
1.

National Cyber Awareness System

Five products in the National Cyber Awareness System offer a variety of information for
users with varied technical expertise. Those with more technical interest can read the
Alerts, Analysis Reports, Current Activity, or Bulletins. Users looking for more general-
interest pieces can read the Tips.
• Current Activity
Provides up-to-date information about high-impact types of security activity affecting
the community at large.
• Alerts
Provide timely information about current security issues, vulnerabilities, and
exploits.
• Bulletins
Provide weekly summaries of new vulnerabilities. Patch information is provided
when available.
• Tips
Provide advice about common security issues for the general public.
• Analysis Reports
Provide in-depth analysis on a new or evolving cyber threat.
=============================================================
=============================================================

2.
Internet Fraud
Internet fraud is the use of Internet services or software with Internet access to defraud
victims or to otherwise take advantage of them. Internet crime schemes steal millions of
dollars each year from victims and continue to plague the Internet through various methods.
Several high-profile methods include the following:

• Business E-Mail Compromise (BEC): A sophisticated scam targeting businesses
working with foreign suppliers and companies that regularly perform wire transfer
payments. The scam is carried out by compromising legitimate business e-mail
accounts through social engineering or computer intrusion techniques to conduct
unauthorized transfers of funds.
• Data Breach: A leak or spill of data which is released from a secure location to an
untrusted environment. Data breaches can occur at the personal and corporate levels
and involve sensitive, protected, or confidential information that is copied,
transmitted, viewed, stolen, or used by an individual unauthorized to do so.
• E-Mail Account Compromise (EAC): Similar to BEC, this scam targets the general
public and professionals associated with, but not limited to, financial and lending
institutions, real estate companies, and law firms. Perpetrators of EAC use
compromised e-mail accounts to request payments to fraudulent destinations.
• Malware/Scareware: Malicious software that is intended to damage or disable
computers and computer systems. Sometimes scare tactics are used by the
perpetrators to solicit funds from victims.
• Phishing/Spoofing: Both terms deal with forged or faked electronic documents.
Spoofing generally refers to the dissemination of e-mail which is forged to appear as
though it was sent by someone other than the actual source. Phishing is often used in
conjunction with a spoofed e-mail. It is the act of sending an e-mail falsely claiming to
be an established legitimate business in an attempt to deceive the unsuspecting
recipient into divulging personal, sensitive information such as passwords, credit card
numbers, and bank account information after directing the user to visit a specified
website. The website, however, is not genuine and was set up only as an attempt to
steal the user's information. Related variants carry the same lure over other channels:
vishing (voice calls), smishing (SMS) and pharming (redirecting requests for a
legitimate site to a fake one).
• Ransomware: A form of malware targeting both human and technical weaknesses in
organizations and individual networks in an effort to deny the availability of critical
data and/or systems. Ransomware is frequently delivered through spear phishing
emails to end users, resulting in the rapid encryption of sensitive files on a corporate
network. When the victim organization determines they are no longer able to access
their data, the cyber perpetrator demands the payment of a ransom, typically in virtual
currency such as Bitcoin, at which time the actor will purportedly provide an avenue
to the victim to regain access to their data.
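The spoofing and phishing bullet above describes a forged sender plus a link to a fake site, and the BEC bullet describes a compromised or impersonated account steering a payment. The following is an added example, not code from the original page or from any of the organizations it draws on: a check over a single raw e-mail that flags the indicators those two bullets name. All domains, addresses and both sample messages are constructed for the example; the trusted-domain list is an assumption.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: these are the organisation's own mail domains.
TRUSTED_DOMAINS = {"acme.example"}

# Constructed sample, not a real message: a BEC-style wire-transfer request.
# The display name advertises the CFO's real address, the actual sender and
# Reply-To use lookalike domains, and the visible link text shows a different
# host from the href it really points at.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@acme-payments.example>
From: "Jane Doe (jane.doe@acme.example)" <jane.doe@acme-payments.example>
Reply-To: accounts@acme-payments-eu.example
To: ap@acme.example
Subject: Urgent: updated supplier bank details for today's wire
Content-Type: text/html; charset="utf-8"

<p>Please pay the attached invoice to the new account before 5pm.</p>
<p><a href="http://acme-payments.example/portal">https://portal.acme.example/suppliers</a></p>
"""

# Constructed clean message from the real domain whose link text matches its target.
CLEAN_MESSAGE = """\
Return-Path: <jane.doe@acme.example>
From: "Jane Doe" <jane.doe@acme.example>
To: ap@acme.example
Subject: Q3 numbers
Content-Type: text/html; charset="utf-8"

<p>Draft is in <a href="https://portal.acme.example/q3">https://portal.acme.example/q3</a>.</p>
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain, trusted):
    """True when domain is not the trusted domain (or a subdomain of it) but reuses its name."""
    if domain == trusted or domain.endswith("." + trusted):
        return False
    return trusted.split(".")[0] in domain


def phishing_indicators(raw):
    """Return human-readable indicators of spoofing found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Display name carries an address whose domain differs from the real sender's.
    for dom in re.findall(r"[\w.+-]+@([\w.-]+)", from_name):
        if dom.lower() != from_domain:
            findings.append(f"display name shows {dom.lower()} but sender is {from_domain}")

    # 2. Replies or bounces would go to a domain other than the one in From.
    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(header))
        if dom and dom != from_domain:
            findings.append(f"{header} domain {dom} differs from From domain {from_domain}")

    # 3. Sender domain imitates a trusted one (acme-payments.example vs acme.example).
    for trusted in TRUSTED_DOMAINS:
        if is_lookalike(from_domain, trusted):
            findings.append(f"sender domain {from_domain} resembles trusted {trusted}")

    # 4. Anchor text names one host while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        href_host = (urlparse(href).hostname or "").lower()
        text_host = (urlparse(text.strip()).hostname or "").lower()
        if text_host and href_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but target is {href_host}")
    return findings


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_MESSAGE):
        print("suspicious:", line)
    print("clean message:", phishing_indicators(CLEAN_MESSAGE))
```

Header checks like these catch the cheap forgeries; a sender who has actually compromised the account (the BEC case) will pass all four, which is why the wire-transfer itself should be confirmed out of band, by calling a number already on file rather than one in the e-mail.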
 ============================================================
========================================================

3.

Cyber security: A vertical industry application


New threats, risk management and IoT may transform cyber security from a
set of horizontal technologies into a vertical business application

Cyber security has always been a horizontal technology practice that’s roughly the same
across all industry sectors. Yes, some industries have different regulations, use cases or
business processes that demand specific security controls, but overall every company needs
things like firewalls, IDS/IPS, threat management gateways and antivirus software regardless.
Generic security requirements will remain forever, but I see a burgeoning trend transforming
cybersecurity from a set of horizontal technologies to a vertical industry application. These
drivers include:

• Increasing business focus on cybersecurity. While it sounds like industry hype,
cybersecurity has actually become a boardroom issue and corporate boards understand
industry-specific risks much better than technology gibberish about malware and exploits. To
accommodate these corporate executives, CISOs will need communications skills, as well as
tools and technologies that help translate cybersecurity data into meaningful industry and
corporate risk intelligence that can drive investment and decision making. Security
intelligence vendors like BitSight and SecurityScorecard are already exploiting this need,
offering industry-centric cybersecurity metrics for business use.

• CISO progression. The present generation of CISOs grew up through the ranks of IT and
security with career development responsibilities such as network operations and firewall
administration. Yes, the next generation of CISOs will still need some technology chops, but
this role is moving closer and closer to business management. In fact, the best CISOs
understand industry business processes, regulations and risk above and beyond technology.

Business-centric CISO resumes are a “nice-to-have” today but will evolve into a true
requirement over the next few years. In the near future, cybersecurity executives will build
their careers as financial services CISO, healthcare CISO or public sector CISO rather than
vanilla CISO.

• Advancing regulations. While there are already a lot of industry regulations, such as
FISMA, HIPAA/HITECH and NERC CIP, additional industry regulations are bound to occur.
This will happen quite quickly if a major data breach disrupts operations in a particular
industry.

• Industry-focused threats. Targeted threats can generally be traced back to cyber adversaries
that specialize in a particular industry in a particular geography. This makes sense: Attacking
a U.S. bank demands language skills and business process and regulatory knowledge that
isn’t applicable for attacking banks in France or Germany.

These industry-centric threats are precisely why we have specific industry Information
Sharing and Analysis Centers (ISACs). Cybersecurity professionals are often encouraged to
“think like the enemy.” Increasingly, this demands industry-specific business and IT
knowledge—not just a broad understanding of cyber adversary tactics, techniques and
procedures (TTPs).

• IoT. This is the big Papi of change agents for cybersecurity, as industry IoT applications will
radically alter business processes, technology elements and threats. And while we’ve created
an uber technology category called IoT, the fact remains that IoT healthcare applications will
be vastly different than those designed for energy, manufacturing, retail or transportation. As
an example, think about the specific industry, business process and technology knowledge
you would need to prevent, detect or remediate a Stuxnet-like attack.

As I previously mentioned, there will always be a need for horizontal security technologies,
but CISOs will increasingly judge these technologies based upon two criteria: 1) best-of-
breed security efficacy and 2) how well these point tools can be integrated into enterprise
solutions that encompass vertical industry-specific requirements.

I anticipate a transition to vertical industry-specific cybersecurity over the next few years.
Cybersecurity professionals should prepare for this evolution by developing their business process
and technology skills, while vendors should pick focus industries and partner accordingly.

=====================================================
==================================================

4.

Information Security Control

Information security (IS) is designed to protect the confidentiality, integrity and availability
of computer system data from those with malicious intentions. Confidentiality, integrity and
availability are together referred to as the CIA triad of information security.

NETWORK SECURITY TOOLS. Add application testing to your network security tools.
As companies strive to protect their computer systems, data and people from cyber attack,
many have invested heavily in network security tools designed to protect the network
perimeter from viruses, worms, DDoS attacks and other threats.

==================================================================
=================================================================

5.

DATA SECURITY MANAGEMENT


Data security should be an important area of concern for every small-business owner. When
you consider all the important data you store virtually -- from financial records, to customers'
private information -- it's not hard to see why one breach could seriously damage your
business.

According to the most recent Verizon Data Breach Investigations Report, an estimated
"285 million records were compromised in 2008," and 74 percent of those incidents
came from outside sources.

The key security measures every small business should be taking:

1. Establish strong passwords

Implementing strong passwords is the easiest thing you can do to strengthen your security.

Cloutier shares his tip for crafting a hard-to-crack password: use a combination of capital and
lower-case letters, numbers and symbols and make it 8 to 12 characters long.

According to Microsoft, you should definitely avoid using: any personal data (such as your
birthdate), common words spelled backwards and sequences of characters or numbers, or
those that are close together on the keyboard.

As for how often you should change your password, Cloutier says that the industry standard
is "every 90 days," but don't hesitate to do it more frequently if your data is highly-sensitive.

Another key: make sure every individual has their own username and password for any login
system, from desktops to your CMS. "Never just use one shared password," says Cloutier.

And finally, "Never write it down!" he adds.
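The password rules above (mixed case, digits and symbols, a minimum length, no personal data, no reversed common words, no character or keyboard sequences) are easy to state and easy to get wrong when enforced by hand. The following is an added example, not code from the article or from the people it quotes: a checker that applies those rules to a candidate password and reports every rule it breaks. The word list, the keyboard rows and the choice of 12 (the top of the stated 8-12 range) as the floor are assumptions.

```python
import string

# Assumptions (not from the article): a short constructed list of common words,
# the main rows of a US keyboard, and 12 characters as the minimum length.
COMMON_WORDS = {"password", "welcome", "letmein", "admin", "company", "summer"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 12
RUN_LENGTH = 4  # how many adjacent characters count as a sequence


def has_character_run(pw, n=RUN_LENGTH):
    """True if n characters in a row step up or down by exactly one (abcd, 4321)."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def has_keyboard_walk(pw, n=RUN_LENGTH):
    """True if pw contains n keys that sit next to each other on one row, in either direction."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            segment = row[i:i + n]
            if segment in s or segment[::-1] in s:
                return True
    return False


def check_password(pw, personal_data=()):
    """Return the list of rules pw breaks; an empty list means it passes all of them.

    personal_data holds strings the user should never embed (birth year, name, ...).
    """
    problems = []
    s = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "upper-case letter": any(c.isupper() for c in pw),
        "lower-case letter": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    problems += [f"no {name}" for name, present in classes.items() if not present]
    for item in personal_data:
        if item and item.lower() in s:
            problems.append(f"contains personal data {item!r}")
    for word in sorted(COMMON_WORDS):
        if word in s:
            problems.append(f"contains common word {word!r}")
        if word[::-1] in s:
            problems.append(f"contains common word {word!r} spelled backwards")
    if has_character_run(pw):
        problems.append("contains a character sequence")
    if has_keyboard_walk(pw):
        problems.append("contains a keyboard walk")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1234!", "Nimda#2024Xyz", "Tr0ub4dor&3x!"):
        print(candidate, "->", check_password(candidate) or "ok")
```

The checker is deliberately a blacklist of bad patterns on top of the composition rules, because composition rules alone accept "Password1234!" while a reviewer would reject it on sight; a real deployment would also compare against a list of breached passwords, which the article does not cover.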

2. Put up a strong firewall

In order to have a properly protected network, "firewalls are a must," Cloutier says.

A firewall protects your network by controlling internet traffic coming into and flowing out
of your business. They're pretty standard across the board -- Cloutier recommends any of the
major brands.

3. Install antivirus protection

Antivirus and anti-malware software are essentials in your arsenal of online security
weapons, as well.

"They're the last line of defense" should an unwanted attack get through to your network,
Cloutier explains.

4. Update your programs regularly

Making sure your computer is "properly patched and updated" is a necessary step towards
being fully protected; there's little point in installing all this great software if you're not going
to maintain it properly.

"Your security applications are only as good as their most recent update," Watchinski
explains. "While applications are not 100 percent fool-proof, it is important to regularly
update these tools to help keep your users safe."

Frequently updating your programs keeps you up-to-date on any recent issues or holes that
programmers have fixed.

5. Secure your laptops

Because of their portable nature, laptops are at a higher risk of being lost or stolen than
average company desktops. It's important to take some extra steps to make certain your
sensitive data is protected.

Cloutier mandates "absolutely: encrypt your laptop. It's the easiest thing to do."

Disk encryption software scrambles the data as it is written to the hard drive so that,
without the correct password, it can't be read, even by someone who removes the drive.

Cloutier also stresses the importance of never, ever leaving your laptop in your car, where it's
an easy target for thieves. If you must, lock it in your trunk.

6. Secure your mobile phones

Cloutier points out that smart phones hold so much data these days that you should consider
them almost as valuable as company computers -- and they're much more easily lost or
stolen. As such, securing them is another must.

The must-haves for mobile phones:

• Encryption software
• Password-protection (Cloutier also suggests enabling a specific "lock-out" period,
wherein after a short amount of time not being used, the phone locks itself)
• Remote wiping enabled

Remote wiping is "extremely effective," Cloutier says, recounting the story of one executive
who lost his BlackBerry in an airport, after he had been looking at the company's quarterly
financials. The exec called IT in a panic, and within 15 minutes they were able to completely
wipe the phone.

7. Backup regularly
Scheduling regular backups to an external hard drive, or in the cloud, is a painless way to
ensure that all your data is stored safely.
The general rule of thumb for backups: servers should have a complete backup weekly, and
incremental backups every night; personal computers should also be backed up completely
every week, but you can do incremental backups every few days if you like ("however long
you could live without your data," Cloutier explains).

Getting your data compromised is a painful experience -- having it all backed up so you don't
completely lose it will make it much less so.
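The weekly full plus nightly incremental rule above is a procedure, and the part that bites people is the restore: an incremental set on its own is useless without the full backup and every incremental between. The following is an added example, not code from the article: a minimal full/incremental backup with a manifest per backup set and a restore that walks the chain in order, run end to end on a constructed directory in a temporary folder. Change detection is by content hash rather than timestamp, which is an assumption about what "changed" should mean.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def snapshot(src):
    """Map each relative file path under src to the SHA-256 of its content."""
    return {str(p.relative_to(src)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(src).rglob("*")) if p.is_file()}


def backup(src, dest, prev=None):
    """Copy into dest every file that is new or changed relative to prev (all files when
    prev is None, i.e. a full backup). manifest.json records the complete source state
    at backup time and which files this set physically carries. Returns the state."""
    src, dest = Path(src), Path(dest)
    current = snapshot(src)
    prev = prev or {}
    carried = [rel for rel, digest in current.items() if prev.get(rel) != digest]
    dest.mkdir(parents=True, exist_ok=True)  # created even when nothing changed
    for rel in carried:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src / rel, target)
    (dest / "manifest.json").write_text(
        json.dumps({"state": current, "carried": carried}, indent=1))
    return current


def restore(chain, target):
    """Rebuild the source tree from a full backup followed by its incrementals, in order.
    Each file comes from the latest set that carried it; files missing from the final
    manifest (deleted after the full backup) are not brought back. Returns the snapshot
    of the restored tree so the caller can verify it."""
    chain, target = [Path(c) for c in chain], Path(target)
    final_state = json.loads((chain[-1] / "manifest.json").read_text())["state"]
    source_for = {}
    for dest in chain:
        for rel in json.loads((dest / "manifest.json").read_text())["carried"]:
            source_for[rel] = dest
    for rel in final_state:
        out = target / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source_for[rel] / rel, out)
    return snapshot(target)


def demo():
    """Sunday full, two nightly incrementals, then a restore; True if hashes all match."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        src.mkdir()
        (src / "ledger.csv").write_text("day1\n")           # constructed sample data
        (src / "notes").mkdir()
        (src / "notes" / "a.txt").write_text("hello\n")
        state = backup(src, root / "full")                   # Sunday: full backup
        (src / "ledger.csv").write_text("day1\nday2\n")      # Monday: one file changed
        state = backup(src, root / "inc1", state)
        (src / "notes" / "a.txt").unlink()                   # Tuesday: one deleted, one added
        (src / "new.txt").write_text("x\n")
        backup(src, root / "inc2", state)
        inc1 = json.loads((root / "inc1" / "manifest.json").read_text())["carried"]
        restored = restore([root / "full", root / "inc1", root / "inc2"], root / "restore")
        return restored == snapshot(src) and inc1 == ["ledger.csv"]


if __name__ == "__main__":
    print("restore matched source:", demo())
```

Two things the example makes visible: the restore needs the whole chain, so the full backup must be kept until the next full completes, and a backup the infected machine can still write to is not a backup against the ransomware described earlier on this page; the destination should be offline, read-only, or versioned.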

8. Monitor diligently

"All this great technology […] is no good unless you actually use it. You have to have
someone be accountable for it," says Cloutier.

One good monitoring tool Cloutier suggests is data-leakage prevention software, which is set
up at key network touchpoints to look for specific information coming out of your internal
network. It can be configured to look for credit card numbers, pieces of code, or any bits of
information relevant to your business that would indicate a breach.

If you don't monitor things, warns Cloutier, "it's a waste of time and a waste of resources."
And you won't know that you've been compromised until it's far too late.
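The data-leakage prevention tool described above is, at its core, a scanner at an egress point looking for patterns such as card numbers and code. The following is an added example, not code from the article or from any DLP product: a scanner over a few constructed lines of outbound text that validates digit runs with the Luhn check so that ticket numbers and other random digits do not raise alerts, masks what it finds, and also flags a private-key header as the "pieces of code" case. The sample lines are constructed; the card numbers are well-known test numbers, not real accounts.

```python
import re

# Constructed sample of outbound text as a DLP sensor at an egress point might see it
# (4111... and 4242... are industry test card numbers, not real accounts).
SAMPLE_EGRESS = [
    "order 10423 shipped, tracking id 784512",
    "charge approved on 4111 1111 1111 1111 exp 12/29",
    "internal ticket 9999-9999-9999-9999 closed",
    "card ending 4242 for 4242424242424242 is on file",
    "-----BEGIN RSA PRIVATE KEY----- pasted into chat",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Markers for "pieces of code" that should never leave the network.
SECRET_MARKERS = {
    "private key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}


def luhn_ok(digits):
    """Luhn checksum; every real card number passes it, so it filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits so the alert itself does not leak the number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(lines):
    """Return (line number, kind, detail) for each suspected leak in the given lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        for match in CARD_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((number, "card number", mask(digits)))
        for kind, pattern in SECRET_MARKERS.items():
            found = pattern.search(line)
            if found:
                hits.append((number, kind, found.group()))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EGRESS):
        print("line %d: %s %s" % hit)
```

The Luhn step is what keeps the monitoring usable: without it the ticket number on line 3 would alert too, and a sensor that cries wolf is switched off, which is the "waste of time and resources" Cloutier warns about.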

9. Be careful with e-mail, IM and surfing the Web

It's not uncommon for an unsuspecting employee to click on a link or download an attachment
that they believe is harmless -- only to discover they've been infected with a nasty virus, or
worse.

"Links are the number one way that malware ends up on computers," says Cloutier. "Links
are bad!"

As such, never click on a link that you weren't expecting or you don't know the origination of
in an e-mail or IM.

You have to "be smart when surfing the Web," Watchinski warns. "[You] should take every
"warning box" that appears on [your] screen seriously and understand that every new piece of
software comes with its own set of security vulnerabilities."

10. Educate your employees

Teaching your employees about safe online habits and proactive defense is crucial.

"Educating them about what they are doing and why it is dangerous is a more effective
strategy than expecting your IT security staff to constantly react to end users’ bad decisions,"
Watchinski says.

==================================================================
==================================================================
