Cybersecurity for Beginners
A guide to the essentials of cybersecurity, cyber-terrorism & hacktivism.
What are they? Where are they headed? How can you guard against them?
RAEF MEEUWISSE
Copyright 2015 Raef Meeuwisse.
Raef Meeuwisse, Icutrain Ltd, 37 St Margarets Street, Canterbury, KENT CT1 2TU
Email:
Twitter: @grcarchitect
First Printing: 2015
First published by: Icutrain Ltd
All rights reserved. No part of this book may be reproduced, stored, or transmitted by any means, whether auditory, graphic, mechanical, or electronic, without written permission of both publisher and author, except in the case of brief excerpts used in critical articles and reviews. Unauthorized reproduction of any part of this work is illegal and is punishable by law.
ISBN: 978-1-4834-3123-9 (sc)
ISBN: 978-1-4834-3122-2 (e)
Because of the dynamic nature of the Internet, any web addresses or links contained in this book may have changed since publication and may no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect the views of the publisher, and the publisher hereby disclaims any responsibility for them.
Any people depicted in stock imagery provided by Thinkstock are models, and such images are being used for illustrative purposes only.
Certain stock imagery © Thinkstock.
Lulu Publishing Services rev. date: 05/07/2015
Contents
Dedication
For Dawn Meeuwisse, whose passing makes it clear that technology will not replace everything. For Ruth, whose patience has helped me complete the book.
For you the reader. This is my first version, let me know where you want it improved.
If you aren't concerned about Cybersecurity,
you don't know enough about it.
1: Cybersecurity & its Origins.
Describes how reliant we have become on our electronic devices and the reasons that we all need to be concerned about cybersecurity.
2: About the Case Studies.
Establishes the format, content and purpose of the case studies and provides some initial terminology definitions.
3: Case Study: Target 2013.
Uses facts from the theft of over 40 million customer cardholder details to demonstrate that cybersecurity breaches tend to result from a long list of security gaps.
4: The Disciplines Within Cybersecurity.
Begins to introduce the list of skills required to put together a cybersecurity team.
5: Case Study: Edward Snowden 2013.
Reinforces the fact that breaches are not due to a single gap. Introduces insider threats and the importance of human factors to cybersecurity.
6: Basic Cybersecurity Concepts.
Demonstrating how common sense is still at the core of cybersecurity. Introduces existing, established approaches used to combat threats.
7: Human Factors.
Technology does not fail without human involvement. Outlines how and why people are considered the weakest links in the cybersecurity chain.
8: Technical Factors.
Looks at the core of current cybersecurity approaches, what technical protection is typically used to protect against the threats.
9: Evolving Attack & Defense Methods.
Reviews how attack and defense methods are evolving.
10: Case Study: Sony 2014.
Brings together how human and technical factors can combine to create devastating consequences in a very recent example.
11. The Cybersecurity Cold War.
Covers the range of different organizations and individuals who are looking to benefit from cybersecurity gaps and what their motives are.
12. Risk-Based Cybersecurity & Stacked Risks.
Increases understanding on how to measure risks more thoroughly and protect against chains of risks forming and failing together.
13. How Cyber Exposed Are You?
Provides some simple, logical self-checks to instantly understand how confident you are (or are not) about your organization's cybersecurity status.
14. What to do When Things go Wrong...
How to manage Security Incidents through a logical process.
15. A Glimpse toward the Future.
Predicts the major technical changes expected over the next 10 years and then looks out as far as 2050 to understand where cybersecurity is headed.
16. Bringing it all Together.
Pulls all of the sections of cybersecurity that have been learned through the book together to reinforce a confidence in understanding cybersecurity, where it fails and how to put an effective defense in place.
Cybersecurity To English (Definitions)
An A-to-Z list of cybersecurity-related terms in this book.
Note that an expanded version of the Cybersecurity to English Dictionary is available to purchase separately.
Nobody ever made a statue to honor a committee
If you are reading this book in its first year of publication, you might be wondering why there are so few books on the subject of cybersecurity.
The reasons are simple:
- Most cybersecurity experts get paid a lot anyway.
- Most of us are really busy.
- Very few of us know what we are doing well enough to put our reputation on the line by writing a book on the subject.
We also have to keep up to date. The subject area is evolving fast.
As I write this first edition, there is not even consensus on how to write the word cybersecurity. Is it one word or two? In the US, the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST) and ISACA (originally the Information Systems Audit & Control Authority) all use the one-word version. So does this book.
My aim has been to create something less technical and more informative than other available texts, providing an easy insight into how we got to need cybersecurity, what the implications are and to demonstrate that there are effective methods to control and mitigate the problems.
Attending multiple information security and cybersecurity conferences each year, often as a speaker, I began to realize in discussions with literally hundreds of professionals just how little concise and reliable information was available in the public domain. Most organizations, together with their information and cybersecurity professionals, are constantly trying to keep up with what the latest threats are and how to effectively measure, manage and monitor them.
Now that technology and digital devices are a core part of any organization and even critical to most people at an individual level, it became apparent that almost everybody would like to better understand this subject area. That means that not just technical people want to understand cybersecurity.
For that reason, this book is designed to be a great essentials text for anybody who wants to get a broad, rapid and holistic view of the subject area. You do not need any previous technical knowledge. Whenever any technical term is used, you will find a plain, non-technical English definition right below its first usage.
Although I have worked in security and compliance for well over a decade, it was only in 2009 that I began to need to specifically review and audit cybersecurity. I was lucky to be sponsored by one of the largest companies in the world to look into both their internal controls and their most significant suppliers.
One of those early pieces of work was to prepare a white paper on the capabilities and limitations of Amazon Web Services, Salesforce and others. The significance of the contract value from the sponsoring company provided me with access to some of the best cybersecurity minds on the planet and to a rapid and early appreciation of cyber risks and how to mitigate them.