browsers.

I
Imaging: A process that allows one to obtain a bit-for-bit copy of data to avoid damage of original data or information when multiple analyses may be performed. The imaging process is made to obtain residual data, such as deleted files, fragments of deleted files and other information present, from the disk for analysis. This is possible because imaging duplicates the disk surface, sector by sector.

Impact: Magnitude of loss resulting from a threat exploiting a vulnerability

Impact analysis: A study to prioritize the criticality of information resources for the enterprise based on costs (or consequences) of adverse events. In an impact analysis, threats to assets are identified and potential business losses determined for different time periods. This assessment is used to justify the extent of safeguards that are required and recovery time frames. This analysis is the basis for establishing the recovery strategy.

Incident: Any event that is not part of the standard operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of that service

Incident response: The response of an enterprise to a disaster or other significant event that may significantly affect the enterprise, its people, or its ability to function productively. An incident response may include evacuation of a facility, initiating a disaster recovery plan (DRP), performing damage assessment, and any other measures necessary to bring an enterprise to a more stable status.

Incident response plan: The operational component of incident management. The plan includes documented procedures and guidelines for defining the criticality of incidents, the reporting and escalation process, and recovery procedures.

Information security: Ensures that within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity), and non-access when required (availability).

Information security program: The overall combination of technical, operational and procedural measures and management structures implemented to provide for the confidentiality, integrity and availability of information based on business requirements and risk analysis

Information systems (IS): The combination of strategic, managerial and operational activities involved in gathering, processing, storing, distributing and using information and its related technologies. Information systems are distinct from information technology (IT) in that an information system has an IT component that interacts with the process components.

Injection: A general term for attack types which consist of injecting code that is then interpreted/executed by the application (OWASP)

Intangible asset: An asset that is not physical in nature. Examples include: intellectual property (patents, trademarks, copyrights, processes), goodwill, and brand recognition.

Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity

Intellectual property: Intangible assets that belong to an enterprise for its exclusive use. Examples include: patents, copyrights, trademarks, ideas, and trade secrets.

International Organization for Standardization (ISO): The world's largest developer of voluntary international standards

Internet Control Message Protocol (ICMP): A set of protocols that allow systems to communicate information about the state of services on other systems. For example, ICMP is used in determining whether systems are up, the maximum packet sizes on links, and whether a destination host/network/port is available. Hackers typically use (abuse) ICMP to determine information about the remote site.

Internet protocol (IP): Specifies the format of packets and the addressing scheme

Internet service provider (ISP): A third party that provides individuals and enterprises with access to the Internet and a variety of other Internet-related services

Intruder: Individual or group gaining access to the network and its resources without permission

Intrusion detection: The process of monitoring the events occurring in a computer system or network to detect signs of unauthorized access or attack

Intrusion detection system (IDS): Inspects network and host security activity to identify suspicious patterns that may indicate a network or system attack

Intrusion prevention: A pre-emptive approach to network security used to identify potential threats and respond to them to stop, or at least limit, damage or disruption

Intrusion prevention system (IPS): A system designed to not only detect attacks, but also to prevent the intended victim hosts from being affected by the attacks

Investigation: The collection and analysis of evidence with the goal of identifying the perpetrator of an attack or unauthorized use or access.

IP address: A unique binary number used to identify devices on a TCP/IP network

IT governance: The responsibility of executives and the board of directors; consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the enterprise's strategies and objectives

K
Key-logger: Software used to record all keystrokes on a computer

L
Local area network (LAN): Communication network that serves several users within a specified geographic area. A personal computer LAN functions as a distributed processing system in which each computer in the network does its own processing and manages some of its data. Shared data are stored in a file server that acts as a remote disk drive for all users in the network.

Logging: Files that record transactions for historic purposes or for troubleshooting. Logging provides the basic data required to monitor and detect unauthorized activity and to analyze potential security breaches.

M
Malware: Short for malicious software. Designed to infiltrate, damage or obtain information from a computer system without the owner's consent. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. Spyware is generally used for marketing purposes and, as such, is not malicious, although it is generally unwanted. Spyware can, however, be used to gather information for identity theft or other clearly illicit purposes.

Man-in-the-middle attack: An attack strategy in which the attacker intercepts the communication stream between two parts of the victim system and then replaces the traffic between the two components with the intruder's own, eventually assuming control of the communication

Media access control (MAC) address: A unique identifier assigned to network interfaces for communications on the physical network segment

Mobile device: A small, handheld computing device, typically having a display screen with touch input and/or a miniature keyboard and weighing less than two pounds

N
National Institute of Standards and Technology (NIST): Develops tests, test methods, reference data, proof-of-concept implementations, and technical analyses to advance the development and productive use of information technology. NIST is a US government entity that creates mandatory standards that are followed by federal agencies and those doing business with them.

Network address translation (NAT): A methodology of modifying network address information in datagram packet headers while they are in transit across a traffic routing device for the purpose of remapping one IP address space into another

Network interface card (NIC): A communication card that, when inserted into a computer, allows it to communicate with other computers on a network. Most NICs are designed for a particular type of network or protocol.

Nonrepudiation: The assurance that a party cannot later deny originating data; provision of proof of the integrity and origin of the data that can be verified by a third party. A digital signature can provide nonrepudiation.

O
Open Web Application Security Project (OWASP): An open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted

Operating system (OS): A master control program that runs the computer and acts as a scheduler and traffic controller

P
Packet: Data unit that is routed from source to destination in a packet-switched network. A packet contains both routing information and data. Transmission Control Protocol/Internet Protocol (TCP/IP) is such a packet-switched network.

Password: A protected, generally computer-encrypted string of characters that authenticates a computer user to the computer system

Password cracker: A tool that tests the strength of user passwords by searching for passwords that are easy to guess. It repeatedly tries words from specially crafted dictionaries and often also generates thousands (and in some cases, even millions) of permutations of characters, numbers and symbols.

Patch: Fixes to software programming errors and vulnerabilities

Patch management: An area of systems management that involves acquiring, testing and installing multiple patches (code changes) to an administered computer system in order to maintain up-to-date software and often to address security risk. Patch management tasks include the following: maintaining current knowledge of available patches; deciding what patches are appropriate for particular systems; ensuring that patches are installed properly; testing systems after installation; and documenting all associated procedures, such as specific configurations required. A number of products are available to automate patch management tasks. Patches are sometimes ineffective and can sometimes cause more problems than they fix. Patch management experts suggest that system administrators take simple steps to avoid problems, such as performing backups and testing patches on non-critical systems prior to installation. Patch management can be viewed as part of change management.

Payload: The section of fundamental data in a transmission. In malicious software this refers to the section containing the harmful data/code.

Penetration testing: A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers

Personal identification number (PIN): A type of password (i.e., a secret number assigned to an individual) that, in conjunction with some means of identifying the individual, serves to verify the authenticity of the individual. PINs have been adopted by financial institutions as the primary means of verifying customers in an electronic funds transfer (EFT) system.

Phishing: A type of electronic mail (email) attack that attempts to convince a user that the originator is genuine, but with the intention of obtaining information for use in social engineering. Phishing attacks may take the form of masquerading as a lottery organization advising the recipient of a large win, or as the user's bank; in either case, the intent is to obtain account and personal identification number (PIN) details. Alternative attacks may seek to obtain apparently innocuous business information, which may be used in another form of active attack.

Policy: Generally, a document that records a high-level principle or course of action that has been decided on.

The intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise's management teams.

In addition to policy content, policies need to describe the consequences of failing to comply with the policy, the means for handling exceptions, and the manner in which compliance with the policy will be checked and measured.

Port (Port number): A process or application-specific software element serving as a communication endpoint for the Transport Layer IP protocols (UDP and TCP)

Port scanning: The act of probing a system to identify open ports

Principle of least privilege/access: Controls used to allow the least privilege access needed to complete a task

Privacy: Freedom from unauthorized intrusion or disclosure of information about an individual

Probe: Inspect a network or system to find weak spots.

Procedure: A document containing a detailed description of the steps necessary to perform specific operations in conformance with applicable standards. Procedures are defined as part of processes.

Protocol: The rules by which a network operates and controls the flow and priority of transmissions.

R
Recovery: The phase in the incident response plan that ensures that affected systems or services are restored to a condition specified in the service delivery objectives (SDOs) or business continuity plan (BCP)

Regulation: Rules or laws defined and enforced by an authority to regulate conduct

Regulatory requirements: Rules or laws that regulate conduct and that the enterprise must obey to become compliant

Remediation: After vulnerabilities are identified and assessed, appropriate remediation can take place to mitigate or eliminate the vulnerability.

Risk: The combination of the probability of an event and its consequence (ISO/IEC 73)

Risk acceptance: If the risk is within the enterprise's risk tolerance or if the cost of otherwise mitigating the risk is higher than the potential loss, the enterprise can assume the risk and absorb any losses.

Risk assessment: A process used to identify and evaluate risk and its potential effects. Risk assessments are used to identify those items or areas that present the highest risk, vulnerability or exposure to the enterprise for inclusion in the IS annual audit plan. Risk assessments are also used to manage the project delivery and project benefit risk.

Risk avoidance: The process for systematically avoiding risk, constituting one approach to managing risk

Risk management: The coordinated activities to direct and control an enterprise with regard to risk. In the International Standard, the term control is used as a synonym for measure. (ISO/IEC Guide 73:2002)

One of the governance objectives. Entails recognizing risk; assessing the impact and likelihood of that risk; and developing strategies, such as avoiding the risk, reducing the negative effect of the risk and/or transferring the risk, to manage it within the context of the enterprise's risk appetite. (COBIT 5 perspective)

Risk mitigation: The management of risk through the use of countermeasures and controls

Risk reduction: The implementation of controls or countermeasures to reduce the likelihood or impact of a risk to a level within the organization's risk tolerance

Risk tolerance: The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives

Risk transfer: The process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service

Risk treatment: The process of selection and implementation of measures to modify risk (ISO/IEC Guide 73:2002)

Root cause analysis: A process of diagnosis to establish the origins of events, which can be used for learning from consequences, typically from errors and problems

Rootkit: A software suite designed to aid an intruder in gaining unauthorized administrative access to a computer system

Router: A networking device that can send (route) data packets from one local area network (LAN) or wide area network (WAN) to another, based on addressing at the network layer (Layer 3) in the open systems interconnection (OSI) model. Networks connected by routers can use different or similar networking protocols. Routers usually are capable of filtering packets based on parameters, such as source addresses, destination addresses, protocol and network applications (ports).

S
Safeguard: A practice, procedure or mechanism that reduces risk

Secure Sockets Layer (SSL): A protocol that is used to transmit private documents through the Internet. The SSL protocol uses a private key to encrypt the data that are to be transferred through the SSL connection.

Secure hypertext transfer protocol (S/HTTP): An application layer protocol, S/HTTP transmits individual messages or pages securely between a web client and server by establishing an SSL-type connection.

Security perimeter: The boundary that defines the area of security concern and security policy coverage

Segmentation: Network segmentation is the process of logically grouping network assets, resources, and applications together into compartmentalized areas that have no trust of each other.

Segregation/separation of duties (SoD): A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets. Segregation/separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code without detection.

Sensitivity: A measure of the impact that improper disclosure of information may have on an enterprise

Single factor authentication (SFA): Authentication process that requires only the user ID and password to grant access

Spam: Computer-generated messages sent as unsolicited advertising

Spear phishing: An attack where social engineering techniques are used to masquerade as a trusted party to obtain important information such as passwords from the victim

Spoofing: Faking the sending address of a transmission in order to gain illegal entry into a secure system

Spyware: Software whose purpose is to monitor a computer user's actions (e.g., web sites visited) and report these actions to a third party, without the informed consent of that machine's owner or legitimate user. A particularly malicious form of spyware is software that monitors keystrokes to obtain passwords or otherwise gathers sensitive information such as credit card numbers, which it then transmits to a malicious third party. The term has also come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.

SQL injection: Results from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. (MITRE)

System hardening: A process to eliminate as many security risks as possible by removing all nonessential software programs, protocols, services and utilities from the system

T
Tangible asset - Any asset that has physical form

Target - Person or asset selected as the aim of an attack

Threat - Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. A potential cause of an unwanted incident (ISO/IEC 13335).

Threat agent - Methods and things used to exploit a vulnerability. Examples include determination, capability, motive and resources.

Threat analysis/assessment - An evaluation of the type, scope and nature of events or actions that can result in adverse consequences; identification of the threats that exist against enterprise assets. The threat analysis usually defines the level of threat and the likelihood of it materializing.

Threat event - Any event during which a threat element/actor acts against an asset in a manner that has the potential to directly result in harm

Threat vector - The path or route used by the adversary to gain access to the target

Transmission control protocol (TCP) - A connection-based Internet protocol that supports reliable data transfer connections. Packet data are verified using checksums and retransmitted if they are missing or corrupted. The application plays no part in validating the transfer.

Transmission control protocol/Internet protocol (TCP/IP) - Provides the basis for the Internet; a set of communication protocols that encompass media access, packet transport, session communication, file transfer, electronic mail (e-mail), terminal emulation, remote file access and network management

Transport Layer Security (TLS) - A protocol that provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery (RFC 2246). Transport Layer Security (TLS) is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. The TLS Record Protocol provides connection security with some encryption method such as the Data Encryption Standard (DES). The TLS Record Protocol can also be used without encryption. The TLS Handshake Protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged.

Trojan horse - Purposefully hidden malicious or damaging code within an authorized computer program. Unlike viruses, they do not replicate themselves, but they can be just as destructive to a single computer.

Two-factor authentication - The use of two independent mechanisms for authentication (e.g., requiring a smart card and a password), typically the combination of something you know, are or have

V
Value - The relative worth or importance of an investment for an enterprise, as perceived by its key stakeholders, expressed as total life cycle benefits net of related costs, adjusted for risk and (in the case of financial value) the time value of money

Virtual private network (VPN) - A secure private network that uses the public telecommunications infrastructure to transmit data. In contrast to a much more expensive system of owned or leased lines that can only be used by one company, VPNs are used by enterprises for both extranets and wide areas of intranets. Using encryption and authentication, a VPN encrypts all data that pass between two Internet points, maintaining privacy and security.


Virtualization - The process of adding a guest application and data onto a virtual server, recognizing that the guest application will ultimately part company from this physical server

Virus - A program with the ability to reproduce by modifying other programs to include a copy of itself. A virus may contain destructive code that can move into multiple programs, data files or devices on a system and spread through multiple systems in a network.

Voice-over Internet Protocol (VoIP) - Also called IP Telephony, Internet Telephony and Broadband Phone, a technology that makes it possible to have a voice conversation over the Internet or over any dedicated Internet Protocol (IP) network instead of over dedicated voice transmission lines

Vulnerability - A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events

Vulnerability analysis/assessment - A process of identifying and classifying vulnerabilities

Vulnerability scanning - An automated process to proactively identify security weaknesses in a network or individual system

W
Web server - Using the client-server model and the World Wide Web's HyperText Transfer Protocol (HTTP), a web server is a software program that serves web pages to users

Wireless local area network (WLAN) - Two or more systems networked using a wireless distribution method

Worm - A programmed network attack in which a self-replicating program does not attach itself to programs, but rather spreads independently of the user's action

Write blocker - A device that allows the acquisition of information on a drive without creating the possibility of accidentally damaging the drive

Write protect - The use of hardware or software to prevent data from being overwritten or deleted

Z
Zero-day exploit - A vulnerability that is exploited before the software creator/vendor is even aware of its existence
