access termination 141
add-ins and extensions 134, 147
administration rights usage 60
Amazon 17, 21, 28, 29, 55, 127
Amazon Web Services 19
antivirus software 61, 101, 121, 130, 131, 145, 153
Apple 28, 34, 85, 126, 129–31, 134, 135, 148, 151
applications 11, 19, 32, 59–62, 84, 85, 89, 116, 129–30
  banking 128
  control 141
  email 125
  layer attacks 89
  social media 14
  software 64
  user 117
  VoIP 152
  website 76
artificial intelligence (AI) 32
assets 85, 99, 100, 101, 104, 114, 115
asymmetric encryption 134, 135
authentication 7, 8, 32, 47, 59, 84, 141, 152
availability 3, 7–8, 11, 12, 60, 84, 101, 114, 117
awareness 66, 67, 93, 115, 131, 146, 149, 150, 152, 155, 156–61
backups 58, 61, 117, 118, 126, 144–5
bait and switch 88
banking applications 128
brand and reputation impacts 72
bring your own device (BYOD) 60, 62, 146, 147
brute force attacks 84, 90, 92, 143
buffer overflow attacks 90
business continuity 110, 112, 114–16, 138, 149
  institute (BCI) 114
  management 114
  Management Professional Practices 115
  strategy 41
  Technical Professional Practices 115
business email compromise (BEC) fraud 81
business targets 41
capability maturity models 38
cellular network attacks 93
Centre for the Protection of National Infrastructure (CPNI, UK) 42, 48, 49, 168, 170
chemical plant targets 42
Children’s Online Privacy Protection Act (COPPA, US) 27
cold standby systems 117
communications targets 43
compromised systems 147
computer emergency response teams (CERTs) 169
computer security incident response teams (CSIRTs) 169
confidentiality 7, 8, 11, 60, 101, 134, 152, 166, 168
conflict of ideals 9
connectivity 3, 49, 56, 64, 92, 118
contingency planning 149
control types/implementation 109, 121, 122, 123
credit cards 34
criminals 27, 32, 40, 47, 77, 80, 81, 83
  cyber 16, 18, 40, 42, 56, 89, 95
critical infrastructure (CI) 23, 25, 42–53, 78, 164
customer expectations 36
cyber
  criminals 16, 18, 40, 42, 56, 89, 95
  harassment/cyber bullying 16, 21–2, 25
  incursion 23
  security see cyber security
  stalkers/stalking 22
  trolls/trolling 22
Cyber Essentials scheme (UK) 36, 37, 39, 187
cyber security
  advice 186–8 (Appendix B)
  capabilities 38
  cyber harassment/cyber bullying 16, 21–2
  financial burden 38
  law 189–93 (Appendix C)
  main principles 38
  National Cyber Security Centre (NCSC) 48, 49, 56, 122, 132, 143, 186, 188
  organisational security 138–54
  relationships with other security 11–12
  SANS Institute Sliding Scale 122–3
  training 161–2, 194–6 (Appendix D)
Cyber Security Information Sharing Partnership (CiSP) 168, 169
dark patterns 20–1, 33, 66, 87–9
data
  analytics 35
  biometric 11
  centre 54, 59, 67, 68, 108, 116, 119
  database 8, 9, 29, 32, 41, 91, 130
  exif 32
  GDPR 5, 11, 30, 31, 33, 36, 37, 64, 174, 192–3
  genetic 11
  journey 6
  personal 5, 7, 10, 37, 64, 90, 193
  protection 7, 27, 36, 37, 64, 72, 138–40, 160, 174
  retention 140
  sets 10
  use 27
  user 61
Data Protection Act (DPA) 11, 140, 190
deception 26
decision-making 5
Defense Advanced Research Projects Agency (DARPA) 56
denial of service (DoS) 18–19, 48
device locking 129
Diamond Model of Intrusion Analysis 123
Digital Operational Resilience Act (DORA) 64, 65
Digital Services Act (EU) 21
directive policies 138, 139, 140–1
disaster recovery 112, 114, 116–19, 120, 138, 149
distributed denial of service (DDoS) 18–19
email 31, 91–2, 125–6, 150, 152–3
emergency services targets 45
encryption 28, 93, 126, 129, 134–6, 146, 151–2
‘end of life’ storage media 62
end point devices 65
end-to-end encryption 28
enforced subscriptions 88
espionage 15, 20, 23–4, 56, 75, 79, 81–2
exif data 32
Facebook/Meta 6, 7, 15, 27, 35, 37, 69, 88, 94, 127
failures 7, 8, 38, 58, 60, 63, 73, 103, 112–14
Federal Bureau of Investigation (FBI) 28
fire prevention 119
firewalls 64, 84, 89, 108–9, 118, 121, 122, 130–1, 143, 150–1, 153, 154
food production targets 48
forms of payment 34
freedom 15
freedom of information 139, 140
friend spam 88
F-Secure 4
General Data Protection Regulation (GDPR) 5, 11, 30, 31, 33, 36, 37, 64, 174, 192–3
good practice 36, 60, 63, 66, 123, 139, 150, 151, 168, 186–8 (Appendix B)
Great Firewall of China 26
hacking 5, 17–18, 56, 59, 61, 76, 77, 82–5, 101, 103
Health Insurance Portability and Accountability Act (HIPAA, US) 36
heating, ventilation and air conditioning (HVAC) 54, 67, 100
Herod clause 4
home entertainment systems 35, 63
hot standby systems 117
identity theft 71
impact scales 102
implied consent 30
incident response 41, 49, 149, 168, 169
individual internet user steps 124, 133–4
individual targets 40
industrial espionage 20, 56, 81, 82
information
  acquired 29
  business 63
  classification 140, 151, 163, 165, 166
  confidential 66
  credit card 3
  organisation’s 122, 138, 139, 148, 155, 161
  personal 3, 4, 29, 33, 35, 68–70, 83, 94, 126–7, 140, 146
  retention 140
  security 7–12, 38, 59, 72, 110, 139, 158
  security triad 7
Information Commissioner’s Office (UK) 30
information sharing and analysis centres (ISACs) 169–70
integrity 7, 8, 11, 60, 71, 101, 134, 135, 139, 152, 164, 166
intellectual property (IP) 41, 71, 72, 146
  theft 4, 19–20, 44, 50, 82, 126
international standards 36, 38–9, 139, 173
Internet Protocol cameras 65
internet search 27, 28, 29, 34, 55
Internet Service Providers’ Association 29
intrusion detection systems (IDSs) 18, 61, 79, 85, 86, 153–4
investigative journalists 76–7, 82–3
Investigatory Powers Act (UK) 29, 190–1
iRobot 28
ISO/International Electrotechnical Commission (IEC) 27001 36, 39, 167, 174–8
Java 131
knowledge 7, 9, 17, 23, 29, 37, 89
legal compliance 36
likelihood or probability 101–2
likelihood scales 103
location 3, 4, 6, 10, 32, 33, 52, 59, 85, 108, 124, 137
malicious damage 81
Management Professional Practices 115
misdirection 88
mobile devices 60, 93, 137, 146, 147
National Cyber Security Centre (NCSC) 48, 49, 56, 122, 132, 143, 186, 188
National Security Agency (NSA) 27, 83
network protocol attacks 91
operating systems 11, 61, 64, 84, 87, 117, 126, 129–30, 134, 145, 147, 151
operational failures 73
organisational impacts 58, 71–3
password management 59, 66, 132, 142, 143
Payment Card Industry Data Security Standard (PCI DSS) 36
peer-to-peer (P2P) networking 19, 140–1
people-related vulnerabilities 66–7
peripherals 147
personally identifiable information (PII) 10, 27, 37, 93, 94
physical access 6, 67, 85, 123, 153
physical and environmental vulnerabilities 67–8
physical security 111, 123–4, 153, 175
pirated software 126
Plan–Do–Check–Act cycle 110–11, 110, 114
policy, process and procedure vulnerabilities 59–63
poor coding practice 63, 64, 101
privacy 3, 8–9, 24, 29, 33, 37, 81, 124, 139
psychological cyber warfare 25–6
qualitative and quantitative assessments 102–3
quality assurance 64
ransom/ransomware 48, 49, 56, 72, 79, 80, 87, 91, 92, 94
retention of emails 31
right to be forgotten 36
risk
  assessment 62, 103, 104, 106, 108, 114, 115
  cyber-attackers, for 16, 24, 25, 47, 95–6
  environment 99
  management 36, 38, 99–111, 114, 121
  reduction 108
roach motels 88
roadblocks 88
rogue update attacks 91
Roomba 28
rule of least privilege 133
sabotage 25
Safe EU–US Privacy Shield agreement 37
SANS Institute Sliding Scale of Cyber Security 122–3
scams 4, 14, 40, 77, 80, 94, 125, 128
Schrems, Max 37
screen locking 133
script kiddies 17, 18, 75, 76, 84, 100
Secure Socket Shell (SSH) key 152
security
  cyber see cyber security
  information 7–12, 38, 59, 72, 110, 139, 158
  practices 18, 36, 38, 149, 155
  services 4, 24, 27, 28, 31, 32, 34, 81, 123, 190
security agency surveillance 79
security information exchanges (SIEs) 168, 169–70
security triad 7
service set identifiers (SSIDs) 59, 92, 136, 146
shared information
shared network resources 144
single points of failure (SPoFs) 64
small-to-medium enterprise (SME) 36–9, 48, 68, 120, 122, 140, 157
smartphones 4, 5, 8, 31–3, 40, 85, 93, 123, 125, 143
smoke detection 119
social engineering 18, 66, 67, 90, 94, 103, 125, 159
social media 14, 15, 21, 22, 41, 86, 93–4, 128, 191
social networks 6, 63, 69, 127–8
standards 38–9, 173–85 (Appendix A)
storage area networks (SANs) 145, 153
store loyalty schemes 33
Supervisory Control and Data Acquisition (SCADA) 25, 47, 57
surveillance 24, 27–35, 79 see also cyber surveillance
Target (chain store) 18
target(s) 16–19, 22, 25–7, 40–57, 75, 78, 80–2, 85–7, 94
  academia and research 56
  Bluetooth 93
  business 41
  cellular network 93
  chemical plant 42
  communications 43
  critical national infrastructure (CNI) 42–53
  emergency services 45
  food production 48
  individual 40
  manufacturing and industry 56–7
  water 53
targeted surveillance 27
Technical Professional Practices 115
technical security 18, 111, 129–35
technical vulnerabilities 63–5
terms and conditions 4, 5, 32–4, 192
terrorists 4, 24, 27, 32, 75, 77–8, 81
text messaging/messages 21
Traffic Light Protocol (TLP) 163, 165
training 38, 67, 117, 149, 152, 155, 156, 158–62
Transport Layer Security (TLS) key 152
trolling 22
Trump, President Donald 22, 31, 32, 34, 47, 69, 85, 125
trust 9, 70, 83, 135, 163, 164, 166, 167
Twitter 6, 15, 22, 69, 88, 94, 127
unacceptable use 63
user access rights 59
User Account Control (UAC) 130
virtual private networks (VPNs) 136, 153
Voice over Internet Protocol (VoIP) applications 152
Vtech 5
vulnerabilities 99–101, 104, 115, 147, 156, 163, 169
  Bluetooth 137
  hacktivists 76
  Java 131
  physical and environmental vulnerabilities 67–8
  policy, process and procedure 59–63
  technical vulnerabilities 63–5
  ‘zero-day’ 145
warm standby systems 117
warning, advice and reporting points (WARPs) 168
website defacement 17
‘Weeping Angel’ 35
WhatsApp 28
whistleblowing 83