Cybersecurity is one of the fastest-growing and hardest-to-tackle security challenges in the world today, and it requires every single internet user to be vigilant. However, a recent study by cybersecurity company Bromium shows that even cybersecurity professionals have admitted to hiding breaches, bypassing protocols, and paying ransoms, with up to 35% circumventing, disabling, or bypassing their organization's security. This study shows how important widespread education on cybersecurity issues is: it creates an environment in which everyone can build good habits and set up systems that protect ourselves and our organizations from these threats.
The following ASIS-curated resources, including book excerpts, ASIS Council resources, recorded Seminar sessions, and U.S. government guidance, are available to help security professionals worldwide prevent or mitigate the effects of cyberthreats.
» Additional related resources include our Internet of Things spotlight «
Free Cybersecurity Resources
(All resources are free; login or creation of a free account is required)
View all past Security Spotlights
- "Rise of the IoT Botnets" - February 2017
- "Cyber Trends" - September 2016
- "How to Protect PII" - February 2016
- "Smart and Secure" - January 2016
- "The Top Five Hacks from Mr. Robot—and How You Can Prevent Them" - October 2016
- "The Cyber Incident Survival Guide" - July 2016
ASIS Councils Resources
Mirai Attack — Incident Summary and Recommendations
ASIS Council Leadership
November 4, 2016
In October 2016, a considerable portion of the United States and some parts of Europe were hit with massive distributed denial of service (DDoS) attacks. Attackers effectively took the internet down for many users by overloading the capacity of the providers that those services depended on. Their "army" was a multitude of smart devices (connected to the internet with default passwords) that had been infected with purpose-written malware. In response, ASIS Council Leadership released to the public several resources that are normally reserved for ASIS members:
» View the full summary and additional resources
ASIS International Seminar Sessions
Data Breaches and Digitization
Seminar Session 2117, September 2016
CSO Center for Leadership and Development
- Axel Petri, Senior Vice President Group Security Governance, Deutsche Telekom AG
The speaker opens his remarks by posing this question: Whom do you trust and what would you be willing to pay for being secure? He asserts that security professionals have to influence how various groups would answer that question, including their bosses and society as a whole. He asserts that the Internet has affected the perception of trust, and that everything that can be digitized and connected will be. As a result, he foresees the following trends:
- Cyber is multidimensional and a part of warfare.
- Political and industrial espionage, while not new, is affecting smaller and newer companies in unexpected ways.
- Cyber criminals operate like a business, using conventional ways to attack through honeypots and malware purchased on the black market.
In response, security professionals should do a lot more to counter these threats through such avenues as education, funding, standardization, and encryption. He advocates public/private cooperation to develop cyber SWAT teams that can act immediately when an attack affects a government or company. Ultimately, he feels hopeful about the future of the Internet because the stakeholders have a common goal: “maintaining the Internet as the indispensable and trusted backbone of our digital future.”
Cyber Risks to IoT and Building Controls
Seminar Session 3213, September 2016
- Coleman Wolf, CPP, Security Lead, ESD Global, Inc.
- Rodney Thayer, Convergence Engineer, Smithee, Spelvin, Agnew & Plinge, Inc.
After a review of resource documents that address open protocols and IT centric devices, the speakers focus on the drivers and underlying devices that pose IoT and business control system risks. A list of ten concerns includes the following:
- System infrastructure is often hidden and out of mind for users, who don’t realize that devices on their computers can be hacked and do something that they were not intended to do.
- Business control systems are moving toward greater complexity, more layering, and convergence.
- Accidental failures may degrade a system's security, and hacking today is easier to do at low cost.
» View the associated handout for this seminar presentation
After the Data Breach
Seminar Session 2212, September 2016
- Richard Wright, CPP, Director of Global Security Operations, VDI, Inc.
- Bruce Blythe, Chairman, R3 Continuum
- Hart Brown, Vice President, Organizational Resilience, HUB International
- Rachelle Loyear, Director of Business Continuity Management, Charter Communications
After examining the business and personal costs of a data breach, the speakers describe a typical response from a legal and IT perspective, which includes auditing and investigating the scope of the breach, compliance initiatives, notifications, and credit monitoring. They conclude, however, that non-traditional responses must be a part of the solution. Using cases of recent breaches as examples, the speakers focus on three specifics:
- Human factors, including stakeholder outrage, employee concerns, organizational stability, and the four components of a good crisis leader: empathy, expertise, commitment, and transparency.
- Communications, including notifying affected audiences in a timely way without rushing to conclusions, using clear and transparent messaging, and accessing cyber insurance resources and services.
- Crisis response, including a coordinated crisis response team that identifies responsibilities and final authorities.
The goal is to prevent day-to-day incidents from becoming a full-blown crisis. Awareness is key: an informed user behaves responsibly and takes fewer risks.
Additional Seminar Session Excerpts
From the ASIS Seminar Archive
These curated cybersecurity seminar sessions were first made available to members in early 2016:
Using Big Data
Big data is exploding on business networks, leaving many security practitioners wondering how to create a viable yet secure way to store but still access this vital information.
Preventing Data Breaches
Using a case study approach, Robert Eggebrecht, BEW Global, walks through the process his company employed to zero in on an insider who was responsible for the theft of $30,000 of intellectual property from his high-profile employer.
Evaluating a Provider’s Cloud Security
Companies are increasingly moving large amounts of confidential data to the cloud, often without the knowledge of corporate IT and security staff. These managers must play catch-up to ensure the viability of the cloud service provider’s security processes.
Protection Of Assets: Information Security
Selected appendices from ASIS International’s premier reference for security professionals and business managers involved with security, Protection of Assets, including the following:
- Sample Policy on Information Asset Protection
- Quick Reference Guide for Information Asset Protection
- Sample Nondisclosure Agreements
Butterworth-Heinemann; Elsevier, 2015
Author: George Loukas
Chapter 4: Cyber-Physical Attacks on Industrial Control Systems
Excerpt courtesy of Elsevier.
This comprehensive chapter begins with a review of threats to supervisory control and data acquisition (SCADA), programmable logic controllers (PLCs), and other systems used in critical infrastructures. The author asserts that these systems are matters of national security in most of the world. The chapter is separated into three sections:
- A discussion of the most common of these systems, SCADA, and associated threats.
- A real-world case study focusing on the Stuxnet attack against a uranium enrichment facility in Iran.
- An examination of the target of state-sponsored attacks, the electric grid, using the Aurora Generator Test as an example.
The chapter is peppered with informative illustrations. They show, for example, three generations of SCADA (with a fourth still only a vision shaped by IoT trends) and a smart grid architecture with multiple sources of energy, power transmission, a distributed network, and multiple electricity consumers. The illustrations graphically show numerous points of vulnerability in each system.
Government Documents and Resources
“New NIST Guide Helps Small Businesses Improve Cybersecurity”
National Institute of Standards and Technology,
November 10, 2016
This guide is written for small-business owners not experienced in cybersecurity and includes steps they can take to better protect their information systems. The publication walks users through a risk assessment process to help understand their vulnerabilities. Nine specific best practices show companies ways to protect their cyber assets, including:
- Limiting employee access to data and information.
- Installing web and email filters.
- Finding reputable cybersecurity contractors.