Discover millions of ebooks, audiobooks, and so much more with a free trial

From $11.99/month after trial. Cancel anytime.

The Cyber Security Handbook – Prepare for, respond to and recover from cyber attacks
The Cyber Security Handbook – Prepare for, respond to and recover from cyber attacks
The Cyber Security Handbook – Prepare for, respond to and recover from cyber attacks
Ebook398 pages11 hours

The Cyber Security Handbook – Prepare for, respond to and recover from cyber attacks

Rating: 0 out of 5 stars

()

Read preview

About this ebook

In the world as we know it, you can be attacked both physically and virtually. For today’s organisations, which rely so heavily on technology – particularly the Internet – to do business, the latter is the far more threatening of the two. The cyber threat landscape is complex and constantly changing. For every vulnerability fixed, another pops up, ripe for exploitation.

This book is a comprehensive cyber security implementation manual which gives practical guidance on the individual activities identified in the IT Governance Cyber Resilience Framework (CRF) that can help organisations become cyber resilient and combat the cyber threat landscape.

Suitable for senior directors (CEO, CISO, CIO), compliance managers, privacy managers, IT managers, security analysts and others, the book is divided into six parts:

Part 1: Introduction. The world of cyber security and the approach taken in this book.
Part 2: Threats and vulnerabilities. A discussion of a range of threats organisations face, organised by threat category, to help you understand what you are defending yourself against before you start thinking about your actual defences.
Part 3: The CRF processes. Detailed discussions of each of the 24 CRF processes, explaining a wide range of security areas by process category and offering guidance on how to implement each.
Part 4: Eight steps to implementing cyber security. Our eight-step approach to implementing the cyber security processes you need and maintaining them.
Part 5: Reference frameworks. An explanation of how standards and frameworks work, along with their benefits. It also presents ten framework options, introducing you to some of the best-known standards and giving you an idea of the range available.
Part 6: Conclusion and appendices. The appendices include a glossary of all the acronyms and abbreviations used in this book.

Whether you are just starting out on the road to cyber security or looking to enhance and improve your existing cyber resilience programme, it should be clear that cyber security is no longer optional in today’s information age; it is an essential component of business success.

Make sure you understand the threats and vulnerabilities your organisation faces and how the Cyber Resilience Framework can help you tackle them. Start your journey to cyber security now – buy this book today!

LanguageEnglish
Publisheritgovernance
Release dateDec 10, 2020
ISBN9781787782624
Author

Alan Calder

Alan Calder is a leading author on IT governance and information security issues. He is the CEO of GRC International Group plc, the AIM-listed company that owns IT Governance Ltd. Alan is an acknowledged international cyber security guru. He has been involved in the development of a wide range of information security management training courses that have been accredited by the International Board for IT Governance Qualifications (IBITGQ). He is a frequent media commentator on information security and IT governance issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.

Read more from Alan Calder

Related to The Cyber Security Handbook – Prepare for, respond to and recover from cyber attacks

Related ebooks

Computer & Internet Law For You

View More

Related articles

Reviews for The Cyber Security Handbook – Prepare for, respond to and recover from cyber attacks

Rating: 0 out of 5 stars
0 ratings

0 ratings0 reviews

What did you think?

Tap to rate

Review must be at least 10 words

    Book preview

    The Cyber Security Handbook – Prepare for, respond to and recover from cyber attacks - Alan Calder

    Newsletter

    Part 1: Introduction

    CHAPTER 1: THE THREAT LANDSCAPE

    We live in a world where technology and vast quantities of data play a considerable role in everyday life, personal and professional. For the foreseeable future (and perhaps beyond), their growth and prominence are showing no signs of slowing down, even if the technology in question will likely change in ways perhaps unimaginable today. Naturally, all this innovation brings huge opportunities and benefits to companies and individuals alike. However, these come at more than just a financial cost.

    In the world as we know it, you can be attacked both physically and virtually. For today’s organisations, which rely so heavily on technology – particularly the Internet – to do business, the latter is the far more threatening of the two. The cyber threat landscape is complex and constantly changing. For every vulnerability fixed, another pops up, ripe for exploitation. Worse, when a vulnerability is identified, a tool that can exploit it is often developed and used within hours – faster than the time it normally takes for the vendor to release a patch, and certainly quicker than the time many organisations take to install that patch.

    The fact that technology is involved gives attackers a huge advantage over the defenders – not only can they attack anyone, anywhere, from the comfort of their home, they often have automated tools to identify their victims – and their vulnerabilities – for them. Moreover, from an attacker’s perspective, there is often a very good risk-to-reward ratio: for the victim, it can be hard enough to detect that the attack happened at all, never mind trace who was behind it. It is the very nature of the digital information that we are trying to protect that is easy to copy. In fact, stealing the information does not require removing it from its original location at all, meaning that the owner of that information may never realise that the theft happened.

    Unfortunately for us, committing crimes over the Internet can also be very lucrative. Physical pickpocketing may earn a thief cash and credit cards (that will likely be blocked very quickly, and can probably only be used up to the contactless limit per transaction anyway), but digitally targeting someone gives them a chance to steal that person’s identity and get credit cards issued in the victim’s name. Upscale that, and a criminal might think about targeting businesses that hold databases with thousands or even millions of credit card details and personal information about their owners. Whether they then directly use that information for themselves or sell it on the dark web (where you can buy virtually anything, from drugs and organs to hacking software and stolen credentials), the profits are certainly far greater than those of a physical crime conducted in the same timescale and with the same manpower.

    Because virtually every organisation holds valuable information, often in huge quantities (even if you are a small business), everyone is a target. More often than not, organisations cannot do business if they lose access to that information – making it one of their most important assets. At the same time, the fact that criminals can extract significant value from this information means that it is an asset to them too. There is good reason to refer to them as information ‘assets’ – by definition, someone else wants to get hold of them. Many a time, that ‘someone’ is a business partner who will go through the proper channels – but not everyone will take the legal route.

    It should therefore not come as a surprise that 46% of UK businesses alone experienced at least one cyber attack or breach during 2019, which increased to as much as 75% for large businesses.¹ Such attacks might range from simple phishing emails to complex, detailed operations masterminded by criminal gangs – although the trend over the past five years, according to the UK government’s 2020 Cyber Security Breaches Survey, is that cyber attacks are evolving and becoming more frequent² – but even the simplest attack, if executed successfully, can wreak havoc if you are not prepared. Clearly, it is in your organisation’s best interests to protect itself. Although this might cost, it will certainly prove far cheaper than experiencing a breach and having to deal with the operational, financial and reputational damage that follows.

    Yet, given the frequency of data breaches and cyber attacks in the press, many of them large-scale, you could be forgiven for thinking that it is impossible to defend your organisation against the predations of cyber attackers – after all, if massive multinationals cannot stay secure, what hope is there for small businesses?

    The answer is: more than you think. Cyber security does not have to cost vast amounts of money or take years to implement, particularly if you take a strategic approach and aim for the lower-hanging fruit first. And it is a worthwhile investment: no matter the size of your organisation, improving cyber security helps protect your data and that of your clients, improving business relations and opening up new business opportunities.

    ¹ UK Department for Digital, Culture, Media & Sport, Cyber Security Breaches Survey 2020, March 2020, https://www.gov.uk/government/publications/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020.

    ² Ibid.

    CHAPTER 2: INFORMATION AND CYBER SECURITY

    The terms ‘information security’ and ‘cyber security’ are often used interchangeably, when in fact they refer to different (albeit related) things.

    To start with the similarities, both information and cyber security are concerned with security on three fronts:

    1.Confidentiality:

    Information assets and systems should only be accessible to those who need access.

    2.Integrity:

    Information assets and systems should be protected from unauthorised modification, destruction and loss.

    3.Availability:

    Information assets and systems should be accessible to authorised persons as and when necessary.

    Considering all three aspects of security (also referred to as ‘CIA’) means that you will not make the common mistake of only taking confidentiality into account. Clearly, restricting information on a need-to-know basis is a critical element of security, but that information is only useful if you know it is correct and you are able to access it when you need it.

    There are, however, some important distinctions to draw between information and cyber security. The former considers all information held by an organisation, irrespective of whether that information is electronic or in hard copy format, whereas cyber security is a subset of information security, focusing specifically on protecting electronic information.

    Even though cyber security may seem like the more obvious route for organisations to take, considering how our world is becoming increasingly digitalised, there will always be an element of physical security to consider, if only because you need to protect your hardware to be able to access your digital information. On top of the matter of availability, firewalls and anti-malware software cannot completely protect your devices if someone can just look over your shoulder at what you are doing or take the device altogether.

    Part 3 of this book delves into the sort of measures you can take to protect your organisation from these risks.

    CHAPTER 3: CYBER RESILIENCE

    Unfortunately, even the most secure organisation can still fall victim to a cyber attack. To a large extent, it is simply a case of having the odds stacked against you: although you need to protect all your assets from all types of threat, an attacker requires only one weakness to get into your systems. On top of that, any security measure you put in place is only designed to stop a handful of threats – at most. That means that it is likely to be inherently ineffective against other kinds of threat.

    It is important both to recognise these challenges and to not view them as insurmountable.

    To understand why the former is so important, you only have to look at the past. History teaches us that if you assume that something cannot possibly go wrong, you may find it difficult, if not impossible, to remedy the situation if it goes wrong anyway. The Germans in World War II deemed the Enigma machine to be uncrackable, so never even considered the possibility that the British were intercepting and decrypting their messages. The RMS Titanic was deemed unsinkable, so only had 20 lifeboats with capacity for just over 1,000 people, when the ship itself had capacity for more than 3,000 individuals.

    On the other hand, acknowledging that your security system may fail despite your best efforts enables you to pre-emptively consider how something might go wrong and what you can do to limit the damage in such a situation. In other words, thinking resiliently will enable you to recover from attack – even if rare, when one happens, the consequences can be crippling if you have not planned how you will respond.

    Taking a defence-in-depth approach, where you have multiple layers of defence, each defending against a specific – and different – type of threat (this concept is discussed further in 12.12.8), is an excellent place to start. It is also vital that you do not limit your defences to preventive measures (see chapter 12), but also put detective measures (see chapter 13) in place – so you know when your preventive measures have failed – as well as responsive measures (see chapter 14), so you can move swiftly to contain the damage.

    CHAPTER 4: REGULATORY AND CONTRACTUAL REQUIREMENTS

    If the fact that your organisation needs to wade through a complex cyber threat landscape in order to compete in today’s digital world is in itself not a strong enough case to invest in cyber security and resilience, the added pressure from a global regulatory system that is beginning to catch up might be.

    4.1 International data privacy laws

    The introduction of the EU General Data Protection Regulation (GDPR) in 2016 – which was enforced two years later – marked a major milestone for data protection and privacy laws across the world. Most of us remember the flood of ‘we need your consent’ emails that arrived in our inboxes in the days leading up to and after the GDPR took effect,³ but those emails were only the tip of the iceberg.

    The GDPR places a wide range of security and privacy obligations on organisations that process the data of EU residents and is supported by a regime of significant financial penalties (up to the greater of 4% of annual turnover or €20 million (about £18 million or $23 million)). The GDPR also requires organisations based outside of the EU that process personal data on EU residents to appoint an EU representative, extending the reach of those obligations and penalties far beyond the EU’s physical borders. The Regulation is further enforced on an international level by prohibiting EU organisations from transferring data outside the EEA unless the recipient organisation in a ‘third country’ can guarantee that the GDPR’s standard for data security will be met.

    However, the GDPR is not the only data privacy law to have emerged in recent years. California and Brazil have respectively seen the California Privacy Rights Act (CPRA) and Lei Geral de Proteção de Dados Pessaoais (General Data Privacy Law) introduced, and further regulatory action on an international level is expected in the coming years.

    4.2 Cyber security requirements for critical infrastructure

    The increasing regulatory focus on data protection, privacy and continuity of key services inevitably leads to an increasing focus on cyber security, as so much of the information held by organisations is in electronic formats. Many organisations, including the majority of essential services, also rely on an electronic infrastructure.

    In view of that reliance, laws such as the EU Directive on security of network and information systems (NIS Directive) have also been introduced in recent years. This directive places specific cyber security and incident response obligations on digital service providers, including Cloud service providers and operators of essential services (OES), such as power and water, with a view to mitigating the disruption that could occur as the result of a major cyber security incident.

    For these types of critical providers, a successful cyber attack can easily have an impact in the physical world – think, for example, about the impact WannaCry had on the UK’s National Health Service, where thousands of appointments had to be cancelled.⁴ Because the health sector is such a vital one to keep going whatever the circumstances, healthcare organisations may well face additional cyber security requirements, such as the Data Security and Protection (DSP) Toolkit for the UK, and the Health Insurance Portability and Accountability Act (HIPAA) for the US.

    4.3 Contractual requirements

    It is not just laws that mandate effective cyber security. Cyber security obligations in contracts are also becoming increasingly common, as organisations better recognise the risks posed by information-sharing between suppliers and partners (third-party threats are discussed in more detail in chapter 10).

    If your organisation takes card payments, for example, banks will expect you to adhere to the requirements of the Payment Card Industry Data Security Standard (PCI DSS). As another example, many government contracts mandate a minimum level of cyber security to enter the tendering process, and often ask for proof in the form of certification to a recognised standard. Big, long-term contracts now commonly also ask for a minimum level of security, and for it to be proven in a supplier audit or through some form of externally verified certification. Organisations bound by these obligations are often also required to ensure comparable security throughout their supply chains.

    ³ As an aside, not all of those emails were necessary. Consent is only one of six lawful bases for processing – if you need to contact someone to provide a service in order to fulfil a contract, for instance, you can rely on contractual necessity. As another example, if you already have a commercial relationship with someone, you can often rely on legitimate interests to send them relevant marketing material.

    ⁴ BBC News, NHS ‘could have prevented’ WannaCry ransomware attack, October 2017, https://www.bbc.co.uk/news/technology-41753022.

    CHAPTER 5: IMPLEMENTING CYBER SECURITY

    Although chapter 1 mentioned that cyber security need not be expensive, and that your implementation does not need to take a long time, it can still be difficult to know where to start.

    In truth, there are many different and valid ways of implementing cyber security. The correct one for your organisation depends on your goals and requirements, so a good place to start is by clearly defining what they are. Our eight-step approach to implementing cyber security, laid out in part 4 of this book, will discuss in more detail how you might do this. For now, think about basic questions such as:

    •How do you identify threats and vulnerabilities? Is that process consistently applied?

    •What are your most important assets, and what level of protection do they need?

    •Are there specific regulatory or contractual requirements for cyber security that you must meet?

    •What level of security do your customers expect?

    •What do your competitors do in terms of security?

    •Do you rely on and/or offer services that must meet a minimum level of availability?

    •If you suffered a cyber incident or data breach, what would the consequences be?

    •How would you know an incident occurred?

    At this stage, do not worry about coming up with comprehensive answers – these questions are just intended to help get your juices flowing.

    5.1 Making trade-offs

    Whatever approach to security you take – even if that is to do nothing at all – there are always trade-offs to make.

    Doing nothing might be cheaper and more convenient in the short term, but with the inevitability of sooner or later being attacked, in the long term you may end up with a big bill and significant inconvenience (dealing with regulators and the press, operational impact, etc.). However, putting security measures in place also involves making trade-offs. To name but two examples, some solutions will be cheaper but might only protect you against one type of attack, while others might be more expensive but easier to implement or more convenient to use and maintain.

    Budget, privacy, convenience, complexity, resources, time, flexibility, etc. may all need to be considered as you decide what trade-offs to make and what solutions to implement. Ultimately, this process lies at the very heart of security, cyber or otherwise: deciding what sacrifices you are prepared to make (and are necessary) so you can meet your security requirements. More simply put, much like many other decisions in life, it is a process of weighing up the pros and cons. There is no such thing as perfect security, but there are solutions out there that are perfect for meeting your security needs.

    5.2 Three security pillars

    As you make your security trade-offs, be aware that your measures have to cover the three security ‘pillars’ – people, processes and technology – if you are to create an effective security system. People often just think about what technology to implement when they invest in cyber security, overlooking that any technical measures need to be implemented and maintained by people, who need to follow defined processes.

    The ‘people’ element is not limited to specialist staff. With the prevalence of the internal threat, any authorised user that has access to your systems can be a risk factor. They are often not maliciously motivated, but could have made a mistake – whether it is something relatively pedestrian, such as losing a USB stick, or something more exceptional, such as falling for a sophisticated phishing attack – that results in a data breach, installs malware, gives the attacker access to their account or any number of other cyber incidents. Chapter 8 has a more detailed discussion on the human threat.

    Of course, technology can help mitigate these threats to an extent – for instance, by installing anti-malware software and firewalls. However, much in tune with the earlier trade-off discussion, these solutions are not perfect, even if they can help prevent many common and low-level attacks. You will need some form of staff training and awareness if your employees are to recognise phishing attempts and other indicators of a cyber attack, and respond accordingly, in line with the appropriate policies and procedures.

    There are many more examples in which the three pillars clearly interact. Lockable cabinets are not very helpful if people forget to lock them overnight (or worse still, do not put confidential documents in them in the first place). If the person next to the intercom has to regularly buzz colleagues in because people forget their ID card, they may habitually not actually check who they are letting in. Having your password policy enforce complex passwords is not much use if people reuse passwords or write them down, etc.

    There is, however, one final point to remember, which is easily overlooked. Where people are involved, security can be both a feeling and a reality, and there are many cases in which only one of them is true. Most people consider flying less secure than driving, for instance, yet the statistics consistently show that aeroplane crashes are far rarer than fatal driving accidents. In a cyber security context, the knowledge that antivirus software has been installed might make you feel safe, and perhaps make you more careless when surfing the web than you otherwise would be. Such dangers should be considered as you select your security measures.

    5.3 The IT Governance Cyber Resilience Framework (CRF)

    Admittedly, there is a lot to take in when it comes to cyber security. However, you do not need to do all the legwork yourself – for a start, books such as this one can offer a trove of practical tips and guidance. There are also many frameworks available that can offer you an existing and proven structure to work from, reassuring you that you are heading in the right direction. There is a big range to choose from, although in the UK two are particularly common: Cyber Essentials, which has just five basic controls, and ISO 27001, which contains a substantial 114 controls, although you are only expected to implement those relevant to you. Part 5 of this book summarises ten different best-practice frameworks, so you can get an idea of the options available, and which might be suitable for your organisation.

    If these types of frameworks, for whatever reason, are not for you, rest assured that this book primarily offers content in line with best practice without referring to any external standard or framework. However, since this book still needs to be structured in an easy-to-follow format, the security controls and implementation steps covered are based on the IT Governance CRF, depicted in part in Table 1.

    This framework, first released in February 2019,⁵ forms a good base for any cyber security project for a number of reasons:

    •It has a comprehensive selection of processes (see the first column in Table 1), reducing the odds of overlooking any areas that require security controls.

    •The process selection is extremely flexible – you only implement the measures that you need based on your compliance and business requirements. Because of this, you can treat part 3 of this book (where each CRF process is discussed in detail) in an encyclopaedic way if you want to – reading just the bits you need in an order of your choice (although reading it from beginning to end works just as well). Chapter 11 provides a summary of each process, enabling you to quickly determine which processes you need to look at further.

    •The Framework offers further flexibility in its four maturity levels, discussed in more detail in chapter 16. This means that, on top of excluding

    Enjoying the preview?
    Page 1 of 1