CH 05 1 - Unlocked

IT for Management: On-Demand Strategies for Performance, Growth, and Sustainability
Chapter 5: Cybersecurity and Risk Management Technology
Dr. Ebadati, Ph.D. (Computer Science), Delhi
Learning Objectives (1 of 5)
The Face and Future of Cyberthreats

Figure 5.1: Number of 2016 U.S. Data Breaches by Industry Sector. The number of cyberthreats in which
data records have been stolen by hackers has increased at an alarming rate.
Cyberthreat Terminology
• Cyberthreat is a threat posed by means of the Internet (a.k.a. cyberspace) and the
potential source of malicious attempts to damage or disrupt a computer
network, system, or application.
• Vulnerability is a gap in IT security defenses of a network, system, or application
that can be exploited by a threat to gain unauthorized access.
• Incident is an attempted or successful unauthorized access to a network, system,
or application; unwanted disruption or denial of service; unauthorized use of a
system for processing or storage of data; changes to a system without the owner’s
knowledge, instruction, or consent.
• Data Breach is the successful retrieval of sensitive information by an individual,
group, or software system.
Figure 5.2 The three objectives of data and information systems security
2016 Biggest Data Breaches Worldwide
Company | Type of Breach | Records Breached
Anthem Insurance | Identity theft—healthcare records | 78.8 million
Turkish General Directorate (government agency) | Identity theft—malicious outsider | 50 million
Korean Pharmaceutical Info. Center | Identity theft—malicious insider | 43 million
U.S. Office of Personnel Management (government agency) | Personally Identifiable Information (PII) | 22 million
Experian (credit bureau) | Identity theft—malicious outsider | 15 million
Major Sources of Cyberthreats (1 of 2)
Unintentional cyberthreats can be caused by
o Human error (a majority of internal security issues)
• Poorly designed systems
• Faulty programming
• Neglecting to change passwords
• Unaware users
o Environmental hazards
• Natural disasters
• Faulty HVAC systems
o Computer systems failure
• Poor manufacturing or maintenance
Major Sources of Cyberthreats (2 of 2)
• Some intentional forms of cyberthreats are:
• Hacking
• Phishing
• Crimeware
• Distributed Denial of Service (DDoS)
• Insider and Privilege Misuse
• Physical Theft
Intentional Cyberthreats: Hacking
• Hacking: is broadly defined as intentionally accessing a computer without
authorization or exceeding authorized access. There are three types of
hackers.
• White Hat: Computer security specialist who breaks into protected systems
and networks to test and assess their security.
• Black Hat: Person who attempts to find computer security vulnerabilities
and exploit them for personal and/or financial gain, or other malicious
reasons.
• Gray Hat: Person who may violate ethical standards or principles, but
without the malicious intent ascribed to black hat hackers.
• Hacktivist: is short for hacker-activist, or someone who performs hacking to
promote awareness, or otherwise support a social, political, economic, or
other cause.
Intentional Cyberthreats: Spear Phishing
• Spear phishers often target select groups of people with
something in common
• Trick the user into opening an infected email
• Emails are sent that look like the real thing
• Confidential information is extracted through seemingly
legitimate website requests for passwords, user IDs, PINs,
account numbers, and so on.
Intentional Cyberthreats: Crimeware
• Malware: refers to hostile or intrusive software, including computer
viruses, rootkits, worms, Trojan horses, ransomware, and other
malicious programs used to disrupt computer or mobile operations,
gather sensitive information, or gain access to private computer
systems.
• Spyware: is tracking software that is not designed to intentionally
damage or disable a system but to monitor or track activities.
• Adware: is software that embeds advertisements in an application.
• Ransomware: is a type of malware that is designed to block access to a
computer system until a sum of money has been paid.
Intentional Cyberthreats: Variants
• Malware Reinfections, Signatures, Mutations, and Variants
• Malware is captured in backups or archives. Restoring the
infected backup or archive also restores the malware.
• Malware infects removable media, and could reinfect a host
years later when it is accessed again.
• Most antivirus (AV) software relies on signatures to identify and
then block malware.
Intentional Cyberthreats: Botnets
• A botnet is a group of external attacking entities and is
a totally different attack method/vector from malware,
which is internal to the system.
• A group of infected computers, called zombies, can be
controlled and organized into a network of zombies on
the command of a remote botmaster (also called a bot
herder).
Intentional Cyberthreats: Denial of Service Attacks
• Distributed Denial-of-Service (DDoS): crashes a network or website by
bombarding it with traffic (i.e., requests for service) and effectively denies service to
all those legitimately using it, leaving it vulnerable to other threats
• Telephony Denial-of-Service (TDoS): floods a network with phone calls and
keeps the calls up for long durations to overwhelm an agent or circuit and prevent
legitimate callers, such as customers, partners, and suppliers, from using network
resources
• Permanent Denial-of-Service (PDoS): prevents the target’s system or device
from working. Instead of collecting data or providing some on-going perverse
function, its objective is to completely prevent the target’s device(s) from
functioning.
Intentional Cyberthreats: Internal Threats
• Internal threats from employees can be some of the most challenging
to defend against
• Data tampering is a common means of internal attack
• Refers to an attack during which someone enters false or
fraudulent data into a computer, or changes/deletes existing data
• Data tampering is extremely serious because it may not be
detected; the method is often used by insiders and fraudsters
New Attack Vectors
• Attack Vector is a path or means by which a hacker can gain
access to a computer or network server in order to deliver a
malicious outcome.
• Mobile devices and apps, social media, and cloud services
introduce even more attack vectors for malware, phishing, and
hackers.
• Malicious (rogue) apps can serve up Trojan attacks, other
malware, or phishing attacks.
• Found in the Google Play Store for Android phones.
The Face and Future of Cyberthreats Review
1. Define and give an example of an intentional threat and an unintentional
threat.
2. Why might management not treat cyberthreats as a top priority?
3. Describe the differences between distributed denial-of-service (DDoS),
telephony denial-of-service (TDoS), and permanent denial-of-service (PDoS).
4. Why is social engineering a technique used by hackers to gain access to a
network?
5. List and define three types of malware.
6. What are the risks caused by data tampering?
7. Define botnet and explain why they are dangerous.
8. Why is Ransomware on the rise? How might companies guard against
ransomware attacks?
Learning Objectives (2 of 5)
Cyberattack Targets and Consequences
• Managers make the mistake of underestimating IT
vulnerabilities and threats, and appear detached from
the value of confidential data (even high-tech companies).
• Targets for cyberattacks include critical infrastructure,
theft of intellectual property, identity theft, BYOD, and
social media.
• These attacks can be “high profile” or “under the radar”.
High Profile and Under the Radar Attacks
• Advanced Persistent Threats (APT)
• Launched by an attacker through phishing to gain access to the enterprise’s network
• Designed for long-term espionage
• Profit-motivated cybercriminals often operate in stealth mode to continue long-term
activities
• Hackers and hacktivists, commonly with personal agendas, carry out high-profile
attacks to further their causes.
• Anonymous and LulzSec are two hacker groups who have committed daring data
breaches, data compromises, data leaks, thefts, threats, and privacy invasions.
Critical Infrastructure Attacks
Figure 5.3 U.S. Critical Infrastructure Sectors.
Critical infrastructure is defined as systems and assets so vital to the country that their incapacity or
destruction would have a debilitating effect.
Theft of Intellectual Property
• Intellectual Property: is a work or invention that is the result of
creativity that has commercial value.
• Includes copyrighted property such as a blueprint, manuscript or a
design, and is protected by law from unauthorized use by others.
• Intellectual property can represent more than 80% of a company’s
value.
• Losing customer data to hackers can be costly and embarrassing but
losing intellectual property, commonly known as trade secrets, could
threaten a company’s existence.
Identity Theft
• One of the worst and most prevalent cyberthreats is identity
theft.
• Made worse by electronic sharing and databases
• Businesses are reluctant to reveal incidents in which their
customers’ personal financial information may have been
stolen, lost, or compromised
Bring Your Own Device (BYOD)
• Bring Your Own Device (BYOD): employees providing their own (mobile)
devices for business purposes to reduce expenses through cut purchase
and maintenance costs.
• Roughly 74% of U.S. organizations are using or planning to use BYOD
• Cuts business costs by not having to purchase and maintain
employees’ mobile devices
• Security risk: mobile devices rarely have strong authentication,
access controls, and encryption even though they connect to mission-
critical data and cloud services. Could also be lost or stolen.
Social Media Attacks
• Social networks and cloud computing increase vulnerabilities by
providing a single point of failure and attack for organized criminal
networks.
• FBI: social media-related events have multiplied over the past five
years.
• Pricewaterhouse Coopers found that more than one in eight
enterprises has suffered at least one security breach due to a social
media-related cyberattack.
• Facebook scams were the most common form of malware distributed in
2015.
Networks and Services Increase Exposure to Risk
• Time-to-exploitation is the elapsed time between when a vulnerability is
discovered and when it is exploited

Cyberattack Targets and Consequences Review
1. What is a critical infrastructure?
2. List three types of critical infrastructures.
3. How do social network and cloud computing increase
vulnerability?
4. Why are patches and service packs needed?
5. Why is it important to protect intellectual property?
6. How are the motives of hacktivists and APTs different?
7. Explain why data on laptops and computers need to be encrypted.
8. Explain how identity theft can occur.
Learning Objectives (3 of 5)
Cyber Risk Management
• Risk is the probability of a threat successfully exploiting a vulnerability and the
estimated cost of the loss or damage.
• Factors leading to an increased risk of cyberattack:
• Interconnected, interdependent, wirelessly networked business
environment
• Smaller, faster, cheaper computers and storage devices
• Decreasing skills necessary to be a computer hacker
• International organized crime taking over cybercrime
• Lack of management support
IT Defenses
• Some essential defenses organizations can institute to defend against
cyberattacks
• Antivirus Software: designed to detect malicious code and prevent users
from downloading it.
• Intrusion Detection Systems (IDSs): scan for unusual or suspicious traffic
(passive defense)
• Intrusion Prevention Systems (IPSs): designed to take immediate action—
such as blocking specific IP addresses—whenever a traffic-flow anomaly is
detected (active defense)
• Security is an ongoing, unending process
Figure 5.7 Basic IT security concepts
Security Defenses for Mobiles
• Biometric Control is an automated method of verifying the
identity of a person, based on physical or behavioral
characteristics
• The most common biometrics are a thumbprint or
fingerprint, voice print, retinal scan, and signature.
• Mobile biometrics can significantly improve the security of physical
devices and provide stronger authentication for remote access or cloud
services.
• Voice biometrics are an effective authentication solution across a
wide range of consumer devices including smartphones, tablets, and
TVs.
Additional IT Defenses: Do-Not-Carry Rules
• U.S. companies, government agencies, and organizations may impose
rules that assume mobile technologies will inevitably be compromised.
• Only “clean” devices are allowed to be brought inside
• Devices are forbidden from connecting while abroad
• Some individuals carry no electronics on trips for compliance
Business Continuity Planning
• Business continuity refers to maintaining business functions or
restoring them quickly when there is a major disruption
• A business continuity plan covers business processes, assets,
human resources, business partners
• Keeps the business running after a disaster occurs
• Covers fires, earthquakes, floods, power outages, malicious
attacks, and other types of disasters
Figure 5.8
Cyber Risk Management Review
1. Explain why it is becoming more important for organizations to make cyber risk
management a high priority?
2. Name four U.S. Government Regulations that relate to cyber risk management.
3. What is the purpose of Rogue Application Monitoring?
4. Why is a mobile kill switch or remote wipe capability an important part of managing
cyber risk?
5. Why does an organization need to have a business continuity plan?
6. Name the three essential cybersecurity defenses.
7. Name three IT defenses.
8. Why do companies impose do-not-carry rules?
Learning Objectives (4 of 5)
Defending Against Fraud
• Crime
• Violent crime involves physical threat or harm
• Nonviolent crime uses deception, confidence, and trickery by
abusing the power of one’s position or by taking advantage of the
trust, ignorance, or laziness of others, otherwise known as fraud.
• Fraud
• Occupational fraud refers to the deliberate misuse of the assets of
one’s employer for personal gain.
Occupational Fraud Prevention and Detection
• Corporate Governance
• An enterprise-wide approach greatly increases the prevention and detection of
fraud
• Intelligent Analysis
• Performs insider profiling to find wider patterns of criminal networks.
• Anomaly Detection
• Audit trails from key systems and personnel records are used to detect
anomalous patterns, such as excessive hours worked, deviations in patterns
of behavior, copying huge amounts of data, attempts to override controls,
unusual transactions, and inadequate documentation about a transaction.
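The anomaly-detection idea above, as an added example that is not from the textbook or the lecture: a small rule-based detector run over constructed audit-trail records. It flags the indicators the slide names (excessive hours, attempts to override controls, copying far more data than the user’s own baseline, hours that deviate from the user’s pattern); the field layout, thresholds and deviation factor are assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit records: (user, day, hours_worked, bytes_copied, override_attempts).
# Not real data; alice's day 4 is built to look like an insider exfiltration attempt.
AUDIT_TRAIL = [
    ("alice", 1, 8.0, 200_000_000, 0),
    ("alice", 2, 8.5, 180_000_000, 0),
    ("alice", 3, 7.5, 220_000_000, 0),
    ("alice", 4, 15.0, 9_000_000_000, 2),   # long day, bulk copy, override attempts
    ("bob", 1, 9.0, 50_000_000, 0),
    ("bob", 2, 8.0, 60_000_000, 0),
    ("bob", 3, 8.0, 55_000_000, 0),
    ("bob", 4, 8.5, 58_000_000, 0),
]

MAX_HOURS = 12.0        # assumed policy threshold for "excessive hours worked"
DEVIATION_FACTOR = 3.0  # flag values more than 3 "bands" above the user's own baseline


def deviates(value, history):
    """True if value is far above the user's own historical pattern (per-user baseline)."""
    if len(history) < 2:           # not enough history to call anything a deviation
        return False
    mu, sigma = mean(history), pstdev(history)
    # Floor the band at 10% of the mean so a perfectly flat history still tolerates small drift.
    threshold = mu + DEVIATION_FACTOR * max(sigma, 0.1 * mu)
    return value > threshold


def detect_anomalies(records):
    """Return [(user, day, [reasons])] for records breaking policy or the user's baseline."""
    by_user = defaultdict(list)
    for rec in sorted(records, key=lambda r: (r[0], r[1])):
        by_user[rec[0]].append(rec)
    findings = []
    for user, recs in by_user.items():
        for i, (_, day, hours, nbytes, overrides) in enumerate(recs):
            prior = recs[:i]       # baseline = this user's earlier days only
            reasons = []
            if hours > MAX_HOURS:
                reasons.append("excessive hours worked")
            if overrides > 0:
                reasons.append("attempt to override controls")
            if deviates(nbytes, [p[3] for p in prior]):
                reasons.append("data copied far above user baseline")
            if deviates(hours, [p[2] for p in prior]):
                reasons.append("hours deviate from user pattern")
            if reasons:
                findings.append((user, day, reasons))
    return findings


if __name__ == "__main__":
    for user, day, reasons in detect_anomalies(AUDIT_TRAIL):
        print(f"{user} day {day}: {', '.join(reasons)}")
```

Baselines are per user, so bob’s slightly longer day 1 is not flagged against alice’s pattern, and a user with fewer than two prior days produces no deviation findings at all.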
Internal Controls (IC)
• A process to ensure that sensitive data are protected and accurate,
designed to achieve:
• Reliability of financial reporting, to protect investors
• Operational efficiency
• Compliance with laws, regulations, and policies
• Safeguarding of assets
Cyber Defense Strategies
• The major objectives of Defense Strategies are:
• Prevention and deterrence
• Detection
• Contain the Damage (damage control)
• Recovery
• Correction
• Awareness and compliance
• Auditing can provide an additional layer of safeguards.
Defending Against Fraud Review
1. What defenses help prevent occupational fraud?
2. What level of employee commits the most occupational fraud?
3. What is the purpose of internal controls?
4. What federal law requires effective internal controls?
5. Explain the concepts of Intelligence Analysis and Anomaly Detection.
6. Name the major categories of general controls.
7. Explain authentication and name two methods of authentication.
8. What are the six major objectives of a defense strategy?
Learning Objectives (5 of 5)
Frameworks, Standards, and Models
• Current frameworks and standards have been developed to address
compliance:
• Enterprise Risk Management (ERM)
• Control Objectives for Information and Related Technology (COBIT)
• Industry Standards, for example, Payment Card Industry Data Security
Standard (PCI DSS)
Enterprise Risk Management Framework (ERM)
• Risk-based approach to managing an enterprise
• Developed by the Committee of Sponsoring Organizations of
the Treadway Commission (COSO) ERM
• Integrates internal control, the Sarbanes-Oxley Act mandates,
and strategic planning
• Consists of eight components, listed in Table 5.13 of the book
Figure 5.11 COBIT 5 Principles
COBIT 5 is the leading framework for the governance and security of IT
Industry Standards: Payment Card Industry Data Security
Standard (PCI DSS)
• Created by Visa, MasterCard, American Express, and Discover
• Requires merchants and card payment providers to make
certain their Web applications are secure
• Improves customers’ trust in e-commerce
• Increases the Web security of online merchants
• Penalties for noncompliance are severe
Figure 5.12 IT security defense-in-depth model.
Frameworks, Standards, and Models Review
1. Who created the Enterprise Risk Management Framework (ERM)? What is its
purpose?
2. What are the 5 principles of COBIT 5? Explain.
3. Why do industry groups have their own standards for cybersecurity? Name one
standard.
4. Are measurements of direct costs sufficient to reflect total damage sustained by a
cyberattack?
5. What 4 components comprise the IT Security Defense-in-Depth model?
6. What are the 4 steps in the IT Security Defense-in-Depth IT security model?
7. Explain why frameworks, standards, and models are important parts of a
cybersecurity program.
Best Wishes
Do you have any questions?
dr.ebadati@live.com
ebadati.com
Omid Ebadati
