Cyber Resilience: Defence-in-depth principles
By Alan Calder and Alan Medcroft
About this ebook
For the foreseeable future (and perhaps beyond), the growth and prominence of data in business shows no signs of slowing down, even if the technology in question will likely change in ways perhaps unimaginable today. Naturally, all this innovation brings huge opportunities and benefits to organisations and people alike. However, these come at more than just a financial cost.
In the world as we know it, you can be attacked both physically and virtually. For today’s organisations, which rely so heavily on technology – particularly the Internet – to do business, the latter attack is the far more threatening of the two. The cyber threat landscape is complex and constantly changing. For every vulnerability fixed, another pops up, ripe for exploitation. Worse, when a vulnerability is identified, a tool that can exploit it is often developed and used within hours – faster than the time it normally takes for the vendor to release a patch, and certainly quicker than the time many organisations take to install that patch.
This book has been divided into two parts:
- Part 1: Security principles.
- Part 2: Reference controls.
Part 1 is designed to give you a concise but solid grounding in the principles of good security, covering key terms, risk management, different aspects of security, defence in depth, implementation tips, and more. This part is best read from beginning to end.
Part 2 is intended as a useful reference, discussing a wide range of good-practice controls (in alphabetical order) you may want to consider implementing. Each control is discussed at a high level, focusing on the broader principles, concepts and points to consider, rather than specific solutions. Each control has also been written as a stand-alone chapter, so you can just read the controls that interest you, in an order that suits you.
Alan Calder
Alan Calder is a leading author on IT governance and information security issues. He is the CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Alan is an acknowledged international cyber security guru. He has been involved in the development of a wide range of information security management training courses that have been accredited by the International Board for IT Governance Qualifications (IBITGQ). He is a frequent media commentator on information security and IT governance issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.
Cyber Resilience - Alan Calder
INTRODUCTION
This book has been divided into two parts:
- Part 1: Security principles
- Part 2: Reference controls
Part 1 is designed to give you a concise but solid grounding in the principles of good security, covering key terms, risk management, different aspects of security, defence in depth, implementation tips, and more. This part is best read from beginning to end.
Part 2 is intended as a useful reference, discussing a wide range of good-practice controls (in alphabetical order) you may want to consider implementing. Each control is discussed at a high level, focusing on the broader principles, concepts and points to consider, rather than specific solutions. Each control has also been written as a standalone chapter, so you can just read the controls that interest you, in an order that suits you.
Together, the book will give you a good understanding of the fundamentals of cyber security and resilience, without tying them to specific standards, frameworks or solutions, and provide an excellent starting point for any cyber resilience implementation project.
Part 1: Security principles
CHAPTER 1: THE CYBER THREAT LANDSCAPE
We live in a world where technology and vast quantities of data play a considerable role in everyday life, personal and professional. For the foreseeable future (and perhaps beyond), their growth and prominence show no signs of slowing down, even if the technology in question will likely change in ways perhaps unimaginable today. Naturally, all this innovation brings huge opportunities and benefits to organisations and individuals alike. However, these come at more than just a financial cost.
In the world as we know it, you can be attacked both physically and virtually. For today’s organisations, which rely so heavily on technology – particularly the Internet – to do business, being attacked virtually is the far more threatening of the two. The cyber threat landscape is complex and constantly changing. For every vulnerability fixed, another pops up, ripe for exploitation. Worse, when a vulnerability is identified, a tool that can exploit it is often developed and used within hours – faster than the time it normally takes for the vendor to release a patch, and certainly quicker than the time many organisations take to install that patch.
The cyber criminal’s point of view
The nature of the cyber world means that cyber attackers can attack anyone, anywhere, from the comfort of their home. You might say that they were ahead of the game in terms of taking advantage of the benefits and opportunities offered by working remotely.
Furthermore, from an attacker’s perspective, there is often a very good reward-to-risk ratio: for the victim, it can be hard enough to detect that an attack happened at all, never mind trace who was behind it. It is in the very nature of the digital information that we are trying to protect that it is easy to copy. In fact, stealing the information does not require removing it from its original location at all, meaning that the owner of that information may never realise that the theft happened.
Unfortunately for us, committing crimes over the Internet can also be very lucrative. Physical pickpocketing may earn a thief cash and credit cards (that will likely be blocked very quickly, and probably can only be used up to the contactless limit per transaction anyway), but digitally targeting someone gives them a chance to steal that person’s identity and get credit cards issued in the victim’s name. Upscale that, and a criminal might think about targeting organisations that hold databases with thousands or even millions of payment card details and personal information about their owners. Whether they then directly use that information for themselves or sell it on the dark web (where you can buy virtually anything, from drugs and human organs to hacking software and stolen credentials), the profits are certainly far greater than those of a physical crime conducted in the same timescale and with the same manpower.
Moreover, cyber criminals are spoilt for choice when it comes to deciding who to target. Because virtually every organisation holds valuable information, and often in huge quantities, essentially anyone will do. In fact, criminals often do not target specific businesses at all, but specific vulnerabilities. Attackers tend to use automated tools to identify those vulnerabilities, and therefore their victims, for them.
Securing your assets
The information that attackers target is often vital to the organisations that hold it. More often than not, you cannot do business if you lose access to that information, making it one of your most important assets. At the same time, the fact that criminals can extract significant value from this information means that it is an asset to them too. There is good reason to refer to them as information ‘assets’ – by definition, someone wants to get hold of them. Many a time, that ‘someone’ is a business partner that will go through the proper channels – but not everyone will take the legal route.
With all this in mind, it should not come as a surprise that cyber attacks are – and will probably continue to be – on the rise. Such attacks can vary widely, ranging from simple phishing emails to complex, detailed operations masterminded by skilled criminal gangs. However, even the simplest attack, if executed successfully, can wreak havoc if you are not prepared.
Clearly, it is in your organisation’s best interests to protect yourself. While this might cost, it will prove far cheaper than experiencing a breach and having to deal with the operational, financial and reputational damages that follow.
Is security affordable?
Despite the clear value of implementing security measures, given how frequently data breaches and cyber attacks, many of them large-scale, appear in the press, you could be forgiven for thinking that it is impossible to defend your organisation against the predations of cyber attackers. After all, if massive multinationals cannot stay secure, what hope is there for small businesses?
The truth is that you can achieve far more, and on a far smaller budget, than you think. Particularly if you take a strategic approach and aim for the lower-hanging fruit first, becoming secure – and even becoming cyber resilient (more on that distinction in Chapter 3) – does not have to cost vast amounts of money or take years to implement. And it is a worthwhile investment: no matter the size of your organisation, improving your security helps protect your data and that of your clients, improving business relations and opening new business opportunities.
CHAPTER 2: LEGAL AND CONTRACTUAL REQUIREMENTS
Although the best mindset towards implementing security is to think of it as a business investment, it can take hard legal and/or contractual requirements to secure the necessary commitment and resources from your organisation. (Making a tight budget stretch is one thing; doing so without organisation-wide commitment is quite another.)
Data privacy laws
As far as legal requirements are concerned, data privacy laws have been widely updated in recent years. The most well-publicised one was the EU General Data Protection Regulation (GDPR), enforced in 2018, which marked a major milestone for data protection and privacy laws across the world. The EU GDPR places a wide range of security and privacy obligations on organisations that process the data of EU residents and is supported by a regime of significant financial penalties (up to the greater of 4% of annual turnover or €20 million).
Following the introduction of the EU GDPR, other updated privacy laws have emerged around the world, including the UK GDPR and Data Protection Act (DPA) 2018 in the UK, and the California