Cyber Security: Essential principles to secure your organisation
eBook - ePub

  1. 69 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
About this book

Cyber Security – Essential principles to secure your organisation takes you through the fundamentals of cyber security, the principles that underpin it, vulnerabilities and threats, and how to defend against attacks.

Organisations large and small experience attacks every day, from simple phishing emails to intricate, detailed operations masterminded by criminal gangs, and for every vulnerability fixed, another pops up, ripe for exploitation.

Cyber security doesn't have to cost vast amounts of money or take a short ice age to implement. No matter the size of your organisation, improving cyber security helps protect your data and that of your clients, improving business relations and opening the door to new opportunities.

This pocket guide will take you through the essentials of cyber security – the principles that underpin it, vulnerabilities and threats and the attackers who use them, and how to defend against them – so you can confidently develop a cyber security programme.

Cyber Security – Essential principles to secure your organisation:

  • Covers the key differences between cyber and information security;
  • Explains how cyber security is increasingly mandatory and how this ties into data protection, e.g. the Data Protection Act 2018 and the GDPR (General Data Protection Regulation);
  • Focuses on the nature of the problem, looking at technical, physical and human threats and vulnerabilities;
  • Explores the importance of security by design;
  • Gives guidance on why security should be balanced and centralised; and
  • Introduces the concept of using standards and frameworks to manage cyber security.

No matter the size of your organisation, cyber security is no longer optional – it is an essential component of business success and a critical defence against the risks of the information age. The only questions left are to decide when and where your journey will begin.

Start that journey now – buy this book today!

Yes, you can access Cyber Security: Essential principles to secure your organisation by Alan Calder in PDF and/or ePUB format, as well as other popular books in Computer Science & Cyber Security. We have over one million books available in our catalogue for you to explore.

CHAPTER 1: INFORMATION SECURITY AND CYBER SECURITY

The terms ‘information security’ and ‘cyber security’ are often used interchangeably, when in fact they refer to different (albeit related) things.
Information security is concerned with ensuring the confidentiality, integrity and availability (C, I and A) of all information held by an organisation, irrespective of whether the information is electronic or in hard-copy format. As a result, information security generally involves considering physical and environmental controls alongside technological ones (lockable filing cabinets, key-code doors, etc.).
Cyber security is a subset of information security and is concerned with the same things, but where information security takes a generalist approach, cyber security focuses specifically on electronic information (including the physical aspects of defending that information). New cyber risks emerge almost daily, and the successful organisation must do all it can to stay ahead of the curve.

Laws, regulations and contracts

The days of cyber security as an afterthought are long past. Today’s organisations collect, use and store more information than ever before, and the global regulatory system is beginning to catch up.
The introduction of the EU General Data Protection Regulation (GDPR) in 2018 marked a major milestone for data protection and privacy laws across the globe. Most of us remember the flood of ‘we need your consent’ emails that arrived in our inboxes in the days leading up to (and after) the GDPR took effect, but those emails were only the tip of the iceberg.
The GDPR places a wide range of security and privacy obligations on organisations that process EU residents’ data and is supported by a regime of significant financial penalties (up to 4% of annual turnover or €20 million, whichever is greater). The Regulation also requires organisations based outside of the EU that process data on EU residents to appoint an EU representative, extending the reach of those obligations and penalties far beyond the EU’s physical borders.
Another law that may be relevant is the Directive on security of network and information systems (NIS Directive). This places specific cyber security and business continuity obligations on digital service providers and operators of essential services such as power and water, with a view to mitigating the disruption that could occur as the result of a major cyber security incident.
While many organisations still grapple with the GDPR and NIS Directive, new laws such as the California Consumer Privacy Act (CCPA) or the Brazilian General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais) are being introduced around the world, and further legislation is expected in the coming years. The increasing regulatory focus on data protection, privacy and continuity of key services inevitably leads to a greater focus on cyber security, as so much of the information held by organisations is in electronic formats, and the majority of essential services rely on electronic infrastructure.
It’s not just laws that mandate effective cyber security. Cyber security obligations in contracts are increasingly common, as organisations begin to recognise the risks posed by information sharing between suppliers and partners. If your organisation takes card payments, for example, banks will expect you to adhere to the requirements of the Payment Card Industry Data Security Standard (PCI DSS), while many government contracts mandate a minimum level of cyber security to enter the tendering process.

CHAPTER 2: THREATS AND VULNERABILITIES

Risk is an inevitable part of life. Every time you do something in which the outcome is uncertain, you take a risk, whether it’s something simple like crossing the road, or something complex like undergoing surgery. Risk is a function of uncertainty – without uncertainty, there is no risk.
Different business fields approach risk in different ways, but the general principles remain the same: the likelihood of an adverse event is mapped against the effect that event would have were it to occur. If the outcome is severe and the likelihood high enough, then it is sensible to take steps to protect against it – usually by reducing the damage caused by the outcome, or by reducing the likelihood that it will occur in the first place.
Cyber security risk derives from a combination of threats and vulnerabilities: vulnerabilities are exploited by threats to achieve certain goals, such as accessing a secure network or installing malware. This does not mean that cyber security risk is limited to deliberate actions by malicious actors – a leaky roof of a server room (vulnerability) can be ‘exploited’ by a rainstorm (threat), with potentially catastrophic results.
Threats and vulnerabilities can take many forms. A database that fails to properly sanitise user inputs, for instance, might be exploited by an attacker using an SQL injection to gain access to sensitive data, while unpatched software might allow an attacker to install malware, with any number of nasty results – wiping files or holding them to ransom, to name just two.
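The paragraph above names a database that fails to sanitise user input as a vulnerability and SQL injection as the threat that exploits it. The following is an added example, not code from the book or its author, showing the vulnerable pattern (splicing untrusted text into a query) next to the hardened pattern (a parameterised query). The table, rows, column names and the malformed input are all constructed for the demonstration; an in-memory SQLite database stands in for a real one.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory table standing in for a customer database.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Vulnerable: the untrusted value is spliced straight into the SQL text, so the
    # database cannot tell where the query ends and the user's data begins.
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    # Hardened: the query shape is fixed and the value travels separately as a
    # bound parameter, so it is only ever compared as data, never parsed as SQL.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with a normal input and a constructed malformed one."""
    conn = make_db()
    normal = "alice@example.com"
    # Constructed malformed input: when spliced into the query text it turns the
    # WHERE clause into one that is always true, so every row comes back.
    tautology = "x' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_tautology": lookup_vulnerable(conn, tautology),
        "safe_normal": lookup_parameterised(conn, normal),
        "safe_tautology": lookup_parameterised(conn, tautology),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running it shows the vulnerable lookup returning every customer record for the malformed input, while the parameterised lookup returns nothing, because the same text is treated as a literal e-mail address that matches no row. The fix is the query construction, not input filtering: parameterisation removes the vulnerability regardless of what the threat sends.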
Software and hardware are always evolving, and the same is true for vulnerabilities – each advance brings new security challenges. Even longstanding, trusted software or hardware is not immune. In 2018, major computer chip manufacturers were stunned to discover that their processors had contained major security flaws (named ‘Meltdown’ and ‘Spectre’) at the hardware level since 1995 – and those processors are believed to be in almost every modern computer across the globe.[1]
Cyber threat actors come in all shapes and sizes too. While our first thought may be of the ‘nerd’ locked in a bedroom writing code for a prank, the reality is very different. Organised crime gangs, ‘hacktivists’ pushing a political agenda, and even state-supported actors all represent potential threats, irrespective of the size of your organisation.
Perhaps the most pervasive threat actor is something you can’t live without – your employees. Even discounting ‘insider threats’ (the term used to describe employees who are actively looking to harm their organisation in some way, often because they are unhappy), many cyber security incidents are caused inadvertently by employees who lack awareness of the risks. According to a report by Verizon, 34% of data breaches in 2019 involved internal actors.[2]

Technical threats

When we think about cyber security, technical threats are usually the first thing that comes to mind. The news abounds with stories of vast data breaches that are eventually traced to some obscure vulnerability in hardware or software, and phishing emails carrying malware drop into millions of inboxes every day, all over the world. Every inch of progress towards security is a hard-fought battle, and to fight effectively, you need to understand the enemy’s weapons.

Malware

Malware has existed in one form or another since computers became commonplace. Self-replicating software was conceived in the 1940s, and one of the first viruses, known as Creeper, was created in the early 1970s, infecting US government computers and displaying “I’m the Creeper, catch me if you can” on the screen.
Since then, there has been an explosion of malware. Sites on the dark web offer a vast array of malware programs for sale, and new malware appears daily, taking advantage of the latest vulnerabilities in a never-ending arms race between the malicious actors who craft it and the cyber security professionals who defend against it. ‘Malware’ as a category encompasses a range of malicious programs, each of which operates differently.

Virus

Viruses are self-replicating programs designed to spread from computer to computer and deliver a payload. Viruses are not standalone programs – they are bits of code that need to be hidden in other programs to function and replicate. When the user runs the ‘host’ program, the virus infects the system and does its work.
Once it has infected a system, the virus has two goals: replicate itself as much as possible and deliver the payload – ideally without being spotted. Some of the earliest viruses were called ‘boot sector’ viruses, because they infected sections of a drive that are read when a computer is booted up, making them hard to detect, and were often spread through the sharing of floppy discs (which were still in common use at the time).
Some of the most common viruses of the Internet era are macro viruses – viruses written in the scripting language found in Microsoft® Office and embedded in Office files, such as Excel spreadsheets or Word documents. Opening the document allows the virus to infect the system, with potentially catastrophic results. Emails featuring infected Office documents have been a common attack vector since the early 1990s, so much so that ‘don’t open suspicious attachments’ has become a cyber security maxim.
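The paragraph above describes macro viruses embedded in Office documents that arrive as e-mail attachments. As an added example (not code from the book or its author), here is a small triage check of the kind a mail gateway or attachment scanner performs: modern Office files (.docx, .xlsm and so on) are ZIP containers, and a VBA macro project is stored inside them as a part named vbaProject.bin, so its presence can be detected without opening the document in Office. The file names, the sample documents and their contents are all constructed here; real documents contain many more parts.

```python
import io
import zipfile

# A VBA project inside a ZIP-based Office file is stored as a part ending in this name
# (for example word/vbaProject.bin, xl/vbaProject.bin or ppt/vbaProject.bin).
MACRO_PART_SUFFIX = "vbaproject.bin"
OFFICE_ZIP_EXTENSIONS = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm")


def contains_vba_project(data: bytes) -> bool:
    """Return True if the bytes form a ZIP-based Office file that carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(MACRO_PART_SUFFIX) for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not a ZIP container (a legacy binary .doc, or something renamed to look like
        # an Office file); legacy formats need a separate OLE2 parser, not handled here.
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment by its claimed type and by what the container actually holds."""
    name = filename.lower()
    if not name.endswith(OFFICE_ZIP_EXTENSIONS):
        return "not-office"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Claims to be a modern Office file but is not a valid ZIP: treat as suspicious.
        return "malformed-office"
    if contains_vba_project(data):
        return "macro-bearing"
    return "macro-free"


def build_sample(parts: dict) -> bytes:
    """Constructed helper: build a minimal ZIP with the given part names as a stand-in document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample documents: one without macros, one with a (dummy) VBA project.
CLEAN_DOC = build_sample(
    {"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}
)
MACRO_DOC = build_sample(
    {
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<w:document/>",
        "word/vbaProject.bin": b"\x00constructed placeholder, not real VBA",
    }
)


if __name__ == "__main__":
    # Note the second case: a macro-bearing document renamed to .docx is still flagged,
    # because the check looks inside the container rather than trusting the extension.
    for fname, blob in [
        ("quarterly_report.docx", CLEAN_DOC),
        ("quarterly_report.docx", MACRO_DOC),
        ("invoice.docm", b"not a zip at all"),
        ("invoice.pdf", MACRO_DOC),
    ]:
        print(fname, "->", classify_attachment(fname, blob))
```

A positive result is a triage signal rather than a verdict: many organisations run legitimate macros, so the usual policy is to quarantine or strip macro-bearing attachments from external senders and allow-list the few internal sources that need them. Blocking on extension alone is weaker, since a macro-enabled file can simply be renamed.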

Worms

If the principal characteristic of a virus is that it is a self-replicating program that must be embedded in another program to function, then a worm is a virus with that limitation removed. Worms do not need to be embedded in other programs and can replicate without user interaction, making them especially dangerous.
One of the best-known worms in recent years is Stuxnet. Discovered in 2010, this highly complex worm targeted industrial control systems in an Iranian nuclear facility, changing the speed of uranium enrichment centrifuges until a large number broke from the strain. Commonly believed to have been developed by US and Israeli intelligence agencies, Stuxnet is considered by some the world’s first “cyber-weapon of geopolitical significance”.[3]

Ransomware

Ransomware exploded into the public consciousness with the WannaCry attack on the NHS in 2017, which affected up to 70,000 devices including hospital equipment.[4] Other major organisations such as FedEx and Renault were also affected, along with a number of universities and government institutions across the globe.
Ransomware is a payload, usually transmitted by self-replicating worms or Trojans, that encrypts or otherwise prevents access to the user’s files until a ransom is paid (usually in Bitcoin). Some ransomware will take a copy of the user’s files and threaten to publish them, but the effect is the same – pay up or lose out.
Before the 2017 WannaCry attacks (which occurred worldwide, not just in the UK), ransomware primarily targeted individual consumers. The 2017 attacks marked the beginning of a shift in focus, with 81% of ransomware attacks in 2018 targeting organisations, not consumers.[5]

Trojan horses

Trojan horses, or just ‘Trojans’, are a type of malware that pretend to be something else. The name comes from the ancient Greek story about the fall of Troy.
Trojans generally masquerade as legitimate programs to trick you into activating them, though some can spread on their own without user interaction. One of the most common attack vectors is email, as Trojans can be embedded in seemingly innocuous attachments such as spreadsheets or Word files. Once activated, the Trojan sends spoof emails to everyone in the address book, further spreading the infection.
Trojans can carry almost any kind of payload, but keyloggers and ‘backdoors’ that allow access to sensitive ...

Table of contents

  1. Cover
  2. Title
  3. Copyright
  4. About the Author
  5. Contents
  6. Introduction
  7. Chapter 1: Information security and cyber security
  8. Chapter 2: Threats and vulnerabilities
  9. Chapter 3: Security by design
  10. Chapter 4: Human threats
  11. Chapter 5: Physical threats
  12. Chapter 6: Third-party threats
  13. Chapter 7: Securing the organisation
  14. Chapter 8: Incident response and management
  15. Chapter 9: Standards and frameworks
  16. Chapter 10: Conclusion
  17. Further reading