C727 - Cybersecurity Management I - Strategic

Availability

Availability, pillar number 3, is the set of practices and tools designed to ensure timely access to data. If your computer is down, availability is compromised. If your Internet connection is moving at a snail's pace, availability is compromised. How do you ensure availability? In one word? Backup. In two words? Redundancy and backup.

Type of Controls and examples

Preventive Security guards, locked doors, and firewalls Detective Intrusion detection system, motion detectors, and security cameras Corrective Data restoration, system patch installation, and software upgrades Compensating Redundant network connection, battery backup, and system isolation

Maturity (CH1)

Concept relating to the current or future state, fact, or period of evolving development, quality, sophistication, and effectiveness (not necessarily age dependent).

Disclosure of information could cause:

Disclosure of information could cause: Exceptionally grave prejudice Serious harm Harm Disadvantage

FUD (CH2)

Fear, Uncertainty, and Doubt

Confidentiality

In general, there are three accepted degrees of confidentiality: top secret, secret, and confidential.

capabilities

capabilities. I like to look at capabilities as the set of competencies and the measure of competency throughput. Did I lose you here? Okay. Let's simplify! Think of capabilities as your capacity to generate value. Better? Okay, good! Now, how do you generate value with your capacity? Well, you are competent enough, and have enough bandwidth to apply your competency to value creation. In short, you're capable!

You are the CIO for an organization and have been tasked with designing several information system controls for your department. What should you consider first during your design? -IT Budget -IT vision -Organization Strategy -Oragnization budget

-Organization Strategy To be effective, controls implemented by management must first align with the organization's governance and strategy, which is set by the board of directors.

COBIT 5 enablers (CH1)

COBIT 5 is an information security management system (ISMS) backed by ISACA, an international professional association serving a broad range of IT governance professionals and a framework accepted by many assurance and governance professionals. --- begins with principles, policies, and frameworks as mechanisms acting as hand-rails guiding desired behavior for day-to-day management. Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving cybersecurity objectives aligned to enterprise objectives. Organizational structures are the key decision-making entities in an enterprise. Culture, ethics, and behavior of individuals and of the enterprise are a key success factor in governance and management activities. Information is organization pervasive and includes all information produced and used by the enterprise. Information is not only required to keep the organization running and well governed, but is often the key product of the operational enterprise. Services, infrastructure, and applications include the infrastructure, technology, and applications that provide the enterprise with information technology processing and services. People, skills, and competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions. Note that portions of this text are presented both in this course and in Cybersecurity Management II - Tactical.

To properly protect the confidentiality of data, which of the following is most important to define? -Acceptable use policy -Data Classification -Risk appetite -Encryption algoriths

Data Classification Every organization will approach data confidentiality differently but will require some sort of data classification (e.g., public, confidential, secret, top secret). Without having an established classification scheme, and subsequent proper labeling of the data, it is very difficult to effectively implement data confidentiality.

An organization discovers a system administrator with their cloud service provider has gained unauthorized access to company data stored in the cloud. What is the best method to protect company data stored in the cloud? -Data encryption -Service-level agreements -Acceptable use policy -Invitation to tender (ITT)

Data encryption Using appropriate data encryption methods to protect data from unauthorized access is the best security control in this scenario. Service-level agreements generally relate to uptime and availability, and acceptable use policies will define approved and unapproved actions employees can take. The ITT is sent to vendors when seeking a service provider.

Maturity model (CH1

A simplified system that "road-maps" improving, desired, anticipated, typical, or logical evolutionary paths of organization actions. The ascending direction implies progression increases organization effectiveness over time (albeit subject to stasis and regression).

Advanced persistent threat (APT

An APT says what it does and does what it says—it's a coordinated, persistent, resilient, adaptive attack against a target. APTs are primarily used to steal data. They can take a long time to research, plan, coordinate, and execute, but when they succeed, they are frequently devastating. You definitely do not want to be on the receiving end of one, and if you are, you had best have a very strong incident response plan in place.

Cyber Space

An interdependent network of information technology infrastructures, that includes the Internet, telecommunications networks, computer systems and embedded processors and controllers.

Preventative contros

Antivirus, anti-malware application Cyber security Awareness training Data Loss Prevention Firewall Gateways IPS A-log in screen

governance strategy responsibility.

Board of directors Strategy definition Executive team Strategy implementation Operations team Strategy execution

Competencies

Competencies are the skill sets that we bring to the table. If you're a litigation law firm, a core competency would be engaging as many experienced litigators as you can afford. That's a core competency. Engaging real estate attorneys, as excellent as they may be, will not help you much in litigation.

Conditions

Conditions are the environments in which competencies exist. Markets can be conditions. Geography can be a condition. Technology can also be a condition, and so can cybersecurity. Jay's point about "not always under your control" is abundantly clear when you think of market conditions.

Conduct

Conduct refers to the set of actions that we take both within our company and within the conditions we operate in to accomplish our goals. Conduct can be ethical or unethical, legal or illegal, but it can also speak to company culture and work behavior. Conduct can have profound implications on the way you achieve your goal. The term "cost of doing business" hides a lot of conduct decisions within it, as does "risk acceptance."

Question : A business process owner informs you that a security patch breaks the functionality of his server, and he cannot install this patch in production. The patch mitigates a vulnerability present in the web browser that can be exploited when visiting malicious websites. What is the best compensating control if the patch is not deployed? A Disable internet access for this system. B Install antivirus software. C Enable intrusion detection. D Use file integrity monitoring software.

Explanation: Answer A is correct. Generally, servers should not be used for browsing the internet as a best practice. Disabling the ability for this server to reach the internet would be the best compensating control for a vulnerability that is exploited by browsing malicious internet websites.

The CISO has asked you to identify a solution for securing BYOD assets. The solution needs to protect data on the device, protect data on the corporate network from the device, and enforce pass codes on the device. Which type of solution will you likely recommend? A Data encryption on the device B End-user agreement C Network segmentation D Mobile device management

Explanation: Answer D is correct. A mobile device management (MDM) solution allows the organization to have a level of control over personal devices accessing corporate data. MDM policies can require pass codes, allow specific configurations, enable data encryption, and allow remote wipe of the device if it is lost or stolen.

Corrective Control

Focus on repairing damage during or after an attack -Vulnerability patching -Backup (is ultimate corrective control

Here are the five functions of the NIST Cybersecurity Framework

Identify Develop understanding of risks, assets, and capabilities. Protect Create plans and actions for putting adequate controls in place. Detect Identify and classify an attack against assets. Respond Perform activities and actions as the result of an attack. Recover Bring systems and processes back to normal.

Integrity

Integrity is the set of practices and tools (controls) designed to protect, maintain, and ensure both the accuracy and completeness of data over its entire life cycle. How do you achieve integrity? You do it by implementing digital signatures, write‐once‐read‐many logging mechanisms, and hashing.

Brute force attack

If there is any elegance in hacking a system, then this method lacks it. A brute force attack, much like a brute, doesn't use any brains, only force—in this case, computing force. So, if I wanted to guess your password with a brute force attack, I would use a very fast computer to try every single combination possible of the number—a task that can take a large amount of time or a startlingly brief amount, depending on the complexity of the password. For example, a 4‐digit numerical PIN takes only a few hours to crack by brute force. (If you would like to test your own password or PIN to determine how long it would take for a brute force attack to crack it go to Passfault Demo, an open web application security project (OWASP) site, and give it a try.)

Safety

Finally, term number 4: safety. It is the newest pillar in cybersecurity, but one whose impact is potentially the most critical. This is where cybersecurity incidents could result in injuries, environmental disasters, and even loss of life. You may be a user of a connected medical device, potentially putting you at mortal risk if that device is hacked. Or, you may be in a connected car, plane, or train. Or, you may be in charge of a business that is responsible for water purification for thousands of people, or of a utility that millions of people rely on for life‐sustaining services like electricity.

Dissalowed BYOD

Risk Avoidance

ISO 31000:2009 (CH1)

Risk management—Principles and guidelines

threat

the impending prospect of something bad happening A threat is a combination of a threat agent and an action. An example of a threat would be a script kiddie exploiting a cross-site scripting vulnerability on a website. The script kiddie is the threat agent performing the action (exploiting the vulnerability).

attack

the realization of a threat

Detective Control

Motion Sensors IDS SIEM Antivirus, Anti-malware and IPS are considered both Preventative and Detective

Phishing attack:

Phishing and spear phishing are attacks that use social engineering methods. Social engineering in this context is just a fancy word for lying. Hackers convince a victim that the attacker is a trusted entity (such as a friend, established business, institution, or government agency) and trick the victim into giving up their data willingly. The goal of these attacks is to gain your trust so that you divulge sensitive information to the attacker. The degree of sophistication of such attacks varies, from the infamous appeals for bank information from Nigerian princes, to emails that appear to be from a bank or the Internal Revenue Service, to extremely sophisticated cons that can trick even the best‐prepared and skeptical victim.

Cybersecurity

Protecting information assets by addressing threats (risks) to information processed, stored, and transported by internetworked information systems (ISACA) or protecting computers, networks, programs, and other digital data and digital assets from unintended or unauthorized threats while optimizing opportunities.

Question : A system administrator has been assigned the responsibility of securing a newly deployed system. As part of her tasks, she disables unneeded ports, protocols, and services, removes unnecessary software, and enables secure communication protocols for system management. What is this an example of? -Reducing the attack surface -Turning on system security -Implementing ISO 27001 -Preventing a denial of service

Reducing the attack surface The attack surface references the potential areas of vulnerability within a system that an attacker may launch an attack against. By reducing the attack surface (such as removing unneeded services or software), the potential attacker has less of a "surface" to attack, making a successful breach more difficult and increasing the overall security posture of the system.

What are the main types of threats to big data? Select two. A Regulatory compliance B Privacy breaches C Denial of service D Ransomware

Regulatory compliance B Privacy breaches The large amount of data aggregation in big data increases the potential risk for privacy breaches while the global trend toward data regulation increases compliance requirements.

Compensatory Controls

Types of controls you put in place when you know that all your other controls cannot mitiage one or more risks all the way down to a desired level. -Segregation of duties -hot failover site -

Enterprise-wide risk management (ERM) (CH1)

Typically synonymous with risk management for all sectors; also used to emphasize an integrated and holistic "umbrella" approach delivering objectives by managing risk across an organization, its silos, its risk specialist, and other subfunctions and processes.

There are four steps, outlined in this section, that boards can take to respond to risk. They are as follows:

Use a "five lines of assurance" approach. Include top objectives and specific owners. Establish a risk management framework. Require regular reporting by the CEO.

Controls are actions that mitigate risk: (prevent, detect, correct, or compensate against risk.)

*Preventive controls are designed to prevent the attack from reaching the asset in the first place. A nondigital preventive control might be a pair of big burly guys, armed to the teeth, who physically guard your assets. Digital preventive controls include, as we already discussed, cybersecurity awareness training as well as more technical controls like firewalls, intrusion prevention systems (IPS; designed to both detect and thwart an attack). *Detective controls are designed to identify that an attack is occurring, including what kind of an attack, where it came from, what it used, and, if you're lucky, who may be behind it. For example, motion detectors that set off sirens waking up the aforementioned big burly guys and send them to go chase the intruder are detective controls. These days, these motion detectors can take the form of sophisticated cameras, detecting motion, plus capturing images and sounds. Digital detective controls include antivirus and antimalware systems, as well as intrusion detection systems (IDS; designed to detect abnormal patterns in networks or systems and raise the alarm). *Corrective controls are designed to minimize the damage from an attack. Examples include restoring from backup, patching the systems with the latest security fixes, upgrading to the latest version of applications and operating systems, and the like. *Compensating controls are designed to compensate for the failure or absence of other controls and mitigate the damage from an attack. Examples include having a hot failover site (a geographically separate site that mirrors your environment, available the instant you need it), isolating critical systems from the Internet (aka air‐gapping), and, in general, backup and disaster recovery plans that can keep the lights on while everyone else is in the dark

Which scenario is an accurate example of a potential threat to availability? -Jane sends an email to Bob pretending to be Alice. -You are unable to access a file that you are not authorized to open. -John successfully intercepts and reads an email from Alice to Bob. -Your favourite website says it is down for planned maintenance.

-Your favourite website says it is down for planned maintenance. Despite being planned downtime, the website is still unavailable to you when you visit, which impacts the availability of the service. Pretending to be someone else in an email impacts integrity, as the email source has been spoofed and the sender is not verified. Intercepting someone else's email is an example of a confidentiality breach, as John has been able to read a message intended for Bob. Not being able to access a file seems like it could be an availability issue, however availability relates to a service that is down for authorized users. A file that cannot be accessed by an unauthorized user is a security control working as intended.

What is a framework?

According to our friends at Merriam‐Webster, it is a basic conceptual structure (of ideas). I like to think of frameworks as playbooks. A good framework should be comprehensive, flexible, adaptable, and straightforward to implement. Although not a complete list by any means, some of the better‐known frameworks are: COSO (Committee of Sponsoring Organizations of the Treadway Commission), ITIL (Information Technology Infrastructure Library), BiSL (Business Information Service Management Library), CMMI (Capability Maturity Model Integration), COBIT (Control Objectives for Information and Related Technology), TOGAF (The Open Group Architecture Framework), and PMBOK (Project Management Body of Knowledge), which is more focused to the project management discipline but still overlaps with IT management and good management practices in general.

How to limit the affect of Ransomware and data loss?

Back Up Data Regularly Perform and test regular data backups that are perhaps daily, weekly, or monthly to an online backup service to limit the impact of data or system loss and to speed up the recovery process in the event of an attack.

Five Lines of Assurance- Responsibilities:

Board of directors Ensures overall risk is efficiently managed. Internal audit Provides independent information on risk management and residual risk. Specialist units Designs and helps maintain risk management processes. CEO and C-suite Builds and maintains risk management processes and assigns risk owners. Work units Owns risk and reports risk status of their assigned functions.

Common Terminalogy

Botnet A master computer instructs hundreds of slaves to perform an attack. Rootkit An incident handler runs an operating system command that gives false output. Trojan An attacker attaches malicious code to a popular free downloadable utility. Zero-day An attacker exploits a vulnerability that only he knows about.

ENISA has noted these four key trends that influence the activities of threat agents, still holding true today:

Consumerization of cybercrime: Just as Lowe's and Home Depot made home renovations more available to the masses, new tools are making cybercrime broadly accessible. There are many do‐it‐yourself hacking kits available for purchase or even free download. It is also fairly easy to hire a hacker to attack a target. Worse: There are both franchising opportunities and affiliate programs for cybercriminals as well as exciting new commercial avenues like ransomware‐as‐a‐service whereby you can get your own custom ransomware kit for little money up front for a percentage of the extorted profits. A financial win‐win for everyone involved, unless, of course, you're one of the victims. All this leads to: Low barriers to entry for technical novices: If you're motivated, you can start your career as a cybercriminal easily. There are hacker universities in which you can get training, and when you purchase some of the ready‐made hacking kits you can even get expert tech support! Dark net mystique: The dark net is now like how the Internet was in the 1990s. It is perceived as being used only by dangerous geeks, and normal users are discouraged from peeking in. For that matter, one has to jump through a whole set of technical hoops to gain access, further making the dark net an excellent hideout for cybercriminals. Low rates of attributions: It remains practically impossible to arrest cybercriminals. Even after major cyberevents, commercial or espionage related, no meaningful attributions were made, and practically no arrests. This makes being a cybercriminal a low‐risk/high‐reward line of work.

Threat Agents

Cybercriminals Motives: "Show me the money," plain and simple. Insiders (e.g., employees) Motives: money and revenge, not necessarily in that order. Nation‐States Motives: cyberwarfare or intellectual property theft, competitive intelligence gathering, etc. Corporations Motives: cyber‐corporate‐warfare or intellectual property theft, competitive intelligence gathering, etc. Hacktivists Motives: activism of one sort or another, often but not always altruistically motivated (freedom of speech, fight against injustice, etc.). Cyber‐Fighters Motives: nationally motivated "patriots" like the Yemen and Iranian Cyber Army. Cyberterrorists Motives: to create fear, chaos. Terrorist by any other name. Script Kiddies Motives: young people "hacking for the fun of it" and causing havoc, be it intentional or not.

Cybersecurity (CH2)

Cybersecurity is the ongoing application of best practices intended to ensure and preserve confidentiality, integrity, and availability of digital information as well as the safety of people and environments

Denial of Service (DoS) attack

DoS attacks come in two flavors: single‐source and distributed. A single‐source DoS attack occurs when one computer is used to drown another computer with so many requests that the targeted one can't function while a distributed DoS (DDoS) attack achieves the same result through many (meaning thousands or millions of) computers. In DDoS attacks, the computers are usually under the coordinated control of a botnet (see "A Brief Cyberglossary of Terms" in the next section), working together to overwhelm a target with requests, rendering the target computer inoperable. Of late, this type of attack has gotten more and more press because instead of using compromised computers as part of the botnet, the hackers have been using any digital device (such as nanny cameras, thermostats, etc.) that is connected to the Internet. Most of these devices lack even the most rudimentary security, and too many users don't bother changing the default password, further contributing to the ease of compromising these devices and using them as bots.

Which is the best option against Ransomware?

Employee Traning Security awareness training is the best method for preventing ransomware attacks. The other options provide additional layers of security but end-user education should be required for all employees and provided to help secure the organization from attacks.

Barriers to Board face

Lack of senior management ownership of IT security. Failure to link cybersecurity assessments to key organization objectives. Omission of cybersecurity from entity-level objectives and strategic plans. Too much focus on internal controls. Lack of reliable information on residual risk status.

Man‐in‐the‐Middle attack

In this type of an attack, the hacker intercepts the communication between two systems, replacing it with his own, eventually leading to his gaining control of both systems. For example, a man‐in‐the‐middle attack can be used to gain access to credentials and to then fake normal operations while the attacker compromises the target.

Governance

Governance is the collective set of principle‐guided actions that when applied guide a company to the fulfillment of its goals. Governance is the collective set of principle‐guided actions while management is the application of these principle‐guided actions into the company's operations.

Question : Which framework provides requirements for implementing an information security management system (ISMS)? -Business Model for Information Security (BMIS) -ISACA COBIT 5 -National Institute of Standards and Technology (NIST) Cybersecurity Framework -International Organization for Standardization (ISO) 27001

International Organization for Standardization (ISO) 27001 The ISO 27001 framework defines high-level requirements for an organization to be certified against (if desired) when developing an information security management system (ISMS). Guidance on implementation of the requirements can be found in ISO 27002.

IOT

IoT devices generally have a higher level of inherent risk so it is important to keep them segregated on the network from critical corporate data in the event the device is compromised. Policies concerning IoT devices should include allowed and prohibited actions and uses as required for business operation. Placing an IoT device externally facing on the internet or not using data encryption would increase the risk level associated with the device and should not be included.

The NIST organization is responsible for developing security frameworks and guidelines for the implementation of a wide array of security controls, technologies, and concepts. What does NIST stand for? -National Institute of Security Technologies -National Institute of Standards and Technology -National Institution for Security Tools -National Institute of Standards and Techniques

National Institute of Standards and Technology

Executive managmenet for your organization is concerned with the possibility that employees may bring their own device to the office and plug it into the corporate network What is an appropriate corrective control to implement to addressing this concern? a Intrusion detection systems B Network access control C Multifactor authentication D Network isolation

Network isolation Network isolation separates certain devices on the network and prevents them from reaching internal resources until approved. This action corrects the action of an unknown device being plugged into the network.

Cybersecurity negliegence

Not legally defined as yet; remains unclear as to the standard of care required or steps to secure data that must be "reasonable" or "appropriate"—taking the relevant circumstances into account—in order to avoid liability.

Authentication Factors -Somewhere You Are -Context-Aware Authentication

Somewhere You Are: The somewhere-you-are factor identifies a subject's location based on a specific computer, a geographic location identified by an Internet Protocol (IP) address, or a phone number identified by caller ID. Controlling access by physical location forces a subject to be present in a specific location. Geolocation technologies can identify a user's location based on the IP address and are used by some authentication systems. Context-Aware Authentication: Many mobile device management (MDM) systems use context-aware authentication to identify mobile device users. It can identify multiple elements such as the location of the user, the time of day, and the mobile device. Geolocation technologies can identify a specific location, such as an organization's building. A geofence is a virtual fence identifying the location of the building and can identify when a user is in the building. Organizations frequently allow users to access a network with a mobile device, and MDF systems can detect details on the device when a user attempts to log on. If the user meets all the requirements (location, time, and type of device in this example), it allows the user to log on using the other methods such as with a username and password.

The Six Steps of the Risk Management Framework (RMF)

Step 1: Categorize the system and the information that is processed, stored and transmitted by the system. Step 2: Select an initial set of baseline security controls for the system based on the categorization, tailoring and supplementing as needed. Step 3: Implement the security controls and document how they are deployed. Step 4: Assess the security controls to determine the extent to which they are meeting the security requirements for the system. Step 5: Authorize system operation based upon a determination that the level of risk is acceptable. Step 6: Monitor and assess selected security controls in the system on an ongoing basis and reporting the security state of the system to appropriate organizational officials.

When it comes to cybersecurity the main standards that apply are (alphabetically):

The European Telecommunications Standards Institute (ETSI) TR 103 family of standards The IASME standards for small and medium‐sized enterprises (IASME stands for Information Assurance for Small and Medium‐sized Enterprises) The Information Security Forum (ISF) Standard of Good Practice (SoGP) The International Society for Automation (ISA) ISA62443 standards for industrial automation and control systems The Internet Engineering Task Force (IETF) via their Request For Comments (RFC) 2196 memorandum The Information Systems Audit and Control Association, now known only as ISACA, through their COBIT framework and Cybersecurity Nexus (CSX) resources The Institute for Security and Open Methodologies (ISECOM) with their Open Source Security Testing Methodology Manual (OSSTMM) and the Open Source Cybersecurity Playbook The ISO 27000 family of standards (ISO 27000-ISO27999) The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) The North American Electric Reliability Corporation (NERC), which via its Critical Infrastructure Protection (CIP) family of standards addresses electric systems and network security

The NACD produced a well-researched, readable, and succinct "Cyber Risk Oversight" guide (CH3)

The NACD guidance distilled what the authors believe directors should do to five core principles: Directors need to understand and approach cybersecurity as an enterprise risk management (ERM) issue, not just an IT issue. (Authors' note: This is the key principle.) Directors should understand the legal implications of cyber risks as they relate to their organization's specific circumstances. Boards should have adequate access to cybersecurity expertise, and discussions about cyber risk management should be given regular and adequate time on the board meeting agenda. Directors should set the expectation that management will establish an enterprise-wide cyber risk management framework with adequate staffing and budget. Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.1

In 2014 the National Association of Corporate Directors (NACD) in the United States recognized the emerging need for director guidance following a flurry of major scandals involving breaches of information technology (IT) security. The NACD produced a well-researched, readable, and succinct "Cyber Risk Oversight" guide. This report is available without charge by registering at NACD

The NACD guidance distilled what the authors believe directors should do to five core principles: Directors need to understand and approach cybersecurity as an enterprise risk management (ERM) issue, not just an IT issue. (Authors' note: This is the key principle.) Directors should understand the legal implications of cyber risks as they relate to their organization's specific circumstances. Boards should have adequate access to cybersecurity expertise, and discussions about cyber risk management should be given regular and adequate time on the board meeting agenda. Directors should set the expectation that management will establish an enterprise-wide cyber risk management framework with adequate staffing and budget. Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.1

Who is responsible for setting the overall risk appetite of the organization? -Board of directors -Internal audit -CISO -CIO

The board of directors should dictate the risk appetite, or the amount of risk the organization is willing to accept. Management (such as the CISO and CIO) is responsible for ensuring risk is maintained at or below tolerance levels.

When making risk-based decisions, what is the most important factor to consider? -The strategy and objectives of the organization -The objective to have a high level of computer security -The budget allocated for security controls -The available time of personnel to implement controls

The strategy and objectives of the organization Risk-based decisions must be aligned to the strategic goals and value creation objectives of the organization. Resources (budget and availability) are also important factors but can be allocated and prioritized based on risk. Achieving a high level of computer security may not always be feasible as the cost of controls may outweigh the realized benefits

NIST CSF Standard: identify, protect, detect, respond, and recover

The identify function is where you develop an understanding of what your risks are, what your assets are, and what your capabilities are. Protect is your set of plans and actions that put in place the right controls (remember: controls do stuff) to protect the assets. Detect is the set of plans and actions that you will use to identify, classify, etc., an attack against your assets. Respond is the set of activities that you engage in response to an attack. Finally, recover refers to whatever plans or protocols you have in place to bring things back to normal after an attack.

Pillars of Security CIA and Safety

The pillars of cybersecurity used to be a triad: confidentiality, integrity, and availability. Safety is the newest member of the roster, making it a lovely quartet, and introduced to address everyday‐life threats posed by the Internet of Things (IoT).

An incident handler assigned to the security operations center receives an alert about an attack on the organization's website. Upon further investigation, she finds that a script kiddie has successfully used a cross-site scripting attack to deface the website. What is the threat agent in this scenario? -The script kiddie exploiting the vulnerability -The script kiddie -The cross-site scripting vulnerability -The incident handler

The script kiddie A threat is a combination of a threat agent and an action. An example of a threat would be a script kiddie exploiting a cross-site scripting vulnerability on a website. The script kiddie is the threat agent performing the action (exploiting the vulnerability).