Information security

Let’s start by thinking about what cybersecurity is and what we are trying to accomplish. Most
definitions of cybersecurity tend to focus on technology, so a typical definition might include the
“security of digital systems” or “security of communications”. These definitions tend to get
blurry, very quickly. For instance:
 What if a fraudster sends an email to a person claiming to be from their bank and asking
for their personal identification number (PIN). Is that a cybersecurity concern?
 What if a private investigator calls an employee of a company to ask him to print some
confidential files and leave the papers in the mail room them to collect. Is that a
cybersecurity concern?
In the real world, most attacks typically have some digital elements as well as some human
factors and occasionally a physical element too. Please keep this in mind. We should not just
focus on digital elements because this limits our thought process and gives potential attackers
greater flexibility.
Let’s consider a new concept called information security. Information security focuses on
the value of the information we are trying to protect rather than how we protect it. The
following diagram shows that under information security are the physical elements and digital
elements.

 Physical security is the practice of physically protecting assets like buildings, security
cameras, equipment, and property from physical threats such as theft, vandalism, fire, and
natural disasters.
 Cybersecurity is the practice of protecting and recovering networks, devices, and
programs from any type of malicious cyber attack.
 Good security cannot have one without the other and both must work towards the same
objectives.

EXAMPLE
Let's consider this from a customer's perspective. Imagine that you go to a travel company and
share your passport details to book a trip abroad. What if an employee of the company
accidentally emails your passport details to the wrong address or drops printed papers with your
passport details from a briefcase on a train? The result is the same. Your private information has
 been compromised. In information security, the emphasis is on the outcome rather than the
exact method.
What are cybersecurity professionals trying to accomplish?
According to the National Institute of Standards and Technology (NIST), information
security is: "The protection of information and information systems from unauthorized access,
use, disclosure, disruption, modification, or destruction in order to provide confidentiality,
integrity, and availability."
So, information security’s objectives are often defined using the CIA triad as a good starting
point. CIA is a mnemonic for the three objectives: Confidentiality, Integrity, and Availability.

Confidentiality Confidentiality means preventing information from falling into the hands of
Information is private people who do not have authorization to access the information.

Integrity Integrity means making sure the information stays accurate and consistent,
Information has not been and ensuring that unauthorized people cannot makes any changes to the
altered information.

Availability Availability means timely and reliable access to and use of the information
Information can be when required.
accessed when required

The CIA triad is a model to help guide policies for information security within an organization.
Different organizations and scenarios may mean that one objective is prioritized over the others.

EXAMPLE
Let's look at some examples to put the information security objectives into context for you.
 Confidentiality may be the most important objective for government intelligence
agencies. Think about the lengths they go to in order to keep information private, such as
using bespoke encryption or even lead-lined brief cases that sink if thrown into a body of
water.
 Integrity may be the most important objective for banks. Think about if you spent USD
$10 on a pizza. You would not be particularly concerned about this transaction being
confidential. However, if the transaction is altered and you end up spending USD
$10,000 instead, then you would be in serious financial trouble. Should this happen at
scale for your bank, it could cease operating as a result of a loss of trust.
 Availability may be the most important objective for a website. Think about if you have
a blog. You would not be particularly concerned if it was confidential or an editor helps
correct your spelling. You want it to be there and available to you any time you want to
update and publish it.
What do you think?
Let's look at how the information security objectives could relate to your day-to-day life by
evaluating assets that you likely value. In cybersecurity, an asset is defined as something that has
a value to its owner. Assets can be digital, such as a program, or physical, such as a server.
Sensitive information such as databases, research, or records can also be called information
assets.
Consider your personal bank account, photo library, social media account, and mobile
phone. How would a loss of Confidentiality, Integrity, and Availability impact you for each
asset? Use this provided scale of 1 to 5 to type your rating in the provided fields.
1) Low consequence: You would have no noticeable impact to day-to-day life.
3) Medium consequence: You would have minor impact resulting in a couple of hours of lost
time.
5) High consequence: You would have a life changing, massive impact that could last for months
or years.
The Highest value will calculate automatically so you can compare how you value your assets
and priorities.

EXAMPLE
There is one example already displaying for you: an online debate submission. In this example:
 A loss of Confidentiality is considered annoying, but will have only a minor impact and
is given a rating of 2.
 A loss of Integrity from another person editing the submission could start an argument,
which could lead to wasted time making updates. Integrity is therefore given a rating
of 3.
 Finally, should the online comment disappear entirely, or become inaccessible, there are
virtually no impacts, so a loss of Availability is given a rating of 1.
Now, using the rating system above, try and complete your evaluations.
Confidentiality Integrity Availability Highest value
Online debate 2 3 1 3
submission
Bank account
Photo library
Social media account
Mobile phone

When you are finished, you can see that certain assets matter more to you than others. This
should correspond with the Highest values you see. Do any of your evaluations of value surprise
you?
From a security perspective, it is sensible to prioritize your protections around the assets which
matter most to you. For instance, the password for your password manager may be 20+
characters long and kept private whereas a home wifi password may occasionally be shared with
friends and family!
In cybersecurity, organizations make these decisions all of the time.
Topic 2.
Key elements of cybersecurity
There are many ways to secure information assets and deciding on the best approach is an
important consideration in cybersecurity.

EXAMPLE
Imagine you have an expensive painting that you need to protect. One option could be to hire
some security guards to stand by the painting and constantly watch it. Another option could be
that you require all prospective visitors to your painting to place a monetary deposit down or
seek insurance confirmation. Finally, you could opt for laser trip wires, security cameras, and
motion sensors to detect unknown people. Each of these options has various advantages and
disadvantages. Like all great heist movies, relying on only one option may not be enough.
There are three key elements of cybersecurity to consider:

These are the areas where an attacker could attack and where organizations should focus
cybersecurity efforts. Let's examine them further in this lesson.
People
As counter intuitive as it might be for a highly digital industry, people are the most important
part of cybersecurity. First, people are the end users of digital systems and second, people are
often those responsible for the design and maintenance of digital systems. Human action is by far
the leading cause of cybersecurity incidents. When organizations design a secure system, they
must design with people in mind.
A common example of this going wrong is the case of alert fatigue. If people receive too many
notifications or alarms, then they eventually become desensitized to it. Good systems will be
designed to anticipate and make allowances for human behavior.
Process
In business, most activities follow a clearly defined set of steps. These processes can aid
cybersecurity by considering security at each step or hinder cybersecurity by being frustrating for
the end user.
Imagine a process which makes a user complete a 20-question survey whenever they wish to
report suspicious activity. Many users, who could contribute useful information, might be
deterred and give up the process.
Good processes have the following attributes:
 They are clear and as easy as possible. During the process, it should be obvious what to
do at every stage. Processes should not use unnecessary jargon or be written in an
ambiguous fashion.
 They are accessible or well known. All users who could follow a process at any stage,
should know how to access the process. A good example of this commonly being done
well is with fire evacuations in buildings. Most people know where the nearest
evacuation points are because of good signage.
 They are consistent. Processes should not contradict each other, if possible. If a process
has a lot of exceptions or deviations, it increases complexity. Later, you will learn about
how cyber attackers can exploit this during their attacks.
Technology
Technology is all of the underlying infrastructure.
Within cybersecurity, this commonly covers elements such as device encryption, network
perimeter defenses, and anti-malware technologies.
Within business, good uses of technology solve problems without creating new ones for their
users.
An example of good technical security is device management software, which can track software
patch statuses and apply updates. This is often an essential tool for large organizations. If this is
done correctly, then the technology is non-intrusive and users will be secured in a passive
manner. If this is done poorly, then users might try to disable the software entirely. As users of
devices, you encounter this too.
The following table shows some technological leaps for security, their perceived drawbacks, and
some downsides to their introduction from the user perspective.
 Undesirable user
Technological leap Business benefit Perceived drawback responses

Automated patch All software is up-to- Interruptions to use User does not power
management date of device down devices

High complexity Harder for attackers Tedious to use P@ssw0rd!

mandatory passwords to guess passwords

Mandatory passwords Passwords cannot be Predictably PasswordJan to then

expire after 30 days compromised for repetitive PasswordFeb
long periods of time

Encrypted emails Attackers cannot read Additional Disable encryption

emails in transit configuration and feature
complexity

You can see it is important for organizations to educate users as to why exactly the technology
has been introduced and why perceived drawbacks might be necessary.
Software development
Automated patch management is just one way that automation has improved software
development and security. To learn more, read about DevOps and DevSecOps, two related
approaches to software development that automate testing and security throughout the process.
DevOps (PDF)
DevSecOps (PDF)
What do you think?
Here are some questions to think about. Please type your answer to each question in the boxes.
Reflecting and typing an answer is a good way to process your thoughts. Your answers are just
for you and are only saved in this course for you. Be sure to click Save Text.
Think of a time when you have examined your own personal digital security for your computer
and/or devices.
1. In terms of people, did you attempt to educate yourself to improve your security posture?
Save Text

2. In terms of process, did you start any new processes, such as enabling two-factor
authentication for each login?

Save Text

3. In terms of technology, did you purchase or use a new technology to help improve your
personal security?

Save Text
Now try to apply what you’ve learned in this lesson. Please type your answers in the boxes. Your
answers are just for you and are only saved in this course for you. Be sure to select Save
Text after finishing each answer.
Explain how each key element of cybersecurity applies to the following examples.
Online bank account
People:

Save Text
Process:
Save Text
Technology:

Save Text
Personal laptop
People:

Save Text
Process:

Save Text
Technology:

Save Text
 Risk management
Risks are part of everyday life and something we are all instinctively familiar with. A risk is the
possibility of something happening with a negative consequence. Managing risk is at the heart of
most businesses and the core of many industries, such as the insurance industry. Good businesses
understand and manage risks effectively to give them a competitive advantage.
In this lesson, we'll explore some key concepts about risk and how they apply to cybersecurity.
Risk valuation
All risks are not equally important. Certain risks may require urgent attention whereas others
may be ignored. Risks that are more significant, are known as high risks. Here is a basic
equation to calculate the value of a risk:
Risk value = Consequence x Likelihood

Consequence is the impact and associated damages.

Likelihood is how often the risk impact occurs.
Ideally, for mathematical reasons, it would be great if we had good statistical information for
every risk. If, for instance, we know on a given year that 1 in 10 cars will experience a flat tire,
then the associated risk value can be easily worked out.

EXAMPLE
An example of the risk value equation applied to the the previous flat tire scenario could be as
follows. An individual may lose a day's productivity as a result of getting a flat tire on the way to
work. The consequence of this risk would be the loss of one day of work. While this
consequence is annoying, remember the likelihood of the risk is low - 1 in 10 cars in a given
year. This means we may assess the overall risk value to be low.
Within cybersecurity, likelihood is hard to directly measure due to the constant evolution of
technology and involvement of outside attackers. As a good rule of thumb, the likelihood of an
organization being attacked depends partly on three attributes as follows:
Likelihood = Adversary capability x Adversary motivation x Vulnerability severity

An adversary is a general term used to describe an entity who wishes to compromise an

information system. Later in this course, you will learn more about how adversaries can be
categorized. This will enable you to assign values for their capabilities and motivations.
Vulnerabilities are potential weaknesses within a system that could be exploited to compromise
it. For instance, a vulnerability could be a webpage that does not authenticate a user correctly.

EXAMPLE
An example of this second equation could be as follows. Let's imagine a bank is being targeted
by a criminal gang who is interested in stealing users' banking login details and passwords.
 The adversary capability could be assessed as medium because the criminals could use
a range of tools and develop their own tools if required.
 Their motivation could be assessed as high because they could attempt multiple attacks
over a period of time.
 An identified vulnerability could be assessed as high because it is comparatively easy to
exploit. For example, certain vulnerabilities have published descriptions online which
enable attackers to mirror attacks easily.
Note: Using the rating terms of "low", "medium", and "high" is an example of qualitative
analysis of risk. In an ideal world, we would use exact numbers or percentages; however these
can be hard to find so estimates are often all we have.
Risk response
Once an organization has assessed all of its risks, the emphasis is then placed upon risk
management, or response. In general, there are four responses to a risk that an organization could
choose. The following table describes them.

Accept The organization accepts the risk in its current form. This is a decision that will be made by a senior
individual within the organization, referred to as a “risk owner”.

Reduce The organization could decide a risk is too large to accept and aim to have it reduced in some fashio
This could either be through reducing the likelihood or consequence.

Transfe The organization may want a third party to accept the risk, or part of it, instead of accepting it
r themselves. This is done via insurance.

Reject The organization could decide a risk is too high and may withdraw from being affected by it. This w
 have significant business impacts such as shutting down sites or avoiding markets.

EXAMPLE
Let's illustrate these four responses to a risk. Imagine that you are considering starting a cake
baking business at home. There is a risk that your kitchen could be damaged if you set your oven
on fire during the baking process. Here are several responses to this risk.
 Acceptance: You could look at the risk and with faith in your baking, take the chance
that it is unlikely anything will go wrong. Should your baking go wrong, you can repair
your kitchen and are prepared to do so.
 Reduction: You decide that you would prefer your kitchen and oven are not put at a high
level of risk and you decide to reduce the risk. You could reduce the likelihood of fire-
related incidents by installing a smoke detector to provide early warning. You could
reduce the consequence of a fire by having a fire suppression system installed. Both
options will incur a small cost, but you believe they are worth it.
 Transference: You go to your insurance company and upgrade your insurance to cover
home cooking related fires. They perform their own assessment of the risk. Together you
agree on a cost to pay them to cover the risk. Should your oven catch fire, they will cover
the costs. This arrangement incurs a cost initially, but limits your liability.
 Rejection: You decide that the oven-related fire risk is too high. You could change
recipes to make cakes without using an oven or not start your business in the first place.
As you can see from this example, there are many things to consider in even a simple example.
Businesses with rapidly changing IT technology face many continually evolving risks. Risk
management is a full time occupation in many companies and guides a lot of both strategic and
tactical decision making.
Risk appetite
A risk appetite is the level of risk an organization is willing to accept.
 An organization is said to have a high risk appetite if it is willing to accept a high level of
risk.
 An organization is said to have a low risk appetite if it does not like accepting risk.
What do you think?
Here is a question to think about. Please type your answer in the box. Reflecting and typing an
answer is a good way to process your thoughts. Your answer is just for you and is only saved in
this course for you. Be sure to click Save Text.
Think of a risk that you have recently encountered in your life.
What was the risk and your response? Did you accept, reduce, transfer, or reject it?

Save Text
Now try to apply what you’ve learned in this lesson. Please type your answers in the boxes. Your
answers are just for you and are only saved in this course for you. Be sure to select Save
Text after finishing each answer.
Think of a life event that you have experienced that involved a cybersecurity risk. Some
examples include opening a bank account, creating a new social media account, or setting up a
home internet network.
What was the risk?

Save Text

What was your risk response? Explain how you accepted, reduced, transferred, or rejected the
risk.

Save Text
Common misconceptions
There are a lot of misconceptions about cybersecurity in the world today. They range from
unrealistic Hollywood clichés about the process of attacking a computer system to outdated
stereotypes of people who work in the industry. Let's examine a few common misconceptions
and provide some clarity for you.
Expand each misconception to debunk it.

Everyone who works in cybersecurity comes from an IT background.

While most roles within cybersecurity rely on IT either in part or entirely, the roles don’t all have
a firm dependence on that background. As you should already have noticed, since cybersecurity
covers so much, there is demand for talent in lots of areas. Skills range from people management
and communication to mathematics and data science. Having a diverse set of experiences and
skills also helps teams approach problems in new ways and this is very valuable.

All hackers are criminals.

The term hacker historically refers to someone who enjoys adapting things and discovering how
they work. This definition got mixed up with people who illegally tried to gain access to
computer systems with the intent of hijacking their operations. Today, there are thousands of
computer hackers who are employed in a variety of IT roles and contribute toward understanding
IT systems in a legal fashion as part of many businesses. Their curiosity and drive are invaluable
in ensuring IT systems are built in a safe and secure manner.

Cybersecurity is something I can’t do.

Due to the constantly evolving areas in cybersecurity and vast scope, there is something for
everyone. The diversity of roles requires a great diversity of skills. Those skills can range from
strategic analysis and anticipating the evolving landscape of IT businesses to vigilance and
patience in system monitoring roles. Keep in mind that there is a lot of education and training
available.
I'm too old or too young to work in this industry.

A good litmus test for the diversity of a team is to check how many decades are covered by the
team’s composition. A good team will have a diverse range of experiences and life views.
Cybersecurity needs to look at problems with both a fresh set of eyes and an experienced view.
Whether you think approaches are great or bad, you’ve probably got half of the solution and a
great voice to add to the dialogue.
What do you think?
Here is a question to think about. Please type your answer in the box. Reflecting and typing an
answer is a good way to process your thoughts. Your answer is just for you and is only saved in
this course for you. Be sure to click Save Text.
At this point in your learning, what assumption do you have about the cybersecurity industry? At
the end of the course, you can revisit this section to see if you still have this assumption.

Save Text
Laws and ethics
Cyber crime is quite a new concept, having only developed within the last 30 years. Before that,
people who used computers maliciously had to be prosecuted using a combination of theft and
telegraphy acts, which were not that applicable.
Today, a wide-ranging set of international laws have been created to govern the use of
computing technologies and protection of the information residing within them. Everyone is
affected by these laws and it is important that all cybersecurity professionals have a basic
understanding of them.
This lesson will provide a quick overview of common types of laws and the importance of
considering ethics.
Important Note
Laws are not the same across the world. They can vary greatly by country. You should check and
abide by the relevant laws for the country you live in and/or travel to. Some governments have
written their laws to be more prohibitive than others so that a legal action in one may be illegal in
another.
If you are in doubt, seek legal advice.
Common types of computer misuse laws
Let's review some common features or concepts that are mirrored around the world in computer
misuse laws.
Unapproved use or control of a computer device
 Many laws prohibit unauthorized or unapproved access or use of a computing device.
 This catch-all barrier means that hijacking computers through technical material or by
forcing access to a person’s account is banned.
 These laws can catch people for circumventing broken controls such as authentication.

EXAMPLE
Placing a fake log-in screen on a website to steal a set of user passwords and using them to spy
on someone’s account.
Preventing others from legitimate use
 These laws attempt to cover attacks on availability of computer resources, such as
networking capabilities.
  Actions that degrade the quality of service for others, or prevent it entirely, will usually
be covered within these laws.

EXAMPLE
Overloading a server or networking switch by sending it too many packets of information to
process.
Aiding other criminals or designing malware
 These laws refer to helping others commit computer misuse offenses, such as being an
accomplice.
 One such manner of helping others could be by writing malicious software, commonly
known as malware.
 These laws are intended to be used to help with breaking up criminal gangs.

EXAMPLE
Producing a program which allows remote access to a machine without the owner’s awareness.
In addition to the laws concerning computer misuse, you will find that a couple of cyber crime
offenses overlap with data protection laws and traditional property laws. Should a cyber crime
result in theft of intellectual property, this may be examined as a case of theft.
The golden rule before trying anything in IT security is to get the correct permissions in place
from the owner before experimenting on a device. It is also important to know exactly what you
are doing to avoid unintentional side effects.
Discussion on ethics
As the laws vary across the world, ethics do too. There is a lively debate about many aspects of
ethics within cybersecurity. For instance, is it permissible for organizations to leave booby-
trapped files within their infrastructure awaiting an attacker to trigger one? Many could argue
that this is ethically sound, although under most legal frameworks, it would be argued that such
an action is illegal since the trapped files would be considered malware. Then there are the
ethical dilemmas around using techniques from the security industry to target criminals. Could a
retaliation be justifiable or defensible? What about the rules for military action or governments?
You can see there are ethical dilemmas and they have been going on for as long as the industry
has existed. These debates are a good sign of a healthy industry reaching maturity and its
participants displaying integrity by considering these important issues.
To illustrate the complexity of the laws and ethics of cybersecurity, this diagram shows how the
areas of legality and ethics could be seen to overlap.

Activity
Do a quick internet search for computer laws in your country. Are there computer laws to abide
by? If so, what are they?
Please type your answer in the box. Your answer is just for you and is only saved in this course
for you. Be sure to click Save Text.

Save Text
Do a quick internet search for computer laws in your country, and then list and describe some of
these laws. When finished, remember to select Save Text.

Save Text
Threat actor groups
Module overview
This module focuses on the "offensive" side of cybersecurity, meaning the cyber attackers and
their techniques. How do they hack? What could go wrong? You will learn about these topics:
 Types of cyber attacker groups
 Types of cyber attacks
 Steps in a typical cyber attack sequence, using the Lockheed Martin Cyber Kill Chain
framework
 Attacker tactics and techniques, using the MITRE ATT&CK matrix
 How the cyber crime economy works
 Social engineering and common social engineering attacks
 Open source intelligence (OSINT) and common sources that cyber attackers use
 Technical scanning methods
 High profile case studies of cyber attacks to recognize what is possible and going on in
the world
Learning objectives
After completing this module, learners should be able to:
 Compare and contrast the five main types of threat actor groups
 Describe common types of cyber attacks
 Explain the overall structure of a typical cyber attack by discussing each step in the
Lockheed Martin Cyber Kill Chain framework
 Use the MITRE ATT&CK matrix to identify attacker tactics and techniques
 Summarize how the cyber crime economy works
 Define social engineering and describe common social engineering techniques
 Describe open source intelligence (OSINT) and common sources that attackers use
 List typical technical scanning techniques and discuss the information that each provides
 Summarize the details and lessons learned from several high-profile cyber attacks
Threat actor groups
Cybersecurity professionals must be aware of the different types of threat actor groups, or cyber
attacker groups. These are diverse groups and they vary substantially in motivation, resources,
and techniques. Let's review and compare the five main types of cyber attacker groups.
Group 1: Script kiddie
The first group is the least advanced, the script kiddie. The term "script kiddie" refers to someone
who uses programs, frequently basic hacking tools, without truly understanding what is going on
behind the scenes. They may display a basic understanding of networking and programming, but
lack technical skills as well as patience or strategic intent.
SUMMARY
 In practice, this demographic is mostly teenagers or young adults, who are self-taught via
forums, videos, and experimentation.
 For many, the main motivations for their hacking efforts are reputation, status in the eyes
of the hacking community, entertainment, or settling grudges.
 From a resourcing standpoint, script kiddies rely on off-the-shelf penetration testing tools
and publicly available exploits.
 In most cases, they are very underfunded. They tend to display little trade-craft
knowledge beyond that of basic proxies or disposable accounts.
 From a defensive standpoint, organizations must ensure that their patching schedule is
effective. Should an easy exploit be developed, it is very likely that it will be deployed at
some point. Defenses must be sufficient to ensure that another target appears easier which
should be a sufficient deterrent.

Profile of a script kiddie

Who are they? What is their objective?

Self-taught individuals, typically teenagers Seek reputation enhancement or attack for fun

What resource do they have? How do you protect against them?

Little funding, little or no technical expertise Ensure patching schedule is effective and
and assistance, may use free tools written by basic perimeter defenses are up to date
others

Group 2: Hacktivist
The second group is the hacktivist. Hacktivist is a term which combines "hacker" and "activist".
Hacktivists seek a political or economic change and will use hacking to achieve it.
SUMMARY
 The key, defining attribute of hacktivists is that they are driven by ideological reasons.
 The group of people who make up hacktivist groups ranges greatly. Like the script kiddie
group, they are filled with impressionable amateurs, but when causes align on a highly
topical issue, they are joined by more experienced members within the security
community.
 The motivations of hacktivist groups are defined by their aims, which vary enormously.
Generally, it involves supporting one cause the individuals believe in. This could be a
side in the Middle East conflict, political activities, and so on.
 The most famous example of this group would be the hacking collective
called Anonymous. Anonymous is a decentralized international hacktivist group that is
known for cyber attacks against several governments, government institutions and
government agencies, and corporations.
 Hacktivists use a range of basic tools which can be very effective when done at scale.
Denial of Service (DoS) programs are a notable example in this area.
 While a single script kiddie poses little threat, several hundred launching parallel attacks
can be significantly more challenging to deal with.
 As an organization, being astute is very important. Should an organization operate
business in a sensitive area (e.g., animal testing, political causes), then it is possible it
may come under a sustained attack from hacktivists at some point. Having good defenses
will not be enough to deter all attacks, so organizations should plan methods to cope with
a sustained attack.

Profile of a hacktivist

Who are they? What is their objective?

Driven idealists forming loose coalitions Want to bring about a change

What resource do they have? How do you protect against them?

 Operate at scale with varying tools and Ensure defenses can cope with an extended
biggest attribute is size disruptive attack

Group 3: Criminal gang

As long as there is easy money to be made, criminals will always be a problem for society. The
internet’s creation has created a new method for criminals to prey on victims with an
unprecedented scale, range, and ease. Rather than run risks in person, aspiring criminals can send
out millions of infected emails from halfway around the world and secure a ransom from a
victim before transferring funds into cryptocurrencies to evade conventional policing methods.
Capturing these criminals is extremely taxing and, due to international laws, securing a
prosecution is near impossible. Sadly, most criminals are aware of these facts.
SUMMARY
 This is the fastest growing group and as a result, it is the broadest.
 Within the group, there are a range of activities. Gangs could be running ransomware
attacks (where a victim is forced to pay to secure access back to their resources),
committing extortion (where the threat of a large attack secures protection money),
committing conventional theft of customer data or intellectual property, and so on.
 Being a cyber-based criminal is a full-time and potentially quite lucrative proposition.
Gangs can range from a few individuals all the way to multinationals with hundreds of
members. Within each gang, there are frequently specialists and they can trade
information on the dark web. Consequently, criminal gangs are quite advanced and well-
organized.
 From a resourcing standpoint, criminal gangs frequently develop and deploy their own
malware. They even in some cases rent access to others who may be less technical. Like
all software sales, they advertise, host reviews, and even have tech support. Criminal
gangs have access to substantial amounts of infrastructure, such as servers and domains.
 To protect against a criminal gang, effective defenses should exist for critical assets.
While discovering ransomware on an employee’s laptop may be inconvenient for the
company, discovering ransomware on a production sever could be devastating.
 From a financial perspective, the criminals will always adopt the quickest and easiest get-
rich-quick scheme.
 Profile of a criminal gang

Who are they? What is their objective?

Groups of people in national and international Driven by financial motivations

teams

What resource do they have? How do you protect against them?

Broad range of tools and equipment, bought Need to have a fully trained workforce with
and traded on the dark web protections around critical assets and back-
ups

Group 4: Nation state hacker or advanced persistent threat (APT)

The next group, and one that receives the most media attention, perhaps unduly, is the nation
state attackers. Many military organizations around the word now consider cyberspace a fifth
sphere of conflict alongside sea, land, air, and space. Many nations have demonstrated the ability
to project power across national borders to a great and expanding variety of consequences.
SUMMARY
 The role of nation state hackers is to provide a strategic advantage to their respective
country. This may range from reconnaissance and information collection (e.g., traditional
spying/signals intelligence) all the way to information subversion and manipulation.
 Members of these organizations are well-educated or trained and cover a range of
backgrounds. They work full-time and typically work on the cutting edge within their
respective fields.
 Their motivations are typically aligned closely with political or strategic objectives. A
recent example of this were the Russian activities concerning the 2016 US presidential
election. The aim was to interfere with the election as well as increase political and social
discord.
 From a resourcing standpoint, nation state hackers have access to advanced research,
dedicated infrastructure teams, and tremendous political support.
  Protection against determined nation state hackers is tremendously challenging for
organizations. Doing so effectively requires fully capable and coordinated security
defenses.

Profile of a nation state hacker

Who are they? What is their objective?

Highly trained and educated specialists Follow strategic, multi-year plans on a wide
range of issues

What resource do they have? How do you protect against them?

Very large budgets, cutting-edge tooling, and Incredibly difficult; need fully coordinated
leading-edge research defenses around every aspect of the
organization

Group 5: Malicious insider

The final group that is arguably the most concerning, is that of the malicious insider. The insider
refers to a member within an organization that either intentionally or otherwise acts against it.
SUMMARY
 Malicious insiders can either start with a negative mindset within an organization or
become resentful after a period of time.
 Motivations vary greatly and can cover just about everything, with financial interests and
bitterness being two of the most common. In other cases, notoriety or fame can be
motivators.
 A common example of an insider is an employee being blackmailed into allowing
someone access to the employee's corporate accounts. Another common example is a
disgruntled employee who steals corporate secrets before being fired. Perhaps the most
famous insider attack of all time was Edward Snowden, who stole a large amount of
National Security Agency (NSA) files from the US before giving them to WikiLeaks.
 Insiders do not usually rely on technical skills to execute their attacks. While some may
shoulder surf or use social engineering to gain access from others, typically they use their
own corporate access and permissions.
  Defense against insiders is best achieved by vetting employees, effective management,
and then technical controls. Resorting to technical controls is frequently seen as a “get
out of jail free card” for many companies and it frequently fails because you are, after all,
trying to stop users who are extremely familiar with the system. In many cases, there are
a lot of warning signs before somebody launches an inside attack. For instance this could
be working alone, expressing resentment, failing in quality of work, or doing unexplained
activities. Picking up on these signs is very important.

Profile of a malicious insider

Who are they? What is their objective?

Staff members who work against an Seek revenge or have financial motives
organization's own interests, either
deliberately or accidentally

What resource do they have? How do you protect against them?

No budget or resources required; use granted Monitor staff carefully and ensure
access organization's culture is effective to prevent
issues

Note: Sometimes these descriptions of the types of cyber attackers are not always precise. In
operations, hacktivists might recruit script kiddies and nation state hackers might recruit criminal
gangs. Also, some cyber attackers will disguise their work to appear less advanced than they are.
These facts can make it difficult to attribute threats to the correct party.
Offensive security researcher
You’ve learned about five common types of cyber attackers who have personal motivations or
threatening, often illegal motivations. But, there are also individuals out there who are
considered offensive security researchers. An offensive security researcher chooses to use, and
monetize, their skill set for good, rather than criminal or exploitative activity. Often called
“ethical hackers,” they take on a real hacker mindset to use the same methods as real-life
attackers, but with the goal of testing and fortifying systems to help clients and consumers be
better protected from the real thing.
Working in cybersecurity today
Here are two leading cybersecurity experts who use their skill sets to offer valuable and often
highly-paid advice and knowledge to organizations around the world.

Brian Krebs Georgia Wiedman

Brian is a celebrated journalist who
investigates cyber crime. He kicked off his
career as a reporter for The Washington Post,
where he wrote for the Security Fix blog from
1995 to 2009 and pushed the boundaries of
cyber security reporting. Today, he owns the
hugely popular blog Krebs on Security and
was named 2019’s “Cyber Security Person of
the Year” by CISO MAG.
Fun fact: Brian’s interest in cybersecurity
was ignited after his entire home network was
taken captive by a Chinese hacking group.
Georgia is a serial entrepreneur in the
cybersecurity space and has worked as a
penetration tester, security researcher,
speaker, trainer, and author. She has gained a
large following through her work in
smartphone exploitation and mobile device
security as the founder and CTO of Shevirah.
Fun fact: Georgia is an angel investor and
has spoken and trained audiences around the
world at venues like the NSA, West Point,
and Black Hat.

This is the end of the lesson. Be sure to select the "I've checked it out" box to take a mini quiz
to check your understanding of this lesson. You will be presented with three scenarios to then
identify the correct type of cyber attacker group. This is required for lesson completion.

Stephen Nguyen was laid off last month from his executive-level position at an industrial
chemical company. He worked in the research and development (R&D) department. He
downloaded his latest project's information onto a personal USB flash drive. He is bitter about
losing his job and considering selling the USB drive to another company's R&D department.
Which type of cyber attacker group could he represent?
Monica da Silva is an employee at an aeronautics company. She noticed her laptop has started to
become unresponsive ever since she went on a business trip to a foreign country. She remembers
being asked to hand the device over while at an airport and she thinks that is when the problems
started. Which type of cyber attacker group could this represent?

Monica da Silva is an employee at an aeronautics company. She noticed her laptop has started to
become unresponsive ever since she went on a business trip to a foreign country. She remembers
being asked to hand the device over while at an airport and she thinks that is when the problems
started. Which type of cyber attacker group could this represent?

Types of cyber attacks

There are many methods in which a cyber attacker can enter and exploit a system. Often, attacks
are not technical at all, but rather an exploitation of how humans interact with the system in a
flawed and vulnerable way. In this lesson, we have selected common types of cyber attacks. This
is a representative sample to provide you with a few illustrative examples, rather than a
comprehensive list. Let's examine these in greater depth.
Denial of service (DoS) attack
 A DoS attack is any type of attack that causes a complete or partial system outage.
 The means to perform a DoS attack can range from causing a system to crash to making
it unreachable or incapable of continuing work due to abnormal levels of forwarded
network traffic.

EXAMPLE
An attacker could send a maliciously formatted file to a server that causes it to overload. An
example of this is a billion laugh attack, in which an XML file references itself, expanding to a
considerably larger file.
Distributed denial of service (DDoS) attack
 A DDoS attack is a DoS attack that comes from more than one source at the same time.
  The machines used in such attacks are collectively known as “botnets” and will have
previously been infected with malicious software, so they can be remotely controlled by
the attacker.
 According to research, tens of millions of computers are likely to be infected with botnet
programs worldwide.

EXAMPLE
An attacker could send a large number of page requests to a web server in a short space of time,
overloading it. A similar impact is observed with ticket sales websites where a spike in user
demand can overload systems.
Phishing attack
 A phishing attack is the practice of sending messages that appear to be from trusted
sources with the goal of gaining personal information or influencing users to do
something.
 It combines social engineering and technical trickery.
 Unsuspecting users open the email and may provide protected information or download
malware.

EXAMPLE
An attacker could send an email with a file attachment or a link to a fake website that loads
malware onto a target's computer.
Spear phishing attack
 Spear phishing attacks are a very targeted type of phishing activity.
 Attackers take the time to conduct research into targets and create messages that are
personal and relevant, and thus likely more effective.

EXAMPLE
An attacker collects a target's details from social media and calls the target pretending to be a
representative from the bank. The attacker advises the account is compromised and asks the
target to transfer money to a "safe" bank account. The attack is convincing because of the
attacker's apparently legitimate knowledge.
Malware
  Malware is a catch-all term for malicious software. It is any software designed to perform
in a detrimental manner to a targeted user without the user's informed consent.
 It often triggers secretly when a user runs a program or downloads a file, which can often
be unintentional.
 Once active, malware can block access to data and programs, steal information, and make
systems inoperable.

EXAMPLE
Within the various types of malware, you will find examples related to their function, such
as keyloggers (which captures a victim's keystrokes) or ransomware (which holds a victim's
files captive in exchange for a ransom payment).
Man in the middle (MitM) attack
 A MitM attack occurs when hackers insert themselves in the communications between a
client and a server.
 This allows hackers to see what’s being sent and received by both sides.

EXAMPLE
An attacker could set up a "free" WiFi hot spot in a popular public location. Anyone who
connects to that WiFi network could have their communications examined by the attacker, who
may redirect victims to fake log-in screens or insert advertisements over webpages.
Domain name system (DNS) attack
 DNS is one of the core protocols used on the internet.
 Basically, the DNS protocol allows a computer to resolve a domain to an IP address,
which allows a user to, for example, reach BMW’s main website by typing “bmw.com”
instead of writing an IP address that is hard to remember.
 DNS is used almost everywhere. As a core protocol of the internet, lots of attack vectors
directly target DNS, including DNS spoofing, domain hijacking, and cache poisoning
(just to name a few).

EXAMPLE
In 2016, the DNS service provided by a company called Dyn was attacked. This resulted in
major outages across most of the US, leaving millions of Americans unable to access or use
internet services.
Structured query language (SQL) injection
 SQL allows users to query databases.
 SQL injection is the placement of malicious code in SQL queries, usually via web page
input. A successful attack allows common commands to be run. This can include deleting
the database itself!
 SQL injection is one of the most common web hacking techniques.

EXAMPLE
In the UK, two teenagers managed to target TalkTalk's website in 2015 to steal hundreds of
thousands of customer records from a database that was remotely accessible.

This represents a handful of the many types of cyber attacks impacting organizations and
individuals today. You will find DoS attacks on organizations are commonly reported in the
news, phishing attacks are the most effective on a personal basis, and malware attacks are
increasing in number and constantly evolving.
Activity
Fact: No person, organization, or country is immune to the dangers of cyber attacks.
In this activity, you can put on your explorer hat to access the following real-time maps and
statistical visualizations of cyber attacks occurring around the world. Take a moment to access
each site. It may take a moment to load. Check out the statistics. See just how many attacks are
being documented across the globe! Right now!

1. Go to the Kapersky  Navigate around the interactive world map to click

Cyberthreat Real-Time Map and visit a specific country to view its latest data.
 Find the most attacked countries!
View larger
 You can change the language at the top of the web
page.
 Roll-over the color-coded types of threats and
attacks.
 2. Go to the Fortinet Threat  Watch the attack details that scroll at the bottom of
Map the screen.
 Figure out where most attacks are happening
View larger
right now, before your eyes!
 This is a sub-set of data. Select ? to view the legend
of types of attacks displayed. Select i to learn more.

3. Go to the Bitdefender
Cyberthreat Real-Time Map
View larger
 View the live attacks happening across the map for
the selected country locations.
 Check out the various instances of spam, threats,
and attacks!
 Notice that there is an "attack country" and "target
country".

This is the end of the lesson. Be sure to select the "I've checked it out" box to take a mini quiz
to check your understanding of this lesson. You will be presented with three descriptions to then
identify the correct type of cyber attack that it represents. This is required for lesson completion.

 This attack involves sending an email to an individual that appears to be from a trusted
source, but instead has the intention of getting personal information, such as a password.
What type of cyber attack is this?
 This attack involves causing a system to partially crash and be unable to perform work at
normal levels. What type of cyber attack is this?
 This attack involves software designed to perform in a detrimental manner to a target,
without the target's consent. It can block access to data and programs, steal information,
and make systems inoperable. What type of cyber attack is this?

Structure of a cyber attack

As computer systems change so do the ways in which they can be compromised. For example, a
cyber attack may rely on a computer running an outdated version of a web browser to be
vulnerable to a specific piece of malware. Once the software is patched, that attack cannot be
repeated in the exact same manner. However, while individual techniques may evolve with time,
the overall structure of a typical cyber attack can be examined. In this lesson, we'll review a
couple of ways this has been done over the years so you have a basic understanding.
Note: This is meant to provide you with a quick overview and you can choose to explore more if
you would like.
Introducing the Lockheed Martin Cyber Kill Chain® framework
Lockheed Martin Corporation is an American global aerospace, defense, security, and advanced
technologies company. Researchers at Lockheed Martin determined that there are parallels
between the typical U.S. military concept of a "kill chain" and intrusions within digital networks.
The word "chain" is used here to indicate a set of steps that must be completed in order, in which
each step depends on the previous step's completion. Here is a walk-through of the seven steps in
the Cyber Kill Chain framework so you understand a typical cyber attack sequence.
Source: Lockheed Martin, the Cyber Kill Chain® framework
1. Reconnaissance: During this stage, the attacker gathers information about the target.
This can be achieved through probing digital servers, speaking with people close to the
target, or just reading the news!
2. Weaponization: Once a specific vulnerability has been identified, a piece of malware is
designed to exploit it. This process can range from downloading a sample of a database,
purchasing a tool from a 3rd party, or developing something custom.
 3. Delivery: The chosen malware must be sent to the target in some manner. Despite
progress over the years, the most common method is still via email. Other methods can
include website downloads and infected or modified USB devices.
4. Exploitation: Once malware is given to the target, it activates and performs a series of
instructed steps. How this occurs is highly variable and depends on many details about
the programs and operating system in use. This process is known as "exploiting a
vulnerability" and the software used to do it is known as exploit code or an exploit.
5. Installation: The malware attempts to get some element of persistence within the target
system. This can be achieved through the creation of back doors, which can include
creating new accounts, installing remote access programs, or introducing new
vulnerabilities into the system. These factors mean that if the original vulnerability is
patched, it is too late for the defender as the attacker’s access remains.
6. Command and Control (C2): A method for the attacker to communicate with the
compromised systems must be established. This enables instructions and upgrades to be
sent to the target and for data to be sent back to the attacker. This can be done using
websites, direct connections, and even Twitter.
7. Actions on Objectives: Once all the previous steps have been completed, the attacker is
free to complete the original intent. This could range from stealing data, modifying data,
or destroying key system elements.
Introducing the MITRE ATT&CK matrix
MITRE is an American non-profit organization dedicated to solving problems for a safer world.
It brings forward innovative ideas in a variety of areas including cyber threat sharing and cyber
resilience. MITRE collected a set of tactics, techniques, and procedures (TTP) that cyber
attackers have been using to develop ATT&CK. It stands for Adversarial Tactics, Techniques,
and Common Knowledge. It is pronounced as "attack". This collected knowledge is presented in
a matrix to help organizations examine cyber attacks in a simplified form. The ATT&CK
matrix is open and available to any person or organization for use at no charge.
The following graphic is a sample of the ATT&CK matrix. You can see it is quite
comprehensive.
 View larger
The column headers identify an attacker tactic. Each tactic can be considered as
an attacker's objective. Then, the list under each column are the many techniques that the
cyber attacker can use to achieve the tactic or objective. These link to more information.

EXAMPLE
A cyber attacker may want to gain credentialed access to a system. This is a tactic. In this
scenario, if the attacker identifies poor logging and no account lockouts are in use, the attacker
could choose to use the Brute Force technique. In this technique, a program is run, which can
try millions of username and password combinations until a successful one is identified. Should
the chosen technique be unsuccessful, an attacker can simply switch to another approach and
continue trying.
Importance of understanding cyber attacks
During a cyber attack, attackers can be quite persistent. It is rare that a single interruption to their
attack will cause them to give up. Instead, it can be quite helpful to view cyber attacks as part of
a longer campaign. Many attacks can last for months with attackers spreading their influence and
defenders trying to identify and stop them. Good defenders will attempt to anticipate an
attacker's next move and frameworks such as the MITRE ATT&CK matrix help them to achieve
this.
Activity
Find an attacker tactic and techniques that intrigues you by visiting the MITRE ATT&CK
matrix.
Please type your answer to each question in the boxes. Your answers are just for you and are
only saved in this course for you. Be sure to click Save Text.
1. First, select the column headings to read the details to better understand a few tactics. Then,
pick one tactic you want to explore and study it. Which tactic did you pick and how would you
explain it to someone who is not familiar with this topic?

Save Text

2. Once you have done this, examine two techniques that attackers utilize to achieve your
selected tactic. What are the advantages of each technique and is one technique "easier" than the
other?

Save Text

Funding and profitability of cyber crime

While some cyber attackers are motivated by activism or national interest, the main driver of
cyber crime is profitability. In this lesson, we'll examine a few methods of how cyber criminals
make and use their money.
Underground ecosystem
The first element that is vital to the cyber crime economy is a thriving international marketplace
made up of hundreds of forums, platforms, and systems. Within this market environment,
criminals buy and sell data, identities, and tools to make profit. For example, a very common
area of interest is money laundering. Should cyber criminals steal some money from a victim,
they need to have a method to make the stolen money usable and ideally untraceable. They can
do this by using a 3rd party specialist in an outsourcing-like manner.
Like a traditional economy, specialism drives efficiencies and allows criminals to focus on what
they each do best.
Initial cash injection
So, with a marketplace set up, how do criminals get money? Below are three general methods by
which they can achieve this.

Stolen from victim
 The most direct method is criminals attempting to steal
money from their targeted victim.
 While this can be done through compromising banking
systems or compromising accounts, the most common
manner is through fraud or deception.
 These scams are often the "tech support scam" or other
similar tricks intended to persuade a victim to give the
criminal a financial benefit such as giving away bank details
and personal information.

Criminal for hire
 Sometimes criminals offer their services to carry out illegal
tasks to regular people and organizations.
 This is commonly done using a denial of service (DoS) attack
that attempts to overload key parts of a service. For instance,
a criminal may offer the ability for an organization or
individual to disable a competitor or rival.
 In this model, the criminal does not take money from the
victim. Instead, the criminal gets paid by the organization or
individual.
 Another example of this is computer misuse in a mercenary
style. Imagine a person hiring a criminal to steal a
competitor’s key intellectual property or destroy a rival's
databases.
 Extorted from victim  In this model, the criminal gains the ability to disrupt a victim
by disabling key systems or threatening to divulge sensitive
data.
 In recent years this has become popular with the advent of
ransomware. In a ransomware attack, a victim's key systems
and files are encrypted in such a manner that renders them
inoperable. To restore the systems and files, the victim is
asked to pay the criminal a ransom to receive the decryption
key.
 Other extortion themed approaches can include threatening to
divulge organization or customer data such as embarrassing
executive emails or customer databases.

Cryptocurrency
Over the last few years, there has been a rapid increase in cryptographically controlled currencies
called cryptocurrencies. The original cryptocurrency, Bitcoin, proposed a new method for
monetary exchange based on a shared ledger called a Blockchain. This concept has been built
upon by subsequent new currencies that have been built in recent years.
When using an anonymous ledger outside of government control, payments are designed to be
near impossible to regulate or block. This makes cryptocurrencies unbelievably useful for money
laundering or for other criminal marketplace activities.
One notable consequence of cryptocurrencies was the rapid growth of ransomware. In this
business model, the victim has to pay the attacker. When this was originally done with monetary
substitutes such as gift cards, the process was slow and unreliable. Now, with the use of
cryptocurrencies, it is easier for victims to make concealed payments.
The ecosystem in action
Let's look at a hypothetical case study drawing all of the monetary elements together. In this
scenario, we'll follow an attack campaign across the life cycle. Follow the money trail!
 1. The first stage of the journey involves a criminal gang producing a piece of malware which records
keystrokes and screen shots.
2. The malware authors buy a list of known email addresses from another party and send out the
malware as an email attachment. The objective is for the malware to work on the victims' machines
so their banking details and other passwords can be stolen and sent to the malware authors. At this
point, their work is done. They have a list of passwords and banking logins.
3. Now, the malware author may attempt to "cash out" themselves or sell the details to another gang to
finish the process.
4. The criminal gang can attempt to login using the credentials and make transfers to money mules
they have worked with previously. In this case, the mules are typically gullible or desperate
individuals who have agreed to allow a stream of money through their accounts in exchange for
payment.
5. To finish the process, the criminal gang could force the mules to buy and transfer cryptocurrencies
to accounts controlled by the gang. As soon as this done, the campaign is complete. Should law
enforcement investigate the crime, the trail often ends with only the money mule being traceable.

Social engineering
In this course, you are learning about the importance of people when designing secure systems.
People, whether they are employees or customers, are often mismanaged in security
environments. They may be given confusing or contradictory advice, prevented from following
good practices, or just become fatigued. All of this puts people in a vulnerable position to
potentially be taken advantage of by a prospective cyber attacker. In this lesson, we’ll highlight
social engineering and techniques that attackers use. Rather than hacking a system, let’s examine
how they hack the individual instead!
What is social engineering?
Social engineering is the art of making someone do what you want them to do. It overlaps
heavily with academic fields involving psychology, biology, and even mathematics!
In cybersecurity, social engineering is the use of deception to manipulate individuals into
divulging confidential or personal information that could then be used for fraudulent purposes.
Basically, how could someone trick another person into giving up something that is private?
Social engineering attacks are the dark art of using social interactions to trick someone into
making a security mistake.
Social engineering tactics can be employed in-person, over the phone, or online through
websites, email, and social media.
Once an attacker can make an individual perform a certain action, then the attacker can gain
access to sensitive systems, steal assets, or advance a more complex attack. This notion of
focusing on persuading or tricking people may sound unreliable. But, there are many case studies
that show social engineering is an incredibly powerful technique for attackers.

EXAMPLES
Effective social engineering tactics can result in defrauding vulnerable individuals of their
savings through scams and confidence tricks. For organizations with physical buildings, social
engineering also includes tailgating, or closely following, individuals in order to gain access to
secure areas.
Why does social engineering work?
Social engineering works because humans are imperfect. There are two key elements to this: our
decisions are irrational and our decision making is flawed. Let’s look at each in greater detail.
Irrational behavior
We can all exhibit irrational behavior as shown by making decisions that do not further our long-
term interests. If everyone was focused and logical, then we would not have vices. For instance,
no one would play the lottery and we would eat healthy all the time. This is very far from the
case.
In social engineering, drivers for short term gratification or greed can be utilized to manipulate a
target. These targets are putting themselves at risk and often committing crimes unknowingly.

EXAMPLES
This is best shown when criminals persuade young adults to act as money launderers for gangs.
There are also many other get-rich-quick schemes online. The victims in this case are baited into
the scheme with false promises.
There are also cases where idleness is a great asset for social engineering. Taking shortcuts and
the tendency to avoid rules are quite effective to use as a social engineering tactic on a target.

EXAMPLES
Within certain organizations, employees might skip a long business process like verifying caller
identities or getting the right levels of approvals to grant access rights.
Flawed decision making
Human decision making varies greatly throughout the day and depends on changing
circumstances. For instance, the colors on display in a room, the presence of other people, the
amount of noise, and the temperature all have a measurable, biological impact on individuals and
change their decision-making processes. Attackers benefit from affecting a target’s decision
making to achieve a result.

EXAMPLES
Attackers use time restrictions to create a sense of urgency. In addition, attackers may confuse a
target by impersonating a trusted authority figure or even pretend to be a potential love interest.
When an attacker builds up a false reason to engage with a target this tactic can be labelled
as pretexting.
All these factors impact a target's ability to make a good decision or even identify they are being
manipulated in the first place.
What makes a good social engineering attack?
A good social engineering attack typically has a few common elements.
1. It is well researched. If a social engineering attack is attempting to impersonate a
member of a company, then attackers will make use of the company letterhead, jargon, or
 format to help build credibility. Not all methods are equally effective against everyone.
Cyber attackers research to determine the best driver.
2. It is delivered confidently. In person, good social engineers are prepared, confident, and
reassure targets. Knowing when to launch an attack and how to develop a rapport with
the target is important. Usually a high value social engineering attack is built up over a
series of exchanges lending credibility and reducing inhibitions with each exchange.
Rushing these can backfire and be a way in which cyber attackers reveal themselves
through desperation.
3. The attack feels plausible and realistic. The best social engineering attacks are often the
ones where the victim does not even know they’ve been tricked.
How can you defend against social engineering?
It is important for individuals as well as employees to be aware and guard against these common
social engineering attacks.
Aside from trusting nobody ever, there is a simple rule to defend against social engineering
attacks designed to trick individuals like you. Essentially, the golden rule is that if something
seems too good to be true, it probably is. So, if you are ever faced with a financial windfall out of
the blue, a head hunting request, or a prize from a competition you did not enter, then be aware,
inquisitive, and do not be blinded by the benefit.
In addition, don't be afraid to challenge others who make unusual requests or appear out of place.
If an unknown colleague makes a strange request or you see someone loitering in a restricted
area, you can often ask for details or report your suspicions, as appropriate. Just because
someone claims to have been sent by an executive from the head office and they are in a hurry to
get by you into a building, you can pause to check. Often the cost of verification is far less than
letting an imposter into your office!
Beware of phishing
Specifically addressing the very common phishing email attacks, here are some tips to help you
detect phishing emails, whether personal or business-related.
1. Consider if you were expecting the email. Does it make sense that the sender chose to
contact you? Is it too good to be true or pressuring you to act quickly?
2. Always check the sender email address. Is it from someone or a company that you
recognize?
 3. Look for the salutation. Is it addressing you with a generic greeting such as "Dear valued
member" instead of your name?
4. Search for any language or grammar errors in the email. Does it have poor grammar or a
lot of spelling errors?
5. Determine what the email is requesting. Is it asking you to visit a fake or "spoof"
website? Call a fake customer service number? Open attachments that you did not
request?
6. Look for the red flags of a fake request (e.g., asks for your bank information or password)
that is typically part of the phishing email. Secondly, don't click on a link without
verifying the URL it points to.
o Does the URL include a non-secure link? To know if it is a secure link, check that
the URL begins with "https".
o Does the URL direct you to a completely different website? Some URLs
intentionally try to look like legitimate ones, for instance this is a fake URL for
PayPal: www.paypall.accountlogin.com/signin. Notice the misspelling of
"PayPal".
Important Note
If you receive an email that you believe could be phishing, don’t respond in any way and do not
click any links or open any attachments. Most email services have a method to report an email as
spam.
If you are in any doubt, you can get in touch with the sender via a trusted channel such as a
previously saved contact phone number or access the service web address from your records.
Activity
Put on your detective hat and let's say you received this email from Facebook. Take a moment to
read and study the email. What signs do you see that indicate this is a phishing email?
There are three giveaways that indicate this is a phishing email attempting to get information
from you.
1. It does not use your personal account name.
2. It is an unusual request.
3. The provided link is completely incorrect. Notice the misspelling of "facebook";
facebo0k.com is a known and reported phishing URL.
 Open source intelligence

Open source intelligence (OSINT) has become a major area of interest over the last decade, both
within government activities and the private sector. The term "open" is used to refer to
intelligence operations using publicly available information, such as information found on the
open web, blogs, and websites. OSINT is all information that can be easily collected without any
active collection methods, such as hacking, wiretaps, and so on. In this lesson, we will examine
the benefits of OSINT, sources, and a few areas of concern for organizations and individuals.
You will better understand how attackers can collect information about a targeted organization or
individual.
Open source investigations can be conducted by journalists, researchers, and malicious attackers.
Here, we will focus on attackers using these approaches as part of a reconnaissance stage for a
larger attack.
Comparing OSINT with alternative options
Traditional forms of information gathering such as bugging phones, satellite images, and signal
intelligence intercepts tend to be very expensive, complex, and often illegal. In comparison,
using open information can be virtually free and considerably easy to acquire.

EXAMPLE
What if a journalist wants to locate where a member of a political party is at any given time? On
one hand, they could attempt to illegally place a piece of malware on the individual's mobile
phone to acquire GPS co-ordinates. On the other hand, it may be far simpler to keep a close eye
on the individual's Twitter account. All it would take is for one of the politician’s aides to post a
location tagged message or a photo with a recognizable landmark and they would have their
answer. While this example seems simple, the same techniques have been used by military units
to track their counterparts in foreign countries.
Another benefit of open source intelligence is that a lot of it is undetectable to the target.

EXAMPLE
What if an attacker wants to gather information about the control systems inside a power station?
If they try to scan the power plant's external network, the attacker may be detected and have the
secrecy of their infrastructure compromised. Alternatively, if the attacker finds a system engineer
discussing sensitive plans online, while the blogging platform might have access records, the
company would not.
Sources of open information
An attacker is about to embark on collecting basic information about an organization or
individual, where might the attacker start? Here are some common sources to provide you with
illustrative examples. There are many more possible sources and new ones are being discovered
all the time.
Expand each section to learn more about the sources.

Company website

 Although it might seem too obvious, a company’s website can be revealing in terms of
what information it chooses to make publicly available.
 It can reveal helpful information such as points of contact, external social media profiles,
building addresses, and much more.
 Companies might make mistakes with the information they make public, which means
information can be placed into the public domain that may be more detailed than the
company might like.
 Searches can be augmented with some advanced search features often referred to as
"Google hacking" to find more advanced information and unintentionally revealed files.
 There are also options to retrieve a company’s legacy website, such as using
the Wayback Machine. This can be a powerful tool for attackers to determine what a
website was being used for at certain times.

Media and news

 If someone has already done the hard work, then why repeat the effort? There are very
good journalists who are skilled at processing open information.
 While it is unlikely that attackers will find an exact match for what they are looking for,
it’s likely some articles might provide help for further investigations.
  Other sources of pre-processed or foundational information may include industry
analysts, rating agencies, and other assessing bodies.

Social media

 In the era of social media, people are happy to share information and make it widely
available.
 Social media information can be pieced together quite effectively to get an accurate
perspective about an individual's personal and work life. For example, employees have
been known to share photos of ID badges, network diagrams, and even sticky notes with
passwords.
 For cyber attackers, even small pieces of information can add credibly to a social
engineering attack.
o For example, if an attacker finds out that a target recently attended a conference,
then the attacker could start a spear phishing email to share the attacker found the
target's name on the attendee list and wants to follow-up.

Government or public records

 Many countries around the world keep detailed records of both citizens and companies.
These sources of information can be highly valuable for cyber attackers.
o For example, a set of hospital records may identify an individual's place and date
of birth and an electoral roll may identify someone’s address. The availability of
this type of information is a key reason why those facts should never form part of
a security process without other safeguards.
 For companies, many stock exchanges require a certain amount of financial information
to be made available.
o For example, in the UK companies must provide information to Companies
House to operate. All of this information can be of interest to a cyber attacker.
Good rules for gathering open information
 If you are conducting an investigation using open information, here are a few simple guidelines
to follow. As you become more experienced, you will learn additional tips and tricks, but this
should be a good starting point.

1. Get lots of information: Quantity is valuable

 The more information, the better.
 Analyst tools that look for links between data sets operate better with more information.
Keep in mind: You never know what the key piece of information will be, so save everything initially
before refinement.

2. Get a range: Build a picture from many perspectives

 Do not rely on a single source.
 Not everything online is true! As a rule of thumb, a single source is easy to falsify (e.g., a social
media profile with lots of flattering photos), however falsifying multiple sources is much more
difficult to manage.
Keep in mind: If you discover a target has deleted or attempted to conceal information, then this very fact
can be of interest.

3. Do not get stuck: Be prepared to fail and do not get frustrated

 While open source intelligence is very powerful, there are many dead ends and there is an element
of luck about what a target may choose to share.
 You may need to switch to a different approach or a new area to explore.
Keep in mind: Successful investigations can take teams of trained researchers weeks to complete.

Note: There will be many occasions during an investigation where open information is not
obtainable. Some organizations and individuals will not have as much public information as
others, for instance due to good operational security.
Why is open source intelligence an area of interest for everyone?
We live in a highly connected world where oversharing is a frequent occurrence. Everyone
should be aware that what they share online is virtually permanent.
Even small pieces of information can be combined into revealing something of external interest.
This process is called information aggregation. While an individual’s place of work,
commuting information, and typical evening plans may be innocuous in isolation, together they
can be used to map someone’s life out.

EXAMPLE
This would be problematic in an organization where say hypothetically 100 employees could
each reveal 1% of a sensitive piece of information. If the disclosures are combined by an external
party, then significant breakthroughs or additional discoveries may be possible to achieve.
For organizations, the OSINT techniques that cyber attackers employ are important to consider
when designing information management policies. The bottom line is that information leakage is
bad for organizations. Organizations must take action to ensure that as little information as
possible is unintentionally disclosed and made vulnerable for collection. Since having
information publicly accessible is frequently essential, the scope of the information shared
should be logged and understood.
Activity
One of the best ways to get started with open source intelligence is through trial and error. Try
looking yourself up online! What open source intelligence could someone find out about you?
 Spend a few minutes now to open new internet browser windows to access Google, social
media sites, and so on to run a few searches on your name.
o If possible, use a fresh web browser with no cookies or history to avoid being
steered back to sites based on your previous activity. This can be done using new,
private or incognito internet browser windows.
 Could someone find your address, place of work, or other personal information? How
private is your social media?
 Once you’ve done this, you could try asking a friend or family member to repeat the
process to see what they find that you did not, and what approaches they took.
What can you conclude? There is no need to overshare. It is important for you to be aware.

Technical scanning
Technical scanning techniques are an essential part of network administration and for network
analysis at organizations. Here, we will turn our attention to how attackers collect information
about computers and networks. While investigating a target machine on a network, an attacker
may want to learn more information about the technical configuration. This could include details
such as:
 What services are running on the machine?
 What operating system is in use?
 Are any of the services vulnerable to well known exploits?
In this lesson, you will be introduced to technical scanning techniques and what attackers use
them for. We will focus on how scanning can be used by a malicious outsider during the
reconnaissance stage of an attack.
Ping test
What is it?
In a ping test, a scanning machine sends an Internet Control Message Protocol (ICMP) packet to
the target machine’s Internet Protocol address (IP address). This outbound packet is called
an echo request packet. A packet is a small amount of formatted data, analogous to the digital
version of a postcard. If the target machine replies with an echo reply packet, then the scanning
machine knows the target machine is most likely active and switched on.
This diagram shows a phone "pinging" two IP addresses on its local network and waiting for a
response.

What information does it provide?

This is a basic test. It is commonly used by organizations to debug networking issues. It
identifies the status of a machine. It also provides an indication of how "far" into a network the
machine is located by using a property known as a packet's "time to live" (TTL). Every router
which forwards the packet onwards decreases the time to live by one.

EXAMPLE
If a packet starts with a time to live of 120 and reached the destination with 108 left, then it went
through 12 stages. This feature can be used in the next scan. A ping test can be started using the
command ‘ping target_name’ on Windows machines.
A ping test tells attackers and defenders if a machine is responsive and, when repeated in a
sweep, how many devices are on a network.
Traceroute
What is it?
A traceroute between two computers can be calculated by sending out packets that have either
increasing or decreasing "times to live" (TTL). When a packet is in transit and its "time to live"
is decreased to zero, the machine processing the packet sends back an error message to the
source point indicating the destination was not reached.
This diagram shows a device mapping out its connection between itself and a destination
address. A physical analogy for this process is skimming a series of stones on a lake with
increasing hops each time.

What information does it provide?

This behavior can be used to map out a network and determine how many switches and routers
exist between you and your destination.

EXAMPLE
Imagine a target is 12 hops away. If a packet with a "time to live" of 11 is sent towards the target,
it will fail at the final routing step. An error message packet will be returned to the scanner, but
in doing so, it will reveal the IP address of the router 11 steps away. As the "time to live" is
reduced down to one over a few new tests, a complete list of the network nodes between the
scanner and the target can be produced. A traceroute can be started by using the
command 'tracert target_name’ on Windows machines.
Port scanning
What is it?
In networking, applications make themselves accessible externally through advertising services
on digital ports. You can imagine this as floors of a building. The IP address would set the
building and each of the floors would be a different port number.
Most port scanning is based around the idea of attempting to open a connection with a certain
number of ports on the target machine. Should the port start accepting a connection, the finding
is noted by the scanning device and the connection is rejected. A port that accepts a connection is
defined as being "open".
This diagram shows a machine scanning a server by systemically testing ports to see if a service
is available on each one. After four attempts, the scanner has identified four ports that are
rejecting connections and would be defined as "closed" ports.
What information does it provide?
By working through the list of "well known" ports on a target device, a scanner can often work
out what the machine is being used for. Within the Transmission Control Protocol (TCP), there
are 65,536 total ports of which the first 1,024 are "well known" ports. A "well known" or
"system" port has a specific application associated with it that is agreed upon internationally. A
common scanner, such as Network Mapper (Nmap), typically scans the most common 1,000
ports for a given protocol. This includes some "well known" ports and others will be higher
numbered user-related ports (1,024 - 49,151).

EXAMPLE
The TCP port 80 is typically set aside for http applications or web servers. The fact that it is
"open" on a target machine may be of interest to an investigator, since it shows a web-based
application may be in use.
Network vulnerability scanning
What is it?
Another form of testing is vulnerability scanning. There are two main methods:
1. Certain actions are done to exploit the vulnerability, to determine if it exists on the target
system. This is often known as dynamic scanning if done in real time.
2. The version numbers of software (e.g., a version of Apache or MySQL) are compared
against a database containing known application vulnerability information.
Important Note
Please be aware that dynamic scanning may automatically perform actions which are illegal in
certain countries. You should only scan targets for which you have the owner’s consent. A
network vulnerability scan will often be interpreted as the planning stage of an attack.
What information does it provide?
Network vulnerability scanning is a powerful tool for both organizations to identify
vulnerabilities in their own network and for attackers to find potential victims. Certain
organizations periodically run such scans to identify mistakes which have been introduced in
order to remediate them.

EXAMPLE
A scanner may attempt to connect to a server and check if it is running an outdated version of an
application. If the application is out-of-date with a known vulnerability, then the scanner may
attempt to exploit the vulnerability to confirm its existence and report this finding.
Search engine for the internet
Another tool for technical scanning is the Shodan search engine. It describes itself as the world's
first search engine for internet-connected devices. It is of interest to malicious attackers and
security researchers alike. It offers a vast catalogue of collected scan results spanning billions of
records. These stored records can be used to track applications at scale around the world.
CHECK THIS OUT!
If you are interested in researching and spending more time on the topic of scanning, you can
explore a popular port scanning site called Network Mapper (Nmap). It is a free and open-source
network scanner. You can start exploring the Intro, Reference Guide, or other online materials.
Go to Nmap
I've checked it out!
Nmap: Discover your network
Nmap ("Network Mapper") is a free and open source utility for network discovery and security
auditing. Many systems and network administrators also find it useful for tasks such as network
inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap
uses raw IP packets in novel ways to determine what hosts are available on the network, what
services (application name and version) those hosts are offering, what operating systems (and OS
versions) they are running, what type of packet filters/firewalls are in use, and dozens of other
characteristics. It was designed to rapidly scan large networks, but works fine against single
hosts. Nmap runs on all major computer operating systems, and official binary packages are
available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap
executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible
data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff),
and a packet generation and response analysis tool (Nping).
Nmap was named “Security Product of the Year” by Linux Journal, Info World,
LinuxQuestions.Org, and Codetalker Digest. It was even featured in twelve movies,
including The Matrix Reloaded, Die Hard 4, Girl With the Dragon Tattoo, and The Bourne
Ultimatum.

Case studies
Cyber attacks are in the news on a daily basis, impacting individuals and organizations, whether
in the public or private sector. In this lesson, we will review three high profile case studies of
cyber attacks so you can understand the extent of what is possible and going on in the world.
Each case study focuses on a different type of threat actor. These three case studies are part of an
ever-growing catalogue of security breaches in the international landscape. As a participant
within the security community, it is important to learn from examples to guide future decision
making.
Stuxnet
Introducing cyber weapons

When Stuxnet was identified in 2010, it was one of the most advanced and targeted malware collections
observed within the security community. Stuxnet was designed to target a specific industry control system
 and modify key settings. It is widely accepted that the malware was designed to target centrifuges used
within Iranian uranium processing, which is a precursor for nuclear bomb production.

Entities related to this attack

Source: StuxNet : A malware that gave the 4th dimension to war, Medium by Shayan Anwar, July 2019
Here are a few considerations that made this attack particularly interesting.
 Stuxnet used four previously unidentified vulnerabilities, a pair of compromised digital certificates
and concealed itself at a very low level within computing systems. Technically speaking, it was
considerably more advanced than any previous malware.
 The malware was spread through infected USB drives. A common mistake within cybersecurity is
to assume that if a system is not connected to the wider internet, an adversary could not introduce
malware into the local network.
 The authors of the malware were persistent. Their targeted campaign went on for months as they
kept tweaking and upgrading the tools they were using.
In many respects, Stuxnet was the definitive example of a cyber weapon being deployed to achieve a
tangible military and political objective. It has set the international expectations for future cyber weapons
in the future.

Equifax
Preventable large-scale data breach exposes hundreds of millions of people

In 2017, the US credit rating agency, Equifax, was hacked. After the organization failed to apply a
security patch to a database, a group of hackers were able to gain access to Equifax’s network. Within the
network was a set of administrative credentials stored without encryption or basic access controls. Once
the attackers had the administrative credentials, they could control most systems and did so undetected for
months. According to the US Federal Trade Commission, the attackers stole at least 147 million names
and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and
expiration dates. [1]
 This case study was made notable for both the impact and scale of the data breach and the basic mistakes
made within the organization which made it possible. Due to the scale of the breach, it placed the idea of
data breaches into US attention.
[1] Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data
Breach, Federal Trade Commission, Press Release, July 2019

National Security Agency

An insider leaks highly sensitive, damaging information

In 2013, a National Security Agency (NSA) subcontractor named Edward Snowden released a significant
amount of classified information. He was able to access the information because of his job role, and with
few technical tools and techniques.
Once the files were made public, the impact to the US and its international allies was considerable. The
leaked files included technical capability overviews, guidance on operations, and other highly sensitive
material. Several business arrangements between the NSA and US companies were bought under a high
degree of scrutiny as a result.

This is a well known example of a malicious insider. While a public figure for the cost of the damages has
not been made available, the general understanding was the data breach was the most damaging set of
leaks the US had ever suffered.

SolarWinds
A large-scale supply chain attack affects thousands of organizations

SolarWinds developed software used to manage IT systems, including a product called Orion. In 2020, it
was discovered that SolarWinds had been compromised and that malware had then been spread to
thousands of SolarWinds’ customers. The attackers compromised SolarWinds’ update process so when
customers updated Orion, they installed the malware as well.
This attack was noteworthy as it highlighted how trusted relations within supply chains can be used by
 prospective attackers. By compromising SolarWinds, the attacker was able to gain access to thousands of
other organizations.

Looking beyond SolarWinds, large-scale supply chain attacks remain thankfully rare. Despite supplier
compromises such as this case study, patching software is still recommended as a routine step.
Sources:
 Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global
Victims With SUNBURST Backdoor, Mandiant, December 2020
 Dealing with the SolarWinds Orion compromise, National Cyber Security Centre, January 2021

Activity
Take a few minutes to investigate a cybersecurity incident of your choosing for your own short
case study, like those above. You can search online or access this "List of cyberattacks"
Wikipedia online article for a list of many recent, well-known cases that may be of interest to
you and provide a start.
Please type your answer to each question in the boxes. Your answers are just for you and are
only saved in this course for you. Be sure to click Save Text.
1. Which cybersecurity incident did you choose for your case study?

Save Text

2. What type of attack was it and how was it completed?

Save Text

3. What were the consequences and what can the cybersecurity community learn from the event?
Save Text

Cyber Security on the defence

Financial impacts
Module overview
You have learned about the basics of cybersecurity and the various types of threats an
organization may face. This module focuses on the "defensive" side of cybersecurity, meaning
organizations and their techniques and tools. How do they detect, protect against, and respond to
attacks? You will learn about these topics:
 Financial impacts of cyber crime to organizations
 Security maturity
 A security strategy approach that organizations can use to defend against cyber attacks
using the 10 Steps to Security by the National Cyber Security Centre
 Common approaches organizations take to:
o Prevent cyber attacks
o Detect cyber attacks
o Respond and recover from cyber attacks
 Key properties for secure communications
 Symmetric and asymmetric cryptography
 Threat intelligence sources and benefits for organizations
Learning objectives
After completing this module, learners should be able to:
 List some of the financial impacts of cyber crime on organizations
 Define security maturity
 Summarize how organizations can defend against cyber attacks by following the National
Cyber Security Centre’s 10 Steps to Security
 Describe strategies that organizations can take to prevent cyber attacks
  Discuss methods that organizations use to detect cyber attacks
 Explain the basic concepts of cyber attack incident response
 Discuss the three key properties of secure communication
 Define symmetric and asymmetric cryptography
 Explain what threat intelligence is and describe its benefits and sources
Cost of data breaches
First, let's learn about how detrimental cyber attacks can be to organizations and get a better idea
about what the cost can be. The cost of cyber crime to organizations can be both hard to predict
in advance and very damaging.
The annual Cost of a Data Breach Report, conducted by the Ponemon Institute and sponsored by
IBM Security, analyzes data breach costs reported by hundreds of organizations around the
world and across industries. According to the 2022 report, the average global total cost of a
data breach is $4.35M. The cost of a data breach has increased by 14.8% since 2015. Review
this diagram to learn more key facts about the costs of data breaches. The amounts are in US
dollars.

Source: Cost of a Data Breach Report 2022, IBM Security, study conducted by the Ponemon
Institute
Data breaches can cause devastating financial losses and affect an organization’s reputation for
years. The biggest contributor to these costs was lost business. This is something which can
linger for years after an attack. In addition, there are regulatory fines and remediation costs that
may impact an organization.
These rising costs from direct impacts and fines act as a key driver for the cybersecurity industry.
Over the next few years as other parts of the world adopt similarly tough data standards to
Europe, it is likely the number of high profile cases will increase significantly.
Facing the challenge of rising attacks
Hiscox is a global specialist insurer. The Hiscox Cyber Readiness Report 2021 gauges how
prepared businesses are to combat cyber attacks. The annual report surveyed over 6,000
professionals across eight countries who are responsible for their firm’s cybersecurity. It found
that the cost and number of attacks is on the rise. Here are some important findings:
  The proportion of firms reporting attacks rose from 38% in 2020 to 43% in 2021, with
many suffering multiple attacks.
 The hackers’ favorite targets were the technology, media and telecoms (TMT), financial
services, and energy sectors.
 Businesses have radically reoriented their IT budges. The average firm now devotes more
than a fifth (21%) of its IT budget to cybersecurity.
 16% of the firms reporting cyber attacks had to deal with a ransomware demand and just
over half of those targeted (58%) paid a ransom, either to recover data or to prevent
publication of sensitive information.
You can see cyber attacks are an unavoidable cost of doing business today. Organizations have
some way to go before they are cyber ready and they need to develop security strategies.
A good metaphor for a cyber attack is that of a pollutant in the environment. The accumulation
of attacks is something everyone must deal with, they cannot be ignored forever, and the
problem gets worse with inaction

Security strategy
To combat cyber attacks and protect themselves, organizations must outline and implement a
security strategy. It is two sides of the same coin: How can the organization mitigate threats as
well as increase preparedness for a breach? In this lesson, we'll explore security maturity, ten
steps to consider implementing for an organization's security strategy, and additional
considerations.
The journey of security maturity
Like individuals, organizations change over time. This is reflected within cybersecurity as a level
of maturity or experience. It is important for an organization to consider where it is today and
where it wants to strategically be in the future in terms of its journey of security maturity.
Certain organizations may not have focused on cybersecurity and may be immature from a
system perspective. Then, there are mature organizations that are typically more "battle
hardened" because they have had cybersecurity as a priority for a longer period.
The following table provides examples to help understand how mature an organization's security
might be across a few metrics.
Area Sign of less maturity Sign of more maturity

Processes Processes may be ad hoc or not formally Processes are documented, reviewed, measured,
documented. and tested.

Leadership No or few cybersecurity roles are formally set up. Clear job descriptions and top-down leadership
Employees may have cybersecurity as a secondary supports the cybersecurity strategy.
consideration alongside their core role. Little
formal leadership exists.

Tools Little investment in tooling exists. Some Cybersecurity tools are procured alongside other
cybersecurity tools may be used if they are free or software and part of a structured budget.
bundled within other software packages.

Culture Few people think about cybersecurity. Cybersecurity is a key part of the organization’s
culture.

Note: Rather than an obvious yes or no, it is important to highlight that cybersecurity maturity is
a scale. An organization may show development in one area while not being mature in another
area.
CHECK THIS OUT!
If you would like to learn more, here is additional information about five security maturity levels
offered and described by NIST's Program Review for Information Security Assistance, or
PRISMA.
Security Maturity Levels - Program Review for Information Security Assistance (PRISMA)
Starting point for organizations
It can be difficult for organizations to decide where to start with cybersecurity and where to best
focus their available resources, such as employees, capital, and time. One approach is to consider
following the 10 Steps to Cyber Security offered by the The National Cyber Security Centre in
the UK. This guidance aims to help organizations manage their cybersecurity risks by breaking
down the task of protecting the organization into 10 steps. Adopting these security measures
reduces the likelihood of cyber attacks occurring, and minimizes the impact to an organization
when incidents do occur.
It begins with establishing an effective risk management approach. This first step and the nine
other steps are displayed in the following diagram. You’ll learn more about a couple of the steps
in more detail in this module, such as monitoring and incident management.
Enlarge or download this diagram and take a couple of minutes to review the 10 steps so you
have an overview.

Review the online guide of the 10 Steps to Cyber Security

Marketplace for the security industry
Another consideration for organizations starting out with a cybersecurity strategy is that they
rarely need to start from scratch or work in isolation to achieve their objectives. Much has been
created and developed already! There is a vast marketplace in the industry for security products
and services. Most large organizations have products from various cybersecurity vendors. For
example, they may have a data loss prevention system on a database to prevent theft of
information produced by one vendor and a firewall produced by another. These many and varied
companies each contribute to a vibrant ecosystem supported by a range of standard authorities,
charities, and government entities.
Security Maturity Levels
The Program Review for Information Security Assistance (PRISMA) project was last
updated in 2007; NIST Interagency Report (IR) 7358 and the corresponding PRISMA tool
continue to serve as useful resources for high-level guidance and as a general framework, but
may not be fully consistent with changes to requirements, standards and guidelines for securing
systems. The PRISMA project is being incorporated into the NIST Cybersecurity Risk Analytics
and Measurement project, and research to support updates will begin in FY24. For questions or
comments regarding the NIST Cybersecurity Risk Analytics and Measurement project, please
contact [email protected].

The PRISMA review is based upon five levels of maturity: policy, procedures, implementation,
test, and integration. A brief description of each level is provided below.
The PRISMA team assesses the maturity level for each of the review criteria. A higher maturity
level can only be attained if the previous maturity level is attained. Therefore, if there is an
implementation, but there isn't a policy for a specific criteria, none of the maturity levels are
attained for the specific criteria.
Back to Top

IT Security Maturity Level 1: Policies

 Formal, up-to-date documented policies stated as "shall" or "will" statements exist and
are readily available to employees.
 Policies establish a continuing cycle of assessing risk and implementation and use
monitoring for program effectiveness.
 Policies written to cover all major facilities and operations agency-wide or for a specific
asset.
 Policies are approved by key affected parties.
 Policies delineate the IT security management structure, clearly assign IT security
responsibilities, and lay the foundation necessary to reliably measure progress and
compliance.
  Policies identify specific penalties and disciplinary actions to be used if the policy is not
followed.
Back to Top

IT Security Maturity Level 2: Procedures

 Formal, up-to-date, documented procedures are provided to implement the security
controls identified by the defined policies.
 Procedures clarify where the procedure is to be performed, how the procedure is to be
performed, when the procedure is to be performed, who is to perform the procedure, and
on what the procedure is to be performed.
 Procedures clearly define IT security responsibilities and expected behaviors for
o asset owners and users
o information resources management and data processing personnel, management,
and
o IT security administrators.
 Procedures contain appropriate individuals to be contacted for further information,
guidance, and compliance.
 Procedures document the implementation of and the rigor in which the control is
applied. .
Back to Top

IT Security Maturity Level 3: Implementation

 Procedures are communicated to individuals who are required to follow them.
 IT security procedures and controls are implemented in a consistent manner everywhere
that the procedure applies and are reinforced through training.
 Ad hoc approaches that tend to be applied on an individual or case-by-case basis are
discouraged.
 Policies are approved by key affected parties.
 Initial testing is performed to ensure controls are operating as intended.
Back to Top
IT Security Maturity Level 4: Test
 Tests are routinely conducted to evaluate the adequacy and effectiveness of all
implementations.
 Tests ensure that all policies, procedures, and controls are acting as intended and that they
ensure the appropriate IT security level.
 Effective corrective actions are taken to address identified weaknesses, including those
identified as a result of potential or actual IT security incidents or through IT security
alerts issued by FedCIRC, vendors, and other trusted sources.
 Self-assessments, a type of test that can be performed by agency staff, by contractors, or
others engaged by agency management, are routinely conducted to evaluate the adequacy
and effectiveness of all implementations
 Independent audits such as those arranged by the General Accounting Office (GAO) or
an agency Inspector General (IG), are an important check on agency performance, but are
not viewed as a substitute for evaluations initiated by agency management.
 Information gleaned from records of potential and actual IT security incidents and from
security alerts, such as those issued by software vendors are considered as test results.
Such information can identify specific vulnerabilities and provide insights into the latest
threats and resulting risk.
 Vulnerabilities and provide insights into the latest threats and resulting risk. Evaluation
requirements, including requirements regarding the type and frequency of testing, are
documented, approved, and effectively implemented.
 The frequency and rigor with which individual controls are tested depend on the risks that
will be posed if the controls are not operating effectively.
Back to Top

IT Security Maturity Level 5: Integration

 Effective implementation of IT security controls is second nature.
 Policies, procedures, implementations, and tests are continually reviewed and
improvements are made.
 A comprehensive IT security program is an integral part of the culture.
 Decision-making is based on cost, risk, and mission impact.
 The consideration of IT security is pervasive in the culture.
 There is an active enterprise-wide IT security program that achieves cost-effective IT
security.
 IT security is an integrated practice.
 Security vulnerabilities are understood and managed.
 Threats are continually reevaluated, and controls adapted to changing IT security
environment.
 Additional or more cost-effective IT security alternatives are identified as the need arises.
 Costs and benefits of IT security are measured as precisely as practicable.
 Status metrics for the IT security program are established and met.