Enterprise Cybersecurity (Apress, 2015)

Points/C-coins required: 9 | Uploaded 2015-06-28 09:44:09 | 21.27 MB PDF

Enterprise Cybersecurity empowers organizations of all sizes to defend themselves with next-generation cybersecurity programs against the escalating threat of modern targeted cyberattacks. This book presents a comprehensive framework for managing all aspects of an enterprise cybersecurity program. It enables an enterprise to architect, design, implement, and operate a coherent cybersecurity program that is seamlessly coordinated with policy, programmatics, IT life cycle, and assessment. Fail-safe cyberdefense is a pipe dream. Given sufficient time, an intelligent attacker can eventually defeat defensive measures protecting an enterprise's computer systems and IT networks. To prevail, an enterprise cybersecurity program must manage risk by detecting attacks early enough and delaying them long enough that the defenders have time to respond effectively. Enterprise Cybersecurity shows players at all levels of responsibility how to unify their organization's people, budgets, technologies, and processes into a cost-efficient cybersecurity program capable of countering advanced cyberattacks and containing damage in the event of a breach.
Contents at a Glance

Foreword xxv
About the Authors xxvii
Acknowledgments xxix
Introduction xxxi

Part I: The Cybersecurity Challenge
Chapter 1: Defining the Cybersecurity Challenge 3
Chapter 2: Meeting the Cybersecurity Challenge 27

Part II: A New Enterprise Cybersecurity Architecture 45
Chapter 3: Enterprise Cybersecurity Architecture 47
Chapter 4: Implementing Enterprise Cybersecurity 71
Chapter 5: Operating Enterprise Cybersecurity 87
Chapter 6: Enterprise Cybersecurity and the Cloud 105
Chapter 7: Enterprise Cybersecurity for Mobile and BYOD 119

Part III: The Art of Cyberdefense 131
Chapter 8: Building an Effective Defense 133
Chapter 9: Responding to Incidents 157
Chapter 10: Managing a Cybersecurity Crisis 167

Part IV: Enterprise Cyberdefense Assessment 193
Chapter 11: Assessing Enterprise Cybersecurity 195
Chapter 12: Measuring a Cybersecurity Program 213
Chapter 13: Mapping Against Cybersecurity Frameworks 231

Part V: Enterprise Cybersecurity Program 241
Chapter 14: Managing an Enterprise Cybersecurity Program 243
Chapter 15: Looking to the Future 263

Part VI: Appendices 279
Appendix A: Common Cyberattacks 281
Appendix B: Cybersecurity Frameworks 297
Appendix C: Enterprise Cybersecurity Capabilities 311
Appendix D: Sample Cybersecurity Policy 335
Appendix E: Cybersecurity Operational Processes 353
Appendix F: Object Measurement 385
Appendix G: Cybersecurity Capability Value Scales 409
Appendix H: Cybersecurity Sample Assessment 431
Appendix I: Network Segmentation 459

Glossary 467
Bibliography 481
Index 485

Introduction

Interest in cybersecurity is on the rise. As our world becomes more and more interconnected and more and more online, the damage cyberthreats can do to our cyberworld is increasing dramatically, day by day. For those of us old enough to remember life before personal computers, not to mention the Internet, it is staggering to consider how all of this connectivity has transformed our daily lives. Yet, as the online world developed in less than a generation, the ability to protect the online world has had even less time to develop and is still maturing.

Hardly a week goes by without an announcement of a cybersecurity breach or incident of some form or another, such as the following:

- Personal information compromised
- Credit cards stolen
- Medical records lost
- Companies hacked
- Governments targeted

Clearly, the attackers perpetrating these crimes (and yes, most often these are criminal activities) seem to be acting with impunity compared to the defenders seeking to stop them. These hacks are occurring to major brand names, including Target, Home Depot, JP Morgan Chase, Sony, Apple, and many, many others. While many of the hacks hitting the headlines affect victims in the United States, the parties doing the hacking are in Russia, China, Korea, the Middle East, and elsewhere around the world. This problem is truly global. If these hacks are happening to the biggest, most well-recognized and well-funded businesses and nations, then what chance do the relatively smaller cybertargets have at protecting themselves?
Anyone who is interested in cybersecurity or who is responsible for cybersecurity at an organization has certainly recognized that there is a long road ahead to achieving cybersecurity success against the threats mentioned here, however that success ends up being defined.

What Is This Book About?

This book is about achieving enterprise cybersecurity success. Does success mean computers never get compromised, malware never gets inside the enterprise, or breaches never occur? What success means depends on how an enterprise defines it. Cybersecurity professionals work with executive leadership to make business decisions on how good cybersecurity needs to be to defend the enterprise against cyberattackers. "Good" translates into various operational processes, cybersecurity capabilities, and information systems that protect the enterprise as needed to satisfy the business requirements. Implementing a successful cyberdefense program against real-world attacks is what this book is about.

Often in cybersecurity, everyone knows what should be done, but the resources to do it are not sufficient. As shown in Figure I-1, the reality is that the cybersecurity conundrum gets in the way of what needs to be done. What cybersecurity professionals want to implement is more than what control frameworks specify, and it is far greater than what the budget allows. Ironically, another challenge is that even when defenders get everything they want, clever attackers are extremely effective at finding and exploiting the gaps in those defenses, regardless of their comprehensiveness. The challenge is to spend the available budget on the right protections so that real-world attacks can be thwarted without breaking the bank.

[Figure I-1: The Cybersecurity Conundrum. The figure contrasts what the defenders request, what the frameworks specify, what the budget allows, and what the attackers exploit.]

Figure I-1. Even though the cybersecurity conundrum presents significant challenges, this book is about implementing a successful cyberdefense program that works against real-world attacks, despite the challenges.

The cybersecurity business challenge is compounded by the fact that cyberthreats have to be looked at within the larger business context. The reality is that cyberthreats are just one of many threats against the business and, from a budget perspective, are relatively small threats. Therefore, the enterprise has to prioritize limited resources to get the best possible security for the available budget. Cybersecurity will never be funded to do everything that is desired, or even everything mandated by available best-practice cybersecurity frameworks. Cybersecurity professionals are frustrated, in part, because they request resources to fight threats that are, from a business perspective, a rounding error on the bottom line. In other words, the cyberbudget is a relatively small percentage of the organization's overall financial posture. Cybersecurity needs to be planned around the idea of achieving only partial security, rather than being resourced to do everything perfectly all the time. Ironically, the major cybersecurity frameworks lay out what the ideal practices should be, but have little, if any, guidance on how to deploy a partial solution that is the best value for the cost when the funding is not adequate to achieve the ideal. Cybersecurity professionals must learn how to work with the business to find a new balance. Indeed, in a resource-constrained environment, cyberdefenders must consider how to build defenses that are only partially successful, but are wholly effective in the eyes of the business. This balance requires a new mindset powered by the following axioms of cyberdefense:

Axioms of a "Next-Generation" Cyberdefense

1. Assume an intelligent attacker will eventually defeat all defensive measures.
2. Design defenses to detect and delay attacks so that defenders have time to respond.
3. Layer defenses to contain attacks and provide redundancy in protection.
4. Use an active defense to catch and repel attacks after they start but before they can succeed.

With these axioms in mind, there is an acknowledged need for a framework that enables cybersecurity professionals to deploy balanced security with limited resources. Simply stated, cybersecurity professionals are not going to be able to implement the ideal solution. This book presents a cybersecurity methodology for designing, managing, and operating a balanced enterprise cybersecurity program that is pragmatic and realistic in the face of resource constraints and other real-world limitations. In this book, the reader will learn the following:

- The methodology of targeted attacks and why they succeed
- The cybersecurity risk management process
- Why cybersecurity capabilities are the foundation of every successful cybersecurity program
- How to organize a cybersecurity program
- How to assess and score a cybersecurity program
- How to report cybersecurity program status against compliance and regulatory frameworks
- The operational processes and supporting information systems of a successful cybersecurity program
- How to create a data-driven and objectively managed cybersecurity program
- How cybersecurity is evolving and will continue to evolve over the next decade

Who Should Read This Book?

This book is for anyone interested in modern cybersecurity, as depicted by Figure I-2.

[Figure I-2: Who should read this book. The figure groups enterprise leadership, business leadership, CIO/IT leadership, the CISO, business IT representatives, cybersecurity professionals, IT professionals, and students.]
This book should be read by everyone involved in or interested in successful enterprise cybersecurity. Readers of this book include the following:

- Enterprise leadership with oversight responsibility for information technology and cybersecurity concerns within an organization, business, or government agency.
- Chief Information Security Officer (CISO) or cybersecurity director who is responsible for overseeing a comprehensive cybersecurity program at his or her enterprise.
- Cybersecurity professionals who are responsible for managing, deploying, and operating effective cyberdefenses within the enterprise.
- Chief Information Officer (CIO) or Information Technology (IT) leadership who are responsible for deploying information technology solutions to deliver business value while also complying with regulatory and security requirements.
- IT professionals who are responsible for ensuring information technology solutions have adequate cybersecurity while also delivering value to the business or organization.
- Business or organizational leadership who are responsible for achieving business objectives while using information technology systems and protecting sensitive and valuable information.
- Business or organization IT representatives who are responsible for delivering business capabilities using information technology and complying with cybersecurity requirements.
- Students who are learning about business, information technology, or cybersecurity and who need to understand the challenges of delivering effective cybersecurity solutions.

Why Did the Authors Write This Book?

The authors wrote this book based upon personal experiences fighting advanced persistent threats and other modern cyberadversaries. Using the conventional cybersecurity architecture of perimeter defenses and endpoint protections was not adequate against these adversaries. The authors realized they needed more resources than were actually available. Not only did they need a new cyberdefense architecture, but they also needed an architecture to coordinate an entire cyberdefense program that allowed them to explain to business leaders what they were doing and why.

The challenge to a cyberdefense program is about much more than buying cybersecurity technologies and deploying them. Without budget, those technologies will never be purchased. Without executive backing, the budget will never materialize. Without clear communications, executive backing will never be obtained. Without good organization, clear communications are impossible.

Figure I-3 delineates how a successful cybersecurity program needs to facilitate the coordination of policy, IT life cycle, cybersecurity assessments, and programmatics. The IT life cycle consists of strategy, engineering, and operations functions. Programmatics include the organization of people, budget, and technology. These major components work together to guide, build, and operate an enterprise cybersecurity program.

[Figure I-3: Elements of a Successful Cybersecurity Program. The figure shows policy, people, budget, technology, strategy, engineering, operations, and assessment.]

Figure I-3. A successful cybersecurity program effectively coordinates cybersecurity policy and assessment with the IT life cycle and cybersecurity programmatics.

A challenge is finding a single framework that can satisfy all these cybersecurity program needs.
As the authors looked at major control frameworks and methodologies, they found themselves running into challenges that included the following:

- Policy frameworks did not align well with how people are typically organized or with how cybersecurity is usually assessed.
- Programmatic frameworks focus on business considerations and deal with cybersecurity at a high level of abstraction, such that their guidance is not actionable except in the most general of terms.
- IT life cycle frameworks deal with cybersecurity in broad terms and generally do not consider how cybersecurity needs to be decomposed for management and reporting purposes.
- Assessment frameworks tend to group cybersecurity controls and capabilities in ways that are not aligned with how people or budgets are typically organized.

An Enterprise Cybersecurity Architecture

As the authors looked at existing frameworks and methodologies, they developed a set of requirements for an effective enterprise cybersecurity architecture that addresses the cybersecurity program needs they encountered. They observed that an effective cybersecurity architecture needs to satisfy the following requirements:

- It needs to tie together policy, programmatics, IT life cycle, and assessments using a single framework for delegation and coordination.
- It needs to break down enterprise cybersecurity into a number of sub-areas to communicate that there is more to effective cybersecurity than just firewalls and anti-virus software.
- Sub-areas need to align relatively well with the real-world skills of cybersecurity professionals, the budgets supporting those professionals, and the technologies purchased and maintained with those budgets.
- Sub-areas need to enable quick and efficient reporting of cybersecurity status so that executives can understand the big picture of what is and is not working well.
- Sub-areas need to support the business decision-making process and help leaders define strategy and prioritization.

To satisfy these requirements, the authors envision a new framework that they simply call the enterprise cybersecurity architecture. This framework partitions enterprise cybersecurity into 11 functional areas and then focuses on 113 capabilities within those functional areas, rather than on specific products, technologies, or processes. When the authors organize a cybersecurity program in accordance with this architecture, they can show an entire enterprise cybersecurity posture on a single slide. Users of this architecture can express enterprise cybersecurity needs and challenges to their leadership in straightforward and intuitive ways. This information helps enterprise leadership make informed business decisions regarding how to allocate scarce resources to protect the enterprise.

Figure I-4 depicts an early, simplified cybersecurity status dashboard that came out of the analysis of various control frameworks. Figure I-4 lists the 11 functional areas of the enterprise cybersecurity architecture and then shows the overall status for each functional area along with a corresponding status of supporting capabilities. The figure shows the enterprise's entire cybersecurity posture on one slide. Showing this high-level, comprehensive status helps enterprise leadership envision areas for improvement. With this larger perspective, business leaders readily understand that a single cybersecurity technology is not going to radically change the overall security posture. However, when the cybersecurity capabilities are taken in aggregate, they can make a significant difference.
