Cyber security 1
What is assume breach?
Assume breach is a modern security mentality that presupposes intrusion into the network or compromise of computers on the network has already happened. While this may seem like a pessimistic outlook, assume breach requires the IT professional to ask the question, "Are we protected from this attack?" even when it can only be launched from inside the network. This is a useful position from which to design new implementations for computer networks and for information systems. The assume breach mentality allows the business to more easily react and recover from true breaches that occur. It is unrealistic to think that an organization will never experience a security incident that makes it past firewalls and intrusion detection mechanisms. This modern strategy allows the organization to play out what-if scenarios and determine whether internal security protections and procedures depend on only a few critical first-layer defenses.
What is availability?
Data and functions are accessible where and when they are needed by authorized persons. The IT owner should consider the following questions: Can a business process not be carried out without this information system or its data? Would there be penalties for missing data, and are there laws prescribing its availability? Will the lack of data be harmful to a person, such as lacking a record of their birth or educational achievements?
What is data protection?
Data are a type of asset, but, like other intangibles, their value can be hard to quantify. The value of a set of data can depend in part upon its secrecy. For instance, the secret formula for a soft drink may be of great value to its manufacturer or their competitors. Value might also depend upon utility; while a decade's worth of weather conditions in Cote d'Azur is publicly available, the combined information is valuable to a weather-predicting application only if it is correct. Security decisions around data should account for an understanding of their content, use, and location. An organization in possession of data may have ethical or legal responsibilities for how that data is treated. If data originated elsewhere, the data handling standards may be set higher than the receiving organization would normally require.
What is integrity?
Data are correct, complete, and up to date; functions that process data are reliable and trustworthy. If this is not the case, the changes to the data must be obvious. To determine the strictness of integrity needed, an IT owner can consider the following questions: What is the harm if this data is inaccurate, or if conclusions based on this data are inaccurate? Would someone make a medical misdiagnosis or perform the wrong treatment? Would an organizational merger based on faulty data be disadvantageous? Would a person applying for a home loan be turned down or get a worse mortgage rate than their credit history would warrant? Integrity of data determines their utility to guide decisions. Data that are not confidential may still need strong integrity controls.
What is confidentiality?
Data are only known to authorized persons; functions are only used by authorized persons. To determine the strictness of confidentiality needed, an IT owner can consider the following questions: What is the harm if these data are published on a roadside billboard or in a newspaper? Would the organization have legal trouble as a result, or would they lose contracts and trust from their customers? Would the personally identifiable information (PII) principal be embarrassed or be subject to higher likelihood of identity fraud? Would their rights to privacy be violated?
What is defence in depth?
Defense in depth assumes that one layer of security (such as malware protection or rigorous patching) is not sufficient. Instead, the organization creates a set of interrelated controls to stop an attacker at many different levels of activity, even an attacker who has already penetrated the network. Defense in depth begins with the recognition that a firewall is not sufficient to keep out an intruder and goes on to assume that any one area of protection may fail; thus, another layer of protection must be available to protect assets. For example, information on the end user's workstation should be protected in several different ways. It is necessary to have virus protection, rigorous software patching, authorization and identification control, and encryption of any sensitive data. If a user's workstation is mobile, then there must be the ability to protect the workstation from physical theft. By having these several types of controls, the defense in depth strategy protects both access to functionality and physical access to the user's computer. The user can then protect their machine from malicious network attacks through rigorous patching and virus protection. Finally, if there is access to machines either physically or through the network, the data themselves are encrypted and only those who need them have access to the encryption keys. This is merely one example of defense in depth, but the basic philosophy can be used to design protections for all of the organization.
What are DoS and DDoS attacks?
Denial of service (DoS) attacks aim to paralyze networks and, by extension, the services offered in networks. This is typically achieved by bombarding a service offered in the network with so many requests that it can no longer comply with regular requests. In connection with DoS attacks, data rates of over 300 Gigabits per second are often observed. In distributed DoS attacks (DDoS), a DoS attack is carried out by several participants simultaneously. DDoS attacks can also be executed by a botnet, which is a group of network devices that can be remotely controlled. In most cases, the owners do not even know that their devices are part of a botnet. Unfortunately, it is difficult to protect against DoS attacks. Services can rarely distinguish regular requests from attacks when the target is a publicly offered service. Therefore, it is especially important to completely disable unnecessary network services. If a service is overloaded by only one or a few attackers, the denial of service attack can be prevented with the help of simple traffic-deny lists, which are enforced by a firewall. Another possible countermeasure against overloads is load balancing, where the affected service is executed on several IT devices. The latter measure would also be effective in preventing some DDoS attacks.
What is document theft?
Document theft is another effective and old-fashioned data attack. Whenever an intruder can enter an office or a shared public space with a printer, they may find documents to which they should not have access. It is normal for users to print many documents but retrieve them only when there is another reason to leave their desks, or even to forget about the print-out altogether. Yet there might be no other mechanism in place to protect their document, leaving it available for anyone who passes by to peruse. One does not normally find it suspicious to see someone standing at a printer looking at the documents that might belong to them. Nor does it seem unusual to see a person remove documents from a printer.
What are business competitors?
Even the most honest business finds it worthwhile to understand their competitors' goals, financial situation, level of skill, and future plans. Some organizations move past honest competition and into illegal methods of gathering data. It is not unusual for business competitors to perform information-gathering by collecting publicly available data, luring away top talent, or consulting research professionals to estimate the strategies and financial moves of their industry leaders for the next several years. However, some organizations find that they can efficiently gather data using network intrusions and physical intrusions into a competitor's space. Once inside, the rewards of a successful intrusion may include all the above. As a bonus, theft of intellectual property from the compromised network may grant the dishonest organization the benefit of months or years of research without the investment that is normally required.
What are attacks?
Exploits are methods of attacking vulnerabilities. Exploits may be a direct result of the vulnerability, such as guessing a short and uncomplicated or default computer password. They may be deliberately constructed, such as a complex automated software installation triggered when a user visits a risky website. For most purposes, the word exploit can be understood to mean attack for IT, whether talking about the object ("an exploit exists for this flaw") or the activity ("an attacker can exploit this flaw").
What is a security strategy?
For most organizations, security strategy is merely choosing the approaches to information security that best suit their budget, legal or contractual requirements, and types of data to be protected. Security strategies are not meant to stand alone; an organization will choose several security strategies in order to implement a full program with adequate protection.
What is the CIA triad concept?
Implementation of security in information technology is usually based around the concepts of confidentiality, integrity, and availability (CIA). These three concepts express the need for planning an IT system that is reliably functional, where the accuracy of data is preserved, and where the information is available to those with both need and permission to access it. A well-secured system incurs a low amount of business risk. The organization can perform necessary functions using this IT without anticipation of technical, reputational, or legal issues. Needs for confidentiality, integrity, and availability vary with different information systems and data collections, even inside the same businesses. Some security practices, such as reviewing data access regularly, can reasonably be applied to all information systems. Others, such as requiring a physical token to access a computer, are only needed when misuse of the information system would cause harm to the organization. IT owners and users should be able to define and explain broad considerations for each aspect of CIA.
What are valuable assets?
In business, the term "asset" is used to describe anything with utility to the organization. Assets may be tangible or intangible. A chair is an asset, but so are employees, computers, and the data that are stored on the computer. All assets have a value, some more quantifiable than others, and people are, without exception, the most valuable assets of a business. The lives of the workers are valuable, but so are their skills, their privacy, and their goodwill toward the organization. Data are also valuable; many organizations now make money solely because of their ability to process or generate data. Physical assets are the easiest to quantify in value, as they may be leased, sold, or purchased. One intangible asset with considerable value is the reputation of the organization. People and businesses support an organization based, in part, upon their trust in its reputation. This applies to most organizations, whether they are commercial, charitable, or community-based; however, the impact of reputation varies widely. For professional consulting organizations, who sell services and trust, a reputation may be critical to maintaining business. For a soda manufacturer, purchasing decisions depend upon consumer appeal and name recognition, and even minor damage to the reputation of the organization may have a significant impact on sales. Reputational value and the part that it plays in gaining support is therefore difficult to quantify.
What is malware?
Malware is a portmanteau of the term "malicious software," and both can be used interchangeably. Malware is the name for several different types of software with undesirable effects. Most malware is installed and run without the user's knowledge. In the case of a computer worm, it may be run without any user activity at all. Currently known types of malware are viruses, worms, Trojan horses, spyware, and ransomware. Ransomware is the youngest and most sophisticated malware categorization, but all have the potential to cause significant damage to an organization.
What are nation-state actors?
Nation-state actors are groups of governmental employees, and often military personnel, who are hired and empowered by their governments to perform cross-border network crimes. These personnel are trained professionals whose daily work is to perform sophisticated attacks on other governments' networks. Occasionally, it is also in the interest of these government hackers to attack their victim's contractors. It is rare for nation-state actors to perform attacks against small businesses. Instead, they concentrate on large organizations that either directly influence the workings of a government, the foreign government itself, or the economic health of that government in some fashion. Recently, there have also been attacks on organizations that manage governmental health data, whether it be public or private. It should be assumed that the goal of these attacks is not the sale of this information on the criminal networks, but instead, the use by the home government.
Who are opportunists?
Opportunists are criminals who do not specifically plan a long-term strategy to attack a single organization, sector, or type of person. Instead, an opportunist sees an opening for exploitation of a vulnerability and acts on it with agility. Opportunists rely upon organizations and people to be careless in the execution of their security responsibilities; therefore, the opportunist must have a ready ability to exploit a situation. Opportunists do not specifically aim to make a steady career from the opportunities they exploit. Instead, their less-planned attacks are agile, spontaneous, and difficult to predict. An opportunist cannot cause a great deal of damage, but their methodology is not dependent upon long-term outcome.
What is privacy protection?
Privacy is the right for any entity to control the distribution and confidentiality of their information (NIST, n.d.). Violations of personal privacy cause significant distress and potential harm; this should be counted among the highest of organizational concerns. Personal privacy data includes, but is not limited to, national identifiers (Social Security numbers), birthdates, individual physical and email addresses, gender and sexual preference, spousal information, medical conditions, political affiliations, and financial information. Privacy protection is addressed by many of the same precautions as general data protection. Additional measures needed for privacy protections are determined based upon the type of private information involved.
What are relevant protection goals?
Relevant protection goals include the concepts of 1) confidentiality, 2) integrity, 3) availability, and 4) protection targets.
What is risk?
Risk is the likelihood of an undesirable event and the result if that event occurs. The potential for harm, damage, or loss is unavoidable. Each day, humans must face risk to take any action; this also applies to making any IT decision. The goal of IT security is to reduce the amount of risk to a tolerable level. To do this, one must understand the nature of risk, what influences risk, and how risk is estimated. Risk exists when there is an asset, a vulnerability, and a threat.
What is risk treatment?
Risk treatment is the set of decisions and actions that follow risk discovery. Any reaction to a risk can be categorized as risk treatment. Ignoring the risk, correcting the risk, accepting the risk, insuring against the risk loss (risk transference), or finding an indirect method to lower the risk (risk mitigation) are all ways to treat risk. Although it may seem counterintuitive that accepting risk is considered treatment, not all risks are severe enough to merit change. If a risk is within the threshold of an organization's tolerance, it is said to be within the risk appetite. Risk appetite is specific to the organization, and often it is different for different departments within the organization. It should be noted that ignoring risk is an inadequate strategy for almost any scenario; its potential legal, security, and financial ramifications far outweigh the immediate gains.
What is shoulder surfing?
Shoulder surfing is the surprisingly effective attack of looking over the shoulder of a target to view sensitive information. A common scenario for shoulder surfing is when the attacker watches the victim enter a personal identification number into an ATM or unlock their phone with a numeric code. This attack is not limited to access codes and passwords; intruders may find great value in simply viewing confidential information in presentations or documents of those whom they pass behind in a public space such as an airport, café, or train. Shoulder surfing requires physical access to the target, but it does not require physical interaction. Unless the victim is particularly observant, shoulder surfing often goes unnoticed. The difficulty of using the stolen information depends on the target of the activity. For instance, if a person is typing sensitive information, the information itself may be sufficient for the theft to be complete. If the input information is one of several components needed for the attack (like the aforementioned personal identification number for an automatic teller or a mobile phone), additional actions may be required. The criminal may need to obtain the credit card or a clone of the card, or they may require access to the person's phone. Access need not be permanent, but it must be long enough for the criminal to perform their intended action. Although the above combination of shoulder surfing and theft is more difficult to perform in rapid succession, planning ahead for the physical theft is not as necessary as one might believe. It is not unusual to exit a public space or an office with a bag containing a laptop. People are not often stopped and asked to prove that a cellphone or laptop is legitimately their own.
What is technology theft?
Stationary IT devices (e.g., desktops and external hard disk arrays) and mobile IT devices (e.g., laptops, notebooks, tablets, smartphones, and USB sticks) store organization information. For this reason alone, they should not fall into the hands of unauthorized persons. Also, in spite of the constant drop in the price of IT equipment, the material damage caused by equipment theft can be significant. In the home or workplace, theft protection can be supported by observing the clean-desk principle, which implements the tasks of tidying up and locking. Order makes it easier to track items in your workspace and see that none are missing; keeping order by securely storing materials not in use also reduces the risk of IT equipment falling into the hands of unauthorized persons. Digital equipment and sensitive documents not actively in use should not be visible to casual visitors of a workspace. In addition, mobile IT devices, including mobile phones, should be locked away (e.g., in a cupboard, drawer, or roller container) if they are not required for the current work task. During longer absences, for example, at the end of a working day, the rooms and containers that house IT devices should be locked. Keys should be removed from the locks and kept separately.
What is an advanced persistent threat?
The advanced persistent threat (APT) is any type of network criminal who has a reason to use stealth and planning to achieve their goals. Characteristics of the APT attacker are: stealth, usage of new or unannounced vulnerabilities, technical skills, and long-term goals. APT intruders do not attempt to gain access, perform their tasks, and stop using the computers quickly, as with many other patterns of criminal hacker behavior. Instead, they attempt to enter the network undetected, remain in the network for as long as possible without discovery, and execute only subtle activities. This usually manifests in attacks that are deliberately below detection thresholds for any sort of network detection that the organization uses. The advanced persistent threat, once it has infiltrated the network, will find computers open to compromise. It then uses these computers as a base for its operations. This broad footprint inside an organization aids in the effort to create a long-lasting and uninterrupted presence. The goals vary depending on the type of criminal acting as the advanced persistent threat. In the case of the competitor, they may choose to move data outside of the victims' network and into their own, targeting financial or legal information. The organized criminal may choose to exfiltrate personal health or financial information and sell it on unmonitored internet sites that were established for such criminal purposes. The nation-state actor, which is the most common type of advanced persistent threat, may choose any number of activities, including sabotaging the networks; retrieval of data, such as classified documents or documents that would cause reputational harm to the organization; theft of intellectual property; or simply watching network and computer traffic, providing a virtual base to spy on the organization that they have infiltrated. Advanced persistent threat actors commonly use "zero-day exploits."
Zero-day exploits are attacks that have not yet been recognized by the general security or hacker communities or by the impacted software manufacturers. They are rarely detected by network or virus intrusion detection methods. Though indicators of compromise might be available, the indicato
What is organised crime?
The traditional picture of organized crime is of those who deal in physical crimes. Human trafficking, illegal drugs, and extortion have long been known to be in-person activities. However, with the advent of the internet and the poor protection of data assets, the ability to perform these same crimes with a digital component should not be underestimated. Human traffickers routinely use the internet to perform sales or arrange time with their victims. Likewise, those who trade in illegal drugs can do everything from advertise their substances to accurately plan caravan routes for the movement of illegal substances across country borders. Finally, the collection of information for extortion becomes a great deal simpler when private data are available on unprotected networks and computers. Organized crime has found new methods of business by buying and selling personal and financial data on unindexed sites on the internet. Transactions that bring in only small amounts each are not worthwhile on their own. However, when data are sold in bulk, the small price of each transaction adds up to a substantial amount.
What are threats?
Threats in cyber security and data protection include threats to operations, as well as threats to data security. Threats include hazards, such as natural disasters and accidents, as well as malicious individuals or groups who have an interest in stealing data or otherwise damaging assets. In the scope of this course book, most of the threats identified are the aforementioned persons and groups with malicious intent. This is because disasters and hazards that are not directed by humans are well understood as risks to the business and are covered in other types of education, such as business risk management. Entities that invest in criminal activities may be referred to by a wide variety of terms. Some are labeled specifically out of necessity, such as governments, intelligence agencies, activists, and organized crime rings. The terms used most commonly throughout this text are as follows: criminals, criminal hackers, malicious actors or bad actors, malicious organizations, criminal organizations, and attackers. All of these terms should be understood to mean the same entity or type of entity. Unless otherwise specified, these terms are generalized to all the different types of attackers. If one such type of attacker is meant to be differentiated, they will be specifically named. One should also understand that the different types of attackers have different motivations. It is possible, although less likely, that an attacker is motivated by idealism or a desire for bragging rights (or other types of fame). Some attackers are moved by organizational gain, as with patriotism. Most often, the attacker is motivated by financial gain. This is substantiated by the fact that one rarely sees data theft that is not accompanied by the attempted sale of this data in unindexed "dark web" forums.
What are vulnerabilities?
Vulnerabilities are identifiable weaknesses in technology, physical constructs, people, or procedures that create an opportunity to attack. For instance, a computer that is connected to the internet prior to proper security procedures is vulnerable to many attacks. If that same computer has been through security procedures, it will have fewer vulnerabilities and fewer attacks will succeed. Likewise, an employee who holds open doors for people they do not know presents a vulnerability. If that employee is informed that unauthorized persons are entering the building due to this behavior, they may choose not to repeat the action, thereby lowering the vulnerability to a physical intrusion. For software and hardware, most organizations rely upon the supplier to provide "cures" for vulnerabilities. These "cures" are called patches, updates, or upgrades. Procedural and awareness vulnerabilities are usually the responsibility of the organization itself. These can be repaired by training organizational users and revising procedures, although, as is always the case with humans, the success of the repair is highly dependent upon the will to change.
What are logical attacks?
Well-known logical attacks that pose a threat to the protection of data and cyber security include 1) phishing, 2) malware, 3) denial of service (DoS), and 4) distributed denial of service (DDoS).
What is risk management?
When determining how to handle risk, it is important to first understand how widespread risk is in the organization. The activities around discovering, quantifying, treating, and reporting on risks are called risk management. In large organizations, or in organizations where data is highly regulated, a formal risk management program may be required. A formal risk management program will often involve operational and financial executives, legal counsel, public relations, IT managers, and IT security personnel. In a smaller organization, risk management may be informal—a general understanding of who needs to be informed or when a decision must be made that involves a potential loss of money, functionality, or goodwill.
What is data compromise?
When information is inappropriately changed, or when someone accesses it without proper authorization, the data has been compromised. Data compromise is commonly understood as a result of attacks on cyber security.
Who are professional criminal hackers?
While opportunists act in an agile and less-planned fashion, professional criminal hackers or groups of criminal hackers will often coordinate a strategy to ensure that the results of their criminal activities are as profitable as possible. Professional criminal hackers make their entire living from performing computer and network crime; they may work independently or perform activities at the request of others for an exchange of funds (criminal hackers for hire). The professional computer criminal is also not to be confused with loose-knit idealist groups, such as Anonymous, which is composed of volunteer members who do not know each other well but instead act due to a common goal. These groups of professional hackers perform activities that ultimately lead to the exchange of money for their skill in unlawfully penetrating networks. While these professional criminals share characteristics with nation-state actors and hackers for organized crime, they lack the patriotic or organizational affinity that defines the other two groups.
What are the types of physical attacks that pose a threat to the protection of data?
Physical attacks that pose a threat to the protection of data and cyber security include 1) technology theft, 2) shoulder surfing, and 3) document theft.
What is phishing?
Phishing is a type of social engineering attack that uses email, social media, or text messages. In the message, the scammer describes a fictional situation and hopes the recipient will provide data in a suggested response. The response might require that the recipient provide private data or direct the recipient to take a form of action, such as electronically sending money. Phishing scams often have a type of emotional impact to prey upon greed, fear, or sympathy. Examples of phishing are • pretending to be royalty of a far-away country, hoping for someone to assist with moving assets out of the country; • sending emails stating that a person's social security number has been compromised, and it will be "shut down" unless they verify by giving personal information; and • posing as a friend who was robbed while traveling and now needs funds to return home. Phishing scams will impart a sense of urgency, inciting the victim to act immediately. These scams remain popular because they require a low investment relative to the potential reward. Judged individually, a phishing attempt is unlikely to succeed. However, phishing attempts are rarely individually distributed. Automation, such as mass emails or text messages, makes it possible for the criminal to send thousands of phishing attacks at once for little effort and expense. Phishing therefore offers a potential return for little work, providing a high return on investment for each success.
What are some security strategies?
Some of the most popular security strategies, which demonstrate how strategies complement each other and overlap, are 1) defense in depth, 2) encryption everywhere, and 3) assume breach.
What are common protection goals?
1) Legal compliance. The organization should perform at least the minimum protective activities that ensure it operates in a legal manner. 2) Contractual obligations. Many commercial organizations rely upon contracts to manage their business relationships. These contracts will include requirements for performance in order for the organizations to continue their relationship and the exchange of money. Cyber security, data protection, and operational targets are often the subject of the performance requirements. 3) Personal privacy. Even in the absence of legal requirements, organizations should strive to keep private, personal data safe from needless disclosure. 4) Personal physical safety. Any human, in any relationship with the organization, should be protected from physical harm caused by the action or inaction of the organization. 5) Operational performance. Most operations have an expected uptime and output. The success of the organization will often depend on meeting or exceeding operational performance goals. Protecting all resources needed to meet these performance goals should be a priority of the organization. 6) Reputation. The impairment of an organization's reputation can have a long-lived impact on their ability to attract clients and consumers. Further, reputation is a significant factor in attracting high-performing workers. 7) Financial impact. Although it is not the most critical protection factor, financial impact is often widely visible. IT incidents in any form can deeply affect the health of an organization, especially in combination with the contractual and legal impacts.
What are the relevant concepts of cyber security?
1) valuable assets, 2) data protection, 3) privacy protection, 4) vulnerabilities, 5) attacks, 6) threats, and risk, including risk management and treatment.
How does risk come about?
A common scenario in IT is a missing computer patch. Suppose that twenty heavily used servers in an organization are missing a patch that protects from a particular attack. Those servers host personal sensitive data and there is a known attack that works on servers without the patch. Most successful attacks force the servers to stop functioning. Very rarely, the attack allows quick creation of a new administrator account. This attack is actively being used on the internet. The assets are the servers, both the data they store and their ability to function. The vulnerability in this case is that some servers do not have current security patches installed. The threat is the attack that creates new accounts or stops servers from functioning. The risk of failing to patch consists of the value of the information, the function of the vulnerable servers, and how likely it is that the attack will infect computers without being noticed. Risk is quantified using a rough calculation of asset value, vulnerability severity, and likelihood of the threat being realized. The asset value is high; if twenty servers with personal data were compromised, this could harm humans whose data is stored there. Additionally, the organization and the data owners might face penalties for inadequate data protection. The vulnerability severity is also high, as there is an exploit actively spreading. There are two different possible bad outcomes: the servers may be compromised when the exploit is attempted, or they may unexpectedly shut down and take time to recover. We see in this scenario two different risks, with two different severities. The first of these is data compromise, in which the asset value and the vulnerability severity are high. The likelihood of the threat being realized is low or moderate. Overall, this calculation would be a low or moderate risk. If data collection were the only concern, the data owner might not see this as a reason to act with urgency. They may reasonably choose to schedule installation of the missing patches later. The other risk scenario is that of data unavailability. In this case, the asset value and vulnerability severity remain high, the likelihood of the servers becoming unavailable is high, a
What is encryption everywhere?
A part of protecting information in any information security strategy is encryption. Encryption everywhere is the concept that data are vulnerable in storage and in transit. This strategy protects data that are transmitted over the internet and the local intranet, data that are stored in databases or on the servers, and files on workstations. When encryption first became available for data storage and transmission, businesses had a legitimate concern that encryption and decryption of data would impose too heavy a burden on the computers' processors. As computer processors have become much faster, and computers have become able to hold more data in memory, this concern is no longer valid. Several of the original types of available encryption are now obsolete or considered weak or easily broken. An organization should choose encryption that is considered to still be effective for as long as the information needs protection, and it must provide decryption access only to those who need it. Encryption decisions should consider the type of encryption and the location of the data, as well as the question of who should possess encryption keys. More technical units of this course book go into detail about the types of encryption and how to manage an encryption program for your organization. It suffices to say here that encryption is no longer a burden on the processing power of the computer and all data should be encrypted unless there is a specific reason to choose otherwise.
Who are threat actors?
A threat is any source that might cause the loss of use of an asset. For cyber security, it is important to understand the threat actors, which are people and groups who attack information systems and networks. Threat actors are differentiated by their motivations, attack goals, and behaviors. Most attackers are, in some way, driven by financial gain. Those who are not have similarly strong motivations, such as patriotism or loyalty to a cause. Threat actors whose work is primarily computer-based are often simply called "hackers" in the media and casual parlance, but this is a misnomer. The term "hacker" can be used for anyone who enjoys finding workarounds or disassembling technologies. This misleading use of language should be avoided, as many law-abiding hardware and software enthusiasts consider themselves to be hackers.
What are standards and regulations in data security?
Almost every industry has specific standards that apply to cyber security. Standards and regulations for personally identifiable health data and financial data tend to be the strongest, with the highest penalties for breaches. Outside of health and finance, regulation is often lacking. For this reason, standards, which can be optional, are often enforced by contract. Common security standards relate to the protection of personal private data, protection of networks, protection of data received by the client or vendor with whom the contract is shared, or to the individual who provides their personal information. These contractual agreements often focus on common national and international standards for cyber security and information protection systems. These standards are often used by private industry, providing a commonly understood and publicly available benchmark. Including international or national standards in contracts is good practice, as providing a private, detailed information security requirement risks a missing requirement that the common standard would cover.