
Lecture 02 Handouts

The document discusses the management aspects of cybersecurity within organizations, covering key terminology such as computer security, information security, and information assurance. It outlines the roles of various cybersecurity teams, including Red, Blue, Yellow, and other colored teams, each with specific responsibilities related to security and development. Additionally, it emphasizes the importance of risk management in identifying vulnerabilities and threats to information assets.

Uploaded by

ahmeddhamed179
Law and Cybersecurity

(06407)

Instructor: Dr. Mohamed Abdelwahab Saleh

March 8, 2025

Lecture 2: Management Aspects of Cyber Security


Section 1

Cyber Security in Organizations

Contents

Cyber Security in Organizations

Organization of Cyber Security Teams

Terminology Used in Security of Organizations
▶ Computer Security:
  ▶ One of the oldest terms. It includes operating system security and application security.
  ▶ Defense using anti-malware, access control, etc.
▶ Information Security:
  ▶ This term appeared as the integration of computer security and network security.
  ▶ In addition to the previous defenses, we use firewalls, intrusion detection, security testing, etc.
▶ Information Assurance:
  ▶ This term has more of a managerial than a technical aspect.
  ▶ It includes all aspects of IT security techniques and policies at an organizational level.
  ▶ Defenses, in addition to the previous ones, may include physical security of information assets, policies, etc.

Terminology Used in Security of Organizations–Cont’d

▶ Cyber Security:
  ▶ This term is usually used to mean all of the previous terms.

Note about terminology

Sometimes the lines between different terms are not clearly identified. For instance, people may use information security to include aspects of information assurance. The most important thing here is that you know the terms and understand and use them in a suitable context.

Information Assets

▶ An asset is whatever you own.
▶ An information asset is an asset that is related to the organization’s owned information.
▶ An information asset may be physical, e.g., computer, router, hard disk.
▶ An information asset may also be abstract, e.g., design of a product, customers’ personal data, etc.
▶ Sometimes the term IT asset is used to mean information asset (as we defined it).
▶ Sometimes also, “information asset” is used to mean total knowledge at the organization’s possession.

Vulnerabilities and Threats

▶ A vulnerability is a weakness in the organization’s IT assets.
▶ This weakness may be a shortcoming of the asset itself, e.g., a bug in a database management system.
▶ It may also originate from insufficient security controls at the organization, e.g., not using proper access control.
▶ According to ISO/IEC 27000:2012, a threat is “the potential cause of an unwanted incident, which may result in harm to a system or organization.”
▶ In other words a threat is the possibility of an attack.

Attack, Attack Surface and Attack Vector

▶ Attack:
  An attack on an IT asset is an act done internally (in the organization) or externally that is meant to do harm to this asset.
▶ Attack Surface:
  An attack surface includes all IT systems that are exposed to attacks, i.e., it is the entry point of an attack.
▶ Attack vector:
  An attack vector is a sequence of actions that are used to execute an attack. Sometimes it is loosely used to mean “attack method”.

Risk Management

▶ Risk is the possible harm or damage that may be caused if an attack (vector) takes place.
▶ Risk analysis:
  ▶ Identify assets, vulnerabilities, threats, and possible attacks.
  ▶ Identify risks.
  ▶ For each risk, estimate risk potentiality (possibility) and impact (effect on organization).
  ▶ Risk seriousness (severity) is directly proportional to both potentiality and impact.
  ▶ Design security measures (controls).

Section 2

Organization of Cyber Security Teams

Managerial Positions Related to IT

▶ Chief Technology Officer (CTO):
  Responsible for the use of technology to enhance the company’s products and/or services, i.e., the focus is on the products and customers.
▶ Chief Information Officer (CIO):
  Responsible for the use of technology in the company’s internal IT system, i.e., the focus is on the company’s internals and employees.
▶ Chief Information Security Officer (CISO):
  Responsible for securing the company’s IT systems, i.e., leading the security teams.

The Cyber Security Color Wheel

[Figure: the cyber security color wheel. Picture taken from hackernoon.com]


The Red Team: The Attackers

▶ Vulnerability scanning.
▶ Penetration testing.
▶ Security testing.
▶ Black box testing.
▶ Ethical hacking.
▶ Social engineering.

The Blue Team: The Defenders

▶ System and network protection measures.
▶ Incident response.
▶ Cyber forensics.
▶ Operational Security.
▶ Employee awareness.

The Yellow Team: The Developers

▶ Software security requirements.
▶ Vulnerability avoidance and testing.
▶ Secure development.
▶ DevSecOps.
▶ Fixing bugs and handling error reports.

Other Teams: Purple, Orange, and Green

▶ Purple (Blue + Red):
  Use attack results to improve defense.
▶ Orange (Yellow + Red):
  Train developers and improve development process.
▶ Green (Yellow + Blue):
  Improve defense by automation methods, by better understanding of system architecture, and by integrating security in the software design process.
▶ White (all colors):
  Management, compliance, coordination, policies, etc.
