Book price comparison. Covers 12 595 353 books and 12 shops.
Author
Dan Shoemaker
Books and works in one place: 13 books, published between 2015 and 2026, with Cybersecurity and the Art of Cyberwar among the most popular. Compare prices of the works and check availability in Finnish bookshops.
The relevant statistic for this book is that only twenty-nine percent of the annual, overall loss to cyber exploits is attributable to purely electronic attacks. The remaining human and physical exploits account for seventy-one percent. Hence, it is self-evident that effective cyber-protection requires an appropriately tailored and synergistic electronic, human, and physical security control system. The problem is that the industry doesn't view it that way. Over the past thirty years, cyber protection has been viewed as a purely electronic, computer-based problem. That thinking might even have made sense before the advent of sophisticated social engineering and other kinds of non-electronic attacks. But now that significant losses from exploits such as insider theft or phishing can occur, any cyber defence that relies solely on an electronic solution is, almost by definition, doomed to failure. That is because the modern adversary is smart. That is why reconnaissance is the hacker's first principle. Before any attack begins, the aim is to identify the places in the defence that are insufficiently secured or lack appropriate controls. Hence, in practical terms, investing in intricate electronic solutions is a waste of time. That's because they only encourage your adversary to try something else. Saltzer and Schroeder called this phenomenon the "work factor." In practical terms, the work factor principle means that the hacker will follow the path of least resistance. So, it is irrelevant whether the attack is elegant or brute force—if it succeeds in breaching the protection. Consequently, if there are robust electronic elements protecting your system, the intruder will simply go to exploits like social engineering, subverting an insider, accessing an unattended endpoint, or simply stealing the device. A proper defence requires all the fort's walls to be present and properly designed and implemented.
So, robust human and physical controls must also be integrated into the solution. That requirement—i.e., no apparent gaps in the defence—is the justification for this book. The book will present the basic principles of holistic security. Holistic security is based on developing a complete architecture of synergistic controls tailored to specifically address the actual concerns of a given protection target. It is a strategic reconnaissance, design, and implementation process, not a head-down focus on deploying electronic controls.
Implementing Cybersecurity provides the complete strategic understanding requisite to allow a person to create and use the RMF process recommendations for risk management. This will be the case both for applications of the RMF in corporate training situations, as well as for any individual who wants to obtain specialized knowledge in organizational risk management. It is an all-purpose roadmap of sorts aimed at the practical understanding and implementation of the risk management process as a standard entity. It will enable an "application" of the risk management process as well as the fundamental elements of control formulation within an applied context.

The Cybersecurity Body of Knowledge explains the content, purpose, and use of eight knowledge areas that define the boundaries of the discipline of cybersecurity. The discussion focuses on, and is driven by, the essential concepts of each knowledge area that collectively capture the cybersecurity body of knowledge to provide a complete picture of the field.

How to Build a Cyber-Resilient Organization presents a standard methodology approach to cyber-resilience. Readers will learn how to design a cyber-resilient architecture for a given organization as well as how to maintain a state of cyber-resilience in its day-to-day operation. Readers will know how to establish a state of systematic cyber-resilience within this structure and how to evolve the protection to correctly address the threat environment. This revolves around the steps to perform strategic cyber-resilience planning, implementation and evolution. Readers will know how to perform the necessary activities to identify, prioritize and deploy targeted controls and maintain a persistent and reliable reporting system.

Supply Chain Risk Management presents the concepts of ICT supply chain risk management from the perspective of NIST IR 800-161. It covers how to create a verifiable audit-based control structure to ensure comprehensive security for acquired products. It explains how to establish systematic control over the supply chain and how to build auditable trust into the products and services acquired by the organization. It details a capability maturity development process that will install an increasingly competent process and an attendant set of activities and tasks within the technology acquisition process. It defines a complete and correct set of processes, activities, tasks and monitoring and reporting systems.
The Complete Guide to Cybersecurity Risks and Controls presents the fundamental concepts of information and communication technology (ICT) governance and control. In this book, you will learn how to create a working, practical control structure that will ensure the ongoing, day-to-day trustworthiness of ICT systems and data. The book explains how to establish systematic control functions and timely reporting procedures within a standard organizational framework and how to build auditable trust into the routine assurance of ICT operations.

The book is based on the belief that ICT operation is a strategic governance issue rather than a technical concern. With the exponential growth of security breaches and the increasing dependency on external business partners to achieve organizational success, the effective use of ICT governance and enterprise-wide frameworks to guide the implementation of integrated security controls is critical in order to mitigate data theft. Surprisingly, many organizations do not have formal processes or policies to protect their assets from internal or external threats.

The ICT governance and control process establishes a complete and correct set of managerial and technical control behaviors that ensures reliable monitoring and control of ICT operations. The body of knowledge for doing that is explained in this text. This body of knowledge applies to all operational aspects of ICT responsibilities, ranging from upper management policy making and planning all the way down to basic technology operation.
A Guide to the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (2.0) presents a comprehensive discussion of the tasks, knowledge, skill, and ability (KSA) requirements of the NICE Cybersecurity Workforce Framework 2.0. It discusses in detail the relationship between the NICE framework and the NIST Cybersecurity Framework (CSF), showing how the NICE model specifies what the particular specialty areas of the workforce should be doing in order to ensure that the CSF's identification, protection, defense, response, or recovery functions are being carried out properly.

The authors construct a detailed picture of the proper organization and conduct of a strategic infrastructure security operation, describing how these two frameworks provide an explicit definition of the field of cybersecurity. The book is unique in that it is based on well-accepted standard recommendations rather than presumed expertise. It is the first book to align with and explain the requirements of a national-level initiative to standardize the study of information security. Moreover, it contains knowledge elements that represent the first fully validated and authoritative body of knowledge (BOK) in cybersecurity.

The book is divided into two parts. The first part comprises three chapters that give you a comprehensive understanding of the structure and intent of the NICE model, its various elements, and their detailed contents. The second part contains seven chapters that introduce you to each knowledge area individually. Together, these parts help you build a comprehensive understanding of how to organize and execute a cybersecurity workforce definition using standard best practice.