The purpose of this article is to provide a comprehensive overview of cyber security and its importance for organisations and society today. We will also discuss its security domains, the current cyber threats putting corporate environments at risk, the challenges organisations face in protecting themselves from cyber attacks, and the cyber security defences and best practices that can be implemented to mitigate those risks.
Further details about how those cyber security defences and best practices are being implemented in the workplace will be discussed at a later time in the portal.
I hope you enjoy the read. Please feel free to send your thoughts about this article (in English or Portuguese) and suggestions for new topics to [email protected].
1. CYBER SECURITY DEFINITION
My first contact with cyber security took place in Brazil in 1998, when I was introduced to Checkpoint Firewall-1 and had the opportunity to work with that technology for many years to come. At that time the term cyber security wasn’t as popular among organisations and security professionals as it is today. Instead, the world used the terms information technology security (IT security) or electronic information security to refer to the area, and these are still commonly used by some bodies, organisations and professionals today.
Despite the change in the name used to describe the field, its definition remains the same. In a nutshell, it refers to the combination of technologies, processes, and best practices implemented by organisations to protect their employees, customers, technical infrastructure (e.g., networks, servers, desktops, mobile devices, electronic systems, etc.), data, information, and programs from malicious attacks, damage, or unauthorised access.
2. THE IMPORTANCE OF CYBER SECURITY FOR ORGANISATIONS
Cyber security has never been more crucial for organisations than today.
Significant cases of sophisticated cyber attacks targeting companies’ critical infrastructure, their employees, and customers’ data, information, and secrets have increased dramatically compared to 5 years ago. As a result, large, medium and small businesses have been advised by governments and some private bodies to adhere to security and privacy regulations, legislation, and standards, to ensure security controls are in place to protect the systems, data, and information they deal with on a daily basis. Although this will not stop malicious actors’ attempts to infiltrate organisations’ infrastructures, it will undoubtedly make their goals harder to achieve.
Cyber criminals have been knocking on organisations’ “doors” every single day, hour, minute and second, and their reasons vary depending on the criminals’ motivation and the target industry. For instance, cyber criminals may target universities to steal intellectual property assets and trade them on the dark web afterwards, as universities, by nature, maintain a rich database of such information. Another example would be criminals targeting financial organisations to steal money from banks’ clients to fund their criminal activities, such as terrorism, child pornography, and drug trafficking, or simply to acquire products through e-commerce using somebody else’s credit card details. Furthermore, state-sponsored cyber criminals may target foreign governments, aiming to gain access to their top secret military information for the benefit of the nations that hired them for such evil purposes.
The list of cyber criminals’ motivations is quite extensive, and organisations must pay attention to it in order to understand their risks and the countermeasures they must implement to comply with regulations, legislation, and standards such as APRA CPS 234, the Privacy Act 1988, Sarbanes-Oxley, HIPAA, GDPR, LGPD, PCI DSS, etc. Doing so helps them avoid heavy penalties, protect their environments and reputation, and make cyber criminals’ lives harder.
All of this combined will no doubt improve confidence in companies’ reputation and trust among business partners, customers, stakeholders and employees.
3. CYBER SECURITY DOMAINS AND THEIR FUNCTIONS
Cyber security is divided into several distinct domains, and the approach organisations take to implement and manage them will be crucial to the success of a cyber security program. As of today, according to the International Information Systems Security Certification Consortium (ISC)², these domains are as follows:
3.1 Security and Risk Management
The Security and Risk Management domain covers the following:
- Understand, adhere to, and promote professional ethics
- Understand and apply security concepts
- Evaluate and apply security governance principles
- Determine compliance and other requirements
- Understand legal and regulatory issues that pertain to information security in a holistic context
- Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
- Develop, document, and implement security policy, standards, procedures, and guidelines
- Identify, analyse, and prioritise Business Continuity (BC) requirements
- Contribute to and enforce personnel security policies and procedures
- Understand and apply risk management concepts
- Understand and apply threat modelling concepts and methodologies
- Apply Supply Chain Risk Management (SCRM) concepts
- Establish and maintain a security awareness, education, and training program
3.2 Asset Security
The Asset Security domain covers the following:
- Identify and classify information and assets
- Establish information and asset handling requirements
- Provision resources securely
- Manage data lifecycle
- Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))
- Determine data security controls and compliance requirements
3.3 Security Architecture and Engineering
The Security Architecture and Engineering domain covers the following:
- Research, implement and manage engineering processes using secure design principles
- Understand the fundamental concepts of security models (e.g., Biba, Star Model, Bell-LaPadula)
- Select controls based upon systems security requirements
- Understand security capabilities of Information Systems (IS) (e.g., memory protection, Trusted Platform Module (TPM), encryption/decryption)
- Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
- Select and determine cryptographic solutions
- Understand methods of cryptanalytic attacks
- Apply security principles to site and facility design
- Design site and facility security controls
3.4 Communication and Network Security
The Communication and Network Security domain covers the following:
- Assess and implement secure design principles in network architectures
- Secure network components
- Implement secure communication channels according to design
3.5 Identity and Access Management (IAM)
The Identity and Access Management (IAM) domain covers the following:
- Control physical and logical access to assets
- Manage identification and authentication of people, devices, and services
- Federated identity with a third-party service
- Implement and manage authorization mechanisms
- Manage the identity and access provisioning lifecycle
- Implement authentication systems
3.6 Security Assessment and Testing
The Security Assessment and Testing domain covers the following:
- Design and validate assessment, test, and audit strategies
- Conduct security control testing
- Collect security process data (e.g., technical and administrative)
- Analyse test output and generate reports
- Conduct or facilitate security audits
3.7 Security Operations
The Security Operations domain covers the following:
- Understand and comply with investigations
- Conduct logging and monitoring activities
- Perform Configuration Management (CM) (e.g., provisioning, baselining, automation)
- Apply foundational security operations concepts
- Apply resource protection
- Conduct incident management
- Operate and maintain detective and preventative measures
- Implement and support patch and vulnerability management
- Understand and participate in change management processes
- Implement recovery strategies
- Implement Disaster Recovery (DR) processes
- Test Disaster Recovery Plans (DRP)
- Participate in Business Continuity (BC) planning and exercises
- Implement and manage physical security
- Address personnel safety and security concerns
3.8 Software Development Security
The Software Development Security domain covers the following:
- Understand and integrate security in the Software Development Life Cycle (SDLC)
- Identify and apply security controls in development environments
- Assess the effectiveness of software security
- Assess security impact of acquired software
- Define and apply secure coding guidelines and standards
Maintaining cyber security is a hard task for organisations of all sizes, especially nowadays, when the threat landscape is constantly changing. To help organisations keep up with it, a more proactive and adaptive approach is needed. For instance, the National Institute of Standards and Technology (NIST), ISO (in the 27000 series of IT security standards), and the CIS (formerly the SANS Top 20 security controls guidance) recommend that organisations adopt continuous monitoring and real-time assessments as part of a risk assessment framework, to protect their environments against known and unknown cyber threats.
Further detail about how organisations implement those domains in the workplace will be discussed at a later time in the portal.
Cyber Security enthusiast and founder of the WeCyberYou! platform.
Edson is a Cyber Security enthusiast who has been working in the Cyber Security space for over 20 years, assisting organisations from different industries, such as Consulting, Financial, Education, Telecommunication, and State and Federal Government, in Australia and Brazil, to protect their environments and reputations from internal and external cyber threats.
He holds a degree in System Analysis, a postgraduate degree in Cyber Security and the CISSP and CISM certifications.
He is currently working as a Senior Information Security Manager in Australia assisting private and public organisations to protect their environments and reputations from malicious code and actors.