Cyber Security
I will introduce the course and examine the importance of cyber security, a topic that has
become familiar to just about everyone in recent years. Hardly a day goes by without news
media reporting on the latest cyber attack, whether it's conducted by criminal or
government organizations. Cyber security is the name we give to the study of methods we
can use to reduce the likelihood of such attacks, however they originate and whatever their
motivation. This course is intended to introduce you to the basics of cyber security, what it
is, how we can define it, and how we can go about trying to improve the security properties
of organizations, as well as our personal lives. We will consider how we might formally
define cyber security in the next module. But, for the moment, we can think of it as trying
to address any threat deriving from our use of, and dependence on, information and
communications technology. If you think about it for a moment, this not only includes using
the smart phones, tablets, and desktop computers that we use for work, personal, business,
or leisure, but all the aspects of everyday life that depend on the use of information
technology. The pervasiveness of information technology means that cyber security issues
affect all Internet-connected systems and devices that we use. This includes vehicles for
private and public transport, the infrastructure delivering power and water into our homes,
and almost every aspect of our working lives, including the operation of factories, transport,
and offices worldwide. We depend on information and communications technologies in
almost every aspect of our lives, so cyber security has become a fundamental necessity for
us all. At the same time, we know that our information processing systems are vulnerable
to attack in a huge variety of ways. It is tempting to suggest that the Internet-connected
world is the problem, and we should reconsider how we engage with this highly
interconnected world. But, in the main, it's impossible to go back, and in reality, we almost
certainly don't want to. Modern information and communication technologies bring huge
benefits in increasing efficiency, enabling home working, and providing us with many
previously undreamt of forms of communication and interpersonal interaction. If we accept
that information and communications is here to stay, what are we going to do about the
major security threats we all face? In this course, we will introduce some of the techniques
that can be used to reduce these threats. It is important to realize that providing security is
not just about more and better technology. The ways in which this technology is used, and
the skills and knowledge of the people using it, is at least, if not more important. Ultimately,
it is all about people. If it wasn't for people, we wouldn't be using the technology that gives
rise to the cyber threat. Without involving these same people, we can't hope to achieve the
level of cyber security that we wish to have. Finally, we have to be aware that this is a war
we will never win. Technology evolves, and so does the cyber threat. We must continue to
develop our responses to the threats as they evolve to try to stay one step ahead, or at
least not fall too far behind.
Key ideas in the literature
There has been a huge amount written about cyber security, ranging from scholarly articles
looking at very specialised aspects of security technology to articles in the popular media
describing yet another successful cyber attack on a major company. Use your favourite
internet search tool to look for examples of recent cyber attacks on commercial
organisations. Can you see any trends? Make a note of these in your study journal. The
Information Commissioner’s Office in the UK was set up to help protect the information
privacy rights of UK citizens and is involved in helping to enforce data privacy law in the UK.
As part of its activities, it investigates potential breaches of privacy law. It provides public
reports of the investigations it conducts and of prosecutions made. Often privacy law
breaches arise because of poorly implemented cyber security, and so the work of the ICO
provides an interesting view of the current cyber security landscape.
Go to the ICO website and look at the information there on data security incident trends.
You may also be interested in looking at reports on specific cases, such as major legal
actions taken against Facebook and British Airways.
Governments and government agencies worldwide publish annual reports on the state of
cybersecurity, which you are recommended to read to gain a broader understanding of
current trends and issues in cyber security.
The UK Government Department for Digital, Culture, Media and Sport (DCMS) publishes a
well-respected annual survey of cyber security breaches. The 2021 survey is available at:
Department for Digital, Culture, Media & Sport ‘Cyber security breaches survey
2021’, GOV.UK (2021).
In 2022 the UK National Cyber Security Centre (NCSC) published a review of the UK cyber
security industry – it is available here:
Department for Digital, Culture, Media & Sport ‘Cyber security sectoral analysis
2022’, GOV.UK (2022).
If these links are broken, please let us know via the Student Portal.
What do you want from this course?
Cyber security is undoubtedly a subject of importance to almost all of us. Unless we live
completely off-grid, producing our own food and not relying on basic services such as mains
water, drainage, and electricity, we are at risk of a cyber attack. We therefore all need to
have some basic awareness of cyber risks, so that we can reduce the chances that we are
mistakenly victims of such an attack.
More than this, there is an ever-increasing need for cyber security expertise in commerce and
industry. Very few jobs today don’t involve interacting with the cyber world in some way,
and knowledge and understanding of cyber security issues may very well enhance your
chances of getting a new position, as well as enabling you to do your current job more
effectively and with less risk.
What level of knowledge are you looking to gain from this course? Do you want to learn
more about cyber security for your career – if so, perhaps you might be interested in
studying further online?
Take a few minutes to express in the discussion forum what you hope to gain from this
course, and take the opportunity to engage with your fellow students.
We probably all have experience of how serious the impact of the loss of cyber security can
be. Perhaps you or a close friend have been the victim of identity fraud, or you've fallen
victim to a phishing attack, or maybe you just clicked on a link in an email and found your
computer infected with malicious software. Such sad events are commonplace and can be
serious for an individual. However, when it happens to a large organization which is not
well-protected, the results can be truly devastating, for example, resulting in loss of
business and possible huge fines by regulators. Of course, fraud by criminals is hardly a new
thing, and many cyber attacks use the same kinds of techniques as more traditional fraud.
In a way, there is little difference between deception through a phone call and deception in
an email or other electronic message. A large part of ensuring cyber security, both for an
individual and for an organization, involves many of the same approaches that we use to try
to reduce the risk of conventional fraud, including education and the raising of awareness.
Nonetheless, there are also important differences. There are a wide range of technical tools
that can be used to reduce risk and increase resilience to attack. It's also important to be
aware that cyber security must address a number of different types of threat actor,
including criminals, organized crime, activists of various types, and nation-states. The old
days when the most common threat was merely from curious computer experts wanting to
show off their capabilities are long behind us. While the techniques used to conduct attacks
may be very similar regardless of the actor, the motivations are likely to be very different.
Hence, understanding what assets are most at risk requires thinking about the reasons for,
and objectives of, a possible attack.
For example, criminals may well focus on valuable information assets, for example, large
sets of personal data that can be used for further criminal activities, such as fraudulent
payments, identity theft, and so on. Criminals may also seek to hold companies to ransom
by encrypting valuable corporate data and then withholding the means to decrypt the data
until the ransom is paid. A further possibility would be to blackmail an organization which
has suffered a security breach by threatening to reveal the breach to the media. Of course,
this would only be an issue in a case where the organization wishes to keep the breach
secret to prevent embarrassment. Hostile nation-states are likely to target somewhat
different aspects of information processing. There are many well-publicized cases where
so-called cyber warfare has accompanied physical warfare. Cyber warfare typically focuses on
the denial of legitimate access to information and communications resources, with the
goals of crippling the operation of organizations and governments. Political activists may
have rather different targets, such as organizations conducting activities of which they
disapprove. In this case, they're likely to either disrupt operations, deny access, or try to
gain access to sensitive information, which they can then release to embarrass the
organization. We can learn a lot about current trends in cyber security and the underlying
cyber threat from the popular media. While attacked organizations are often reluctant to
reveal full details of what has been compromised and how, the broad-brush details of the
goals of the attack are likely to be made public. By looking at reported events over a period,
you can begin to get an idea of the typical goals of cyber attacks. This leads naturally to
thinking about how cyber attacks are conducted. Typical sources of cyber threats include
weaknesses in technology, implementation, design and configuration issues, as well as our
own vulnerabilities as human beings. As we've just discussed, many cyber attacks exploit
the same human frailties that non-IT frauds exploit, including our willingness to trust
superficially reliable information, such as the source of an email, and the fact that when
under pressure, we often make decisions without being as careful as we might be. When a
single click on a link in a fraudulent yet apparently genuine email can bring disaster, it is
hardly surprising that cyber attacks are so commonplace. It's also important to think about
the sorts of damage a cyber attack causes. In general, and we will discuss this further in the
next lesson, there are three main types of damage that can be caused. Of course, in some
cases, attacks can cause damage of more than one type. Stop the video for a moment and
take a few minutes to think about the types of damage that can be caused by a cyber
attack.
Welcome back. A wide range of damage can be caused. I next want to explore three general
categories. First, a cyber attack can cause loss of availability of data and systems, either
temporarily or permanently. This could occur in a wide variety of ways. For example,
malicious software could be deployed, which either overwrites data or software or causes
hardware to stop functioning, for example, by preventing a computer from rebooting.
Alternatively, distributed denial of service attacks are very common. These are where very
large numbers of requests are sent to a server which cause it to become unavailable while it
tries to deal with these requests. Second, an attack could result in the loss of confidentiality
of important data, including personal data. Again, such attacks can come about in a wide
variety of ways, including via vulnerabilities in software and human error, for example,
resulting from a phishing attack. Third and perhaps least obviously, an attack can give rise to
a loss of integrity of information with the effect that important corporate or personal data
are modified in an unauthorized way. As a result, information critical to the operation of an
organization will no longer be reliable.
The final part of the cyber security big picture, and perhaps the most important part, is
what we do to prevent these attacks and hence minimize the risk that the damage occurs.
In an organizational context, measures that are put in place to enhance cyber security are
commonly referred to as security controls. There are many different types of security
control. Controls include both the technical, such as installing firewalls at gateways to
computer networks, using encryption to protect data in transit or when stored, or setting
up individual user accounts and passwords, and the procedural, such as having defined
vetting requirements for staff recruitment, requiring certain key tasks to be logged, and
using internal and external audits to monitor the effectiveness of other controls. We often
refer to the set of all the systems, procedures, and processes we set up to provide security
as the Information Security Management System, or ISMS. One key, almost universally
agreed principle is that the selection of security controls within the ISMS should be
based on a risk assessment, that is a detailed understanding of the risks that an
organization faces and their significance. This then enables security controls to be selected
and implemented in a rational way, meaning that the always-limited resources are used to
address the most significant risks. Finally, and this is a key issue, do you think it is possible
to be absolutely secure so that no attacks are possible? That is, if you have an unlimited
budget, can you prevent all attacks? Clearly, that would be ideal. Stop the video for a
moment and take a few minutes to think about this question.
Hello again. It is absolutely key to realize that achieving 100 per cent security is
impossible. Even the best-run organizations with the largest security budgets will suffer
security breaches. Using risk management language, the security controls we implement
will reduce security risks, but some residual level of risk will remain. That is, in the words
of the proverb, to err is human. We cannot eliminate errors; we can only minimize the
impact of an error. This can at least partly be achieved by the notion of defence in depth,
where two or more layers of protection are applied so that even if one fails, a serious
breach can be avoided. The other key conclusion is that we need to monitor what's going
on so that if a breach does occur, we can detect it early and rectify the problem. It goes
without saying that this is all easier said than done. We will return to all these themes later
in this course.
Goals of security
As was discussed in the previous lesson, cyber security is the name we give to the study of
methods we can use to reduce the likelihood of cyber attacks, however they originate and
whatever their motivation. Cyber attacks are directed at damaging information assets, i.e.
information and information processing resources. Again as we described in the first lesson,
this damage can take three main forms: unauthorized disclosure of data, unauthorized
modification of data, and loss of availability of data or data processing resources. In this
lesson, we turn our attention to trying to capture the goals of cyber security. Before
proceeding further, it's worth exploring a little more the notions of attacks and attackers.
Cyber security is typically concerned with addressing damage to information assets arising
from malicious behavior rather than from other causes such as accidents, natural disasters,
etc. This is why we refer to cyber attacks, i.e. acts carried out by malicious parties with the
goal of causing some damage to information assets. Of course, the borderline between
deliberate and accidental damage is sometimes a little fuzzy. The measures we need to put
in place to mitigate threats often address both. An obvious example is the use of backups of
data to protect against both deliberate or accidental deletion of, or damage to, data. Our
discussion of the types of damage that can be caused raises an important question. Since
we refer to unauthorized access to data, what do we mean by authorized? For an individual,
this is clear. We will have our own purposes for storing and processing data. Typically these
don't need to be formally specified; we will know what we want to happen to the data.
However, at least in an organization of any size, the notion of authorisation needs to be
made more formal. We conventionally say that actions are authorized if they're in
accordance with the security policy in force, i.e. the agreed set of rules governing security
for that organization. Please stop the video for a moment and think about how such a
security policy might be expressed.
An organization will typically have a high level security policy, signed by a member of the
senior management team, setting out the overall rules and principles governing cyber
security for the organization. This relatively brief document should be accessible to
everyone in the organization. Beneath this, there will typically be a number of more
detailed policies setting out rules for handling various aspects of how cyber security is
managed within the organization. Of course, the very detailed implications of policies
should be reflected in the configuration of computer systems, such as the access control
settings for data. As a result, we could define the goal of cyber security as being to do
whatever possible to ensure that the security policies of the organization are maintained.
Of course, this is a rather abstract and high level definition. To make things more specific,
we need to think about the threats to the correct application of our security policies. This
then leads naturally to the subject of risk management, briefly mentioned in the previous
module. Risk management involves understanding the value of the assets we wish to
protect, and the magnitude of the various threats these assets face. The process of
cataloging these risks and understanding their seriousness is known as risk assessment, a
key part of risk management. Risk assessment enables prioritization so that an organization
can make informed choices about how to spend an inevitably limited security budget on
security controls. Please stop the video again for a moment or two and think about how you
might decide which risks should be given the highest priority.
There are two aspects of a risk that need to be assessed. Firstly, how likely is the risk to
occur? Some risks, such as the risk of a user clicking on a link in a phishing email and
thereby causing damage are likely to be high. Other risks, such as a terrorist incident
causing damage to systems are, we might hope, much lower. All else being equal, we
should prioritize those risks which are more likely to occur. However, all else is not equal.
It's necessary to consider the amount of damage that can be caused if a risk is realized. This
could, for example, be quantified in financial terms or simply rated qualitatively, e.g., high,
medium, or low. That is, risks with higher impact are clearly higher priority than those with
a lower impact. Thus we need to combine both aspects of a risk in order to obtain an overall
assessment of its seriousness. This notion of risk assessment and the use of this assessment
to help the selection of security controls, suggests another, more practice-focused
definition for the goal of cybersecurity. That is, the goal is to select an appropriate set of
security controls to minimize the risks facing our information assets.
However we choose to define our goals, it's important to appreciate that managing
cybersecurity is a job that never ends. New threats and risks are constantly emerging, both
because of newly devised methods of attack and newly discovered vulnerabilities in existing
systems, and because our systems change and evolve over time. We cannot afford to relax
if we wish to maintain our cyber security goals. This means we need to continuously
monitor both the effectiveness of our security controls in preventing security breaches and
the changing security landscape and update our risk assessment and our security controls
as appropriate. This monitoring includes a range of types of auditing, ranging from formal
paper-based audits to penetration tests, where authorized security experts attempt to
breach cyber security using the methods employed by hackers.
Addressing threats
Providing cyber security involves implementing security controls to prevent damage to
information assets. In this video I describe how security controls can address the wide range
of cyber threats we all face.
As briefly mentioned at the beginning of this lesson, security controls should be chosen to
address the risks identified as being most serious in a risk assessment.
Part of conducting a risk assessment involves cataloging all the security risks that threaten
the information assets.
This catalog of risks is often referred to as a risk register and once the risk assessment is
complete, each of the risks in the risk register will have an associated estimation of its
seriousness.
Having identified the risks and prioritized them, it's necessary to decide how to treat them,
i.e. to do something about them.
There are four main ways to approach a risk. First and perhaps most obviously we can
implement security controls to try to reduce the level of risk; this is called risk modification.
We also often talk about mitigation of risks when we're implementing ways of reducing
them.
For example, if the risk is that sensitive data in a database will be disclosed to unauthorized
parties, we could decide to keep all the data encrypted to make it unreadable even if it falls
into the wrong hands.
Another approach which could be used in combination with encryption is that we could
require all users accessing the sensitive data to be authenticated using both a password and
a security token,
an example of dual-factor authentication where the identity of a user is verified in two
independent ways.
Implementing both of these example controls would be an example of defense in depth, i.e.
where multiple controls are put in place to ensure that even if one is breached, the cyber
security goals are upheld.
Second, for some risks a decision can be made to live with the risk in unmodified form; this
is known as risk acceptance.
For example the asset at risk may be of low value so that the impact of the risk being
realized is small or the likelihood of the risk is very small.
If the cost of implementing a security control to reduce the risk is greater than the cost of
damage if the risk occurs then it's unlikely it will be worth the bother. Before proceeding,
pause the video for a moment and see if you can think of two more ways in which we can
deal with an identified risk.
The other two possibilities come to mind less immediately.
A third possibility is risk sharing, where one or more 3rd parties bear some of the risk.
This could, for example, involve an insurance policy where an organization pays an annual
fee to an insurance company who will reimburse the organization if the risk is realized. We
use this approach in our everyday lives to share serious risks, e.g. by taking out insurance in
case our house burns down or we're involved in a car accident.
Another approach would be to subcontract some operations to a 3rd party such as a cloud
provider, and, depending on the contract, the cloud provider may have to pay
compensation if, for example, the level of service is below the agreed level, which might
occur because of a cyber-attack.
The final possibility is known as risk avoidance.
In this case it may be decided that the risk is significant, but yet the value of the asset to the
organization is not high.
In such a case, the organization could decide to stop engaging in the activity that bears the
risk.
For example, if the risk relates to a database of personal data and the legal penalties for
security breaches to this database are high, but yet the value to the organization is small,
then the organization could decide to delete the database altogether.
It's important to note that this is different to risk modification where the risk still exists but
has been reduced. In the case of risk avoidance, the risk disappears altogether.
Whatever approach is taken after the risk treatment decision, there will still be a residual
risk, i.e. the burden of risk that remains after the treatment has been applied.
Of course, if risk avoidance is adopted, this residual risk will be zero, but otherwise, there
will still be some positive level of risk.
No security control is perfect,
so after risk modification, a level of risk will remain, albeit hopefully smaller than before
implementing the control.
Similarly, if the risk is shared, then some level of risk will remain, for example that the 3rd
party with whom the risk is being shared, defaults on their obligations.
This residual risk will need to be made explicit and formally accepted by the responsible
person.
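The two ideas above, prioritising risks by combining likelihood with impact (the risk assessment step described earlier) and then choosing one of the four treatments and recording the residual risk, can be made concrete with a small risk register. The following is an added illustration, not course material: the numeric scale behind the high/medium/low ratings, the assumption that each independent control halves the remaining risk, the share that a third party is assumed to bear, and the sample risks themselves are all constructed for the example.

```python
"""Risk register worked example: score each risk from its likelihood and impact,
prioritise, apply one of the four treatments and record the residual risk.
Added illustration, not course material: the scales, reduction factors and
sample risks are constructed assumptions."""
from dataclasses import dataclass, field
from enum import Enum

# Qualitative high/medium/low ratings mapped to numbers so that likelihood
# and impact can be combined into one priority score (assumed scale).
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Constructed assumptions about how much risk each treatment leaves behind.
CONTROL_RETAINED = 0.5   # each independent control halves the remaining risk
SHARE_RETAINED = 0.5     # the third party is assumed to bear half the risk


class Treatment(Enum):
    MODIFY = "modify"  # implement controls to reduce the risk
    ACCEPT = "accept"  # live with the risk unchanged
    SHARE = "share"    # insurance or contract moves part of the risk elsewhere
    AVOID = "avoid"    # stop the risky activity; the risk disappears


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    treatment: Treatment = Treatment.ACCEPT
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        # Both aspects matter: a likely, high-impact risk scores highest.
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def residual_score(self) -> float:
        score = float(self.inherent_score())
        if self.treatment is Treatment.AVOID:
            return 0.0                      # only avoidance removes the risk entirely
        if self.treatment is Treatment.MODIFY:
            # Layered controls (defence in depth) compound: two controls leave a quarter.
            return score * CONTROL_RETAINED ** len(self.controls)
        if self.treatment is Treatment.SHARE:
            return score * SHARE_RETAINED   # the sharing partner may still default
        return score                        # accepted: unchanged


# Constructed sample register in the spirit of the lecture's examples.
SAMPLE_RISKS = [
    Risk("phishing click", "high", "medium", Treatment.MODIFY,
         ["awareness training", "mail filtering"]),
    Risk("customer database disclosure", "medium", "high", Treatment.MODIFY,
         ["encryption at rest", "two-factor authentication"]),
    Risk("legacy personal-data archive", "medium", "high", Treatment.AVOID),
    Risk("terrorist incident", "low", "high", Treatment.ACCEPT),
    Risk("cloud provider outage", "low", "high", Treatment.SHARE),
    Risk("test server defacement", "medium", "low", Treatment.ACCEPT),
]


def prioritise(risks):
    """Order the register by inherent score, highest first (stable for ties)."""
    return sorted(risks, key=lambda r: r.inherent_score(), reverse=True)


def residual_register(risks):
    """Name -> residual score after the chosen treatment."""
    return {r.name: r.residual_score() for r in risks}


def needs_formal_acceptance(risks):
    """Risks that still carry residual risk must be signed off by the risk owner."""
    return [r.name for r in risks if r.residual_score() > 0]


if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        print(f"{r.name:32} inherent={r.inherent_score()} "
              f"{r.treatment.value:7} residual={r.residual_score():.2f}")
    print("Residual risks to sign off:", needs_formal_acceptance(SAMPLE_RISKS))
```

Running the script lists the register in priority order and then the names of every risk that still carries a non-zero residual score; only the avoided risk drops off that list, which is exactly the point made above about residual risk needing explicit acceptance.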
There are many ways to modify risks, that is, there are many types of security controls.
In the last lesson in this module, we'll look in greater detail at a range of types of security
control.
For the moment, we'll just observe that there are two main categories of security control,
namely preventive controls and reactive controls.
Preventive controls are probably the ones we think of first.
These are measures designed to prevent cyber security breaches or at least make them
less likely to occur.
For example: using a password manager enables us to set up a unique, strong password for
every website we engage with, thereby reducing the risk of password compromise and
unauthorized access to our resources; setting up our phone or tablet so that after a short
period of inactivity it will require unlocking; using a fingerprint scan or facial recognition
reduces the risks arising from a lost or stolen device; and performing regular backups
protects against the case where data is deliberately or accidentally corrupted or deleted.
Reactive controls are perhaps a little less obvious.
Such controls are designed to deal with the situation after a security breach has occurred.
There are many types of reactive controls, such as intrusion detection systems that are
designed to detect unauthorized activity within a system.
A network intrusion detection system will monitor network traffic to look for unusual
patterns which may indicate an ongoing attack, and a host intrusion detection system will
look for unusual behavior within a system.
Incident management systems enable users to report possible cyber security breaches and
for them to be handled in a timely and organized way with key actions logged for later
auditing and learning of lessons.
Predefined reporting procedures enable an organization to make a coherent response to an
incident, including notifying regulatory and law enforcement bodies in a timely and
appropriate way.
The exact nature of the reporting required will depend on the nature of the breach. Stop
the video again to think about which types of control are more important: preventive or
reactive? Also, if we do a good enough job by implementing enough preventive controls, do
we need to bother with reactive controls because cyber security breaches will never occur?
The simple answer to the first question is that both are vital. Of course we need to try to
prevent security breaches, but in an organization it's also vital to be able to detect security
breaches when they occur so that problems can be rectified.
An undetected breach can lead to long-term compromise for an organization, with secret
information being stolen over a long period of time.
For the second question, the answer is that, as briefly discussed in the first lesson, 100%
security is not possible. No matter how much resource is invested in preventive security
controls, security breaches will occur.
Of course, we want to try to minimize the number and seriousness of breaches, but we
need to be prepared for them. Thus we cannot only invest in preventive controls.
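To make the idea of a reactive control concrete, here is a small host intrusion detection style check of the kind described above: it reads login log lines, watches for a burst of failed logins from one source within a short window, and separately flags a successful login that immediately follows such a burst, since that is the case where a breach may already have occurred and needs incident handling. This is an added example, not course material: the sshd-style log lines are constructed (documentation-range IP addresses), and the five-failure threshold and one-minute window are assumed tuning values.

```python
"""Reactive control worked example: a small host-based detector that reads
login log lines and raises alerts for a burst of failed logins from one source
and for a successful login that immediately follows such a burst.
Added illustration, not course material: the log lines are constructed and the
threshold and window are assumed tuning values."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern for the sshd-style lines used in the constructed sample below.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample log: one burst of failures then a success from 203.0.113.5,
# and an ordinary mistyped-then-correct password from 198.51.100.7.
SAMPLE_LOG = """\
Jan 10 12:00:01 host1 sshd[201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jan 10 12:00:03 host1 sshd[202]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jan 10 12:00:04 host1 sshd[203]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 10 12:00:06 host1 sshd[204]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jan 10 12:00:08 host1 sshd[205]: Failed password for root from 203.0.113.5 port 40005 ssh2
Jan 10 12:00:09 host1 sshd[206]: Accepted password for root from 203.0.113.5 port 40006 ssh2
Jan 10 12:05:00 host1 sshd[207]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Jan 10 12:05:10 host1 sshd[208]: Accepted password for alice from 198.51.100.7 port 50002 ssh2
"""


def parse_line(line):
    """Return a dict with ts/outcome/user/ip, or None for lines we do not handle."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Syslog timestamps carry no year; relative ordering is all we need here.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def detect(lines, threshold=5, window=timedelta(minutes=1)):
    """Return alerts as (kind, source_ip, detail) tuples, in log order."""
    alerts = []
    recent_failures = defaultdict(list)  # source ip -> failure timestamps in window
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = recent_failures[ev["ip"]]
        # Forget failures older than the window before counting this event.
        recent[:] = [t for t in recent if ev["ts"] - t <= window]
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) == threshold:      # alert once per burst, not per line
                alerts.append(("brute_force", ev["ip"],
                               f"{threshold} failures within {window}"))
        else:
            if len(recent) >= threshold:      # success right after a burst: escalate
                alerts.append(("success_after_failures", ev["ip"], ev["user"]))
            recent.clear()                    # a success ends the burst
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample the detector raises two alerts, both for 203.0.113.5: the burst itself and the subsequent successful root login; alice's single failure followed by a success raises nothing. The two alert kinds map onto the incident-management point above: the first is something to watch, the second is something to report and act on.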
In our first class, we introduced the mind-map of cybersecurity to give everyone a sense of
the breadth of specializations in the field of cybersecurity. In this lecture, we're going to
focus on the first topic, the fundamental goals of cybersecurity. Ultimately, all of the efforts
that you see mapped out on the mind-map diagram are working towards the same general
goals, which are referred to as the CIA Triad. CIA stands for Confidentiality, Integrity,
and Availability, and in this lesson, we'll review each of these concepts and how they each
play a guiding role in the design of an effective cyber-security strategy. Our first goal is
confidentiality, which means preserving restrictions on information disclosure so that
access is limited only to authorized users and services. We only want the people who are
authorized to see certain information to have access to it. For example, personal
health information, sometimes referred to as PHI, and personally identifiable
information, sometimes referred to as PII (things like social security numbers,
birthdays, addresses and other identifying details), as well as
various types of sensitive government or classified information, are all concerned with
maintaining the confidentiality of sensitive data. All those various forms of data are
sensitive for different reasons, and, therefore, the confidentiality of that information is of
primary importance. Many of these categories of sensitive information are the result of
extensive regulation, which we are going to cover in an additional lecture coming up. The
second goal of the triad is integrity, which addresses the concern that sensitive data has
not been modified or deleted in an unauthorized or undetected manner, so databases are
a good example here. Databases are a key technology that our hyper-connected world
depends on, and tampering with database information for fun or for profit has been a
common attack technique for decades. It's also common for integrity issues to arise by
mistake, which leads to principles concerned with not over-scoping access levels or
privilege levels, not letting users be administrators because then they could delete and
change and modify files however they see fit. The final goal is availability, which addresses
ensuring timely and reliable access to and the use of information. We all know that today's
world runs on interconnecting technology, yet most people are unaware of how that
interconnectivity actually works. This isn't any different from other
technologies that we have come to depend on, for example, electricity or clean tap water.
However, the Internet is able to function as a result of numerous underlying protocols that
have to work in tandem with each other. When availability issues arise in those underlying
technologies, it can be equally as disruptive as a business system or a website just being
taken offline. That is an overview of the CIA Triad as it is traditionally drawn. However, with
the rise of IoT or Internet of Things devices, the CIA Triad has begun to be modified in
popular representations as a CIAS triad. So the three original goals are still just as important
when it comes to technologies like smart TVs, doorbell cameras, Internet-enabled baby
monitors and toys, things like that. However, many IoT devices control machinery or
manufacturing equipment. So when issues arise with these new technologies, there is a
distinct and very real concern for human safety, and safety addresses reducing risks
associated with embedded technologies or IoT technologies that could fail or somehow be
manipulated by nefarious actors. Some industries and some use cases are going to be more
concerned with certain aspects of confidentiality, integrity, availability and/or safety.
However, there is a significant amount of overlap between all of them.
When we think back to the mind-map of cybersecurity that we talked about in our very first
lecture, it becomes clear that aligning these overarching goals across that dizzying number
of specialized activities and technologies in the landscape of cybersecurity is going to be
critically important if we have any shot at reaching the goals we originally set out for.
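The integrity goal discussed above turns on the word "undetected": a record that can be altered or removed without anyone noticing is the real failure, and an unkeyed checksum stored next to the row does not help, because whoever can write the row can rewrite the checksum. The following Python example is added here and is not part of the lecture. It shows one standard way to make unauthorized modification and deletion detectable: a keyed HMAC tag per record, and a chained tag across a sequence of records so that deleting or reordering one entry breaks verification. The patient record, the key, and the function names are constructed for this example; in practice the key would be held by the integrity-checking service (in a KMS or HSM), not by the database administrators.

```python
import hashlib
import hmac
import json

# Constructed sample record standing in for a database row (not from the lecture).
RECORD = {"patient_id": 1042, "dosage_mg": 50, "allergies": ["penicillin"]}

# Key held by the integrity-checking service, not by whoever can write the table.
# Hard-coded only so the example runs offline; in production it lives in a KMS/HSM.
MAC_KEY = b"example-key-for-illustration-only"


def canonical(record: dict) -> bytes:
    """Deterministic serialization so equal records always give equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = MAC_KEY) -> str:
    """HMAC-SHA256 tag binding the record's content to the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes = MAC_KEY) -> bool:
    """True only if the record is unchanged since it was sealed with this key."""
    return hmac.compare_digest(seal(record, key), tag)


def unkeyed_digest(record: dict) -> str:
    """Plain SHA-256 stored beside the row: NOT an integrity control against a writer."""
    return hashlib.sha256(canonical(record)).hexdigest()


def seal_log(records: list, key: bytes = MAC_KEY) -> list:
    """Chain per-record tags so that deleting or reordering a record breaks the chain."""
    tags, prev = [], b""
    for rec in records:
        tag = hmac.new(key, prev + canonical(rec), hashlib.sha256).hexdigest()
        tags.append(tag)
        prev = tag.encode()
    return tags


def verify_log(records: list, tags: list, key: bytes = MAC_KEY) -> bool:
    """Recompute the whole chain and compare it in constant time."""
    if len(records) != len(tags):
        return False
    expected = "".join(seal_log(records, key))
    return hmac.compare_digest(expected, "".join(tags))


def demo() -> dict:
    """Run the tampering scenarios and report which edits were detected."""
    results = {}
    tag = seal(RECORD)
    edited = dict(RECORD, dosage_mg=500)  # unauthorized dosage change
    results["hmac_detects_edit"] = not verify(edited, tag)

    # Same edit against a plain hash: an attacker who can write the row can
    # also overwrite the stored hash, so the "check" passes and nothing is detected.
    stored_hash = unkeyed_digest(edited)  # attacker recomputes it after editing
    results["plain_hash_detects_edit"] = unkeyed_digest(edited) != stored_hash

    log = [RECORD, dict(RECORD, dosage_mg=60), dict(RECORD, dosage_mg=70)]
    tags = seal_log(log)
    results["chain_valid"] = verify_log(log, tags)
    # Delete the middle record together with its own tag (a "clean" deletion):
    # the third tag was computed over the second tag, so the chain no longer verifies.
    results["chain_detects_deletion"] = not verify_log(log[:1] + log[2:], tags[:1] + tags[2:])
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The per-record tag catches modification; the chain catches deletion and reordering, which a per-record tag alone cannot, since a deleted row takes its tag with it. Both depend on the key being unavailable to the principals who can write the table, which is exactly the least-privilege point the lecture makes.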
Welcome to module 1 activity! In each module of this course, we will be diving into a case
study to understand how the concepts and tools introduced in the video lectures apply to
cybersecurity practitioners in the real world.
Carefully read the instructions below before completing the reading. Once you have
completed the comprehension questions and the case study prompt, advance to the next
section, where your responses will be peer-reviewed and you will review responses from
other students in the course community. Remember to follow the Coursera Honor Code
and to only submit work you have written on your own.
Step-By-Step Assignment Instructions
Reading Instructions
For this assignment, you only need to read the “Overview” section of the article. As you are
reading you may come across cybersecurity terms that you will need to look up such as
"botnet", "SSH brute-force", and “distributed denial-of-service attack.”
Reading: N. Kim, T. Herr, and B. Schneier (2020). The reverse cascade: Enforcing security on
the global IoT supply chain.
Reading Comprehension Questions
As you read, answer the following comprehension questions:
1. What is the primary reason why IoT devices have such poor security?
2. Why is there a sudden increase in attacks against IoT devices?
You will not be required to submit your answers to the above comprehension questions,
however, answering these questions will help you answer the graded case study prompt
below.
Case Study Prompt
Recall the following excerpt from the reading:
“Much more recently, the US Defense Department’s Cybersecurity Maturity Model
Certification (CMMC) program adopted a requirement for prime vendors—large
firms with many subsidiary suppliers—to be responsible for the adoption of good
supply-chain security practices by their suppliers. In the CMMC model, rather than
force the DoD to map complex supply chains two or three steps removed from the
end product, prime vendors are leveraged to enforce standards directly on their
supply chains.”
For this case study, you will play the role of a cybersecurity contractor who has been hired
to work on the US Defense Department’s Cybersecurity Maturity Model Certification
(CMMC) program. Your first job is to articulate the goals the CMMC program will set out to
achieve.
Instructions: Carefully follow the steps below to complete the case study. You will be
prompted to write and submit your response for each step when you continue to the "My
submission" tab.
Step 1
Choose one IoT device mentioned in the readings, for example:
Medical devices
Toys
Small and large appliances
Home thermostats
Traffic signals
Step 2
Pick two of the following CIAS goals:
Confidentiality
Integrity
Availability
Safety
If you are having trouble remembering the relevant considerations of each of these goals,
you can go back and review the video lecture in the last module.
Step 3
Explain how the two goals you chose from the CIAS goals (for example: Confidentiality &
Safety) relate to the security consideration for the IoT device you chose (for example:
medical devices).
Given that this is the first week of the course we are not looking for an overly technical
answer. You should not need to do additional research to come up with your response.
Focus on the novel risk IoT devices pose in the field of cybersecurity (i.e. bringing
cybersecurity risk into the physical world) and how this increased risk relates to the goals of
cybersecurity outlined by the CIAS goals.
Step 4
Peer-review: Continue to the next section and review the responses of other students in the
course community.
Example Submissions
Case Study Prompt
Step 1
Choose one IoT device mentioned in the readings, for example:
Medical devices*
Toys
Small and large appliances
Home thermostats
Traffic signals
*We chose medical devices for this response, but you could have chosen any item from
this list.
Step 2
Pick two of the following fundamental goals outlined by CIAS:
Confidentiality*
Integrity
Availability
Safety*
*We chose Confidentiality and Safety as our CIAS goals, but you could have chosen any
two goals from this list.
Step 3
Explain how the two goals you chose from the CIAS framework (for example: Confidentiality
& Safety) relate to the security consideration for the IoT device you chose (for example:
medical devices).
Answer: We chose medical devices as our IoT device category. We also decided to
demonstrate how the CIAS goals of Confidentiality and Safety relate to the unique security
risks posed by compromised medical devices:
Confidentiality: Medical devices pose a unique threat to the CIAS goal of
confidentiality given the immense importance of maintaining the privacy of
protected health information (PHI). The security standards mandated by the
Health Insurance Portability and Accountability Act (HIPAA), which include
maintaining the confidentiality of protected health information, are usually ensured
by and enforced on stakeholders such as health care providers, insurance providers,
and business associates. IoT devices, especially those that are low-cost and used
outside of these controlled environments, are much more vulnerable to attacks
which could lead to the loss of this protected health information to malicious actors.
Safety: The line between the goals of confidentiality and safety becomes blurred
given the prevalence of IoT technology. Protected information obtained without
consent is a violation of the goal of confidentiality; however, in the context of
medical devices, this confidentiality risk becomes a physical health risk. The goal of
integrity is also interconnected with the goal of safety when discussing medical
devices, because the data stored on such devices can inform and determine decisions
related to medication, diagnostics, and other sensitive health considerations. For
example, if this data is corrupted, this can in turn directly influence how this medical
information is used by the targeted person and their health providers.
Step 4
Continue to the next module and compare your responses with the example answer
provided by the course instructor.
The CIAS Triad
Confidentiality
Integrity
Availability
Safety
Where the CIA Triad addresses the privacy, adequate access and
correctness of data, the CIAS Triad addresses those concerns plus both
individual & public safety.
Example systems:
Cars
Thermostats
Drones
Fire-prevention systems
Electric
Gas
Water
Nuclear
etc.
Medical Systems
    Hospitals
    Pharmacy
Transportation System
    Automobiles
    Aviation
    Shipping (on water)
    Space
    etc.
Military
Elections
Conclusion
Suggestions
If you have ways that this can be improved, please let me know. This is
meant to be beneficial to the public, and I’d love to see it improved.
Security Governance
This lecture covers the process of cybersecurity governance and gives an overall explanation
and viewpoint of what cybersecurity governance is and how it's organized. Stephen Covey has a famous
quote and in it he says, "The main thing is to keep the main thing the main thing." What
does that mean? In this context at the end of the day most businesses are not in the
business of assessing cybersecurity risk, of evaluating threats, of evaluating vulnerabilities,
and they're not in the business of selecting, implementing or tracking controls and security
countermeasures. However, these activities are critically important to whatever the main
thing of the business happens to be, and thus they have to be aligned in a complementary
fashion, they have to support whatever the main thing of the business is. Despite a constant
stream of security breaches and lawsuits, FTC rulings and headlines, it is still the case that
the market just does not inherently reward security for security’s sake. Every decision to
spend money on security is a decision to not invest money in other areas of the business
that ultimately drive the bottom line.
This alignment occurs through several key processes that you'll recognize from our
cybersecurity mind-map in an earlier lecture, and that includes things like risk management,
configuration management, identity management, access control, vulnerability and supply chain
management, incident response, and disaster recovery. These are all clearly ideas that
complement the main thing of the business, but if you were to spend too much time doing
them or they were not closely aligned with the overall purpose and structure and main
thing of the business, then we can quickly spin off into a rabbit hole that is wasting time and
money and resources and not helping to drive the governance of the organization. Broadly,
governance is a top-down approach to managing a business. There's various forms of
governance of a business. As a result, cybersecurity governance is the top-down approach
of managing security activities and ensuring that they're all aligned to the business. Recall
from previous lectures just how easy it is to fall down the numerous rabbit holes in this
vast landscape of cybersecurity disciplines. Without that strategic alignment and
management, security programs with otherwise good intentions can easily miss the mark in
terms of supporting the overall goals of an organization. Also recall that cybersecurity
vulnerabilities are essentially a function of rapidly changing technology and business
landscapes, and today the reality is that businesses are essentially inseparable from their IT
infrastructure, from their IT solutions and architecture, and cybersecurity as a result is an
inherent aspect of IT and its integration into the business. Therefore, the top-down
structure of aligning IT efforts with the overall goal of the business would encompass and
subsume cybersecurity governance as well. They all have to be integrated and aligned with
whatever the main thing of the business happens to be. A good mental model that I like to
use for helping people understand this idea is the difference between precision and
accuracy. Not only are there many exciting rabbit holes to explore within cybersecurity but
they are very expensive and time consuming. As a result, investing time and resources into
cybersecurity capabilities that are not aligned with the business can result in amazing
capabilities, but they don't necessarily provide value to the business. They're very precise,
like you might see on the left-hand side of the diagram here: all the efforts are very close
together, so they're very consistent and coherent, very precise. That doesn't necessarily
mean they are on target. The group of dots on the right is less precise, but overall it is
much closer to the goal, much closer to the main thing we're going for by trying to be on
the center of the target. The goal of
security governance is to drive not only the precision of time and investments, we want to
be as precise as possible, but to fundamentally ensure that those efforts are as accurate as
possible and aligned with the main thing of the business. This is a big domain and in some
ways it is the least technical of any domain across cybersecurity. However, just to give some
context to its importance, both of the premier cybersecurity management and governance
certifications on the market, CISSP from (ISC)² and CISM from ISACA, include governance
as the very first domain you have to understand in their study guides, their material, and
their testing domains. Both of them start with this idea at the very beginning before they
get into other advanced topics. In the next lecture we'll take a closer look at the
frameworks that emerge from the need for cybersecurity governance and how we can start
to take this large top-down idea and actually apply it to the business and its operations.