Index
- Accenture, 25–26
- accountability, breaches and, 98. See also data breaches
- Active Cyber Defense Certainty (ACDC) bill, 106–107, 113, 114
- active defense, 101–116
- definition of, 104–107
- ethics of, 111–115
- examples of, 105
- hacking back and, 107–112
- affect bias, 52
- agile enterprises, 69–70
- air gaps, 8. See also cyber hygiene
- Apple, 120–121
- artificial intelligence (AI), 5, 71, 75, 141–145
- Assante, Michael, 10–11
- asset-intensive industries, 9, 10
- Atlanta, GA, 2
- audits, 64. See also data breaches, preparation for
- auto-updates, 77–78
- awareness training, 79–80. See also employees
- backup systems, 17, 20. See also data breaches, preparation for
- behavioral economics, 49–57
- behavioral science, 75–77, 79–80
- Berinato, Scott, 23–37, 101–116
- best practices, and cybersecurity, 8–9
- biases, 75–76, 78
- big data, 126. See also privacy; machine learning
- Blau, Alex, xi–xvi, 49–57, 73–83
- boards of directors
- cybersecurity and, 39–48, 69
- lack of expertise on, 44, 46
- recommendations for, 46–47
- Bochman, Andy, 1–22, 101–102, 110
- Bostrom, Nick, 142. See also artificial intelligence (AI)
- Bourdon, Bill, 93–100
- brain-computer interfaces, 144. See also artificial intelligence (AI)
- breaches. See data breaches
- Buffett, Warren, 69
- Burt, Andrew, 117–124, 125–130
- business disruptions, 36. See also trends, in cybersecurity
- business exposure, 61–62, 64–65. See also risk management
- calendar commitments, 77–78
- Cambridge Analytica, 127. See also privacy
- CCE. See consequence-driven, cyber-informed engineering (CCE) methodology
- Cheng, J. Yo-Jud, 39–48
- chief executive officers (CEOs), 9, 18–19, 52–53, 55, 60–66. See also C-suite
- chief financial officers (CFOs), 61. See also C-suite
- chief information officers (CIOs), 61. See also C-suite
- chief information security officers (CISOs), 53, 54, 61, 62–63. See also C-suite
- chief operating officers (COOs), 18–19. See also C-suite
- chief risk officers (CROs), 61, 62–63
- chief vulnerability officers, 64
- China, 132, 134–137
- CIE. See cyber-informed engineering
- Cisco Systems, 46, 135
- Citrix Systems, 135
- cloud computing, 5
- Cold War 2.0, 135
- consequence-driven, cyber-informed engineering (CCE) methodology, 12–19
- generating mitigation and protection options, 17–19
- identifying crown jewel processes, 14–15
- illuminating likely attack paths, 16–17
- mapping digital terrain, 15–16
- overview of, 12–13
- consequence prioritization, 14. See also risk management
- Cook, Tim, 118, 120–122
- Coreflood malware, 113, 114
- credit card data, 29–30
- criminal syndicates, 1, 20, 60
- critical infrastructure attacks, 27
- C-suite
- accountability of, 98
- cyber risk metrics and, 59–66
- mistakes by, following data breaches, 93–100
- risk agility and, 70
- customer data, xiii–xv, 29–30
- customers, failure to notify, following breach, 94–95. See also data breaches
- customer service, 95–96. See also data breaches
- customer trust, 117–124
- cyberattackers. See hackers
- cyberattacks, xiii
- AI-enabled, 141–142
- common targets for, 29–32
- containment of, 63–64
- cost of, 4–5, 26, 33–37, 46, 62, 73–74
- defenses against, 69–70
- detection of, 63
- high-profile, 9, 60, 70
- increase in, 1–2, 7, 24, 27, 60, 68–69
- mistakes following, 93–100
- pathways for, 31
- preparation for, 63, 68–72
- simulated, 64
- success ratio for, 27–29
- threat of, 46–47
- trends in, 23–37
- See also data breaches
- cyber hygiene
- approaches to, 8
- limitations of, 7–11, 101
- cyber-informed engineering (CIE), 12
- cyber risk, 68
- C-suite and, 59–66
- exposure to, 61–62
- cyber safety culture, 19–20
- data, xiii
- big, 126
- credit card, 29–30
- customer, xiii–xv, 29–30
- data breaches, xiii, 122
- contingency plans for, 44
- cost of, 73–74
- danger of, 126, 128
- detection of, 6–7
- high-profile, 9, 70
- mistakes following, 93–100
- notification laws, 95
- preparation for, 19–20
- top sources of, 31, 32
- trends in, 23–37
- underreported, 70
- See also cyberattacks
- data encryption, 8. See also cyber hygiene
- data privacy, 120, 125–130. See also privacy
- data protection, 117–124
- data security, xiv–xv, 118
- default options, 77
- Denning, Dorothy, 103–105, 107–109, 112–115
- digital technologies
- benefits of, 7
- complexities of, 6–7
- mapping, 15–16
- reducing dependency on, 12–21, 36–37, 110
- susceptibility to cyberattacks, 4
- vulnerabilities of, 5–7
- Disparte, Dante, 67–72
- emotional appeals, 51–52. See also investment, in cybersecurity
- employees
- bad habits of, 73–83
- comparing with peers, 78–79
- cyberattacks by, 70–71
- feedback for, 79–80
- interaction between IT department and, 90–91
- internal security tests for, 89
- simple rules for, 85–92
- training, 67–72, 73–83, 88–89
- trusted, 18
- as weakest link, 54–56, 68, 85–86
- energy companies, cost of cybercrime for, 35
- Equifax, 2, 74, 94, 96–98
- ethics
- of active defense, 111–115
- of hacking back, 111–113
- executives. See C-suite
- external threats, 28, 46, 55
- Facebook, 120, 127
- failures, cybersecurity, 143–144. See also data breaches
- Federal Information Security Modernization Act (FISMA), 50
- feedback systems, 79–80
- financial decision makers, appealing to emotions of, 51–52
- financial impact, of cyberattacks, 4–5, 26, 33–37, 46, 62, 73–74
- firewalls, 8, 50
- foot dragging, 94–95. See also data breaches
- foreign adversaries, xii, 1, 11, 20, 60, 131–132
- Furlow, Chris, 67–72
- future world, xi–xii
- General Data Protection Regulation (GDPR), xiv–xv, 61, 95
- German Federal Intelligence Service (BND), 134
- Germany, 33, 132, 134, 136
- Google, 120, 136
- governments, trade policies of, 131–139
- Groysberg, Boris, 39–48
- hackers, xii
- end goals of, 14
- external, 28, 46, 55
- internal, 27, 55, 70–71
- sophisticated, 10–11
- types of, 27, 28, 60
- understanding mindset of, 19
- hacking back, 101–116
- hardware
- inventory of, 8, 9
- mapping, 15–16
- Hogg, Jason J., 59–66
- Home Depot breach, 70
- Huang, Keman, 131–139
- Huawei, 136–138
- human behavior, as biggest cyber threat, 74–76, 85–86
- human-centered defenses, 68–72
- IBM, 74
- Idaho National Lab (INL), 2, 3, 12–19
- ideas 42, 51, 76
- incident-response plans, 63–64, 95
- industrial companies
- boards of directors of, 44
- threats to, 3–5
- industrial control systems, 2–3
- information
- cost of losses, 36
- withholding, 94–95
- See also data
- information security regulations, xiv–xv, 61, 71
- infrastructure sector, threats to, 3–5
- internal threats, 27, 55, 70–71
- international trade, 131–139
- internet, xi, 1–22
- internet of things, 5, 132
- investment, in cybersecurity, 24, 35–37, 67–72, 74. See also underinvestment, in cybersecurity
- Iran, 11, 132
- issue, cybersecurity as ongoing, 50–51
- IT departments, 90–91
- IT industry, 44
- Johnson, Simon, 131–139
- Kaspersky Lab, 134
- Lee, Robert M., 103–105, 107, 109–110
- Lin, Patrick, 110–111
- LinkedIn, 137
- Lockheed Martin, 16
- Lysne, Olav, 118–120, 122
- machine learning, 5, 71, 126
- Madnick, Stuart, 131–139
- malware, 2, 74, 103, 108–109, 110, 113, 132
- Mao Zedong, 106
- Marriott breach, 128
- Mayer, Marissa, 95
- McAfee, 135
- mental models, 50–53
- Mirai malware, 74
- mission-critical systems, security for, 2–3
- mistakes, following data breach, 93–100
- mitigation measures, 17–19
- Moore’s Law, 69
- multi-factor authentication, 87
- My Friend Cayla, 132, 134, 136
- Natanz nuclear facility, 132
- National Institute of Standards and Technology (NIST), 8, 50, 87
- national security, 2, 118–119
- National Security Agency, 5
- nation-states, 1, 11, 60, 131–132
- NetBotz, 134
- North American Free Trade Agreement (NAFTA), 136
- North Korea, 5, 20
- NotPetya malware, 2, 4, 5
- oil companies, 2, 11, 14
- Opower, 78–79
- organized crime, 1, 20, 60
- orthogonality thesis, 142
- overconfidence, 53–54. See also underinvestment, in cybersecurity
- passive defense, 105
- password policies, 86–87
- passwords, xii, 8
- penetration testing, 55
- Perry, Matt, 23–37
- personal information, 29–30
- Petya malware, 74
- phishing attacks, 80, 86, 88–89
- Phishme, 80
- Plan B, 20. See risk management
- planning, scenario. See risk management
- PlayStation Network (PSN) breach, 97, 98
- policies, cybersecurity, 86–87
- Ponemon Institute, 7, 26
- present bias, 78. See also employees, bad habits of
- privacy
- cybersecurity and, 125–130
- regulations, 122
- rights, 120, 128–129
- protection measures, 17–19
- psychology, 50, 75–76
- public sector
- attacks on, 28
- cost of cybercrime for, 35
- ransomware, 27, 60, 110–111
- regulations, xiv–xv, 61, 71, 95, 122
- return, on cybersecurity investment, 49–50
- risk agility, 69–70
- risk management, xii, 51, 69
- CEE methodology for, 12–19
- risk metrics, 59–66
- ROI. See return, on cybersecurity investment
- Russia, 5, 20, 132, 135, 137
- SANS Institute, 8, 11
- Saudi Aramco, 11
- scenario planning. See risk management
- Securities and Exchange Commission (SEC), 94
- security patches, 8–10, 75–78
- security policies, 86–87
- security technology, 68, 71, 74, 75
- security trends, 23–37
- senior executives. See C-suite
- sense something, do something, 70. See also employees, training
- Shamoon virus attack, 11
- social proof, 78–79
- software
- inventory of, 8, 9
- mapping, 15–16
- trust and, 117–124
- updating, 8–10, 75–78
- vulnerabilities of, 117–118
- Sony, 97, 98
- Sony Pictures, 60
- staff, cybersecurity, 8. See also employees
- Strawser, Bradley J., 104, 112
- Stuxnet attack, 132
- success metrics, 53
- superintelligent AI (SAI) systems, 143–144
- SWIFT banking hack, 70
- Target breach, 70, 73–74, 94
- targets
- commonly compromised, 29–30, 32
- identification of, 14–15
- likely attack paths for, 16–17
- multiple, 31
- vulnerability of, 28
- teachable moments, 88–89. See also employees, training
- technological innovations, xi–xii, 75
- technology, 68, 71, 74, 75
- Telegram, 136
- terrorist groups, 1, 20
- threats, xii, xv, 1–22
- current, 3–5
- danger of, 46–47
- external, 28, 46, 55
- human, 68, 74–76
- increase in, 5–7, 60, 69
- internal, 27, 55, 70–71
- sources of, 68
- understanding, 61–62
- top executives. See C-suite
- trade policy, 131–139
- training, 67–72, 79–80, 88–89
- transparency, 60, 96–97
- trends, in cybersecurity, 23–37
- tripwires, 17, 68
- trust, 117–124
- Ukraine, 5
- underinvestment, in cybersecurity, 49–57. See also investment, in cybersecurity
- understanding, cybersecurity, xii–xv
- unintended inferences, 126–128
- United Kingdom, 137–138
- United States
- cost of cybercrime in, 33
- trade policy and, 132, 134–135
- U.S. economy, 1, 2
- user behavior, 73–83. See also employees, training
- user data, 29–30
- utility companies, 2
- best practices and, 9–10
- cost of cybercrime for, 35
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.