Cisco Cs


The Cybersecurity Landscape

Cybersecurity risks and threats are ever-present in our world today. The infrastructure of
networks and the Internet are increasingly vulnerable to a wide variety of both physical
and cyber attacks. Sophisticated cyber criminals, as well as nations, exploit these
vulnerabilities to steal information and money.

Our networks are particularly difficult to secure for a number of reasons:

• Networks are increasingly integrated and complex.

• Networks are connected to physical devices.

• Cyber criminals can access networks from anywhere in the world.

In today’s workforce, there is a shortage of people trained in the field of cybersecurity.

Here are just a few of the specialties you might consider for your career:

• Cybersecurity Specialist

• Cybersecurity Forensic Expert

• Information Security Expert

• Ethical Hacker

All of these roles can be part of your work in the exciting, ever-changing, high-demand field
of cybersecurity. Students who complete the Cybersecurity Essentials course are prepared
to continue their education in more advanced security courses.

A Global Community

When you participate in the Networking Academy, you are joining a global community
linked by common goals and technologies. Schools, colleges, universities, and other
entities in over 160 countries participate in the program.

Look for the Cisco Networking Academy official site on Facebook© and LinkedIn©. The
Facebook site is where you can meet and engage with other Networking Academy
students from around the world. The Cisco Networking Academy LinkedIn site connects
you with job postings, and you can see how others are effectively communicating their
skills.

More Than Just Information

The netacad.com learning environment is an important part of the overall course
experience for students and instructors in the Networking Academy. These online course
materials include course text and related interactive media, paper-based labs, and many
different types of quizzes. All of these materials provide important feedback to help you
assess your progress throughout the course.

The material in this course is presented using a broad range of technologies including text,
graphics, voice, video, and rich interactions. These technologies help facilitate how people
work, live, play, and learn.

Networking and the Internet affect people differently in different parts of the world.
Although we have worked with instructors from around the world to create these
materials, it is important that you work with your instructor and fellow students to make
the material in this course applicable to your local situation.

How We Teach

E-doing is a design philosophy that applies the principle that people learn best by doing.
The curriculum includes embedded, highly interactive e-doing activities to help stimulate
learning, increase knowledge retention, and make the whole learning experience much
richer. This e-doing makes understanding the content much easier.

Course Overview

By the end of this course, you will be able to:

• Describe the characteristics of criminals and heroes in the cybersecurity realm.

• Describe the principles of confidentiality, integrity, and availability as they relate to
data states and cybersecurity countermeasures.

• Describe the tactics, techniques and procedures used by cyber criminals.

• Describe how technologies, products, and procedures are used to protect
confidentiality.

• Describe how technologies, products, and procedures are used to ensure integrity.

• Describe how technologies, products, and procedures provide high availability.

• Explain how cybersecurity professionals use technologies, processes, and procedures
to defend all components of the network.

• Explain the purpose of laws related to cybersecurity.

Chapter 1: Cybersecurity - A World of Experts and Criminals

Many of the world’s original hackers were computer hobbyists, programmers and students
during the 60’s. Originally, the term hacker described individuals with advanced
programming skills. Hackers used these programming skills to test the limits and
capabilities of early systems. These early hackers were also involved in the development
of early computer games. Many of these games included wizards and wizardry.

As the hacking culture evolved, it incorporated the lexicon of these games into the culture
itself. Even the outside world began to project the image of powerful wizards upon this
misunderstood hacking culture. Books such as Where Wizards Stay up Late: The Origins of
The Internet published in 1996 added to the mystique of the hacking culture. The image
and lexicon stuck. Many hacking groups today embrace this imagery. One of the most
infamous hacker groups goes by the name Legion of Doom. It is important to understand
the cyber culture in order to understand the criminals of the cyber world and their
motivations.

Sun Tzu was a Chinese philosopher and warrior in the sixth century BC. Sun Tzu wrote the
book titled, The Art of War, which is a classic work about the strategies available to
defeat the enemy. His book has given guidance to tacticians throughout the ages. One of
Sun Tzu’s guiding principles was to know your opponent. While he was specifically
referring to war, much of his advice translates to other aspects of life, including the
challenges of cybersecurity. This chapter begins by explaining the structure of the
cybersecurity world and the reason it continues to grow.

This chapter discusses the role of cyber criminals and their motivations. Finally, the
chapter explains how to become a cybersecurity specialist. These cybersecurity
specialists help defeat the cyber criminals that threaten the cyber world.

Overview of the Cybersecurity Domains

There are many data groups that make up the different domains of the “cyber world”. When
groups are able to collect and utilize massive amounts of data, they begin to amass power
and influence. This data can be in the form of numbers, pictures, video, audio, or any type
of data that can be digitized. These groups could become so powerful that they operate as
though they are separate powers, creating separate cybersecurity domains.

Companies such as Google, Facebook, and LinkedIn, could be considered to be data
domains in our cyber world. Extending the analogy further, the people who work at these
digital companies could be considered cybersecurity experts.

The word ‘domain’ has many meanings. Wherever there is control, authority, or protection,
you might consider that ‘area’ to be a domain. Think of how a wild animal will protect its
own declared domain. In this course, consider a domain to be an area to be protected. It
may be limited by a logical or physical boundary. This will depend on the size of the system
involved. In many respects, cybersecurity experts have to protect their domains according
to the laws of their own country.

Examples of Cybersecurity Domains

The experts at Google created one of the first and most powerful domains within the
broader cyber world of the Internet. Billions of people use Google to search the web every
day. Google has arguably created the world’s largest data collection infrastructure. Google
developed Android, the operating system installed on over 80% of all mobile devices
connected to the Internet. Each device requires users to create Google accounts that can
save bookmarks and account information, store search results, and even locate the device.

Facebook is another powerful domain within the broader Internet. The experts at Facebook
recognized that people create personal accounts every day to communicate with family
and friends. In doing so, you are volunteering a great deal of personal data. These
Facebook experts built a massive data domain to enable people to connect in ways that
were unimaginable in the past. Facebook affects millions of lives on a daily basis and
empowers companies and organizations to communicate with people in a more personal
and focused manner.

LinkedIn is yet another data domain on the Internet. The experts at LinkedIn recognized
that their members would share information in the pursuit of building a professional
network. LinkedIn users upload this information to create online profiles and connect with
other members. LinkedIn connects employees with employers and companies to other
companies worldwide. There are broad similarities between LinkedIn and Facebook.

A look inside these domains reveals how they are constructed. At a fundamental level,
these domains are strong because of the ability to collect user data contributed by the
users themselves. This data often includes users’ backgrounds, discussions, likes,
locations, travels, interests, friends and family members, professions, hobbies, and work
and personal schedules. Experts create great value for organizations interested in using
this data to better understand and communicate with their customers and employees.

The Growth of the Cyber Domains

The data collected within the Internet is considerably more than just the data that the
users contribute voluntarily. Cyber domains continue to grow as science and technology
evolve, enabling the experts and their employers (Google, Facebook, LinkedIn, etc.) to
collect many other forms of data. Cyber experts now have the technology to track
worldwide weather trends, monitor the oceans, as well as the movement and behavior of
people, animals and objects in real time.

New technologies, such as Geospatial Information Systems (GIS) and the Internet of
Things (IoT), have emerged. These new technologies can track the health of trees in a
neighborhood. They can provide up-to-date locations of vehicles, devices, individuals and
materials. This type of information can save energy, improve efficiencies, and reduce
safety risks. Each of these technologies will also result in exponentially expanding the
amount of data collected, analyzed and used to understand the world. The data collected
by GIS and IoE poses a tremendous challenge for cybersecurity professionals in the future.
The type of data generated by these devices has the potential to enable cyber criminals to
gain access to very intimate aspects of daily life.

Who Are the Cyber Criminals?

In the early years of the cybersecurity world, the typical cyber criminals were teenagers or
hobbyists operating from a home PC, with attacks mostly limited to pranks and vandalism.
Today, the world of the cyber criminals has become more dangerous. Attackers are
individuals or groups who attempt to exploit vulnerabilities for personal or financial gain.
Cyber criminals are interested in everything from credit cards to product designs, and
anything with value.

Amateurs

Amateurs, or script kiddies, have little or no skill, often using existing tools or instructions
found on the Internet to launch attacks. Some are just curious, while others try to
demonstrate their skills and cause harm. They may be using basic tools, but the results
can still be devastating.

Hackers

This group of criminals breaks into computers or networks to gain access for various
reasons. The intent of the break-in determines the classification of these attackers as
white, gray, or black hats. White hat attackers break into networks or computer systems to
discover weaknesses in order to improve the security of these systems. The owners of the
system give permission to perform the break-in, and they receive the results of the test. On
the other hand, black hat attackers take advantage of any vulnerability for illegal personal,
financial or political gain. Gray hat attackers are somewhere between white and black hat
attackers. The gray hat attackers may find a vulnerability and report it to the owners of the
system if that action coincides with their agenda. Some gray hat hackers publish the facts
about the vulnerability on the Internet, so that other attackers can exploit it.

The figure gives details about the terms white hat hacker, black hat hacker, and gray hat
hacker.

Organized Hackers

These criminals include organizations of cyber criminals, hacktivists, terrorists, and state-
sponsored hackers. Cyber criminals are usually groups of professional criminals focused
on control, power, and wealth. The criminals are highly sophisticated and organized, and
may even provide cybercrime as a service. Hacktivists make political statements to create
awareness of issues that are important to them. Hacktivists publicly publish
embarrassing information about their victims. State-sponsored attackers gather
intelligence or commit sabotage on behalf of their government. These attackers are
usually highly trained and well-funded. Their attacks focus on specific goals that are
beneficial to their government. Some state-sponsored attackers are even members of their
nations’ armed forces.

Cyber Criminal Motives

Cyber criminal profiles and motives have changed over the years. Hacking started in the
‘60s with phone freaking (or phreaking) which refers to using various audio frequencies to
manipulate phone systems. In the mid-‘80s, criminals used computer dial-up modems to
connect computers to networks and used password-cracking programs to gain access to
data. Nowadays, criminals are going beyond just stealing information. Criminals can now
use malware and viruses as high tech weapons. However, the greatest motivation for most
cyber criminals is financial. Cybercrime has become more lucrative than the illegal drug
trade.

General hacker profiles and motives have changed quite a bit. The figure displays modern
hacking terms and a brief description of each.

Why Become a Cybersecurity Specialist?

The demand for cybersecurity specialists has grown more than the demand for other IT
jobs. All of the technology that transforms the kingdom and improves people’s way of life
also makes it more vulnerable to attacks. Technology alone cannot prevent, detect,
respond and recover from cybersecurity incidents. Consider the following:

• The skill level required for an effective cybersecurity specialist and the shortage of
qualified cybersecurity professionals translates to higher earning potential.

• Information technology is constantly changing. This is also true for cybersecurity. The
highly dynamic nature of the cybersecurity field can be challenging and fascinating.

• A cybersecurity specialist’s career is also highly portable. Jobs exist in almost every
geographic location.

• Cybersecurity specialists provide a necessary service to their organizations,
countries, and societies, very much like law enforcement or emergency responders.

Becoming a cybersecurity specialist is a rewarding career opportunity.

Thwarting Cyber Criminals


Thwarting the cyber criminals is a difficult task and there is no such thing as a “silver
bullet.” However, company, government and international organizations have begun to take
coordinated actions to limit or fend off cyber criminals. The coordinated actions include:

• Creating comprehensive databases of known system vulnerabilities and attack
signatures (a unique arrangement of information used to identify an attacker’s
attempt to exploit a known vulnerability). Organizations share these databases
worldwide to help prepare for and fend off many common attacks.

• Establishing early warning sensors and alert networks. Due to cost and the
impossibility of monitoring every network, organizations monitor high-value targets or
create imposters that look like high-value targets. Because these high-value targets
are more likely to experience attacks, they warn others of potential attacks.

• Sharing cyber intelligence information. Business, government agencies and countries
now collaborate to share critical information about serious attacks to critical targets
in order to prevent similar attacks in other places. Many countries have established
cyber intelligence agencies to collaborate worldwide in combating major
cyberattacks.

• Establishing information security management standards among national and
international organizations. The ISO 27000 is a good example of these international
efforts.

• Enacting new laws to discourage cyberattacks and data breaches. These laws have
severe penalties to punish cyber criminals caught carrying out illegal actions.

The figure displays measures to thwart cyber criminals and a brief description of each.

Common Threats to End Users


As previously described, there are experts who are innovators and visionaries. They build
the different cyber domains of the Internet. They have the capacity to recognize the power
of data and harness it. Then they build their organizations and provide services, as well as
protecting people from cyberattacks. Ideally, cybersecurity professionals should recognize
the threat that data poses if it is used against people.

Threats and vulnerabilities are the main concern of cybersecurity professionals. Two
situations are especially critical:

• When a threat is the possibility that a harmful event, such as an attack, will occur.

• When a vulnerability makes a target susceptible to an attack.

For example, data in the wrong hands can result in a loss of privacy for the owners, can
affect their credit, or jeopardize their career or personal relationships. Identity theft is big
business. However, it is not necessarily the Googles and Facebooks that pose the greatest
risk. Schools, hospitals, financial institutions, government agencies, the workplace and e-
commerce pose even greater risks. Organizations like Google and Facebook have the
resources to hire top cybersecurity talent to protect their domains. As more organizations
build large databases containing all of our personal data, the need for cybersecurity
professionals increases. This leaves smaller businesses and organizations competing for
the remaining pool of cybersecurity professionals. Cyber threats are particularly dangerous
to certain industries and the records they must maintain.

Types of Personal Records

The following examples are just a few sources of data that can come from established
organizations.

Medical Records

Going to the doctor’s office results in the addition of more information to an electronic
health record (EHR). The prescription from a family doctor becomes part of the EHR. An
EHR includes physical health, mental health, and other personal information that may not
be medically related. For example, an individual goes to counseling as a child because of
major changes in the family. This will be somewhere in his or her medical records. Besides
the medical history and personal information, the EHR may also include information about
that person’s family. Several laws address protecting patient records.

Medical devices, such as fitness bands, use the cloud platform to enable wireless transfer,
storage and display of clinical data like heart rates, blood pressures and blood sugars.
These devices can generate an enormous amount of clinical data that can become part of
a medical record.

Education Records

Education records include information about grades, test scores, attendance, courses
taken, awards, degrees awarded, and disciplinary reports. This record may also include
contact information, health and immunization records, and special education records,
including individualized education programs (IEPs).

Employment and Financial Records

Employment information can include past employment and performance. Employment
records can also include salary and insurance information. Financial records may include
information about income and expenditures. Tax records could include paycheck stubs,
credit card statements, credit rating and banking information.

Threats to Internet Services

There are many essential technical services needed for a network, and ultimately the
Internet, to operate. These services include routing, addressing, domain naming, and
database management. These services also serve as prime targets for cyber criminals.

Criminals use packet-sniffing tools to capture data streams over a network. This means
that all sensitive data, like usernames, passwords and credit card numbers, are at risk.
Packet sniffers work by monitoring and recording all information coming across a network.
Criminals can also use rogue devices, such as unsecured Wi-Fi access points. If the
criminal sets this up near a public place, such as a coffee shop, unsuspecting individuals
may sign on and the packet sniffer copies their personal information.

Domain Name Service (DNS) translates a domain name, such as www.facebook.com, into
its numerical IP address. If a DNS server does not know the IP address, it will ask another
DNS server. With DNS spoofing (or DNS cache poisoning), the criminal introduces false
data into a DNS resolver’s cache. These poison attacks exploit a weakness in the DNS
software that causes the DNS servers to redirect traffic for a specific domain to the
criminal’s computer, instead of the legitimate owner of the domain.
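The cache-poisoning paragraph above describes the attack from the criminal’s side. What makes it hard in practice is the set of checks a resolver applies before it lets a reply into its cache. The following is an added example (not code from the course or from any resolver project) that builds a constructed DNS reply in wire format and runs those checks: the reply must arrive on the port the query left from, carry the matching transaction ID, be flagged as a response, echo the question, and may only contribute records that fall inside the queried zone (the “bailiwick” rule). The zone rule here is a simplification (the last two labels of the queried name) and no real network I/O takes place.

```python
"""Resolver-side acceptance checks that resist DNS cache poisoning.

Added example with constructed messages; not the course's own code and not a
real resolver. The point: an unsolicited or forged reply is rejected unless
port, transaction ID, QR flag and question all match, and even then only
in-bailiwick records are cached.
"""
import struct

ZONE_DEPTH = 2  # simplification: treat the last two labels (e.g. example.com) as the zone


def encode_name(name):
    """Dotted hostname -> DNS wire format (length-prefixed labels, zero terminator)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data, offset):
    """Read a wire-format name at offset, following compression pointers.
    Returns (dotted_name, offset just past the name in the original stream)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_response(txid, qname, answers):
    """Constructed reply carrying A records from `answers` [(owner_name, ipv4), ...]."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR=1, RD, RA
    question = encode_name(qname) + struct.pack("!HH", 1, 1)            # type A, class IN
    body = b""
    for owner, ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        body += encode_name(owner) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return hdr + question + body


def parse_response(data):
    """Minimal parser: header fields, the question, and the answer records."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    qname, off = decode_name(data, off)
    qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        answers.append((owner, rtype, ttl, data[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "flags": flags, "qname": qname, "qtype": qtype, "answers": answers}


def in_bailiwick(owner, qname):
    """True if `owner` lies inside the zone of `qname` (simplified: last ZONE_DEPTH labels)."""
    zone = ".".join(qname.lower().split(".")[-ZONE_DEPTH:])
    o = owner.lower()
    return o == zone or o.endswith("." + zone)


def validate_response(pending, data, source_port):
    """Decide whether a reply may update the cache for the outstanding query `pending`
    (dict with 'id', 'port', 'qname', 'qtype'). Returns (accepted, reason, cacheable records)."""
    if source_port != pending["port"]:
        return False, "reply did not arrive on the port the query was sent from", []
    msg = parse_response(data)
    if msg["id"] != pending["id"]:
        return False, "transaction ID mismatch", []
    if not msg["flags"] & 0x8000:
        return False, "QR bit not set: this is a query, not a reply", []
    if (msg["qname"].lower(), msg["qtype"]) != (pending["qname"].lower(), pending["qtype"]):
        return False, "question section does not echo the outstanding query", []
    cacheable = [a for a in msg["answers"] if in_bailiwick(a[0], pending["qname"])]
    return True, "accepted", cacheable


if __name__ == "__main__":
    pending = {"id": 0x1234, "port": 53000, "qname": "www.example.com", "qtype": 1}
    reply = build_response(0x1234, "www.example.com",
                           [("www.example.com", "192.0.2.10"), ("mail.other.test", "192.0.2.99")])
    print(validate_response(pending, reply, 53000))   # accepted, only the in-zone record kept
    print(validate_response(pending, reply, 53001))   # rejected: wrong source port
```

Port randomization and the transaction ID together make a blind forgery a guessing game of roughly 2^32 combinations instead of 2^16; the bailiwick filter stops a legitimately matched reply from smuggling in records for unrelated domains.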

Packets transport data across a network or the Internet. Packet forgery (or packet
injection) interferes with an established network communication by constructing packets
to appear as if they are part of a communication. Packet forgery allows a criminal to
disrupt or intercept packets. This process enables the criminal to hijack an authorized
connection or deny an individual’s ability to use certain network services. Cyber
professionals call this a man-in-the-middle attack.

The examples given only scratch the surface of the types of threats criminals can launch
against Internet and network services.

Threats to Key Industry Sectors

Key industry sectors offer networking infrastructure systems such as manufacturing,
energy, communication and transportation. For example, the smart grid is an enhancement
to the electrical generation and distribution system. The electrical grid carries power from
central generators to a large number of customers. A smart grid uses information to create
an automated advanced energy delivery network. World leaders recognize that protecting
their infrastructure is critical to protecting their economy.

Over the last decade, cyberattacks like Stuxnet proved that a cyberattack could
successfully destroy or interrupt critical infrastructures. Specifically, the Stuxnet attack
targeted the Supervisory Control and Data Acquisition (SCADA) system used to control and
monitor industrial processes. SCADA can be part of various industrial processes in
manufacturing, production, energy and communications systems.

A cyberattack could bring down or interrupt industry sectors like telecommunication,
transportation or electrical power generation and distribution systems. It could also
interrupt the financial services sector. One of the problems with environments that
incorporate SCADA is the fact that designers did not connect SCADA to the traditional IT
environment and the Internet. Therefore, they did not properly consider cybersecurity
during the development phase of these systems. Like other industries, organizations using
SCADA systems recognize the value of data collection to improve operations and decrease
costs. The resulting trend is to connect SCADA systems to traditional IT systems.
However, this increases the vulnerability of industries using SCADA systems.

The advanced threat potential that exists today demands a special breed of cyber security
experts.

Threats to People’s Way of Life

Cybersecurity is the ongoing effort to protect networked systems and data from
unauthorized access. On a personal level, everyone needs to safeguard his or her identity,
data, and computing devices. At the corporate level, it is the employees’ responsibility to
protect the organization’s reputation, data, and customers. At the state level, national
security and the citizens’ safety and well-being are at stake.

Cybersecurity professionals are often involved in working with government agencies in
identifying and collecting data.

In the U.S., the National Security Agency (NSA) is responsible for intelligence collection
and surveillance activities. The NSA built a new data center just to process the growing
volume of information. In 2015, the U.S. Congress passed the USA Freedom Act ending the
practice of collecting U.S. Citizens’ phone records in bulk. The program provided metadata
that gave the NSA information about communications sent and received.

The efforts to protect people’s way of life often conflict with their right to privacy. It will
be interesting to see what happens to the balance between these rights and the safety of
Internet users.

Internal and External Threats

Internal Security Threats

Attacks can originate from within an organization or from outside of the organization, as
shown in the figure. An internal user, such as an employee or contract partner, can
accidentally or intentionally:

• Mishandle confidential data

• Threaten the operations of internal servers or network infrastructure devices

• Facilitate outside attacks by connecting infected USB media into the corporate
computer system

• Accidentally invite malware onto the network through malicious email or websites

Internal threats have the potential to cause greater damage than external threats because
internal users have direct access to the building and its infrastructure devices. Internal
attackers typically have knowledge of the corporate network, its resources, and its
confidential data. They may also have knowledge of security countermeasures, policies
and higher levels of administrative privileges.

External Security Threats

External threats from amateurs or skilled attackers can exploit vulnerabilities in
networked devices, or can use social engineering, such as trickery, to gain access.
External attacks exploit weaknesses or vulnerabilities to gain access to internal
resources.

Traditional Data

Corporate data includes personnel information, intellectual property, and financial data.
Personnel information includes application materials, payroll, offer letters, employee
agreements, and any information used in making employment decisions. Intellectual
property, such as patents, trademarks and new product plans, allows a business to gain
economic advantage over its competitors. Consider this intellectual property as a trade
secret; losing this information can be disastrous for the future of the company. Financial
data, such as income statements, balance sheets, and cash flow statements, gives insight
into the health of the company.

The Vulnerabilities of Mobile Devices

In the past, employees typically used company-issued computers connected to a corporate
LAN. Administrators continuously monitor and update these computers to meet security
requirements. Today, mobile devices such as iPhones, smartphones, tablets, and
thousands of other devices, are becoming powerful substitutes for, or additions to, the
traditional PC. More and more people are using these devices to access enterprise
information. Bring Your Own Device (BYOD) is a growing trend. The inability to centrally
manage and update mobile devices poses a growing threat to organizations that allow
employee mobile devices on their networks.

The Emergence of the Internet of Things

The Internet of Things (IoT) is the collection of technologies that enable the connection of
various devices to the Internet. The technological evolution associated with the advent of
the IoT is changing commercial and consumer environments. IoT technologies enable
people to connect billions of devices to the Internet. These devices include appliances,
locks, motors, and entertainment devices, to name just a few. This technology affects the
amount of data that needs protection. Users access these devices remotely, which
increases the number of networks requiring protection.

With the emergence of IoT, there is much more data to be managed and secured. All of
these connections, plus the expanded storage capacity and storage services offered
through the Cloud and virtualization, have led to the exponential growth of data. This data
expansion created a new area of interest in technology and business called “Big Data”.

The Impact of Big Data

Big data is the result of data sets that are large and complex, making traditional data
processing applications inadequate. Big data poses both challenges and opportunities
based on three dimensions:

• The volume or amount of data

• The velocity or speed of data

• The variety or range of data types and sources


There are numerous examples of big corporate hacks in the news. Companies like Target,
Home Depot and PayPal are subjects of highly publicized attacks. As a result, enterprise
systems require dramatic changes in security product designs and substantial upgrades to
technologies and practices. Additionally, governments and industries are introducing more
regulations and mandates that require better data protection and security controls to help
guard big data.

Using Advanced Weapons

Software vulnerabilities today rely on programming mistakes, protocol vulnerabilities, or
system misconfigurations. The cyber criminal merely has to exploit one of these. For
example, a common attack involved constructing an input to a program in order to
sabotage the program, making it malfunction. This malfunction provided a doorway into the
program or caused it to leak information.

There is a growing sophistication seen in cyberattacks today. An advanced persistent
threat (APT) is a continuous computer hack that occurs under the radar against a specific
object. Criminals usually choose an APT for business or political motives. An APT occurs
over a long period with a high degree of secrecy using sophisticated malware.

Algorithm attacks can track system self-reporting data, like how much energy a computer
is using, and use that information to select targets or trigger false alerts. Algorithmic
attacks can also disable a computer by forcing it to use memory or by overworking its
central processing unit. Algorithmic attacks are more devious because they exploit
designs used to improve energy savings, decrease system failures, and improve
efficiencies.

Finally, the new generation of attacks involves intelligent selection of victims. In the past,
attacks would select the low hanging fruit or most vulnerable victims. However, with
greater attention to detection and isolation of cyberattacks, cyber criminals must be more
careful. They cannot risk early detection or the cybersecurity specialists will close the
gates of the castle. As a result, many of the more sophisticated attacks will only launch if
the attacker can match the object signature targeted.

Broader Scope and Cascade Effect

Federated identity management refers to multiple enterprises that let their users use the
same identification credentials gaining access to the networks of all enterprises in the
group. This broadens the scope and increases the probability of a cascading effect should
an attack occur.

A federated identity links a subject’s electronic identity across separate identity
management systems. For example, a subject may be able to log onto Yahoo! with Google
or Facebook credentials. This is an example of social login.

The goal of federated identity management is to share identity information automatically
across castle boundaries. From the individual user’s perspective, this means a single sign-
on to the web.

It is imperative that organizations scrutinize the identifying information shared with
partners. Social security numbers, names, and addresses may allow identity thieves the
opportunity to steal this information from a partner to perpetrate fraud. The most common
way to protect federated identity is to tie login ability to an authorized device.
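The federated-identity paragraphs above describe two defensive points: share as little identifying information with partners as possible, and tie login to an authorized device. The following is an added example (not code from the course, from any identity provider, or from any standard) of the checks a service provider would run on a login assertion issued by a partner identity provider. It assumes a shared HMAC key, constructed for the demo, where real federation protocols use asymmetric signatures; the claim names (iss, sub, aud, dev, iat, exp) are the example’s own choice. Note that the assertion carries only an opaque subject identifier and a device identifier, not the social security numbers or addresses the text warns about.

```python
"""Validating a federated login assertion at the relying party.

Added example; not the course's code and not any provider's protocol. The
identity provider (IdP) signs a short-lived assertion for one relying party;
the service provider (SP) accepts it only if the signature, issuer, audience,
expiry, and the enrolled device for that user all check out.
"""
import base64
import hashlib
import hmac
import json
import time

SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # constructed; real deployments use asymmetric keys


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(key, issuer, subject, audience, device_id, ttl=300, now=None):
    """IdP side: sign minimal claims about `subject` for exactly one relying party."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "dev": device_id, "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_assertion(key, token, trusted_issuer, my_audience, enrolled_devices, now=None):
    """SP side: return (accepted, reason, claims).
    `enrolled_devices` maps subject -> set of device ids registered for that user."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed token", None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):        # constant-time comparison
        return False, "bad signature", None
    claims = json.loads(_unb64(body))
    if claims.get("iss") != trusted_issuer:
        return False, "untrusted issuer", None
    if claims.get("aud") != my_audience:               # stops replay at a different partner
        return False, "assertion was issued for a different service", None
    if now >= claims.get("exp", 0):
        return False, "expired", None
    if claims.get("dev") not in enrolled_devices.get(claims.get("sub"), set()):
        return False, "device not enrolled for this user", None
    return True, "accepted", claims


if __name__ == "__main__":
    enrolled = {"user-42": {"dev-A"}}                  # constructed device registry
    token = issue_assertion(SHARED_KEY, "idp.example", "user-42", "sp.example", "dev-A")
    print(verify_assertion(SHARED_KEY, token, "idp.example", "sp.example", enrolled))
    print(verify_assertion(SHARED_KEY, token, "idp.example", "other.example", enrolled))
```

The audience check is what limits the cascade effect the text describes: an assertion stolen from one partner in the federation cannot be presented to another, and the device check means a stolen password alone does not satisfy the partner either.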

Safety Implications

Emergency call centers in the U.S. are vulnerable to cyberattacks that could shut down
911 networks, jeopardizing public safety. A telephone denial of service (TDoS) attack uses
phone calls against a target telephone network, tying up the system and preventing
legitimate calls from getting through. Next-generation 911 call centers are vulnerable
because they use Voice-over-IP (VoIP) systems rather than traditional landlines. In addition
to TDoS attacks, these call centers can also be at risk of distributed-denial-of-service
(DDoS) attacks that use many systems to flood the resources of the target, making the
target unavailable to legitimate users. There are many ways nowadays to request 911 help,
from using an app on a smartphone to using a home security system.

Heightened Recognition of Cybersecurity Threats

The defenses against cyberattacks at the start of the cyber era were low. A smart high
school student or script kiddie could gain access to systems. Countries across the world
have become more aware of the threat of cyberattacks. The threat posed by cyberattacks
now heads the list of greatest threats to national and economic security in most countries.

Addressing the Shortage of Cybersecurity Specialists

In the U.S., the National Institute of Standards and Technology (NIST) created a
framework for companies and organizations in need of cybersecurity professionals. The
framework enables companies to identify the major types of responsibilities, job titles, and
workforce skills needed. The National Cybersecurity Workforce Framework categorizes
and describes cybersecurity work. It provides a common language that defines
cybersecurity work along with a common set of tasks and skills required to become a
cybersecurity specialist. The framework helps to define professional requirements in
cybersecurity.

The National Cybersecurity Workforce Framework

The Workforce Framework categorizes cybersecurity work into seven categories.

Operate and Maintain includes providing the support, administration, and maintenance
required to ensure IT system performance and security.

Protect and Defend includes the identification, analysis, and mitigation of threats to
internal systems and networks.

Investigate includes the investigation of cyber events and/or cyber crimes involving IT
resources.

Collect and Operate includes specialized denial and deception operations and the
collection of cybersecurity information.

Analyze includes highly specialized review and evaluation of incoming cybersecurity
information to determine if it is useful for intelligence.

Oversight and Development provides for leadership, management, and direction to
conduct cybersecurity work effectively.

Securely Provision includes conceptualizing, designing, and building secure IT systems.

Within each category, there are several specialty areas. The specialty areas then define
common types of cybersecurity work.

The figure displays each of the categories and a brief description of each.

Professional Organizations

Cybersecurity specialists must collaborate with professional colleagues frequently.
International technology organizations often sponsor workshops and conferences. These
organizations often keep cybersecurity professionals inspired and motivated.

Click the logos in the figure to learn more about a few important security organizations.

Cybersecurity Student Organizations and Competitions

Cybersecurity specialists must have the same skills as hackers, especially black hat
hackers, in order to protect against attacks. How can an individual build and practice the
skills necessary to become a cybersecurity specialist? Student skills competitions are a
great way to build cybersecurity knowledge, skills, and abilities. There are many national
cybersecurity skills competitions available to cybersecurity students.

Click the logos in the figure to learn more about student cybersecurity competitions,
organizations, and clubs.

https://www.uscyberpatriot.org/

https://www.skillsusa.org/

https://www.uscyberchallenge.org/

https://nationalcyberleague.org/

Industry Certifications

In a world of cybersecurity threats, there is a great need for skilled and knowledgeable
information security professionals. The IT industry established standards for cybersecurity
specialists to obtain professional certifications that provide proof of skill and knowledge
level.

CompTIA Security+

Security+ is a CompTIA-sponsored testing program that certifies the competency of IT
administrators in information assurance. The Security+ test covers the most important
principles for securing a network and managing risk, including concerns associated with
cloud computing.

EC-Council Certified Ethical Hacker (CEH)

This intermediate-level certification asserts that cybersecurity specialists holding this
credential possess the skills and knowledge for various hacking practices. These
cybersecurity specialists use the same skills and techniques used by the cyber criminals
to identify system vulnerabilities and access points into systems.

SANS GIAC Security Essentials (GSEC)

The GSEC certification is a good choice for an entry-level credential for cybersecurity
specialists who can demonstrate that they understand security terminology and concepts
and have the skills and expertise required for “hands-on” security roles. The SANS GIAC
program offers a number of additional certifications in the fields of security administration,
forensics, and auditing.

(ISC)^2 Certified Information Systems Security Professional (CISSP)

The CISSP certification is a vendor-neutral certification for those cybersecurity specialists
with a great deal of technical and managerial experience. It is also formally approved by
the U.S. Department of Defense (DoD) and is a globally recognized industry certification in
the security field.

ISACA Certified Information Security Manager (CISM)

Cyber heroes responsible for managing, developing, and overseeing information security
systems at the enterprise level, or those developing best security practices, can qualify
for CISM. Credential holders possess advanced skills in security risk management.

Company-Sponsored Certifications

Other important credentials for cybersecurity specialists are company-sponsored
certifications. These certifications measure knowledge and competency in installing,
configuring, and maintaining vendor products. Cisco and Microsoft are examples of
companies with certifications that test knowledge of their products. Click here to explore
the matrix of the Cisco certifications shown in the figure.

Cisco Certified Network Associate Security (CCNA Security)

The CCNA Security certification validates that a cybersecurity specialist has the
knowledge and skills required to secure Cisco networks.

Click here to learn more about the CCNA Security certification.


How to Become a Cybersecurity Expert

To become a successful cybersecurity specialist, the potential candidate should look at
some of the unique requirements. Heroes must be able to respond to threats as soon as
they occur. This means that the working hours can be somewhat unconventional.

Cyber heroes also analyze policy, trends, and intelligence to understand how cyber
criminals think. Many times, this may involve a large amount of detective work.

The following recommendations will help aspiring cybersecurity specialists to achieve
their goals:

 Study: Learn the basics by completing courses in IT. Be a life-long learner.
Cybersecurity is an ever-changing field, and cybersecurity specialists must keep up.

 Pursue Certifications: Industry and company sponsored certifications from
organizations such as Microsoft and Cisco prove that one possesses the knowledge
needed to seek employment as a cybersecurity specialist.

 Pursue Internships: Seeking out a security internship as a student can lead to
opportunities down the road.

 Join Professional Organizations: Join computer security organizations, attend
meetings and conferences, and join forums and blogs to gain knowledge from the
experts.

Chapter 1: Cybersecurity - A World of Experts and Criminals

 This chapter explained the structure of the cybersecurity world and the reasons it
continues to grow with data and information as the prized currency.
 This chapter also discussed the role of cyber criminals by examining what
motivates them. It introduced the spread of threats due to the ever-expanding
technical transformations taking place throughout the world.
 Finally, the chapter explained how to become a cybersecurity specialist to help
defeat the cyber criminals who develop the threats. It also discussed the resources
available to help create more experts. While you must stay on the right side of the
law, cybersecurity experts must have the same skills as cyber criminals.
 If you would like to further explore the concepts in this chapter, please check out
the Additional Resources and Activities page in Student Resources.

Chapter 2: The Cybersecurity Cube

Cybersecurity professionals are best described as experts charged with the protection of
cyberspace. John McCumber is one of the early cybersecurity experts, developing a
commonly used framework called the McCumber Cube or the Cybersecurity Cube. This is
used as a tool when managing the protection of networks, domains, and the Internet. The
Cybersecurity Cube looks somewhat like a Rubik's Cube.

The first dimension of the Cybersecurity Cube includes the three principles of information
security. Cybersecurity professionals refer to the three principles as the CIA Triad. The
second dimension identifies the three states of information or data. The third dimension of
the cube identifies the expertise required to provide protection. These are often called the
three categories of cybersecurity safeguards.

The chapter also discusses the ISO cybersecurity model. The model represents an
international framework to standardize the management of information systems.

The Principles of Security

The first dimension of the cybersecurity cube identifies the goals to protect cyberspace.
The goals identified in the first dimension are the foundational principles. These three
principles are confidentiality, integrity and availability. The principles provide focus and
enable the cybersecurity expert to prioritize actions when protecting any networked
system.

Confidentiality prevents the disclosure of information to unauthorized people, resources, or
processes. Integrity refers to the accuracy, consistency, and trustworthiness of data.
Finally, availability ensures that information is accessible by authorized users when
needed. Use the acronym CIA to remember these three principles.

The States of Data

Cyberspace is a domain containing a considerable amount of critically important data;
therefore, cybersecurity experts focus on protecting data. The second dimension of the
Cybersecurity Cube focuses on the problems of protecting all of the states of data in
cyberspace. Data has three possible states:

 Data in transit

 Data at rest or in storage

 Data in process

The protection of cyberspace requires cybersecurity professionals to account for the
safeguarding of data in all three states.

Cybersecurity Safeguards

The third dimension of the Cybersecurity Cube defines the skills and discipline a
cybersecurity professional can call upon to protect cyberspace. Cybersecurity
professionals must use a range of different skills and disciplines available to them when
protecting the data in the cyberspace. They must do this while remaining on the ‘right side’
of the law.

The Cybersecurity Cube identifies the three types of skills and disciplines used to provide
protection. The first skill includes the technologies, devices, and products available to
protect information systems and fend off cyber criminals. Cybersecurity professionals have
a reputation for mastering the technological tools at their disposal. However, McCumber
reminds them that the technological tools are not enough to defeat cyber criminals.
Cybersecurity professionals must also build a strong defense by establishing policies,
procedures, and guidelines that enable the users of cyberspace to stay safe and follow
good practices. Finally, users of cyberspace must strive to become more knowledgeable
about the threats of the cyberspace and establish a culture of learning and awareness.

The Principle of Confidentiality

Confidentiality prevents the disclosure of information to unauthorized people, resources
and processes. Another term for confidentiality is privacy. Organizations restrict access to
ensure that only authorized operators can use data or other network resources. For
example, a programmer should not have access to the personal information of all
employees.

Organizations need to train employees about best practices in safeguarding sensitive
information to protect themselves and the organization from attacks. Methods used to
ensure confidentiality include data encryption, authentication, and access control.

Protecting Data Privacy

Organizations collect a large amount of data. Much of this data is not sensitive because it
is publicly available, like names and telephone numbers. Other data collected, though, is
sensitive. Sensitive information is data protected from unauthorized access to safeguard
an individual or an organization. There are three types of sensitive information:

 Personal information is personally identifiable information (PII) that traces back to an
individual. Figure 2 lists this category of data.

 Business information is information that includes anything that poses a risk to the
organization if discovered by the public or a competitor. Figure 3 lists this category of
data.

 Classified information is information belonging to a government body classified by its
level of sensitivity. Figure 4 lists this category of data.

Controlling Access

Access control defines a number of protection schemes that prevent unauthorized access
to a computer, network, database, or other data resources. The concepts of AAA involve
three security services: Authentication, Authorization and Accounting. These services
provide the primary framework to control access.

The first “A” in AAA represents authentication. Authentication verifies the identity of a
user to prevent unauthorized access. Users prove their identity with a username or ID. In
addition, users need to verify their identity by providing one of the following as shown in
Figure 1:

 Something they know (such as a password)

 Something they have (such as a token or card)

 Something they are (such as a fingerprint)

For example, if you go to an ATM for cash, you need your bankcard (something you have)
and you need to know the PIN. This is also an example of multifactor authentication.
Multifactor authentication requires more than one type of authentication. The most popular
form of authentication is the use of passwords.

Authorization services determine which resources users can access, along with the
operations that users can perform, as shown in Figure 2. Some systems accomplish this by
using an access control list, or an ACL. An ACL determines whether a user has certain
access privileges once the user authenticates. Just because you can log onto the
corporate network does not mean that you have permission to use the high-speed color
printer. Authorization can also control when a user has access to a specific resource. For
example, employees may have access to a sales database during work hours, but the
system locks them out after hours.

Accounting keeps track of what users do, including what they access, the amount of time
they access resources, and any changes made. For example, a bank keeps track of each
customer account. An audit of that system can reveal the time and amount of all
transactions and the employee or system that executed the transactions. Cybersecurity
accounting services work the same way. The system tracks each data transaction and
provides auditing results. An administrator can set up computer policies as shown in
Figure 3 to enable system auditing.

The concept of AAA is similar to using a credit card, as indicated by Figure 4. The credit
card identifies who can use it, how much that user can spend, and accounts for items or
services the user purchased.

Cybersecurity accounting tracks and monitors in real time. Websites, like Norse, show
attacks in real-time based on data collected as part of an accounting or tracking system.
Click here to visit the Norse list of attack maps.
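The three AAA services described in this section, as an added example that is not part of the course text: a salted password check for authentication, an access control list with the work-hours restriction the text mentions for authorization, and an audit log for accounting. The user store, ACL, resource names, and timestamps are constructed for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, time


def _hash_password(salt: bytes, password: str) -> bytes:
    # Slow salted hash so a stolen user store cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, _hash_password(salt, password)


# Constructed user store: username -> (salt, hash). Passwords are made up.
USERS = {
    "alice": _make_user("correct horse battery staple"),
    "bob": _make_user("hunter2"),
}

# Constructed ACL: resource -> set of (user, operation) pairs that are permitted.
ACL = {
    "sales_db": {("alice", "read"), ("alice", "write"), ("bob", "read")},
    "color_printer": {("alice", "print")},
}

# Resources that, as in the text's example, are available only during work hours.
WORK_HOURS_ONLY = {"sales_db"}
WORK_START, WORK_END = time(8, 0), time(18, 0)

# Accounting: one record per access decision.
AUDIT_LOG = []


def authenticate(user: str, password: str) -> bool:
    """Authentication: check 'something they know' against the stored hash."""
    entry = USERS.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, _hash_password(salt, password))


def authorize(user: str, resource: str, operation: str, now: datetime) -> bool:
    """Authorization: consult the ACL, then the time-of-day restriction."""
    if (user, operation) not in ACL.get(resource, set()):
        return False
    if resource in WORK_HOURS_ONLY and not WORK_START <= now.time() < WORK_END:
        return False
    return True


def account(user, resource, operation, now: datetime, allowed: bool) -> None:
    """Accounting: record who asked for what, when, and the outcome."""
    AUDIT_LOG.append({"time": now.isoformat(), "user": user, "resource": resource,
                      "operation": operation, "allowed": allowed})


def access(user: str, password: str, resource: str, operation: str, when: str) -> bool:
    """Run the three AAA steps for one request; 'when' is an ISO-8601 timestamp."""
    now = datetime.fromisoformat(when)
    if not authenticate(user, password):
        account(user, resource, operation, now, False)
        return False
    allowed = authorize(user, resource, operation, now)
    account(user, resource, operation, now, allowed)
    return allowed


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print(access("alice", pw, "sales_db", "read", "2024-01-15T10:00"))  # during work hours
    print(access("alice", pw, "sales_db", "read", "2024-01-15T22:00"))  # locked out after hours
    for record in AUDIT_LOG:
        print(record)
```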

Laws and Liability

Confidentiality and privacy seem interchangeable, but from a legal standpoint, they mean
different things. Most privacy data is confidential, but not all confidential data is private.
Access to confidential information occurs after confirming proper authorization. Financial
institutions, hospitals, medical professionals, law firms, and businesses handle
confidential information. Confidential information has a non-public status. Maintaining
confidentiality is more of an ethical duty.

Privacy is the appropriate use of data. When organizations collect information provided by
customers or employees, they should only use that data for its intended purpose. Most
organizations will require the customer or employee to sign a release form giving the
organization permission to use the data.

All of the laws listed in the figure include a provision for dealing with privacy starting with
U.S. laws in Figure 1. Figure 2 lists a sampling of international efforts. Most of these laws
are a response to the massive growth in data collection.

The growing number of privacy related statutes create a tremendous burden on
organizations that collect and analyze data. Policies are the best way for an organization
to comply with the growing number of privacy related laws. Policies enable organizations
to enforce specific rules, procedures, and processes when collecting, storing, and sharing
data.

Principle of Data Integrity

Integrity is the accuracy, consistency, and trustworthiness of data during its entire life
cycle. Another term for integrity is quality. Data undergoes a number of operations such as
capture, storage, retrieval, update, and transfer. Data must remain unaltered during all of
these operations by unauthorized entities.

Methods used to ensure data integrity include hashing, data validation checks, data
consistency checks, and access controls. Data integrity systems can include one or more
of the methods listed above.

Need for Data Integrity

Data integrity is a fundamental component of information security. The need for data
integrity varies based on how an organization uses data. For example, Facebook does not
verify the data that a user posts in a profile. A bank or financial organization assigns a
higher importance to data integrity than Facebook does. Transactions and customer
accounts must be accurate. In a healthcare organization, data integrity might be a matter
of life or death. Prescription information must be accurate.

Protecting data integrity is a constant challenge for most organizations. Loss of data
integrity can render entire data resources unreliable or unusable.

Integrity Checks

An integrity check is a way to measure the consistency of a collection of data (a file, a
picture, or a record). The integrity check performs a process called a hash function to take
a snapshot of data at an instant in time. The integrity check uses the snapshot to ensure
data remains unchanged.

A checksum is one example of a hash function. A checksum verifies the integrity of files,
or strings of characters, before and after they transfer from one device to another across a
local network or the Internet. Checksums simply convert each piece of information to a
value and sum the total. To test the data integrity, a receiving system just repeats the
process. If the two sums are equal, the data is valid (Figure 1). If they are not equal, a
change occurred somewhere along the line (Figure 2).

Common hash functions include MD5, SHA-1, SHA-256, and SHA-512. These hash functions
use complex mathematical algorithms. The hashed value is simply there for comparison.
For example, after downloading a file, the user can verify the integrity of the file by
comparing the hash values from the source with the one generated by any hash calculator.
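The checksum and hash comparison described above, as an added example that is not part of the course text. It contrasts the simple add-up-the-bytes checksum with SHA-256 from Python's standard library: a single corrupted bit is caught by both, but a tampered record whose bytes were only reordered keeps the same sum while its SHA-256 hash changes. The sample records are constructed for the example.

```python
import hashlib
import hmac


def sum_checksum(data: bytes) -> int:
    """The simple checksum the text describes: add every byte, keep 16 bits."""
    return sum(data) & 0xFFFF


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash of the data, as a hex string for comparison."""
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Receiver side: recompute the hash and compare it with the published one."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate a single corrupted bit in transit (constructed fault)."""
    altered = bytearray(data)
    altered[index] ^= 0x01
    return bytes(altered)


# Constructed sample record sent from a source system.
ORIGINAL = b"transfer amount=1000 to=acct-42"
# Constructed tampered copy: the digits of the amount are reordered.
# Same bytes in a different order, so a plain sum cannot tell them apart.
TAMPERED = b"transfer amount=0100 to=acct-42"


def checksum_detects(original: bytes, altered: bytes) -> bool:
    """True if the additive checksum changes between the two copies."""
    return sum_checksum(original) != sum_checksum(altered)


def hash_detects(original: bytes, altered: bytes) -> bool:
    """True if the SHA-256 hash changes between the two copies."""
    return sha256_hex(original) != sha256_hex(altered)


if __name__ == "__main__":
    corrupted = flip_bit(ORIGINAL, 0)
    print("bit flip, checksum detects:", checksum_detects(ORIGINAL, corrupted))
    print("reorder, checksum detects: ", checksum_detects(ORIGINAL, TAMPERED))
    print("reorder, SHA-256 detects:  ", hash_detects(ORIGINAL, TAMPERED))
    print("receiver verifies tampered copy:", verify_sha256(TAMPERED, sha256_hex(ORIGINAL)))
```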

Organizations use version control to prevent accidental changes by authorized users. Two
users cannot update the same object. Objects can be files, database records, or
transactions. For example, the first user to open a document has the permission to change
that document; the second person has a read-only version.

Accurate backups help to maintain data integrity if data becomes corrupted. An
organization needs to verify its backup process to ensure the integrity of the backup
before data loss occurs.

Authorization determines who has access to an organization’s resources based on their
need to know. For example, file permissions and user access controls ensure that only
certain users can modify data. An administrator can set permissions for a file to read-only.
As a result, a user accessing that file cannot make any changes.

The Principle of Availability

Data availability is the principle used to describe the need to maintain availability of
information systems and services at all times. Cyberattacks and system failures can
prevent access to information systems and services. For example, interrupting the
availability of the website of a competitor by bringing it down may provide an advantage to
its rival. These denial-of-service (DoS) attacks threaten system availability and prevent
legitimate users from accessing and using information systems when needed.

Methods used to ensure availability include system redundancy, system backups,
increased system resiliency, equipment maintenance, up-to-date operating systems and
software, and plans in place to recover quickly from unforeseen disasters.

Five Nines

People use various information systems in their day-to-day lives. Computers and
information systems control communications, transportation, and the manufacturing of
products. The continuous availability of information systems is imperative to modern life.
The term high availability describes systems designed to avoid downtime. High availability
ensures a level of performance for a longer than normal period. High availability systems
typically include three design principles (Figure 1):

 Eliminate single points of failure

 Provide for reliable crossover

 Detect failures as they occur

The goal is the ability to continue to operate under extreme conditions, such as during an
attack. One of the most popular high availability practices is five nines. The five nines refer
to 99.999%. This means that downtime is less than 5.26 minutes per year. Figure 2
provides three approaches to five nines.

Ensuring Availability

Organizations can ensure availability by implementing the following:

 Equipment maintenance

 OS and system updates

 Backup testing

 Disaster planning

 New technology implementations

 Unusual activity monitoring

 Availability testing
