Advanced Persistent Threat by Paul Brager, Jr.
- (Fireeye) Anatomy of Advanced Persistent Threats. FireEye. Promotional content from the FireEye cybersecurity software company that describes advanced persistent threat (APT) attacks and links to a video illustrating how APTs work.
Application Risk Governance by Graeme Fleck
- (NIST 2017) Framework for Improving Critical Infrastructure Cybersecurity. NIST (2017). A set of voluntary industry standards and best practices designed to help organizations manage cybersecurity risks.
- (NIST 800) NIST 800 Publications. National Institute of Standards and Technology (NIST), US Department of Commerce, Computer Security Resource Center. A catalog of publications from the Computer Security Division and the Applied Cybersecurity Division of NIST.
- (OWASP 2014) OWASP - Open Web Application Security Project. OWASP (2014). OWASP is an independent open-source body that promotes best practices in software assurance. It is dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.
- (CERT) United States Computer Emergency Readiness Team (US-CERT). Best practice articles, knowledge, and tools from US-CERT, US Department of Homeland Security. A repository of best practices, articles, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software during each phase of its development.
- (ISACA 2015) DevOps Practitioner Considerations. ISACA (2015). PDF. ISACA is a centralized source of information and guidance in the growing field of auditing controls for computer systems. Registration required.
- (Jarzombek 2012) Software Assurance: Enabling Security and Resilience throughout the Software Lifecycle. Jarzombek, Joe (2012). PDF. Slide deck about software assurance and the need to build security in from the start.
- (CIS) CIS Controls. Center for Internet Security.
Audit by Terrie Diaz
- (Leader 2017) Audit cites town of Geneseo for lax cyber security. Leader, Matt (2017). Livingston County News.
Behavioral Monitoring by Holli Harrison
- (Zurkus 2015) User entity behavior analytics, next step in security visibility. Zurkus, Kacy (2015). CSO Online.
- (Moore 2016) Prepare for the Inevitable Security Incident. Moore, Susan (2016). Gartner.
Biometrics by Stephen Simchak
- (Koren 2015) About Those Fingerprints Stolen in the OPM Hack. Koren, Marina (2015). The Atlantic.
- (Koerner 2015) Inside the Cyberattack That Shocked the US Government. Koerner, Brendan (2016). Wired.
- (Peterson 2015) OPM says 5.6 million fingerprints stolen in cyberattack, five times as many as previously thought. Peterson, Andrea (2015). Washington Post.
Botnet by Tolu Onireti
- (Washington State) Botnet facts. Washington State Attorney General. An introduction to botnets, including practical advice on preventing infection and removing malware.
- (Symantec) Bots and Botnets - A growing threat. Symantec. An introduction to botnets and advice on protecting networks from infection.
- (Scoudis 2007) What are the best bot detection tools? Skoudis, Ed (2007). TechTarget Security. Introduction to anti-malware tools, with a discussion of signature-based and heuristic detection techniques.
- (Hilton 2016) Botnet in the news - Dyn Analysis summary of Friday October 21st attack. Hilton, Scott (2016). Dyn. Analysis of the Distributed Denial of Service (DDoS) attack sustained by the DNS infrastructure company Dyn.
- (Gheorghe 2016) Inside the Million-Machine Clickfraud Botnet. Gheorghe, Alexandra (2016). Bitdefender Labs. An introduction to malware and click fraud.
Buffer Overflow Attack by Shawn Connelly
- (Claburn 2017) Intel Management Engine pwned by buffer overflow. Claburn, Thomas (2017). The Register. Description of recently disclosed buffer overflow flaws in the firmware of the Intel Management Engine, the management controller embedded in Intel chipsets (not in the processor cores themselves), which could let an attacker run code beneath the operating system.
- (Newman 2018) Meltdown and Spectre Patching has been a Total Train Wreck. Newman, Lily Hay (2018). Wired. Report on the troubled rollout of patches for Meltdown and Spectre. Note that these are speculative-execution side-channel vulnerabilities in processor design rather than buffer overflows.
Business Continuity Plan by Dale Shulmistra
- (Olzak 2013) The elements of business continuity planning. Olzak, Tom (2013). TechRepublic. Guidance on business continuity planning, including advice on recovering from natural disasters and man-made disruptive events such as cyberattacks.
- (NIST 800-34) Contingency Planning Guide for Federal Information Systems. NIST SP 800-34. PDF. This US National Institute of Standards and Technology (NIST) document is designed to help organizations understand the purpose, process, and format of information system contingency planning through practical, real-world guidelines. It includes a glossary and acronym list.
CISO by Todd Fitzgerald
- (Fitzgerald 2007) CISO Leadership: Essential Principles for Success. Fitzgerald, Todd and Micki Krause, editors (2007). Auerbach Publications. Book. Describes practical, applicable, real-world skills for aspiring senior security executives.
- (Fitzgerald 2011) Information Security Governance Simplified: From the Boardroom to the Keyboard. Fitzgerald, Todd (2011). CRC Press. Book. Describes how to implement an information security program.
- (Cobit) COBIT 5 for Information Security. Information Systems Audit and Control Association (ISACA). Practical guidance for information security.
Confidentiality by Audrey Gendreau
- (GDPR) European Union Data Protection Regulations (EU GDPR). European Commission (2016). Summary of the European Union (EU) General Data Protection Regulation (GDPR). Link updated 5/16/2019.
- (COPPA) Children’s Online Privacy Protection Act (COPPA). US law; the implementing rule is codified at 16 CFR Part 312. Covers how websites and other online services must handle the collection of information from, and tracking of interactions with, children under 13 years old.
- (CA 2003) Personal Information Protection Rules. California Code, Civil Code - CIV 1798.83. California rules governing privacy policies and the handling of residents' personal information, intended to prevent unauthorized disclosure of their personally identifiable information to third parties.
- (House of Representatives report 2016) Executive Summary of Review of the Unauthorized Disclosures of Former National Security Agency Contractor Edward Snowden. US House of Representatives (2016). PDF. Unclassified Congressional report about the Snowden disclosures.
- (McCallister 2010) Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). McCallister, Erika, et al. (2010). NIST SP 800-122. PDF. Guidelines for taking a risk-based approach to protecting the confidentiality of personally identifiable information.
- (Snowden, Edward) Edward Snowden. Wikipedia. Biography and brief history of Edward Snowden.
Controls by Mark Sears
- (NIST 800-53) NIST SP 800-53 Full Control List. US National Institute of Standards and Technology (NIST). A complete list of the Risk Management Framework (RMF) security controls, showing the impact baselines (low, moderate, high) in which each control is included.
- (Scholl 2017) How can you apply Risk Management Framework (RMF) Security Controls to your business. Scholl, Frederick (2017). Chief Security Officer. Review of National Institute of Standards and Technology (NIST) standards and of recent improvements designed to align the specifications with private industry requirements.
Dark Web by Chris Vickery
- (Greenberg 2014) Hacker Lexicon: What is the Dark Web? Greenberg, Andy (2014). Wired. Introduction to the dark web.
- (Tigas 2016) A More Secure and Anonymous ProPublica Using Tor Hidden Services. Tigas, Mike (2016). ProPublica. Why and how ProPublica publishes via a Tor hidden service (onion service).
- (Bartlett 2015) How the mysterious dark net is going mainstream. Bartlett, Jamie (2015). TED. Video with transcript. Presentation about the dark web.
Data Leak by Dennis Leber
- (O’Brien 2017) Giant Equifax data breach: 143 million people could be affected. O’Brien, Sara Ashley (2017). CNN Tech.
- (O’Sullivan 2017) The RNC Files: Inside the Largest US Voter Data Leak. O’Sullivan, Dan (2017). UpGuard. Describes the exposure of personal information about 198 million US voters.
- (Fingas 2017) Data leak exposed millions of Time Warner Cable customers. Fingas, Jon (2017). Engadget.
- (Morabito 2017) Mystery Restaurant Accidentally Leaks Hilarious Notes About Its Guests. Morabito, Greg (2017). Eater.com. Link updated 5/16/2019.
- (Moneywatch 2017) HBO faces hacker threat: pay up, or suffer bigger data leak. CBS Moneywatch (2017). CBS/AP.
- (Barrett 2017) Breaking Down HBO’s Brutal Month of Hacks. Barrett, Brian (2017). Wired.
- (Schiffer 2017) Why it took more than a week to resolve the huge Verizon data leak. Schiffer, Alex (2017). Washington Post.
Encryption by John Armstrong
- (Ponemon 2017) 2017 Ponemon Cost of Data Breach Study. Ponemon Institute (2017). Research report. Registration required.
Endpoint Security by Michael Dombo
- (FedTech 2017) Why Agencies Need to Protect Their Endpoints, and Not Just Their Networks. FedTech Magazine (2017). Discussion of why endpoint security, and in particular protecting users of smartphones, tablets, and other mobile devices in the field, is critical to securing networks against attack.
- (Matteson 2017) Report: Companies are wasting massive amounts of money on ineffective security solutions. Matteson, Scott (2017). TechRepublic. Insights into the costs of insecure endpoints and strategies for protecting systems from cyber threats.
Firewall by Sarah Granger
- (Great Firewall of China) The Great Firewall of China. Comparitech. Online tool for checking whether a website (or other internet content) is reachable from within China.
General Data Protection Regulation (GDPR) by Regine Bonneau
- (EU GDPR) EU General Data Protection Regulation (GDPR) Portal. European Parliament regulation governing the processing of personal data.
- (EU GDPR News) Data protection reform - Parliament approves new rules fit for the digital era. European Parliament News. Press release. Data protection rules designed to give citizens back control of their personal data and create a high, uniform level of data protection across the European Union.
- (Wright 2017) Preparing for Compliance with the General Data Protection Regulation (GDPR): A Technology Guide for Security Practitioners. Wright, Benjamin (2017). SANS Institute (aka Escal Institute of Advanced Technologies). PDF.
- (Mediapro 2018) The GDPR Cheat Sheet for Cybersecurity Professionals. MediaPro (2018). PDF. Requirements for complying with the European Union General Data Protection Regulation (GDPR), including a discussion of the impacts on business. Registration required.
Hardening by Linda Maepa
- (Radichel 2014) Case Study: Critical Controls that Could Have Prevented Target Breach. Radichel, Teri (2014). SANS Institute. PDF. Case study of the 2013 Target data breach and the controls that could have prevented it.
- (Meyer 2016) How a Bunch of Hacked DVR Machines Took Down Twitter and Reddit. Meyer, Robinson (2016). The Atlantic. Describes how unhardened internet-connected devices (DVRs and cameras still using default credentials) were conscripted into a botnet that mounted a massive Distributed Denial of Service (DDoS) attack.
- (APTN News 2015) Hacker told F.B.I. he made plane fly sideways after cracking entertainment system. Barrera, Jorge (2015). APTN National News.
Identity Management by Evelyn de Souza
- (Rouse 2017) Identity management (ID management). Rouse, Margaret (2017). TechTarget. Discussion of the need for managing digital identities, with details about the technologies needed to support identity management.
- (Ogrysko 2017) In the wake of the cyber sprint, OMB to develop new consolidated identity management guidance. Ogrysko, Nicole (2017). Federal News Radio. Discussion of updated guidelines for US government agencies and contractors issued by the US National Institute of Standards and Technology (NIST), as well as details about the Trump administration’s attempt to roll back agency reporting requirements.
- (Grimes 2017) The best identity management advice right now. Grimes, Roger A. (2017). CSO Online. The history of identity management and practical advice on reducing risk. Registration required.
Incident Response Plan by M.K. Palmore
- (Cichonski 2012) Computer Security Incident Handling Guide (NIST SP 800-61 Revision 2). Cichonski, Paul, et al. (2012). National Institute of Standards and Technology (NIST). PDF. Guidelines from the Information Technology Laboratory (ITL) at NIST for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident.
- (Kral 2011) SANS Incident Handler's Handbook. Kral, Patrick (2011). SANS Institute (aka Escal Institute of Advanced Technologies). PDF. Provides the basic foundation for IT professionals and managers to create their own incident response policies, standards, and teams. Includes an incident handler’s checklist (template) designed to help ensure that each incident response step is followed during an incident.
- (US DHS 2009) Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability. US Dept. of Homeland Security (2009). PDF. Recommendations to help companies that operate industrial control systems prepare for and respond to a cybersecurity incident.
Insider Threat by Thomas Carey
- (US DHS 2016) Insider Threat Tip Card. US Dept. of Homeland Security (2016). PDF. Best practices for addressing organizational, behavioral, and technical security issues and mitigating insider threats.
- (Wallbank 2017) Businesses warned of insider cyber threat. Wallbank, Paul (2017). Financial Review. Discussion of insider threats and how financial gain, revenge, and the desire for recognition drive insiders to intentionally disclose sensitive or personal information or take malicious action against the organizations they work for.
- (Tynan 2011) IT admins gone wild: 5 rogues to watch out for. Tynan, Dan (2011). InfoWorld. Advice on how to detect rogue insiders and minimize the damage they can do.
- (Verizon 2017a) Data Breach Digest: Perspective is Reality. Verizon (2017). PDF. Statistics, metrics, and insight into the who, what, where, when, and how of data breaches and cybersecurity incidents. The case study titled "Partner Misuse - the Indignant Mole" is on page 24.
- (Disley 2001) Exclusive: Poo listed on ham ingredients. Disley, Jan (2001). Real-world example of an insider intentionally altering the content of a luncheon meat product label.
- (Papenfuss 2017) Washing Instructions On U.S.-Made Bag Apologize For ‘Idiot’ President. Papenfuss, Mary (2017). Huffington Post. Real-world example of an insider intentionally altering the care instructions label on a handbag.
Integrity by Daniel Ziesmer
- (NIST 800-12) NIST Special Publication 800-12: An Introduction to Information Security. National Institute of Standards and Technology (NIST) (1995, rev. 2017). US Department of Commerce. PDF. Introduction to information security principles that organizations can use to understand the needs of their systems.
- (Rode 2012) Data Integrity in an Era of EHRs, HIEs, and HIPAA: A Health Information Management Perspective. Rode, Dan (2012). US Office for Civil Rights, Health and Human Services, and National Institute of Standards and Technology conference. PDF. Presentation slide deck covering confidentiality, integrity, availability, interoperability, standards, and security requirements for healthcare information.
- (ISO 27000 Overview) ISO/IEC 27000:2018. Information technology — Security techniques — Information security management systems — Overview and vocabulary. ISO (2018). International management systems standards for information security, also known as the Information Security Management System (ISMS) family of standards.
Kill Chain by Simon Puleo
- (Sager 2014) Killing Advanced Threats in Their Tracks: An Intelligent Approach to Attack Prevention. Sager, Tony (2014). PDF. An overview of the steps in the kill chain, including how to detect unknown attacks by integrating intelligence into sensors and management consoles.
Metrics by Keyaan Williams
- (Chew 2008) NIST Performance Measurement Guide for Information Security (NIST SP 800-55 Revision 1). Chew, Elizabeth, et al. (2008). National Institute of Standards and Technology (NIST). PDF. A guide to developing metrics that measure the effectiveness of security controls.
- (Jordan 2017) The Evil of Vanity Metrics. Jordan, Chris (2017). Help Net Security. A critique discussing the need for technical and business metrics to determine the cost of preventing cybersecurity threats and the cost of analyzing and responding to security events.
- (Hubbard 2014) How to Measure Anything: Finding the Value of Intangibles in Business. Hubbard, Douglas W. (3rd ed. 2014). Wiley. Book. Discusses how to measure things often considered immeasurable, including customer satisfaction, organizational flexibility, technology risk, and technology return on investment.
- (Knaflic 2015) Storytelling with Data: A Data Visualization Guide for Business Professionals. Knaflic, Cole Nussbaumer (2015). Wiley. Book. Covers the fundamentals of data visualization and how to communicate effectively with data.
- (Tenable 2018) Using Security Metrics to Drive Action. Tenable Network Security (2018). Recommendations and best practices for communicating with business executives and board members about cybersecurity issues. Registration required.
Multi-factor Authentication by Dovell Bonnett
- (Bonnett 2016) Making Passwords Secure - Fixing the Weakest Link in Cybersecurity. Bonnett, Dovell (2016). Access Smart Media. Book. Debunks many of the myths of infallibility surrounding multi-factor authentication and other high-technology solutions in favor of a pragmatic approach to password management.
- (Stelmakowich 2017) Multi-factor authentication central to helping reduce data breaches: Ostertag. Stelmakowich, Angela (2017).
- (Pahuja 2017) No passwords please: The need of a strong authentication protocol in the digital age. Pahuja, Anupam (2017). Moneycontrol. Discusses the importance of strong authentication in preventing identity theft and fraud.
- (Lilliestam 2016) Practical IT Security for Everyone. Lilliestam, Emma (2016). YouTube. Video. Conference talk offering security measures that are easy to set up and use.
- (blackhat 2017) 2017 Black Hat Hacker Survey. Thycotic (2017). Survey of attendees at the 2017 Black Hat conference in Las Vegas.
- (Keeper 2017) Password Management Evaluation Guide for Businesses. Keeper Security, Inc. (2017). PDF.
Non-repudiation by John Falkl
- (Spacey 2016) 5 Examples of Non-repudiation. Spacey, John (2016). Simplicable Business Guide.
Payment Card Industry Data Security Standard (PCI DSS) by John Elliott
- (PCI-DSS standard) Payment Card Industry Security Standards Council. PCI Security Standards Council main website.
- (Visa PCI-DSS) Visa guidance on PCI DSS. Visa. Website with information on PCI DSS for merchants who accept Visa cards.
- (Mastercard PCI-DSS) Mastercard guidance on PCI DSS. Mastercard. Website with information on PCI DSS for merchants who accept Mastercard cards.
Penetration Testing by Clarence Cromwell
- (Pellerin 2016) The Pentagon Opened up to Hackers and Fixed Thousands of Bugs. Newman, Lily Hay (2017). Wired. Details about the U.S. Department of Defense bug-bounty program Hack the Pentagon, in which the department pays cash rewards to independent hackers who find and disclose software bugs and other vulnerabilities.
- (Steinberg 2017) Eight Myths Not to Believe About Penetration Testing. Steinberg, Joseph (2017). Practical advice on adopting and investing in penetration testing; the author dispels several myths about the practice.
- (Solomon 2016) Only do penetration tests if your security program is up to it, say experts. Solomon, Howard (2016). IT World Canada. Discussion of an organization’s cybersecurity maturity as a critical success factor in adopting penetration testing.
- (MacMillan 2017) The Penetration Tester Who Your Boss Hires to Hack Your Email. MacMillan, Thomas (2017). New York Magazine. An interview with a white-hat penetration tester.
Phishing by Jeffrey Rogers
- (Dearden 2017) Hackers target Irish energy networks amid fears of further cyber attacks on UK’s crucial infrastructure. Dearden, Lizzie (2017). The Independent. Report on a spear-phishing campaign that targeted senior engineers at Irish energy network operators.
- (Cofense 2016) 2016 Enterprise Phishing Susceptibility and Resiliency Report. Cofense (2016). Examines the factors that make phishing campaigns succeed and discusses how empowering employees to report suspected phishing affects susceptibility. A 2017 edition with similar findings is available at the same website.
- (InfoSec 2016) Top 9 Free Phishing Simulators. InfoSec Institute (2016). Describes several phishing simulators designed to help employees learn to detect phishing attacks.
- (PhishMe 2016) PhishMe Q1 2016 Malware Review. PhishMe (2016). PDF. Details malware trends recorded in the first quarter of 2016 and warns of dramatic increases in encrypting ransomware attacks.
- (Wombat 2018) 2018 State of the Phish. Wombat Security (2018). An analysis of data from simulated phishing attacks. Registration required.
- (Northcutt 2007) Spear Phishing. Northcutt, Stephen (2007). Security Laboratory: Methods of Attack Series.
Physical Access Control by Chris Wynn
- (Norman 2017) Electronic Access Control. Norman, Thomas L. (2nd ed. 2017). Butterworth-Heinemann. Book. Covers virtually every aspect of electronic alarm and access control systems, including the challenges of designing, installing, and maintaining them and how to overcome those challenges.
- (Fennelly 2016) Effective Physical Security. Fennelly, Lawrence J. (5th ed. 2016). Butterworth-Heinemann. Book. Covers the latest international standards for risk assessment and risk management, physical security planning, network systems infrastructure, and environmental design.
Policy by Rodney Richardson
- (Wikihow Procedures) How to Write Policies and Procedures for Your Business. WikiHow. High-level discussion of how to craft written policies and procedures and provide them in a format accessible to all employees.
- (PLAIN) Why Use Plain Language? US Government. The Plain Language Action and Information Network (PLAIN) is a group of federal employees from different agencies and specialties who support the use of clear communication in government writing.
Privacy by Jay Beta
- (Ingram 2018) Facebook says data leak hits 87 million users, widening privacy scandal. Ingram, David (2018). Reuters.
- (Rosinski 2018) Is Your Content Safe from Cybercriminals? Rosinski, David (2018). Astoria Software.
- (FTC 2017) Consumer Sentinel Network Data Book 2017: Reported Frauds and Losses by Age, Percentage Reporting a Fraud Loss and Median Loss by Age. US Federal Trade Commission (2017). Documents cases of fraud involving financial loss by age group, as reported to the FTC in 2017. The data can be viewed at the national level (e.g., median loss from online fraud by age group) and by state (e.g., median loss from online fraud by age group in Indiana).
- (Fletcher 2016) Cracking the Invulnerability Illusion: Stereotypes, Optimism Bias, and the Way Forward for Marketplace Scam Education. Fletcher, Emma and Rubens Pessanha (2016). Institute for Marketplace Trust, Better Business Bureau. PDF. An overview of consumer survey responses collected by the Better Business Bureau in 2016 showing that those most likely to fall victim to fraud tend to be younger and better educated.
Privilege by Emma Lilliestam
- (Rouse 2008) Principle of least privilege (POLP). Rouse, Margaret (2008). TechTarget. Discusses the principle of least privilege and its application to restricting the access rights of people, systems, software applications, and Internet of Things devices. Includes a video on managing privileged user access.
- (Seltzer 2013) Excess privilege makes companies and data insecure. Seltzer, Larry (2013). ZDNet. Research results showing that most companies do a poor job of managing user permissions and privileges on their computers and networks.
- (Prince 2015) Excessive User Privileges Challenges Enterprise Security: Survey. Prince, Brian (2015). SecurityWeek. Results from the Privilege Gone Wild 2 survey, in which 47 percent of employees said they had elevated privileges not necessary for their roles.
Ransomware by Dave Kartchner
- (WannaCry 2017) WannaCry ransomware attack. Wikipedia. Describes the May 2017 WannaCry ransomware attack, the alleged attackers, the response, and the affected organizations.
- (Symantec 2017) Internet Security Threat Report (2019). Symantec (2019). Link updated 5/16/2019: the original 2017 report is no longer available online, so this entry points to the latest edition. Discusses the latest trends in cybersecurity.
- (Symantec 2018) Internet Security Threat Report (2018). Symantec (2018). Report covering known cyberattacks during 2017. Includes useful statistics, infographics, and links to ancillary materials. Registration required.
- (Verizon 2018) 2018 Data Breach Investigations Report. Verizon (2018). PDF. Detailed analysis of more than 53,000 cybersecurity incidents from 2017, including 2,216 confirmed data breaches.
Regulation by Vanessa Harrison
- (CSO 2012) The security laws, regulations and guidelines directory. CSO Magazine (2012). An international compendium of security laws, regulations, and guidelines, with summaries and links to the full text of each.
Risk Register by Bob Trosper
- (Trosper 2016) Good Enough Risk Register – Template. Trosper, Bob (2016). Google Spreadsheet. Template for creating a risk register.
Sandboxing by Keirsten Brager
- (The Sandbox) Understanding the Sandbox Concept of Malware Identification. The Sandbox. Discusses the need for sandboxes: designated, separate, and restricted environments (or containers) with tight controls and permissions in which untrusted code can run without causing damage.
- (Levy 2016) 2016: Time for Security to Take its Head out of the “Sand” (box). Levy, Israel (2016). Infosecurity Magazine. Examines an alternative to sandboxing, the endpoint protection approach known as containerization, and discusses the pros and cons of virtual containers as a cybersecurity tool.
Security Awareness by Justin Orcutt
- (Knowbe) KnowBe4. Library of best practices, white papers, and free tools for those developing cybersecurity awareness training programs.
- (Sans 2017) SANS 2017 Security Awareness Report. SANS Institute (2017). PDF. Registration required.
- (Amoroso) NIST Framework Overview. Amoroso, Edward G. New York University Tandon School of Engineering. Video. An introduction to the NIST Cybersecurity Framework and to many practical aspects of modern cybersecurity, including awareness, compliance, assessments, and risk management. Registration required for the full course on Coursera.
- (Mediapro 2016) NIST Cybersecurity Framework Improves Security Awareness. MediaPro (2016). PDF. Registration required.
Security Fatigue by Mary Frances Theofanos
- (Theofanos 2016) Cybersecurity Fatigue Can Cause Computer Users to Feel Hopeless and Act Recklessly, New Study Suggests. Theofanos, Mary F. (2016). National Institute of Standards and Technology (NIST). Explores the concept of security fatigue and argues for raising awareness of its dangers and for helping to alleviate the fatigue users experience.
- (Stanton 2016) Security Fatigue. Stanton, Brian, et al. (2016). IEEE IT Professional, 18(5), pp. 26-32. PDF. Identifies the role security fatigue plays in security decisions and offers three suggestions for minimizing it.
Separation of Duties by Ron LaPedis
- (Pham 2017) How poor management helped an ABB employee steal $103 million. Pham, Sherisse (2017). CNN Money. Video. The story of how an employee of a major European company took advantage of lax oversight and controls and disappeared with $103 million of the firm’s money.
- (Gutierrez 2017) Probe of water district finds 'shocking' misuse of public assets. Gutierrez, Melody (2017). SFGate. Story of how a lack of oversight allegedly allowed employees to spend hundreds of thousands of dollars in public funds on personal purchases.
- (Sorkin 2002) 2 Top Tyco Executives Charged With $600 Million Fraud Scheme. Sorkin, Andrew Ross (2002). New York Times. Story of how executives at Tyco were indicted for allegedly misappropriating $600 million in company funds.
- (Simmerman 2016) Former Credit Union Manager, Kathryn Sue Simmerman, Sentenced To Six And A Half Years In Prison For Embezzlement. US Department of Justice (2016). Press release announcing the sentence.
- (Singleton 2012) What Every IT Auditor Should Know About Proper Segregation of Incompatible IT Activities. Singleton, Tommie W. (2012). ISACA Journal, Volume 6, 2012. Discusses the importance of separation of duties and suggests that a lack of separation makes it easier for malicious actors to perform misdeeds undetected.
Shadow Security by Iacovos Kirlappos
- (Kirlappos 2014) Learning from “Shadow Security”: Why understanding noncompliant behaviors provides the basis for effective security. Kirlappos, Iacovos, Simon Parkin, and M. Angela Sasse (2014). Workshop on Usable Security (USEC), San Diego, CA. PDF. Proceedings paper. doi:10.14722/usec.2014.23. Analysis of in-depth interviews with employees of multinational organizations about security noncompliance. Reveals instances in which employees created alternative "shadow security" mechanisms that let them complete their work and feel they were working securely despite not following official policies and procedures. Suggests that lessons learned from shadow security workarounds can be used to create more workable security solutions.
- (Kirlappos 2015) “Shadow Security” as a tool for the learning organization. Kirlappos, Iacovos, Simon Parkin, and M. Angela Sasse (2015). ACM SIGCAS Computers and Society, 45(1), pp. 29-37. PDF. doi:10.1145/2738210.2738216.
- (Jon L 2017) People: the unsung heroes of cyber security. Jon L. (2017). National Cyber Security Centre (UK). Video. Discusses the need to make cybersecurity people-centered in order to defeat cybercriminals, and argues that good user experience is what makes it easy for employees to comply with cybersecurity guidelines, rules, and regulations.
Situational Awareness by Danyetta Fleming Magana
- (Abrams 2017) Target to Pay $18.5 Million to 47 States in Security Breach SettlementAbrams, Rachel (2017). The New York Times. Details the $18.5 million settlement Target was ordered to pay as a result of a major data breach that exposed the names, credit card numbers, and other personal information about tens of millions of people in 2013. Includes details on the financial impact the breach had on the popular US-based retailer.
- (Kassner 2015) Anatomy of the Target data breach: Missed opportunities and lessons learnedKassner, Michael (2015). ZDNet. Examines how the Target data breach might have happened and what the retailer could have done to prevent the hack.
- (Stewart 2012) A Practical Guide to Situational AwarenessStewart, Scott (2012). WorldView. Discusses the basics of situational awareness and suggests how to help users develop a cybersecurity mindset (the “right level of awareness”) so they can spot threats and report them.
- (Jackson 2017) Why a Long-Term Data Strategy is Essential to Stopping Insider ThreatsJackson, William (2017). GovTech Works. Argues for a long-term strategy designed to safeguard personal and other sensitive information that strikes a good balance between access and cost.
Social Engineering by David Shipley
- (Beauceron) Social Engineering. Beauceron Security. Web page with resources and definitions related to social engineering.
- (Huffington Post 2017) MacEwan University defrauded of $11.8M in online phishing scam. Canadian Broadcasting Corporation (2017). Describes how a Canadian university was defrauded of $11.8 million after staffers fell prey to an online phishing scam.
- (Verizon 2016) 2016 Data Breach Investigations Report: Executive Summary. Verizon (2016). PDF. Detailed analysis of more than 100,000 cybersecurity incidents in 2015, including 2,260 confirmed data breaches in 82 countries.
- (Alperovitch 2016) Bears in the Midst: Intrusion into the Democratic National Committee. Alperovitch, Dmitri (2016). CrowdStrike. Analysis and findings identifying two separate Russian-intelligence-affiliated adversaries -- Cozy Bear and Fancy Bear -- present in the computer network of the US Democratic National Committee (DNC) in May 2016. Discusses details of the attacks and provides links to related articles on the subject.
Standards by Ulf Mattsson
- (ISO/IEC 27000) ISO/IEC 27000 family – Information security management systems. International Organization for Standardization (ISO) (2013). Home to the ISO/IEC 27000 family of standards, which provides a model for setting up and operating an information security management system.
- (CISQ) Consortium for IT Software Quality (CISQ). CISQ (2017). IT leadership group that develops international standards that enable IT and business leaders to measure the risk IT applications pose to the business, as well as estimate the cost of ownership.
- (SoGP) The ISF Standard of Good Practice for Information Security. Information Security Forum (2018). Executive summary of the standard and information about topics including threat intelligence, risk assessment, security architecture, and enterprise mobility management. Registration required. Updated 5/16/2019.
- (ISO 15408) Common Criteria. Home for the Common Criteria for Information Technology Security Evaluation and the companion Common Methodology for Information Technology Security Evaluation standards. Common Criteria standards are used to eliminate redundant evaluation activities, clarify terminology to reduce misunderstanding, and restructure and refocus evaluation activities on those areas where security assurance is gained.
- (FIPS) FIPS General Information. FIPS (2017). National Institute of Standards and Technology (NIST). Home of the US Federal Information Processing Standards; includes a variety of online resources, publications, and access to a keyword-searchable publication database.
Static Application Security Testing by Lucas von Stockhausen
- (BSIMM) BSIMM Framework: Building Security in Maturity Model. BSIMM. Details of 113 activities performed by mature security initiatives, organized into practice areas.
Threat Modeling by John Diamant
- (Simpson 2008) Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today. Simpson, Stacy, editor (2008). SafeCode. PDF.
- (Diamant 2011) Resilient Security Architecture: A Complementary Approach to Reducing Vulnerabilities. Diamant, John (2011). IEEE Security & Privacy. PDF. Article reprint expanding on the role of threat modeling/analysis. Note that this paper describes a threat analysis example that avoided more than 70 vulnerabilities; since this paper was published, further analysis has increased that number to more than 100. doi:10.1109/MSP.2011.88.
- (Diamant 2017) The New Attack Vector: Applications. Diamant, John and Jeff Misustin (2017). DXC Technology. PDF. White paper. Describes DXC CATA (Comprehensive Applications Threat Analysis), an example of a robust commercial threat modeling methodology delivered as a service.
Vulnerability Assessment by Jeff Schaffzin
- (ITBusinessEdge 2014) 10-Step Security and Vulnerability Assessment Plan. ITBusinessEdge (2014). Slide deck. Suggests that security and vulnerability assessments be performed against all information systems on a pre-determined, regularly scheduled basis. Recommends that third parties be retained periodically to ensure appropriate levels of coverage and oversight. (Source: Info-Tech Research Group.)
- (HIPAA) HIPAA Overview. US Department of Health and Human Services (2015). Answers general questions regarding the Standards for Privacy of Individually Identifiable Health Information and the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
- (PCI-DSS) PCI DSS (Payment Card Industry Data Security Standard) Compliance Overview. TechTarget (2017). Overview of policies and procedures developed to protect credit, debit, and cash card transactions and prevent the misuse of cardholders’ personal information.
- (General Data Protection Regulation) GDPR (EU General Data Protection Regulation). Frequently asked questions regarding GDPR.
Zero-day Vulnerability by James McQuiggan
- (BBC 2017) ‘NSA malware’ released by Shadow Brokers hacker group. BBC News (2017).
- (Sheth 2017) ‘The ultimate cyberweapon for espionage’: The ‘Petya’ cyberattack is exploiting a powerful NSA tool. Sheth, Sonam (2017). Business Insider. Discusses the Petya cyberattack, which exploited a powerful cyberweapon created by the US National Security Agency (NSA).