CyberWar, CyberTerror, CyberCrime: A Guide to the Role of Standards in an Environment of Change and Danger

Book Description

This book gives you a stark and timely analysis of the hostile online landscape that today's corporate systems inhabit, providing CIOs and IT professionals with a practical introduction to the defensive strategies that can be employed in response.

Table of Contents

  1. Copyright
  2. Preface
  3. About the Author
  4. Introduction
    1. Purpose and scope
    2. Motivation
    3. References
  5. 1. What Technology Giveth It Taketh Away
    1. From the printing press to the information age
      1. The printing press
      2. The new information age
    2. The ‘dark side of high tech’
    3. References
  6. 2. CyberAttack: It’s a Dangerous World for Information Systems
    1. Cyberwar
      1. A very short history of war
      2. What is cyberwar?
    2. Cyberterror
      1. Methods and tactics of cyberterrorists
    3. Cybercrime
    4. From cyberwar to cybercrime – get the ‘low hanging fruit’
    5. The blended threat
    6. The asymmetric effects of cyberattacks
    7. Porous perimeters, compromisable software – or both?
    8. If we know about the vulnerabilities, why are exploits still successful?
    9. References
  7. 3. The Human Factor: The Underrated Threat
    1. Are people the problem?
    2. Who are the attackers?
      1. Types of attackers
      2. Motivations for attack
    3. Most likely forms of attack
      1. Distributed Denial of Service (DDoS) attacks
      2. Domain Name Service (DNS) attacks
      3. Web defacements and semantic attacks
      4. Viruses, worms and Trojans
      5. Botnets
      6. Infrastructure attacks
      7. Compound attacks
    4. Sometimes it’s just human error
    5. People are also the solution!
  8. 4. Transition from an Environment of ‘FUD’ to a Standards-Based Environment
  9. 5. Establishing a Culture of CyberSecurity
    1. The foundation is in the organizational culture
    2. Using the cultural web for creating a culture of cybersecurity
    3. A culture of cybersecurity starts at the top
      1. Business strategy and cybersecurity – can they be aligned?
      2. Making cybersecurity a part of the process
      3. Instilling a sense of participation
    4. References
  10. 6. Increasing Internationalism: Governance, Laws, and Ethics
    1. Information globalism equals increased exposure
    2. Ubiquitous Interconnectivity = Globalized Vulnerabilities
    3. Following the lead of good governance
    4. The proliferation of laws
    5. Ethics in an information society and a minimum standard of due care in cybersecurity
    6. References
  11. 7. Standards: What Are They and Why Should We Care?
    1. What are standards?
    2. How are standards developed?
    3. The importance of terminology
    4. Standards-based process improvement
    5. Focus on consensus-based cybersecurity
    6. Standards provide a level playing-field for co-ordination and co-operation
    7. If standards are so good, then why is it so hard?
  12. 8. From CyberWar to CyberDefence: Applying Standards in an Environment of Change and Danger
    1. Moving beyond compliance and reaction
    2. A quick look at relevant standards
    3. Take four steps forward
      1. Step One: Plan
        1. One: Establish cybersecurity governance – think in boardroom terms
        2. Information Security Governance: Guidance for Boards of Directors and Executive Management.
        3. Two: Execute risk assessment – what is the tolerance for risk?
          1. 1. Identify Information System Characteristics
          2. 2. Identify Potential & Certain Threats
          3. 3. Identify Potential & Certain Vulnerabilities
          4. 4. Determine Likelihood
          5. 5. Identify Potential Business Impacts
          6. 6. Determine Unmitigated Risk
          7. 7. Identify Existing Controls and Countermeasures
          8. 8. Determine Residual Risk
          9. 9. Make Controls Recommendations
        4. Three: Develop cybersecurity strategy and plan – create a standards roadmap
        5. Four: Implement risk management
        6. Five: Identify security metrics and benchmarks – measures of success
          1. 1. Phase One: Identify Cybersecurity Metrics
          2. 2. Phase Two: Identify Efficiencies and Inefficiencies in the Cybersecurity Programme
          3. 3. Phase Three: Cybersecurity Metrics Programme Continuity
      2. Step Two: Do
        1. Six: Establish cybersecurity operations – from planning to execution
        2. Seven: Establish minimum essential cybersecurity practices – what are critical programme elements?
      3. Step Three: Check
        1. Eight: Collect and analyze metrics – is it just statistics?
        2. Nine: Determine compliance – more than just checking the box
        3. Ten: Evaluate performance against established standards – check the benchmark
      4. Step Four: Act
        1. Eleven: Sustain cybersecurity programme – it is not a one act play
        2. Twelve: Identify necessary improvements – moving towards a state of cybersecurity maturity
    4. The future is ‘ROSI’
    5. References
    6. Making the case for cybersecurity assurance
      1. Presenting the cybersecurity assurance case
      2. There is no such thing as ‘perfect’ assurance
      3. The future of cybersecurity assurance cases
    7. References
  13. 9. Conclusion: Where Do We Go From Here?
    1. Cybersecurity programme roadmap
  14. 1. Gap Analysis Areas of Interest
  15. 2. Standards Crosswalk
  16. Definitions
  17. Acronyms
  18. ITG Resources
    1. Other Websites
    2. Pocket Guides
    3. Toolkits
    4. Best Practice Reports
    5. Training and Consultancy
    6. Newsletter