Study Notes: Information Systems Security
Cybersecurity Professionals and Their Tasks
Cybersecurity protects systems, networks, and programs from digital attacks aimed at:
• Accessing, altering, or destroying sensitive data
• Extorting money (ransomware)
• Disrupting business operations
Tasks of Cybersecurity Professionals
1. Stay updated on technology and security threats
2. Analyze and evaluate threats
3. Conduct system checks for vulnerabilities
4. Implement security measures and protocols
5. Report to stakeholders
6. Promote security awareness in the organization
Four (4) Cybersecurity Career Paths
1. Security Architect
o Maintains company system security
o Anticipates hacker tactics (thinks like a hacker)
o Often former hackers (understand attacker mindset)
2. Security Consultant
o Advises on security measures
o Assesses threats and creates prevention plans
3. Ethical Hacker (White Hat Hacker)
o Penetrates systems legally to find vulnerabilities
o Helps prevent malicious attacks
4. Chief Information Security Officer (CISO)
o Oversees data and information security
o Manages security operations, access control, and risk
Introduction to Risks, Threats, and Vulnerabilities
The Anatomy of a Cyberattack
1. Reconnaissance
o Hackers research the target (IPs, emails, vulnerabilities)
o Phishing emails to find weak points
2. Attack
o Gain access via stolen credentials (e.g. password hashes cracked with rainbow tables)
o Elevate privileges to admin level
o Steal, encrypt, or destroy data
3. Expansion
o Spread malware across the network
o Maintain persistence even after detection
4. Obfuscation
o Cover tracks (log cleaning, spoofing, Trojan commands)
o Avoid forensic detection
Seven (7) Cybersecurity Risks Impacting Organizations
1. Technology – Digital transformation introduces new vulnerabilities.
2. Supply Chain – IoT and third-party vendors increase attack surfaces.
3. Internet of Things (IoT) – Unsecured devices lead to breaches.
4. Business Operations – Increased connectivity = more vulnerabilities.
5. Employees – Insider threats due to lack of awareness.
6. Regulatory – Compliance must balance security and legal requirements.
7. Board of Directors – Must oversee proactive cybersecurity planning.
Cybersecurity Threats & Vulnerabilities
• Ransomware – Encrypts data for ransom.
• Malware – Malicious software for unauthorized access.
• Social Engineering – Manipulates users into revealing data.
• Phishing – Fraudulent emails to steal credentials.
• Crypting Services – Encrypts malware to evade detection.
• Crimeware – Malware sold on the Dark Web.
• Remote Administration Tools (RATs) – Give hackers remote control.
• Keyloggers – Record keystrokes to steal passwords.
• Exploit Kits – Redirect users to malicious sites.
• Leaked Data – Sold on the Dark Web (credit cards, SSNs).
• Card Skimmers – Steal card data from ATMs/POS systems.
• Unpatched Systems – Outdated software = easy targets.
The CIA Triad (Core Principles of Security)
1. Confidentiality – Only authorized users access data (passwords, encryption).
2. Integrity – Data remains accurate and unaltered (hashing, backups).
3. Availability – Systems/data are accessible when needed (DDoS protection, redundancy).
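Added example (not from the original notes) that shows the Integrity principle in working Python: a SHA-256 digest detects a tampered record, and a keyed HMAC additionally catches an attacker who can edit the record and recompute the stored digest. The record contents, the key and the tampering scenario are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample record (not real data): what a trusted system stores.
RECORD = b"account=1234;balance=500.00"
# Constructed secret key; a real system would keep it in a key store.
KEY = os.urandom(32)


def fingerprint(data: bytes) -> str:
    """Plain SHA-256 digest: detects accidental or unauthorized change of the data."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_digest: str) -> bool:
    """True if the data still matches the stored digest (constant-time compare)."""
    return hmac.compare_digest(fingerprint(data), expected_digest)


def keyed_fingerprint(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of the key can produce a matching value."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed(data: bytes, expected_tag: str, key: bytes) -> bool:
    """True if the data matches the keyed tag."""
    return hmac.compare_digest(keyed_fingerprint(data, key), expected_tag)


def tamper(data: bytes) -> bytes:
    """Simulate an unauthorized edit of the record (constructed scenario)."""
    return data.replace(b"500.00", b"5000.00")


if __name__ == "__main__":
    stored_digest = fingerprint(RECORD)
    stored_tag = keyed_fingerprint(RECORD, KEY)

    print("untouched record, hash check:", verify_integrity(RECORD, stored_digest))
    edited = tamper(RECORD)
    print("edited record, hash check:   ", verify_integrity(edited, stored_digest))
    # Weakness of an unkeyed hash: whoever edits the record can recompute the digest.
    print("edited + recomputed digest:  ", verify_integrity(edited, fingerprint(edited)))
    # The keyed tag cannot be recomputed without the key, so the edit is still caught.
    print("edited record, HMAC check:   ", verify_keyed(edited, stored_tag, KEY))
```

Run stand-alone, the four checks print True, False, True, False: the plain hash catches the edit only while the stored digest is out of the attacker's reach, which is why file-integrity tools keep their digests on a separate, protected system or use a keyed or signed tag.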
Data Classification Standards
• Understanding – Identify data sensitivity and location.
• Creating – Collect and generate data.
• Storing – Secure data with proper access controls.
• Using – Process and analyze data securely.
• Sharing – Control distribution and access.
• Archiving – Preserve data securely.
• Destroying – Securely erase data when no longer needed.
Study Notes: Security Concepts and Goals
1. Security Tactics: People, Processes, and Technology
1.1 People
• Employees are both a risk and a defense.
• Common attacks: Phishing emails, weak passwords.
• Best practices (Cyber hygiene):
o Use strong, unique passwords.
o Separate personal and work accounts.
o Avoid clicking suspicious links.
o Keep software up to date.
o Do not install unknown software.
o Report strange behavior immediately.
1.2 Processes
• Incident Response Plan: Quick recovery after attacks.
• Regular Backups: Test them to ensure recovery.
• Threat Intelligence: Stay updated with local/global threats.
• Prioritize Assets: Use access control and network segmentation.
1.3 Technology
• Integrated tools over isolated solutions.
• Deception Technology: Fake assets to mislead attackers.
• Security Fabric: Integration and automation for quick threat response.
2. Emerging Technologies in Cybersecurity
• Hardware Authentication: Used especially in IoT to verify device legitimacy.
• Cloud Security:
o Migration from on-premises to cloud-based tools.
o Includes virtual firewalls, IDS/IPS.
• Deep Learning (AI & ML):
o Detects anomalous behavior.
o Helps prevent advanced/persistent threats.
o Analyzes entities at macro and micro levels.
3. Five (5) Types of Cybersecurity
Type                              | Description                           | Examples
Critical Infrastructure Security  | Protects vital systems                | Power grids, hospitals
Application Security              | Protects software during development  | Antivirus, firewalls
Network Security                  | Secures internal networks             | Passwords, firewalls
Cloud Security                    | Secures cloud-stored data             | SaaS, IaaS
IoT Security                      | Secures connected devices             | Smart home tech
4. Security Policy and Objectives
Security Policy
• Set of rules for protecting digital and physical assets.
• Should cover: user responsibilities, monitoring, training, and updates.
Security Objectives
1. Resource Protection – Only authorized users access data.
2. Authentication – Verify identity (passwords, digital certificates).
3. Authorization – Ensure correct permissions are granted.
4. Integrity
o Data: Unchanged and untampered.
o System: Reliable and consistent performance.
5. Nonrepudiation – Proof of actions (digital signatures).
6. Confidentiality – Keep sensitive data private.
7. Auditing – Monitor/log both successful and failed access attempts.
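Added example, not from the original notes, that puts objectives 1, 2, 3 and 7 together in Python: a salted password hash verifies identity, a role table decides permissions, and every attempt, successful or failed, lands in an audit log that can then be summarized. The user names, passwords, roles and permission table are constructed sample values, and the in-memory dictionaries stand in for a real user directory and log store.

```python
import hashlib
import hmac
import os
from collections import Counter

PBKDF2_ROUNDS = 100_000


def make_credential(password: str) -> dict:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


# Constructed user store and role-to-permission table (assumption: a real
# system keeps these in a directory service or database).
USERS = {
    "alice": {"cred": make_credential("correct horse battery staple"), "roles": {"analyst"}},
    "bob": {"cred": make_credential("hunter2"), "roles": {"viewer"}},
}
PERMISSIONS = {
    "analyst": {"read", "write"},
    "viewer": {"read"},
}

# Audit trail: one entry per attempt, whether it succeeded or failed.
AUDIT_LOG = []


def audit(user: str, action: str, outcome: str, reason: str = "") -> None:
    AUDIT_LOG.append({"user": user, "action": action, "outcome": outcome, "reason": reason})


def authenticate(user: str, password: str) -> bool:
    """Objective 2: verify identity. Both outcomes are logged (objective 7)."""
    record = USERS.get(user)
    if record is None:
        audit(user, "login", "failure", "unknown user")
        return False
    cred = record["cred"]
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), cred["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(digest, cred["digest"]):
        audit(user, "login", "failure", "bad password")
        return False
    audit(user, "login", "success")
    return True


def authorize(user: str, action: str) -> bool:
    """Objective 3: check that the authenticated user's roles grant the action."""
    roles = USERS[user]["roles"]
    allowed = any(action in PERMISSIONS.get(role, set()) for role in roles)
    audit(user, action, "success" if allowed else "failure", "" if allowed else "no permission")
    return allowed


def access_resource(user: str, password: str, action: str) -> bool:
    """Objective 1: the resource is reached only after both checks pass."""
    return authenticate(user, password) and authorize(user, action)


def failed_logins_per_user(log) -> Counter:
    """Objective 7 in use: failed attempts per account are what a reviewer reads first."""
    return Counter(e["user"] for e in log if e["action"] == "login" and e["outcome"] == "failure")


if __name__ == "__main__":
    print(access_resource("alice", "correct horse battery staple", "write"))  # True
    print(access_resource("bob", "hunter2", "write"))                         # False: no permission
    print(access_resource("alice", "wrong password", "read"))                 # False: bad password
    print(access_resource("mallory", "anything", "read"))                     # False: unknown user
    for entry in AUDIT_LOG:
        print(entry)
    print(failed_logins_per_user(AUDIT_LOG))
```

Note that a failed authorization ("bob" trying to write) is logged as a failed action rather than a failed login, so the summary of failed logins stays a clean signal for password guessing while the full log still records the permission denial.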
5. IT Security Frameworks
1. NIST Cybersecurity Framework
• Components:
o Core – Defines common security activities.
o Tiers – Measure risk management maturity.
o Profiles – Customize security practices to organizational needs.
2. ISO/IEC 27000 Family
• For all industries; focuses on ISMS (Information Security Management System).
• 6 Steps:
1. Define security policy
2. Define ISMS scope
3. Risk assessment
4. Risk management
5. Choose control objectives
6. Prepare statement of applicability
3. PCI DSS (for Payment Security)
• Six (6) Principles:
1. Secure networks
2. Protect card data
3. Vulnerability management
4. Access control
5. Monitor/test networks
6. Maintain security policies
6. Security Architecture
• Unified design to protect IT systems.
• Includes:
o Relationships & Dependencies – Interconnection of components.
o Benefits – Cost-effective, standard-based.
o Form – Catalogs, diagrams, and principles.
o Drivers – Risk, best practices, financial, legal requirements.
Key Phases:
1. Architecture Risk Assessment
2. Security Design & Architecture
3. Implementation
4. Operations & Monitoring