Cybersecurity


Cybersecurity is one of the fastest-growing and hardest-to-tackle security challenges in the world today, and it requires every internet user to be vigilant. Yet a recent study by cybersecurity company Bromium found that even cybersecurity professionals admit to hiding breaches, bypassing protocols, and paying ransoms, with up to 35 percent circumventing, disabling, or bypassing their organization's security controls. The study shows how important widespread cybersecurity education is: it creates an environment in which everyone can build good habits and set up their systems to protect themselves and their organizations from these threats.

The following ASIS-curated resources, including book excerpts, ASIS Council resources, recorded Seminar sessions, and U.S. government guidance, are available to help security professionals worldwide prevent or mitigate the effects of cyberthreats.

» Additional related resources include our Internet of Things spotlight «

Free Cybersecurity Resources

(All resources are free - login/creation of free account required)



ASIS Councils Resources

Mirai Attack — Incident Summary and Recommendations
ASIS Council Leadership
November 4, 2016

In October 2016, a considerable portion of the United States and some parts of Europe were hit with massive distributed denial of service (DDoS) attacks. The attackers made large parts of the internet unreachable by overwhelming the capacity of supporting providers. Their "army" was a multitude of internet-connected smart devices, still using factory-default passwords, that had been infected with purpose-written malware. In response, ASIS Council Leadership released to the public several resources that are normally reserved for ASIS members:

» View the full summary and additional resources


ASIS International Seminar Sessions

Data Breaches and Digitization
Seminar Session 2117, September 2016
CSO Center for Leadership and Development
Speaker:

Axel Petri, Senior Vice President Group Security Governance, Deutsche Telekom AG

The speaker opens his remarks by posing this question: Whom do you trust, and what would you be willing to pay to be secure? He asserts that security professionals have to influence how various groups would answer that question, including their bosses and society as a whole. He argues that the Internet has changed the perception of trust, and that everything that can be digitized and connected will be. As a result, he foresees the following trends:

  • Cyber is multidimensional and a part of warfare.
  • Political and industrial espionage, while not new, is affecting smaller and newer companies in unexpected ways.
  • Cyber criminals operate like a business, using conventional ways to attack through honeypots and malware purchased on the black market.

In response, security professionals should do a lot more to counter these threats through such avenues as education, funding, standardization, and encryption. He advocates public/private cooperation to develop cyber SWAT teams that can act immediately when an attack affects a government or company. Ultimately, he feels hopeful about the future of the Internet because the stakeholders have a common goal: “maintaining the Internet as the indispensable and trusted backbone of our digital future.”


Cyber Risks to IoT and Building Controls
Seminar Session 3213, September 2016
Speakers:

Coleman Wolf, CPP, Security Lead, ESD Global, Inc.
Rodney Thayer, Convergence Engineer, Smithee, Spelvin, Agnew & Plinge, Inc.

After a review of resource documents that address open protocols and IT-centric devices, the speakers focus on the drivers and underlying devices that pose IoT and building control system risks. A list of ten concerns includes the following:

  • System infrastructure is often hidden and out of mind for users, who don’t realize that the devices on their networks can be hacked and made to do something they were not intended to do.
  • Building control systems are moving toward greater complexity, more layering, and convergence.
  • Accidental failures may degrade a system’s security, and hacking today is easier to do at low cost.

» View the associated handout for this seminar presentation


After the Data Breach
Seminar Session 2212, September 2016
Speakers:

Richard Wright, CPP, Director of Global Security Operations, VDI, Inc.
Bruce Blythe, Chairman, R3 Continuum
Hart Brown, Vice President, Organizational Resilience, HUB International
Rachelle Loyear, Director of Business Continuity Management, Charter Communications

After examining the business and personal costs of a data breach, the speakers describe a typical response from a legal and IT perspective, which includes auditing and investigating the scope of the breach, compliance initiatives, notifications, and credit monitoring. They conclude, however, that non-traditional responses must be a part of the solution. Using cases of recent breaches as examples, the speakers focus on three specifics:

  • Human factors, including stakeholder outrage, employee concerns, organizational stability, and the four components of a good crisis leader: empathy, expertise, commitment, and transparency.
  • Communications, including notifying affected audiences in a timely way without rushing to conclusions, using clear and transparent messaging, and accessing cyber insurance resources and services.
  • Crisis response, including a coordinated crisis response team that identifies responsibilities and final authorities.

The goal is to prevent day-to-day incidents from becoming a full-blown crisis. Awareness is key: an informed user behaves responsibly and takes fewer risks.


Additional Seminar Session Excerpts
From the ASIS Seminar Archive
These curated cybersecurity seminar sessions were first made available to members in early 2016:

  • Using Big Data​
    Big data is exploding on business networks, leaving many security practitioners wondering how to create a viable yet secure way to store but still access this vital information.
  • Preventing Data Breaches
    Using a case study approach, Robert Eggebrecht, BEW Global, walks through the process his company employed to zero in on an insider who was responsible for the theft of $30,000 of intellectual property from his high-profile employer.
  • Evaluating a Provider’s Cloud Security
    Companies are increasingly moving large amounts of confidential data to the cloud, often without the knowledge of corporate IT and security staff. These managers must play catch-up to ensure the viability of the cloud service provider’s security processes.

Books

Protection Of Assets: Information Security
Appendices A–C

Selected appendices from ASIS International’s premier reference for security professionals and business managers involved with security, Protection of Assets, including the following:

  • Sample Policy on Information Asset Protection
  • Quick Reference Guide for Information Asset Protection
  • Sample Nondisclosure Agreements


Cyber-Physical Attacks
Butterworth-Heinemann; Elsevier, 2015
Author: George Loukas
Chapter 4: Cyber-Physical Attacks on Industrial Control Systems
Excerpt courtesy of Elsevier.

This comprehensive chapter begins with a review of threats to supervisory control and data acquisition (SCADA) systems, programmable logic controllers (PLCs), and other systems used in critical infrastructure. The author asserts that these systems are a matter of national security in most of the world. The chapter is separated into three sections:

  • A discussion of the most common of these systems, SCADA, and associated threats.
  • A real-world case study focusing on the Stuxnet attack against a uranium enrichment facility in Iran.
  • An examination of the target of state-sponsored attacks, the electric grid, using the Aurora Generator Test as an example.

The chapter is illustrated throughout. One figure shows three generations of SCADA architecture, with a fourth still only a vision shaped by IoT trends; another reproduces a smart grid architecture with multiple energy sources, power transmission, a distribution network, and many electricity consumers. The illustrations graphically mark the numerous points of vulnerability in each system.


Government Documents and Resources

“New NIST Guide Helps Small Businesses Improve Cybersecurity”
National Institute of Standards and Technology,
November 10, 2016

This guide is written for small-business owners who are not experienced in cybersecurity and includes steps they can take to better protect their information systems. The publication walks users through a risk assessment process to help them understand their vulnerabilities. Nine specific best practices show companies ways to protect their cyber assets, including:

  • Limiting employee access to data and information.
  • Installing web and email filters.
  • Finding reputable cybersecurity contractors.

Security Management Articles

Security Management, a monthly benefit of ASIS membership, includes a column on cybersecurity in each issue. To review an archive of all articles in this category, log onto sm.asisonline.org and click on the cybersecurity tab. Articles are separated into five categories: cloud security, cybercrime, defenses, mobile security, and social engineering. Occasional features on these topics are included in many issues as well.

The following stories are a sample of what’s been written lately.

“Rise of the IoT Botnets,” February 2017
Author: Megan Gates, associate editor

This article chronicles how the Mirai botnet, built from IoT devices, took down a major domain name service (DNS) provider in three attacks in quick succession. Internet users whose lookups were routed to the company’s servers were initially unable to reach affected sites, although the company mitigated the third attack without affecting customers. Huge losses in revenue and sales were nevertheless attributed to the attack. The Mirai botnet and others like it take advantage of the lack of security in IoT devices such as DVRs and surveillance cameras, and consumers are largely unaware that their devices may be compromised. The article offers six steps organizations can take to reduce the risk to their IoT devices. Here’s a sample:

  • Keep IoT devices on an isolated network and control access to them.
  • Change all default user accounts and passwords for IoT devices. If they cannot be changed, block them.
  • Review corporate policies that allow employees to bring their own devices to work and connect them to the company network.

The article also warns that cyber criminals will mount more creative attacks by purchasing DDoS as a service, a growing industry.
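Both the Mirai incident summary above and the article’s advice to change or block default accounts rest on one mechanic: Mirai spread by trying a short, fixed list of factory-default telnet credentials against every device it could reach. The following is an added example, not code from the ASIS page or from either article, showing how that behaviour looks in login logs and how to flag it. The log format, the sample lines, the source addresses, and the credential list are all constructed for this example; the pair list is the kind of list Mirai carried, not a copy of it.

```python
"""Detect Mirai-style default-credential scanning in telnet login logs.

Added example (not from the ASIS page or the articles it summarizes).
Assumptions, all constructed for this example:
  - log lines look like the SAMPLE_LOG entries below (a telnet honeypot
    style record that includes the attempted password);
  - DEFAULT_CREDENTIALS is a hand-picked set of factory-default pairs.
"""
import re
from collections import defaultdict

# Factory-default username/password pairs of the kind shipped on DVRs,
# IP cameras and routers. Constructed subset for illustration.
DEFAULT_CREDENTIALS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "12345"),
    ("admin", "password"), ("root", ""), ("support", "support"),
}

# Constructed log format: timestamp, daemon, result, user, pass, source.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: (?P<result>login failed|login ok) "
    r"user='(?P<user>[^']*)' pass='(?P<pw>[^']*)' from (?P<src>[\d.]+)$"
)

# Constructed sample: one host walks the default list and gets in on the
# fifth try; a legitimate user logs in with a non-default password.
SAMPLE_LOG = """\
2016-10-21T11:02:01Z telnetd[812]: login failed user='root' pass='xc3511' from 203.0.113.7
2016-10-21T11:02:02Z telnetd[812]: login failed user='root' pass='vizxv' from 203.0.113.7
2016-10-21T11:02:03Z telnetd[812]: login failed user='admin' pass='admin' from 203.0.113.7
2016-10-21T11:02:04Z telnetd[812]: login failed user='root' pass='888888' from 203.0.113.7
2016-10-21T11:02:05Z telnetd[812]: login ok user='root' pass='12345' from 203.0.113.7
2016-10-21T11:05:10Z telnetd[812]: login failed user='alice' pass='hunter2' from 198.51.100.4
2016-10-21T11:05:11Z telnetd[812]: login ok user='alice' pass='s3cret!' from 198.51.100.4
this line is not a login event and is skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a login event."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["success"] = event.pop("result") == "login ok"
    return event


def analyze(lines, threshold=5):
    """Return (scanners, compromised).

    scanners:    {src_ip: n} for sources that tried at least `threshold`
                 distinct factory-default pairs (the Mirai scan pattern).
    compromised: [(src_ip, user, password)] for every login that
                 succeeded with a factory-default pair, i.e. a device
                 that still needs its credentials changed or blocked.
    """
    tried = defaultdict(set)
    compromised = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        pair = (event["user"], event["pw"])
        if pair not in DEFAULT_CREDENTIALS:
            continue  # ordinary login traffic, not the scan signature
        tried[event["src"]].add(pair)
        if event["success"]:
            compromised.append((event["src"], event["user"], event["pw"]))
    scanners = {src: len(pairs) for src, pairs in tried.items()
                if len(pairs) >= threshold}
    return scanners, compromised


if __name__ == "__main__":
    scanners, compromised = analyze(SAMPLE_LOG.splitlines())
    for src, n in scanners.items():
        print(f"scanner {src}: {n} distinct default pairs attempted")
    for src, user, pw in compromised:
        print(f"default credentials accepted from {src}: {user!r}/{pw!r}")
```

Keying on distinct default pairs rather than raw failure counts separates a credential-list walk from a user mistyping a password; the threshold is a tuning knob, not a fixed signature. Production telnet and SSH daemons do not normally log the attempted password, so against real daemon logs match on the default usernames and the attempt rate per source instead; the password field is available when the collector is a honeypot.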

“Cyber Trends,” September 2016
Author: Megan Gates, associate editor

The article highlights major issues that will affect the cyber threat landscape in the near future, including a talent shortage, pressure from boards of directors that consider cyber risks their highest priority, and the increased use of encryption by Internet companies. The article also looks at how Brexit might affect data sharing and data privacy agreements among the United Kingdom, the European Union, and the United States.

“How to Protect PII,” February 2016
Author: Lilly Chapa, assistant editor

Personally identifiable information (PII) is a hot commodity for malicious attackers. The information can be used alone or with other sources to identify, contact, or locate an individual. Companies whose PII holdings are breached may face large fines, legal action, and a damaged reputation. The article advocates four ways to avoid these consequences: educating employees, segregating duties, using content filtering, and establishing an incident response plan.

“Smart and Secure,” January 2016
Author: Mark Tarallo, senior editor

Securing Smart Cities (SSC) is a not-for-profit global initiative. It aims to address the existing and future cybersecurity problems of smart cities where wireless sensors control an increasing amount of the infrastructure, from traffic lights to the water supply to waste management systems. The SSC initiative has five goals, including collaborating with partners to share ideas, promoting the benefits of introducing security early in a smart city project, and creating standards, guidelines, and other resources to improve smart city cybersecurity.

“The Top Five Hacks From Mr. Robot—and How You Can Prevent Them,” October 21, 2016
Author: Megan Gates, associate editor
This article is only available on the magazine’s website.

The author contends that the television series Mr. Robot may be doing more to make Americans cyber aware than any official awareness campaign. The premise is straightforward: Elliot Alderson, a young cybersecurity engineer, is recruited by “Mr. Robot” to join a group of hacktivists, fsociety, to target a company, E Corp. In the process, fsociety uses five hacks against the company: password cracking, zombie accounts, phishing, physical access, and DDoS attacks. The episodes highlight lessons learned on how to combat each type of attack.

“The Cyber Incident Survival Guide,” July 1, 2016
Author: Megan Gates, associate editor

The worst has happened. Someone hacked your company's network, stealing thousands of documents and compromising customer and employee data in the process. And you're not sure what else the hackers had access to, if they are still in your network, or who is responsible.


ASIS Information Resources Center (IRC)
Security Databases & Library Catalog
(access to selected library materials may require ASIS membership)

A comprehensive review of the many international, national, and local resources on cybercrime and cybersecurity has been compiled by the ASIS Information Resources Center (IRC). The PDF provides access to reports, essays, news, and opinions from thought leaders involved in creating policies and practices on such timely topics as the global state of information security, big data breaches, the global cost of cybercrime, best practices in data protection, and the Internet of Things. To access these resources, sign in to the ASIS website and type Information Resources Center Cybercrime and Cybersecurity Information Sources into the search box. You may also view the members-only CyberSecurity IRC Guide curated in early 2016.

Additional resources on these and related topics can be obtained from the IRC. Print items are available for use onsite in the IRC by ASIS International members. Go to the library’s web pages to navigate to the Security Database & Library Catalog.

For more help and search suggestions, email questions to the librarian or fill out our contact form.
