
Chapter 1: Cybersecurity - A World of Experts and Criminals

Originally, the term hacker described individuals with advanced programming skills. Hackers used these
programming skills to test the limits and capabilities of early systems. These early hackers were also involved in the
development of early computer games. Many of these games included wizards and wizardry.

Overview of the Cybersecurity Domains

There are many data groups that make up the different domains of the “cyber world”. When groups are able to collect
and utilize massive amounts of data, they begin to amass power and influence. This data can be in the form of
numbers, pictures, video, audio, or any type of data that can be digitized.
Companies such as Google, Facebook, and LinkedIn could be considered to be data domains in our cyber world.
Extending the analogy further, the people who work at these digital companies could be considered cybersecurity
experts. The word ‘domain’ has many meanings. Wherever there is control, authority, or protection, you might consider
that 'area' to be a domain. In many respects, cybersecurity experts have to protect their domains according to the laws
of their own country.

A look inside these domains reveals how they are constructed. At a fundamental level, these domains are strong
because of the ability to collect user data contributed by the users themselves. This data often includes users’
backgrounds, discussions, likes, locations, travels, interests, friends and family members, professions, hobbies, and
work and personal schedules. Experts create great value for organizations interested in using this data to better
understand and communicate with their customers and employees.

The data collected within the Internet is considerably more than just the data that the users contribute voluntarily.
Cyber domains continue to grow as science and technology evolve, enabling the experts and their employers (Google,
Facebook, LinkedIn, etc.) to collect many other forms of data. Cyber experts now have the technology to track
worldwide weather trends, monitor the oceans, as well as the movement and behavior of people, animals and objects
in real time.
New technologies, such as Geospatial Information Systems (GIS) and the Internet of Things (IoT), have emerged.
These new technologies can track the health of trees in a neighborhood. They can provide up-to-date locations of
vehicles, devices, individuals and materials. The data collected by GIS and IoT poses a tremendous challenge for
cybersecurity professionals in the future. The type of data generated by these devices has the potential to enable
cyber criminals to gain access to very intimate aspects of daily life.

Who Are the Cyber Criminals?

Attackers are individuals or groups who attempt to exploit vulnerabilities for personal or financial gain. Cyber criminals
are interested in everything from credit cards to product designs, and anything with value.

Amateurs: Amateurs, or script kiddies, have little or no skill, often using existing tools or instructions found on the
Internet to launch attacks.

Hackers: This group of criminals breaks into computers or networks to gain access for various reasons. The intent of
the break-in determines the classification of these attackers as white, gray, or black hats.

Organized Hackers: These criminals include organizations of cyber criminals, hacktivists, terrorists, and state-
sponsored hackers. Cyber criminals are usually groups of professional criminals focused on control, power, and
wealth. Hacktivists publicly publish embarrassing information about their victims. State-sponsored attackers gather
intelligence or commit sabotage on behalf of their government. These attackers are usually highly trained and well-
funded. Their attacks focus on specific goals that are beneficial to their government. Some state-sponsored attackers
are even members of their nations’ armed forces.

Thwarting Cyber Criminals

Thwarting the cyber criminals is a difficult task and there is no such thing as a “silver bullet.” However, company,
government and international organizations have begun to take coordinated actions to limit or fend off cyber criminals.
The coordinated actions include:
• Creating comprehensive databases of known system vulnerabilities and attack signatures (a unique arrangement of
information used to identify an attacker’s attempt to exploit a known vulnerability). Organizations share these
databases worldwide to help prepare for and fend off many common attacks.

• Establishing early warning sensors and alert networks. Due to cost and the impossibility of monitoring every network,
organizations monitor high-value targets or create imposters that look like high-value targets. Because these high-
value targets are more likely to experience attacks, they warn others of potential attacks.

• Sharing cyber intelligence information. Businesses, government agencies and countries now collaborate to share critical
information about serious attacks to critical targets in order to prevent similar attacks in other places. Many countries
have established cyber intelligence agencies to collaborate worldwide in combating major cyberattacks.

• Establishing information security management standards among national and international organizations. The ISO
27000 is a good example of these international efforts.

• Enacting new laws to discourage cyberattacks and data breaches. These laws have severe penalties to punish cyber
criminals caught carrying out illegal actions.

Common Threats to End Users


Threats and vulnerabilities are the main concern of cybersecurity professionals. Two terms are especially important:

• A threat is the possibility that a harmful event, such as an attack, will occur.

• A vulnerability is a weakness that makes a target susceptible to an attack.

For example, data in the wrong hands can result in a loss of privacy for the owners, can affect their credit, or jeopardize
their career or personal relationships. Identity theft is big business.

Threats to Internet Services

There are many essential technical services needed for a network, and ultimately the Internet, to operate. These
services include routing, addressing, domain naming, and database management. These services also serve as prime
targets for cyber criminals.

Criminals use packet-sniffing tools to capture data streams over a network. This means that all sensitive data, like
usernames, passwords and credit card numbers, are at risk. Packet sniffers work by monitoring and recording all
information coming across a network. Criminals can also use rogue devices, such as unsecured Wi-Fi access points.

Domain Name Service (DNS) translates a domain name, such as www.facebook.com, into its numerical IP address.
If a DNS server does not know the IP address, it will ask another DNS server. With DNS spoofing (or DNS cache
poisoning), the criminal introduces false data into a DNS resolver’s cache. These poison attacks exploit a weakness
in the DNS software that causes the DNS servers to redirect traffic for a specific domain to the criminal’s computer,
instead of the legitimate owner of the domain.

Packets transport data across a network or the Internet. Packet forgery (or packet injection) interferes with an
established network communication by constructing packets to appear as if they are part of a communication. Packet
forgery allows a criminal to disrupt or intercept packets. This process enables the criminal to hijack an authorized
connection or deny an individual’s ability to use certain network services. Cyber professionals call this a man-in-the-
middle attack.

Over the last decade, cyberattacks like Stuxnet proved that a cyberattack could successfully destroy or interrupt critical
infrastructures. Specifically, the Stuxnet attack targeted the Supervisory Control and Data Acquisition (SCADA)
system used to control and monitor industrial processes. SCADA can be part of various industrial processes in
manufacturing, production, energy and communications systems.

Threats to People’s Way of Life

Cybersecurity is the ongoing effort to protect networked systems and data from unauthorized access. On a personal
level, everyone needs to safeguard his or her identity, data, and computing devices. At the corporate level, it is the
employees’ responsibility to protect the organization’s reputation, data, and customers. At the state level, national
security and the citizens’ safety and well-being are at stake.

Cybersecurity professionals are often involved in working with government agencies in identifying and collecting data.

The Emergence of the Internet of Things

The Internet of Things (IoT) is the collection of technologies that enable the connection of various devices to the
Internet. The technological evolution associated with the advent of the IoT is changing commercial and consumer
environments. IoT technologies enable people to connect billions of devices to the Internet. These devices include
appliances, locks, motors, and entertainment devices, to name just a few. This technology affects the amount of data
that needs protection. Users access these devices remotely, which increases the number of networks requiring
protection.

The Impact of Big Data

Big data is the result of data sets that are large and complex, making traditional data processing applications
inadequate. Big data poses both challenges and opportunities based on three dimensions:

• The volume or amount of data

• The velocity or speed of data

• The variety or range of data types and sources

There are numerous examples of big corporate hacks in the news. Companies like Target, Home Depot and PayPal
are subjects of highly publicized attacks. As a result, enterprise systems require dramatic changes in security product
designs and substantial upgrades to technologies and practices.

Using Advanced Weapons

Software vulnerabilities today arise from programming mistakes, protocol vulnerabilities, or system misconfigurations.
The cyber criminal merely has to exploit one of these. For example, a common attack involves constructing an input
to a program in order to sabotage the program, making it malfunction. This malfunction provides a doorway into the
program or causes it to leak information.

There is a growing sophistication seen in cyberattacks today. An advanced persistent threat (APT) is a continuous
computer hack that occurs under the radar against a specific target. Criminals usually choose an APT for business or
political motives. An APT occurs over a long period with a high degree of secrecy using sophisticated malware.

Algorithm attacks can track system self-reporting data, like how much energy a computer is using, and use that
information to select targets or trigger false alerts. Algorithmic attacks can also disable a computer by forcing it to use
memory or by overworking its central processing unit. Algorithmic attacks are more devious because they exploit
designs used to improve energy savings, decrease system failures, and improve efficiencies.

Finally, the new generation of attacks involves intelligent selection of victims. In the past, attacks would select the low-
hanging fruit or most vulnerable victims. However, with greater attention to detection and isolation of cyberattacks,
cyber criminals must be more careful.

Broader Scope and Cascade Effect

Federated identity management refers to multiple enterprises that let their users use the same identification
credentials to gain access to the networks of all enterprises in the group. This broadens the scope and increases the
probability of a cascading effect should an attack occur.

A federated identity links a subject’s electronic identity across separate identity management systems. For example,
a subject may be able to log onto Yahoo! with Google or Facebook credentials. This is an example of social login.

The National Cybersecurity Workforce Framework


The Workforce Framework categorizes cybersecurity work into seven categories.

Operate and Maintain includes providing the support, administration, and maintenance required to ensure IT system
performance and security.

Protect and Defend includes the identification, analysis, and mitigation of threats to internal systems and networks.

Investigate includes the investigation of cyber events and/or cyber crimes involving IT resources.

Collect and Operate includes specialized denial and deception operations and the collection of cybersecurity
information.

Analyze includes highly specialized review and evaluation of incoming cybersecurity information to determine if it is
useful for intelligence.

Oversight and Development provides for leadership, management, and direction to conduct cybersecurity work
effectively.

Securely Provision includes conceptualizing, designing, and building secure IT systems.

Within each category, there are several specialty areas. The specialty areas then define common types of
cybersecurity work.

Chapter 2: The Cybersecurity Cube


John McCumber is one of the early cybersecurity experts, developing a commonly used framework called the
McCumber Cube or the Cybersecurity Cube. This is used as a tool when managing the protection of networks, domains
and the Internet. The Cybersecurity Cube looks somewhat like a Rubik's Cube.

The Principles of Security

The first dimension of the cybersecurity cube identifies the goals to protect cyberspace. The goals identified in the
first dimension are the foundational principles. These three principles are confidentiality, integrity and availability. The
principles provide focus and enable the cybersecurity expert to prioritize actions when protecting any networked
system.

Confidentiality prevents the disclosure of information to unauthorized people, resources, or processes. Integrity refers
to the accuracy, consistency, and trustworthiness of data. Finally, availability ensures that information is accessible
by authorized users when needed. Use the acronym CIA to remember these three principles.

The States of Data

Cyberspace is a domain containing a considerable amount of critically important data; therefore, cybersecurity experts
focus on protecting data. The second dimension of the Cybersecurity Cube focuses on the problems of protecting all
of the states of data in cyberspace. Data has three possible states:

• Data in transit

• Data at rest or in storage

• Data in process

The protection of cyberspace requires cybersecurity professionals to account for the safeguarding of data in all three
states.

Cybersecurity Safeguards

The third dimension of the Cybersecurity Cube defines the skills and discipline a cybersecurity professional can call
upon to protect cyberspace.

The Cybersecurity Cube identifies the three types of skills and disciplines used to provide protection. The first skill
includes the technologies, devices, and products available to protect information systems and fend off cyber criminals.
Cybersecurity professionals have a reputation for mastering the technological tools at their disposal. Cybersecurity
professionals must also build a strong defense by establishing policies, procedures, and guidelines that enable the
users of cyberspace to stay safe and follow good practices. Finally, users of cyberspace must strive to become more
knowledgeable about the threats of the cyberspace and establish a culture of learning and awareness.

The Principle of Confidentiality

Confidentiality prevents the disclosure of information to unauthorized people, resources and processes. Another term
for confidentiality is privacy. Organizations restrict access to ensure that only authorized operators can use data or
other network resources. For example, a programmer should not have access to the personal information of all
employees. Methods used to ensure confidentiality include data encryption, authentication, and access control.

Protecting Data Privacy

Organizations collect a large amount of data. Much of this data is not sensitive because it is publicly available, like
names and telephone numbers. Other data collected, though, is sensitive. Sensitive information is data protected from
unauthorized access to safeguard an individual or an organization. There are three types of sensitive information:

• Personal information is personally identifiable information (PII) that traces back to an individual. Figure 2 lists this
category of data.

• Business information is information that includes anything that poses a risk to the organization if discovered by the
public or a competitor. Figure 3 lists this category of data.

• Classified information is information belonging to a government body classified by its level of sensitivity. Figure 4 lists
this category of data.

Controlling Access

Access control defines a number of protection schemes that prevent unauthorized access to a computer, network,
database, or other data resources. The concepts of AAA involve three security services: Authentication, Authorization
and Accounting. These services provide the primary framework to control access.

The first “A” in AAA represents authentication. Authentication verifies the identity of a user to prevent unauthorized
access. Users prove their identity with a username or ID. In addition, users need to verify their identity by providing
one of the following as shown in Figure 1:

• Something they know (such as a password)

• Something they have (such as a token or card)

• Something they are (such as a fingerprint)

For example, if you go to an ATM for cash, you need your bankcard (something you have) and you need to know the
PIN. This is also an example of multifactor authentication. Multifactor authentication requires more than one type of
authentication. The most popular form of authentication is the use of passwords.

Authorization services determine which resources users can access, along with the operations that users can
perform, as shown in Figure 2. Some systems accomplish this by using an access control list, or an ACL. An ACL
determines whether a user has certain access privileges once the user authenticates. Just because you can log onto
the corporate network does not mean that you have permission to use the high-speed color printer. Authorization can
also control when a user has access to a specific resource. For example, employees may have access to a sales
database during work hours, but the system locks them out after hours.

Accounting keeps track of what users do, including what they access, the amount of time they access resources,
and any changes made. For example, a bank keeps track of each customer account. An audit of that system can
reveal the time and amount of all transactions and the employee or system that executed the transactions.
Cybersecurity accounting services work the same way. The system tracks each data transaction and provides auditing
results. An administrator can set up computer policies as shown in Figure 3 to enable system auditing.
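The three AAA services above can be seen working together in a small, self-contained script. This is an added illustration written for this summary, not code from the course or from any product; the user store, the ACL entries (including the work-hours restriction on the sales database and the colour-printer permission from the text) and the timestamps are all constructed sample data.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, time

PBKDF2_ROUNDS = 100_000  # assumption: lowered for a quick demo; production tunes this higher


# --- Authentication: "something you know", stored only as a salted PBKDF2 hash ---
def make_password_record(password: str) -> dict:
    """Derive a salted hash so the clear-text password is never stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


# Constructed user store (sample accounts, not real credentials).
USERS = {
    "alice": make_password_record("correct horse battery staple"),
    "bob": make_password_record("hunter2"),
}


def authenticate(username: str, password: str) -> bool:
    """Verify identity; an unknown user and a wrong password fail the same way."""
    record = USERS.get(username)
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])  # constant-time comparison


# --- Authorization: an ACL keyed by (user, resource) with optional working hours ---
# Constructed ACL: alice may read and write the sales database during work hours and
# use the colour printer at any time; bob may only read the database during work hours.
WORK_HOURS = (time(8, 0), time(18, 0))
ACL = {
    ("alice", "sales_db"): {"ops": {"read", "write"}, "hours": WORK_HOURS},
    ("alice", "color_printer"): {"ops": {"print"}, "hours": None},
    ("bob", "sales_db"): {"ops": {"read"}, "hours": WORK_HOURS},
}


def authorize(username: str, resource: str, operation: str, now: datetime) -> bool:
    """Default deny: no ACL entry, wrong operation, or outside hours all return False."""
    entry = ACL.get((username, resource))
    if entry is None or operation not in entry["ops"]:
        return False
    if entry["hours"] is not None:
        start, end = entry["hours"]
        if not (start <= now.time() < end):
            return False
    return True


# --- Accounting: every decision, allowed or not, is written to the audit log ---
AUDIT_LOG = []


def record(username: str, resource: str, operation: str, outcome: str, now: datetime) -> None:
    AUDIT_LOG.append({"time": now.isoformat(), "user": username, "resource": resource,
                      "operation": operation, "outcome": outcome})


def access(username: str, password: str, resource: str, operation: str, now: datetime) -> bool:
    """Run the three A's in order: authenticate, then authorize, and account for the result."""
    if not authenticate(username, password):
        record(username, resource, operation, "AUTH_FAILED", now)
        return False
    if not authorize(username, resource, operation, now):
        record(username, resource, operation, "DENIED", now)
        return False
    record(username, resource, operation, "ALLOWED", now)
    return True


# Constructed timestamps: one inside work hours, one after hours.
SAMPLE_DURING_HOURS = datetime(2024, 3, 4, 10, 30)
SAMPLE_AFTER_HOURS = datetime(2024, 3, 4, 21, 0)

if __name__ == "__main__":
    access("alice", "correct horse battery staple", "sales_db", "write", SAMPLE_DURING_HOURS)
    access("alice", "correct horse battery staple", "sales_db", "write", SAMPLE_AFTER_HOURS)
    access("bob", "hunter2", "sales_db", "write", SAMPLE_DURING_HOURS)
    access("bob", "wrong password", "sales_db", "read", SAMPLE_DURING_HOURS)
    for entry in AUDIT_LOG:
        print(entry)
```

The audit log records failed logins and denied requests as well as successes; an auditor reviewing it can see who tried what, when, and with which outcome, which is exactly the accounting function described above.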

Laws and Liability

Confidentiality and privacy seem interchangeable, but from a legal standpoint, they mean different things. Most privacy
data is confidential, but not all confidential data is private. Access to confidential information occurs after confirming
proper authorization. Financial institutions, hospitals, medical professionals, law firms, and businesses handle
confidential information. Confidential information has a non-public status. Maintaining confidentiality is more of an
ethical duty.

Principle of Data Integrity

Integrity is the accuracy, consistency, and trustworthiness of data during its entire life cycle. Another term for integrity
is quality. Data undergoes a number of operations such as capture, storage, retrieval, update, and transfer. Data must
remain unaltered during all of these operations by unauthorized entities.

Methods used to ensure data integrity include hashing, data validation checks, data consistency checks, and
access controls. Data integrity systems can include one or more of the methods listed above.

Data integrity is a fundamental component of information security. The need for data integrity varies based on how an
organization uses data. For example, Facebook does not verify the data that a user posts in a profile. A bank or
financial organization assigns a higher importance to data integrity than Facebook does. Transactions and customer
accounts must be accurate. In a healthcare organization, data integrity might be a matter of life or death. Prescription
information must be accurate.

Integrity Checks

An integrity check is a way to measure the consistency of a collection of data (a file, a picture, or a record). The
integrity check performs a process called a hash function to take a snapshot of data at an instant in time. The integrity
check uses the snapshot to ensure data remains unchanged. A checksum is one example of a hash function. A
checksum verifies the integrity of files, or strings of characters, before and after they transfer from one device to
another across a local network or the Internet. Checksums simply convert each piece of information to a value and
sum the total.

Common hash functions include MD5, SHA-1, SHA-256, and SHA-512. These hash functions use complex
mathematical algorithms. The hashed value is simply there for comparison. For example, after downloading a file, the
user can verify the integrity of the file by comparing the hash values from the source with the one generated by any
hash calculator. Accurate backups help to maintain data integrity if data becomes corrupted. An organization needs
to verify its backup process to ensure the integrity of the backup before data loss occurs.
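The difference between the simple additive checksum and a cryptographic hash such as SHA-256 is easy to see in code. The following example is added here for illustration and is not part of the course material; the two records it compares are constructed so that a deliberate edit keeps the byte sum unchanged, which a checksum misses but SHA-256 catches. It also shows the file-download check the text describes: hash the file locally and compare against the digest the source published.

```python
import hashlib
import hmac


def additive_checksum(data: bytes) -> int:
    """The simple checksum the text describes: add every byte, keep 16 bits.
    It catches random corruption but not an edit that preserves the sum."""
    return sum(data) & 0xFFFF


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash: any change to the input changes the digest."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large download does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(data: bytes, published_hex: str) -> bool:
    """Compare the digest the source published with one computed locally.
    Whitespace and letter case in the published value are tolerated."""
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


# Constructed sample: a record and a tampered copy with two digits swapped.
ORIGINAL = b"transfer 100 to account 4242-1357"
TAMPERED = b"transfer 100 to account 4242-3157"  # same bytes, different order

if __name__ == "__main__":
    print("checksum original:", additive_checksum(ORIGINAL))
    print("checksum tampered:", additive_checksum(TAMPERED))  # identical to the line above
    print("sha256 original:  ", sha256_hex(ORIGINAL))
    print("sha256 tampered:  ", sha256_hex(TAMPERED))  # differs
```

A checksum is still useful against accidental corruption in transit, but only a cryptographic hash (ideally one whose published value is signed or fetched over an authenticated channel) protects against someone altering the data on purpose.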

Authorization determines who has access to an organization’s resources based on their need to know. For example,
file permissions and user access controls ensure that only certain users can modify data. An administrator can set
permissions for a file to read-only. As a result, a user accessing that file cannot make any changes.

The Principle of Availability

Data availability is the principle used to describe the need to maintain availability of information systems and services
at all times. Cyberattacks and system failures can prevent access to information systems and services. For example,
interrupting the availability of the website of a competitor by bringing it down may provide an advantage to its rival.
These denial-of-service (DoS) attacks threaten system availability and prevent legitimate users from accessing and
using information systems when needed.

Methods used to ensure availability include system redundancy, system backups, increased system resiliency,
equipment maintenance, up-to-date operating systems and software, and plans in place to recover quickly
from unforeseen disasters.

Five Nines

People use various information systems in their day-to-day lives. Computers and information systems control
communications, transportation and the manufacturing of products. The continuous availability of information systems
is imperative to modern life. The term high availability describes systems designed to avoid downtime. High availability
ensures a level of performance for a higher than normal period. High availability systems typically include three design
principles (Figure 1):

• Eliminate single points of failure

• Provide for reliable crossover

• Detect failures as they occur

The goal is the ability to continue to operate under extreme conditions, such as during an attack. One of the most
popular high availability practices is five nines. The five nines refer to 99.999%. This means that downtime is less than
5.26 minutes per year.

Organizations can ensure availability by implementing the following:

• Equipment maintenance

• OS and system updates

• Backup testing

• Disaster planning

• New technology implementations

• Unusual activity monitoring

• Availability testing

Types of Data Storage

Stored data refers to data at rest. Data at rest means that a type of storage device retains the data when no user or
process is using it. A storage device can be local (on a computing device) or centralized (on the network). A number
of options exist for storing data.

Direct-attached storage (DAS) is storage connected to a computer. A hard drive or USB flash drive is an example of
direct-attached storage. By default, systems are not set up to share direct-attached storage.

Redundant array of independent disks (RAID) uses multiple hard drives in an array, which is a method of combining
multiple disks so that the operating system sees them as a single disk. RAID provides improved performance and
fault tolerance.

A network attached storage (NAS) device is a storage device connected to a network that allows storage and retrieval
of data from a centralized location by authorized network users. NAS devices are flexible and scalable, meaning
administrators can increase the capacity as needed.

A storage area network (SAN) architecture is a network-based storage system. SAN systems connect to the network
using high-speed interfaces allowing improved performance and the ability to connect multiple servers to a centralized
disk storage repository.

Cloud storage is a remote storage option that uses space on a data center provider and is accessible from any
computer with Internet access. Google Drive, iCloud, and Dropbox are all examples of cloud storage providers.

Challenges of Protecting Stored Data


Organizations have a challenging task in trying to protect stored data. In order to improve data storage, organizations
can automate and centralize data backups.

Direct-attached storage is vulnerable to malicious attacks on the local host. Stored data may also include backup
data. Backups can be manual or automatic. Organizations should limit the types of data stored on direct-attached
storage. In particular, an organization would not store critical data on direct-attached storage devices.

Network storage systems offer a more secure option. Network storage systems including RAID, SAN and NAS provide
greater performance and redundancy. However, network storage systems are more complicated to configure and
manage. They also handle more data, posing a greater risk to the organization if the device fails. The unique
challenges of network storage systems include configuring, testing, and monitoring the system.

Methods of Transmitting Data

Data transmission involves sending information from one device to another. There are numerous methods to transmit
information between devices including:

• Sneaker net – uses removable media to physically move data from one computer to another

• Wired networks – uses cables to transmit data

• Wireless networks – uses radio waves to transmit data

Organizations will never be able to eliminate the use of a sneaker net.

Wired networks include copper-wired and fiber optic media. Wired networks can serve a local geographical area (Local
Area Network) or they can span great distances (Wide Area Networks).

Wireless networks are replacing wired networks. Wireless networks are becoming faster and able to handle more
bandwidth. Wireless networks expand the number of guest users with mobile devices on small office home office
(SOHO) and enterprise networks.

Both wired and wireless networks use packets or data units. The term packet refers to a unit of data that travels
between an origin and a destination on the network. Standard protocols like Internet Protocol (IP) and Hypertext
Transfer Protocol (HTTP) define the structure and formation of data packets. These standards are open and
available to the public. Protecting the confidentiality, integrity, and availability of transmitted data is one of the
most important responsibilities of a cybersecurity professional.

Challenges of Protecting Data In-Transit

The protection of transmitted data is one of the most challenging jobs of a cybersecurity professional. With the growth
in mobile and wireless devices, cybersecurity professionals are responsible for protecting massive amounts of data
crossing their network on a daily basis. The cybersecurity professional must deal with several challenges in protecting
this data:

• Protecting data confidentiality – cyber criminals can capture, save and steal data in-transit. Cyber professionals
must take steps to counter these actions.

• Protecting data integrity – cyber criminals can intercept and alter data in-transit. Cybersecurity professionals deploy
data integrity systems that test the integrity and authenticity of transmitted data to counter these actions.

• Protecting data availability - cyber criminals can use rogue or unauthorized devices to interrupt data availability. A
simple mobile device can pose as a local wireless access point and trick unsuspecting users into associating with the
rogue device. The cybercriminal can hijack an authorized connection to a protected service or device. Network security
professionals can implement mutual-authentication systems to counter these actions. Mutual-authentication systems
require the user to authenticate to the server and the server to authenticate to the user.
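The mutual authentication described in the last item can be shown as a two-way challenge-response exchange. The script below is an added illustration, not part of the course or of any wireless standard; it uses a constructed pre-shared key and HMAC-SHA256 so the exchange runs offline. The point it demonstrates is the order of the steps: the client checks the server's proof first, so a device that does not know the key (the "rogue device" of the text) never receives anything it could use, and the client refuses to associate.

```python
import hashlib
import hmac
import secrets


class Party:
    """One endpoint (a client device or an access point/service) holding a pre-shared key.
    Constructed for the example; a real deployment provisions keys or certificates per device."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key

    def proof(self, role: bytes, first: bytes, second: bytes) -> bytes:
        # The role label separates the two directions, so a server's proof cannot
        # simply be reflected back to it as if it were the client's proof.
        return hmac.new(self.key, role + first + second, hashlib.sha256).digest()


def mutual_authenticate(client: Party, server: Party):
    """Challenge-response in both directions. Returns (server_verified, client_verified)."""
    # 1. client -> server: a fresh client nonce (the server's challenge)
    c_nonce = secrets.token_bytes(16)
    # 2. server -> client: its own nonce plus proof that it knows the key
    s_nonce = secrets.token_bytes(16)
    s_proof = server.proof(b"server", c_nonce, s_nonce)
    # 3. the client verifies the server before revealing anything of its own
    server_ok = hmac.compare_digest(s_proof, client.proof(b"server", c_nonce, s_nonce))
    if not server_ok:
        return False, False  # unknown or rogue access point: the client stops here
    # 4. client -> server: the client's proof over the server's nonce
    c_proof = client.proof(b"client", s_nonce, c_nonce)
    client_ok = hmac.compare_digest(c_proof, server.proof(b"client", s_nonce, c_nonce))
    return server_ok, client_ok


# Constructed keys and endpoints for the demo.
SHARED_KEY = secrets.token_bytes(32)
LAPTOP = Party("laptop", SHARED_KEY)
CORPORATE_AP = Party("corp-ap", SHARED_KEY)
ROGUE_AP = Party("rogue-ap", secrets.token_bytes(32))  # does not hold the shared key

if __name__ == "__main__":
    print("laptop <-> corporate AP:", mutual_authenticate(LAPTOP, CORPORATE_AP))
    print("laptop <-> rogue AP:    ", mutual_authenticate(LAPTOP, ROGUE_AP))
```

Fresh nonces on both sides stop a recorded exchange from being replayed. In practice, enterprise wireless networks get the same property from 802.1X with certificate-based EAP methods, and web services from TLS with client certificates; those also derive a session key, which this toy exchange deliberately leaves out.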

Forms of Data Processing and Computation

The third state of data is data in process. This refers to data during initial input, modification, computation, or output.
Protection of data integrity starts with the initial input of data. Organizations use several methods to collect data, such
as manual data entry, scanning forms, file uploads, and data collected from sensors. Each of these methods poses
potential threats to data integrity. Examples of data corruption during the input process include data entry errors and
disconnected, malfunctioning, or inoperable system sensors. Other examples include mislabeling and incorrect
or mismatched data formats.

Data modification refers to any changes to the original data such as users manually modifying data, programs
processing and changing data, and equipment failing resulting in data modification. Processes like encoding/decoding,
compression/decompression and encryption/decryption are all examples of data modification. Malicious code also
results in data corruption.

Data corruption also occurs during the data output process. Data output refers to outputting data to printers, electronic
displays or directly to other devices. The accuracy of output data is critical because output provides information and
influences decision-making. Examples of output data corruption include the incorrect use of data delimiters, incorrect
communication configurations, and improperly configured printers.
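The input-side threats listed above (data entry errors, disconnected sensors, mismatched formats, mislabeling, wrong delimiters) are exactly what a validation step at the point of entry is meant to catch. The example below is added for illustration and is not from the course; it validates a constructed batch of temperature readings as they might arrive from a file upload or sensor feed, rejecting each bad row with a reason and passing only consistent records on for processing.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed input rows: one good reading and five that show the failure modes in the text.
SAMPLE_ROWS = [
    {"sensor_id": "T-01", "value_c": "21.5", "taken_at": "2024-03-04T10:00:00"},
    {"sensor_id": "T-02", "value_c": "21,5", "taken_at": "2024-03-04T10:00:00"},   # wrong decimal delimiter
    {"sensor_id": "T-03", "value_c": "n/a", "taken_at": "2024-03-04T10:00:00"},    # manual entry error
    {"sensor_id": "T-04", "value_c": "480.0", "taken_at": "2024-03-04T10:00:00"},  # physically impossible
    {"sensor_id": "T-05", "value_c": "19.8", "taken_at": "2024-03-04T03:00:00"},   # stale: sensor disconnected?
    {"sensor_id": "", "value_c": "20.1", "taken_at": "2024-03-04T10:00:00"},       # mislabeled (no id)
]
NOW = datetime(2024, 3, 4, 10, 1)      # constructed reference time for the batch
MAX_AGE = timedelta(minutes=5)         # assumption: a live sensor reports at least this often
RANGE_C = (-40.0, 125.0)               # assumption: operating range of the sensor model


@dataclass
class Reading:
    sensor_id: str
    value_c: float
    taken_at: datetime


def validate_reading(raw: dict, now: datetime = NOW):
    """Return (Reading, []) for a consistent row or (None, [reasons]) for a rejected one."""
    errors = []

    sensor_id = str(raw.get("sensor_id", "")).strip()
    if not sensor_id:
        errors.append("missing sensor_id (mislabeled record)")

    value: Optional[float] = None
    try:
        value = float(raw.get("value_c", ""))   # "21,5" and "n/a" both fail here
    except ValueError:
        errors.append(f"value_c is not numeric: {raw.get('value_c')!r}")
    else:
        if not RANGE_C[0] <= value <= RANGE_C[1]:
            errors.append(f"value_c {value} outside sensor range {RANGE_C}")

    taken_at: Optional[datetime] = None
    try:
        taken_at = datetime.fromisoformat(str(raw.get("taken_at", "")))
    except ValueError:
        errors.append(f"taken_at is not an ISO timestamp: {raw.get('taken_at')!r}")
    else:
        if taken_at > now:
            errors.append("taken_at is in the future (clock or format problem)")
        elif now - taken_at > MAX_AGE:
            errors.append(f"reading is {now - taken_at} old; sensor disconnected or stuck?")

    if errors:
        return None, errors
    return Reading(sensor_id, value, taken_at), []


def validate_batch(rows, now: datetime = NOW):
    """Split a batch into accepted readings and (row, reasons) pairs for review."""
    accepted, rejected = [], []
    for row in rows:
        reading, errors = validate_reading(row, now)
        if reading is not None:
            accepted.append(reading)
        else:
            rejected.append((row, errors))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = validate_batch(SAMPLE_ROWS)
    print(f"accepted {len(ok)} reading(s): {ok}")
    for row, reasons in bad:
        print("rejected", row, "->", "; ".join(reasons))
```

Rejected rows are kept with their reasons rather than silently dropped, so an operator can tell a formatting problem in the upload from a sensor that has stopped reporting; both would otherwise corrupt whatever is computed downstream.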

Challenges of Protecting Data In-Process

Invalid data modification during processing can have an adverse impact. Software errors are the
reason for many mishaps and disasters. For example, just two weeks before Christmas, some of Amazon’s third-party
retailers experienced a change in the advertised price on their items to just one cent. The glitch lasted for one hour.
The error resulted in thousands of shoppers getting the deal of a lifetime and the company losing revenue.

Protecting data during processing requires well-designed systems. Cybersecurity professionals design policies and
procedures that require testing, maintaining, and updating systems to keep them operating with the least amount of
errors.

Software-based Technology Safeguards

Software safeguards include programs and services that protect operating systems, databases, and other services
operating on workstations, portable devices, and servers. Administrators install software-based countermeasures or
safeguards on individual hosts or servers. There are several software-based technologies used to safeguard an
organization’s assets:

• Software firewalls control remote access to a system. Operating systems typically include a firewall or a user can
purchase or download software from a third party.

• Network and port scanners discover and monitor open ports on a host or server.

• Protocol analyzers, or signature analyzers, are devices that collect and examine network traffic. They identify
performance problems, detect misconfigurations, identify misbehaving applications, establish baseline and normal
traffic patterns, and debug communication problems.

• Vulnerability scanners are computer programs designed to assess weaknesses on computers or networks.

• Host-based intrusion detection systems (IDS) examine activity on host systems only. An IDS generates log files and
alarm messages when it detects unusual activity. A system storing sensitive data or providing critical services is a
candidate for host-based IDS.

Hardware-based Technology Safeguards

There are several hardware-based technologies used to safeguard an organization’s assets:

• Firewall appliances block unwanted traffic. Firewalls contain rules that define the traffic allowed into and out of a
network.

• Dedicated Intrusion Detection Systems (IDS) detect signs of attacks or unusual traffic on a network and send an alert.

• Intrusion Prevention Systems (IPS) detect signs of attacks or unusual traffic on a network, generate an alert and take
corrective actions.

• Content filtering services control access and transmission of objectionable or offensive content.

Network-based Technology Safeguards

There are several network-based technologies used to protect the organization’s assets:

• Virtual Private Network (VPN) is a secure virtual network that uses the public network (i.e., the Internet). The security
of a VPN lies in the encryption of packet content between the endpoints that define the VPN.

• Network access control (NAC) requires a set of checks before allowing a device to connect to a network. Some
common checks include that up-to-date antivirus software and operating system updates are installed.

• Wireless access point security includes the implementation of authentication and encryption.

Cloud-based Technology Safeguards

Cloud-based technologies shift the technology component from the organization to the cloud provider. The three main
cloud computing services include:

• Software as a Service (SaaS) allows users to gain access to application software and databases. Cloud providers
manage the infrastructure. Users store data on the cloud provider’s servers.

• Infrastructure as a Service (IaaS) provides virtualized computing resources over the Internet. The provider hosts
the hardware, software, servers, and storage components.

• Platform as a Service (PaaS) provides access to the development tools and services used to deliver the applications.

Cloud service providers have extended these options to include IT as a Service (ITaaS), which provides IT support
for IaaS, PaaS, and SaaS service models. In the ITaaS model, an organization contracts with the Cloud provider for
individual or bundled services.

Cloud service providers use virtual security appliances that run inside a virtual environment with a pre-packaged,
hardened operating system running on virtualized hardware.

Policies

A security policy is a set of security objectives for a company that includes rules of behavior for users and
administrators and specifies system requirements. These objectives, rules, and requirements collectively ensure the
security of a network, the data, and the computer systems within an organization.

A comprehensive security policy accomplishes several tasks:

• It demonstrates an organization’s commitment to security.

• It sets the rules for expected behavior.

• It ensures consistency in system operations, software and hardware acquisition and use, and maintenance.

• It defines the legal consequences of violations.

• It gives security staff the backing of management.

A security policy typically includes:

• Identification and authentication policies - Specifies authorized persons that can have access to network
resources and outlines verification procedures.

• Password policies - Ensures passwords meet minimum requirements and are changed regularly.

• Acceptable use policies - Identifies network resources and usage that are acceptable to the organization. It may
also identify ramifications for policy violations.

• Remote access policies - Identifies how remote users can access a network and what is remotely accessible.

• Network maintenance policies - Specifies network device operating systems and end user application update
procedures.

• Incident handling policies - Describes how security incidents are handled.

One of the most common security policy components is an acceptable use policy (AUP). This component defines
what users can and cannot do on the various system components. The AUP should be as explicit as possible to avoid
misunderstanding. For example, an AUP lists specific websites, newsgroups, or bandwidth intensive applications that
users cannot access using company computers or the company network.

Standards

Standards help an IT staff maintain consistency in operating the network. Standards documents provide the
technologies that specific users or programs need in addition to any program requirements or criteria that an
organization must follow. This helps IT staff improve efficiency and simplicity in design, maintenance, and
troubleshooting. One of the most important security principles is consistency. For this reason, it is necessary for
organizations to establish standards. Each organization develops standards to support its unique operating
environment. For example, an organization establishes a password policy. The standard is that passwords require a
minimum of eight upper and lowercase alphanumeric characters, including at least one special character. A user must
change a password every 30 days, and a password history of 12 previous passwords ensures that the user creates
unique passwords for one year.

Guidelines

Guidelines are a list of suggestions on how to do things more efficiently and securely. They are similar to standards,
but are more flexible and are not usually mandatory. Guidelines define how standards are developed and guarantee
adherence to general security policies.

Some of the most helpful guidelines make up an organization’s best practices. In addition to an organization’s defined
best practices, guidelines are also available from the following:

• National Institute of Standards and Technology (NIST) Computer Security Resource Center (Figure 1)

• National Security Agency (NSA) Security Configuration Guides (Figure 2)

• The Common Criteria standard (Figure 3)

Using the password policy example, a guideline is a suggestion that the user take a phrase like "I have a dream" and
convert it to a strong password, Ihv@dr3@m. The user can create other passwords from this phrase by changing the
number, moving the symbol, or changing the punctuation mark.

Procedures

Procedure documents are longer and more detailed than standards and guidelines. Procedure documents include
implementation details that usually contain step-by-step instructions and graphics.

The figure shows an example of the procedure used to change a password. Large organizations must use procedure
documents to maintain the consistency of deployment that is necessary for a secure environment.

Overview of the Model

Security professionals need to secure information from end-to-end within the organization. This is a monumental task,
and it is unreasonable to expect one individual to have all of the requisite knowledge. The International Organization
for Standardization (ISO)/International Electrotechnical Commission (IEC) developed a comprehensive framework to
guide information security management. The ISO/IEC cybersecurity model is to cybersecurity professionals what the
OSI networking model is to network engineers. Both provide a framework for understanding and approaching complex
tasks.

Cybersecurity Domains

ISO/IEC 27000 is an information security standard published in 2005 and revised in 2013. ISO publishes the ISO
27000 standards. Even though the standards are not mandatory, most countries use them as a de facto framework
for implementing information security.

The ISO 27000 standards describe the implementation of a comprehensive information security management system
(ISMS). An ISMS consists of all of the administrative, technical and operational controls to keep information safe within
an organization. Twelve independent domains represent the components of the ISO 27000 standard. These twelve
domains serve to organize, at a high level, the vast areas of information under the umbrella of information security.
The structure of the ISO cybersecurity model is different from the OSI model in that it uses domains rather than layers
to describe the categories for security. The reason for this is that the ISO cybersecurity model is not a hierarchical
relationship. It is a peer model in which each domain has a direct relationship with the other domains. The ISO 27000
cybersecurity model is very similar to the OSI model in that it is vital for cybersecurity specialists to understand both
of these models to be successful.

Control Objectives

The twelve domains consist of control objectives defined in the 27001 part of the standard. The control objectives
define the high-level requirements to implement a comprehensive ISMS. An organization’s management team uses the
ISO 27001 control objectives to define and publish the organization’s security policies. Control objectives provide a
checklist to use during security management audits. Many organizations need to pass an ISMS audit in order to earn
a designation of ISO 27001 compliant.

Certification and compliance provide confidence for two organizations that need to trust each other’s confidential data
and operations. Compliance and security audits prove that organizations are continuously improving their information
security management system.

Controls

ISO/IEC 27002 defines information security management system controls. Controls are more detailed than
objectives. Control objectives tell the organization what to do. Controls define how to accomplish the objective.

Based on the control objective "control access to networks by using the appropriate authentication mechanisms for
users and equipment", the control would be:

Use strong passwords. A strong password consists of at least eight characters that are a combination of letters,
numbers and symbols (@, #, $, %, etc.) if allowed. Passwords are case-sensitive, so a strong password contains
letters in both uppercase and lowercase.
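As an added example that is not part of the course text, here is a Python checker for the password rules the chapter uses twice: the standard in the Standards section above (eight characters with upper and lowercase letters, a digit and a special character, a change every 30 days, a 12-password history) and the strong-password control just quoted. The PasswordRecord class, its method names and the use of PBKDF2 to hash history entries are my assumptions, not something the course or ISO 27002 specifies.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH, MAX_AGE_DAYS, HISTORY_DEPTH = 8, 30, 12  # figures from the standard in the text
SPECIALS = set(string.punctuation)  # '@', '#', '$', '%' and the rest

def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is an assumption; the course names no algorithm. A fresh
    # salt per history entry keeps identical old passwords from hashing alike.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def complexity_violations(password: str) -> list:
    """Return the composition rules a candidate fails ([] means compliant)."""
    checks = [
        (len(password) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (any(c.isupper() for c in password), "no uppercase letter"),
        (any(c.islower() for c in password), "no lowercase letter"),
        (any(c.isdigit() for c in password), "no digit"),
        (any(c in SPECIALS for c in password), "no special character"),
    ]
    return [reason for ok, reason in checks if not ok]

class PasswordRecord:
    """Hypothetical per-user state: salted hashes of recent passwords and the last change date."""
    def __init__(self):
        self.history = []           # (salt, digest) pairs, oldest first
        self.changed_on = date.min  # no password yet, so the account counts as expired

    def expired(self, today: str) -> bool:
        """True once MAX_AGE_DAYS have passed since the last change (today as an ISO date)."""
        return date.fromisoformat(today) - self.changed_on >= timedelta(days=MAX_AGE_DAYS)

    def reused(self, password: str) -> bool:
        # compare_digest keeps the comparison constant-time for each retained entry
        return any(hmac.compare_digest(_digest(password, s), d) for s, d in self.history)

    def change(self, new_password: str, today: str) -> list:
        """Apply the standard; on success record the password and return []."""
        problems = complexity_violations(new_password)
        if self.reused(new_password):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _digest(new_password, salt))])[-HISTORY_DEPTH:]
        self.changed_on = date.fromisoformat(today)
        return []
```

The guideline's example password Ihv@dr3@m passes the composition checks, and the history keeps exactly twelve entries, so the thirteenth change may reuse the first password again, which is the one-year coverage the standard describes.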

Cybersecurity professionals recognize the following:

• Controls are not mandatory, but they are widely accepted and adopted.

• Controls must maintain vendor-neutrality to avoid the appearance of endorsing a specific product or company.

• Controls are like guidelines. This means that there can be more than one way to comply with the objective.

The ISO Cybersecurity Model and the CIA Triad

The ISO 27000 is a universal framework for every type of organization. In order to use the framework effectively, an
organization must narrow down which domains, control objectives, and controls apply to its environment and
operations.

The ISO 27001 control objectives serve as a checklist. The first step an organization takes is to determine if these
control objectives are applicable to the organization. Most organizations generate a document called the Statement
of Applicability (SOA). The SOA defines which control objectives the organization needs to use.

Different organizations place greater priority on confidentiality, integrity, and availability depending on the type of
industry. For example, Google places the highest value on user data confidentiality and availability and less on
integrity. Google does not verify user data. An organization tailors its use of the available control objectives and
controls to best meet its priorities with regard to confidentiality, integrity and availability.

The ISO Cybersecurity Model and the States of Data

Different groups within an organization may be responsible for data in each of the various states. For example, the
network security group is responsible for data during transmission. Programmers and data entry people are
responsible for data during processing. The hardware and server support specialists are responsible for stored data.
The ISO Controls specifically address security objectives for data in each of the three states.

The ISO Cybersecurity Model and Safeguards

The ISO 27001 control objectives relate directly to the organization’s cybersecurity policies, procedures and guidelines
which upper management determines. The ISO 27002 controls provide technical direction. For example, upper
management establishes a policy specifying the protection of all data coming in to or out of the organization.
Implementing the technology to meet the policy objectives would not involve upper management. It is the responsibility
of IT professionals to properly implement and configure the equipment used to fulfill the policy directives set by upper
management.
