CYB I

qbe89

See attached.


CYBI.docx

Robert Celinszky, CEO of The Celinszky Automotive Group (CAG), a chain of 25 dealerships across four southern states, has distributed a video to all members of the organization expressing his concern about the mounting threat of ransomware on the automotive sector. Although CAG has not yet suffered an attack, the CEO perceives ransomware as an existential threat to the organization. To help address the CEO’s call to action, CAG’s Chief Information Officer (CIO) authorized the hiring of additional staff. You have just started in a new position at CAG as a Cybersecurity Vulnerability Analyst (CVA).

As you settle in for your first full week of work, your manager drops by for a chat. She tells you that the CIO put her in charge of CAG’s ransomware preparation project. Her background is in traditional IT, but she has heard about ransomware in the news. She also mentioned that a family member was recently impacted during a hospital stay in which medical staff could not access health records. She’s eager for you to get started to avoid a similar situation at CAG. Your first task is to provide some background questions to help your manager get up to speed. She has asked for your ideas by the end of the day.

 Choose one of the questions below. What would you communicate to your manager? 

· What are the top three items you think CAG should prioritize for implementation to mitigate ransomware attacks? 

· How would CAG know when a ransomware attack is underway or has already occurred? 

· What actions can CAG take to limit a ransomware attack? 

Textbook Reference

Grama, J. L. (2022). Legal and privacy issues in information security (3rd ed.). Jones and Bartlett. https://online.vitalsource.com/#/books/9781284231465

UnitI.pdf

CYB 4301, Cybersecurity and Crime 1

Course Learning Outcomes for Unit I

At the end of this unit, you should be able to:

1. Examine the relevance of cybersecurity to digital crimes.
   1.1 Describe concepts and terms associated with information security and privacy.
   1.2 Characterize the threats to information security and privacy.
   1.3 Explore mechanisms used to protect information security and privacy.

Required Unit Resources

Chapter 1: Information Security Overview (ULO 1.1, 1.2)
Chapter 2: Privacy Overview (ULO 1.3)

Unit Lesson

Lesson: Security and Privacy (ULO 1.1, 1.2, 1.3)

Security and Privacy

As you begin your career in cybersecurity, you will be faced with the tough challenges presented by securing networks and data while ensuring sensitive data remains protected and private. You will defend your network against actors seeking to breach the security mechanisms protecting your network and ultimately gain access to your organization’s sensitive data; thus it is imperative that you understand the fundamentals of security and privacy, and that is what this unit is about. By laying the groundwork of the basic principles surrounding security and privacy, you will be equipped to defend your network and data.

Chapter 1 of the textbook explains the importance and relevance of cybersecurity. Let’s start by defining some basic terminology. Grama (2022) defines information security as “to protect government, corporate, and individual information as a good business practice” (p. 4) and notes that legal statutes transform good business practices into mandatory business requirements. We have a good understanding of information security, but how does that relate to cybersecurity? Are the two not one and the same, with cybersecurity the modern re-branding of information security? Not at all. Cybersecurity is a subset of information security. For our purposes, cybersecurity can be defined as protecting the information and information systems we rely on every day in the modern world.

Consider how information technology has transformed every aspect of modern life, from the way we bank to the way we shop to the way we navigate. Critical infrastructure such as emergency response, financial systems, power generation, supply chains, transportation, and water delivery and purification are all reliant on an information technology infrastructure. We carry cellphones that are many times more powerful than the desktop and minicomputers that came before. We are surrounded by the Internet of Things (IoT), devices that surpassed the number of human beings on the planet in the past decade and are projected to exceed 29 billion in number by the close of this decade (Vailshery, 2022). We are part of a digital society supported by a multitude of information systems comprising a larger unifying network known as the Internet. These systems support our modern way of life, drive our economy, and sustain our civilization. They must be protected, and you are taking the first steps to join that effort. What an exciting and purposeful opportunity! But let’s not get too far ahead. We should begin at the beginning, by laying the groundwork to equip you for the task ahead.

UNIT I STUDY GUIDE

Security and Privacy


Models help us to understand concepts and relationships. A useful model in the field of cybersecurity is the Confidentiality, Integrity, and Availability (C-I-A) Triad. Confidentiality ensures that information is accessed only by authorized personnel with a validated purpose and need to know. Integrity ensures data is accurate and protects against unauthorized changes. Finally, availability means that information systems and data are reliably accessible when needed (Grama, 2022).

Note that privacy is a somewhat elusive concept to define because it exists apart from technology (Grama, 2022). Ask a friend how they think about privacy, and you might hear non-technical views like freedom from surveillance or the right to pursue happiness. But over the past few years, people have awakened to how data about them is used and sold. Technology plays a large part in that discussion and in how to exercise greater control over personal data. This could include mobile carriers and advertising companies reselling data about you, your shopping habits and choices, what you drive, how often you make calls and to whom, and even your movements in the physical world. For these reasons, cybersecurity professionals consider privacy as a subset of confidentiality. Lab 2: Creating a Privacy Impact Assessment will provide you the opportunity to assess privacy using a theory-based exercise.

You cannot effectively defend against what you do not understand, and the resources provided to you will be finite. That makes developing an understanding of the risks as a cybersecurity practitioner a fundamental requirement. What are the things you should be concerned about? As Grama (2022) observed, “Protecting information is not easy” (p. 24). Grama (2022) outlined multiple important and interrelated areas. First, you must know what threats are present and applicable to your organization, industry sector, and geopolitical area.
You must also have a good understanding of your environment, including routers, switches, firewalls, and intrusion detection systems; server, desktop, and mobile systems and devices; network connection points; and even the physical buildings and the people assigned. All these items have weaknesses which can be exploited by an adversary. Once you know the threats and the vulnerabilities in your environment, you can begin to address the specific risks involved. Dealing with risk involves a range of responses including acceptance, mitigation, and transfer.

For example, to deal with the threat of a data breach, you might consider a known weakness in a specific Microsoft Windows operating system (OS) that allows a remote attacker to gain root-level privilege on a workstation within your environment. Because you previously performed an IT Asset Inventory (the subject of Lab 1 in this unit), you realize that you have a certain number of workstations on a vulnerable version of the OS. Armed with this knowledge, you make a recommendation to your manager to patch the vulnerable systems.

The scenario described above is just a single attack vector. Adversaries may employ other techniques such as social engineering, a direct interaction with people to gain access they would not normally have. Another is phishing, an indirect interaction like spoofing an email message, to send an unsuspecting person to an attacker’s website or deliver a piece of malware, malicious logic (virus), or plant a backdoor for later access to your network. Consider how much easier it is for an attacker to be let in the front door as an invited guest than it is to break a door down and forcibly enter. The former allows the attacker to bypass network defenses and potentially raise little suspicion from security tools.
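The inventory-driven patch recommendation described above can be sketched in a few lines. This is an added example, not part of the course material: the hostnames, sites, build numbers, and the "first fixed build" thresholds are all constructed, and a real threshold would come from the vendor advisory for the weakness in question.

```python
import csv
import io
from collections import Counter

# Constructed sample inventory (hostnames, sites and builds are illustrative only).
INVENTORY_CSV = """hostname,site,os_name,os_build
ws-atl-001,Atlanta,Windows 10,10.0.19045.3803
ws-atl-002,Atlanta,Windows 10,10.0.19044.1288
ws-bhm-010,Birmingham,Windows 11,10.0.22621.2861
ws-bhm-011,Birmingham,Windows 11,10.0.22000.318
ws-jax-020,Jacksonville,Windows 10,unknown
"""

# Hypothetical "first fixed build" per OS, standing in for the value a vendor
# advisory would give; these are NOT taken from any real bulletin.
FIRST_FIXED_BUILD = {
    "Windows 10": (10, 0, 19045, 3000),
    "Windows 11": (10, 0, 22621, 2000),
}

def parse_build(text):
    """Turn '10.0.19045.3803' into a comparable tuple, or None if unparseable."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(inventory_csv, fixed=FIRST_FIXED_BUILD):
    """Classify each asset as 'patched', 'vulnerable' or 'review'."""
    # Simplification: one threshold per OS; older release branches count as vulnerable.
    results = {"patched": [], "vulnerable": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        build = parse_build(row["os_build"])
        threshold = fixed.get(row["os_name"])
        if build is None or threshold is None:
            status = "review"      # incomplete inventory data is itself a finding
        elif build < threshold:
            status = "vulnerable"
        else:
            status = "patched"
        results[status].append((row["site"], row["hostname"]))
    return results

def vulnerable_by_site(results):
    """Count vulnerable hosts per site for the patch recommendation."""
    return dict(Counter(site for site, _ in results["vulnerable"]))

if __name__ == "__main__":
    print(vulnerable_by_site(triage(INVENTORY_CSV)))
```

Hosts that land in the `review` bucket matter as much as the vulnerable ones: an asset whose version cannot be determined cannot be ruled out.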

Crowdstrike

Crowdstrike, a well-respected cybersecurity firm, can also provide useful insights for the defender through their annual Global Threat Report (GTR). The GTR is published in partnership with Gartner to summarize and attach analytical significance to Crowdstrike’s experience responding to cybersecurity incidents over the past calendar year. Significantly, Crowdstrike observed two important items related to this course. One of the four types of threat activity cataloged by Crowdstrike is financially motivated eCrime activity, representing a 5% growth from 2020. Crowdstrike also highlighted ransomware as the leading concern for activity in 2021, representing an 81% increase in data-related leaks for 2021 (Crowdstrike, 2022).

Crowdstrike’s findings underscore the many challenges cyber personnel must address. Not only is the adversary’s sophistication improving, but the financial incentive and effectiveness of ransomware attacks have attracted gangs, organized crime, and rogue nation states. Cyber criminals have discovered that sensitive and proprietary information (e.g., social security numbers, credit card transactions, bank account information, intellectual property) is valuable (Symantec, 2015). Denying access to information using strong encryption, in effect creating a locked box to which only the attacker has the key, provides the leverage that entices the victim to pay the ransom fee. Cyber criminals have found another way to ramp up the pressure on the victim: threatening to release sensitive and sometimes embarrassing information. When these tactics are combined with the short time limits on payment, the pressure is incredible.

With a good appreciation for the threats and concerns involved, what mechanisms can be used to protect information security and privacy? Defenders must justify recommended protections and garner the resources to implement risk-mitigating solutions. Fortunately, laws and regulations serve as a primary mechanism for organizations and practitioners. To be clear, laws and regulations are not optional, and violations carry severe penalties, imprisonment, and other repercussions. Thus, laws and regulations form the basis of security policies and will help you to establish compliance while providing a strong justification for your recommendations.

Conclusion

To ensure the security and privacy of the network, you must stay vigilant and informed. Threats are not static, but ever-changing. When one tactic is no longer effective, cyber criminals adapt. You must adapt, too. You should stay informed, learn from your industry peers, and leverage threat intelligence. When you hear about a new attack, you need to be able to understand how the attack works on both a conceptual and technical level, right down to the protocols, ports, and services the attack uses as an attack vector. You may not always have a patch available, but you can always take mitigating actions against the risk of an attack.

References

Crowdstrike. (2022). 2022 Global Threat Report. https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2022GTR.pdf

Grama, J. L. (2022). Legal and privacy issues in information security (3rd ed.). Jones and Bartlett. https://online.vitalsource.com/#/books/9781284231465

Symantec. (2015). Internet security report. https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347931_GA-internet-security-threat-reportvolume-20-2015-appendices.pdf

Vailshery, L. (2022, November 22). IoT connected devices worldwide 2019-2030 | Statista. Statista. https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/
