Threat landscape
• Threat landscape in Canada
• Threat in businesses
• Threat/risk in higher education (industry in focus)
Threat landscape in Canada
Societal level threats
• Cyberwarfare/cyberattacks on critical infrastructure
• Cyberwarfare/cyberattacks on public service institutions, i.e., on essential services and sensitive information
Business level threats
• Businesses face an increasing risk of cybercrime, especially data breaches from commercial espionage, commercial data theft, and social engineering schemes.
Individual level threats
• Canadians face a rising cyber risk of falling victim to cybercrime, especially identity theft.
• State and business surveillance
• Political interference: malicious online influence activity
Table 1: Cybersecurity Threats Facing Individuals, Businesses, and Society (CSE, 2018)
Canada’s cybersecurity threat landscape
Threat in businesses
Business-level threats: businesses face an increasing risk of cybercrime, especially data breaches from commercial espionage, commercial data theft, and social engineering schemes.
Key information security threats to businesses:
• DoS and other network attack techniques against information confidentiality, integrity, and availability.
• A combination of social engineering and malware, especially ransomware.
• Identity theft through social engineering and phishing schemes.
Threat/risk in higher education (industry in focus)
According to EDUCAUSE, a U.S.-based nonprofit association that helps higher education elevate the impact of IT, with a community of over 100,000 members spanning 45 countries, information security was the number one IT governance issue in 2016. The top higher education information security risks that were a priority for IT in 2016 were 1) phishing and social engineering; 2) end-user awareness, training, and education; 3) limited resources for the information security program (i.e., too much work and not enough time or people); and 4) addressing regulatory requirements (Grama & Vogel, 2017).
Information Security Risk in Higher Education (Adapted from EDUCAUSE, 2019)
1) Phishing and Social Engineering
“Over the past two decades, phishing scams have become more sophisticated and harder to detect.” While traditional phishing messages “sought access to an end user’s institutional access credentials (e.g., username and password),” today “ransomware and threats of extortion are common in phishing messages, leaving end users to wonder if they have to actually pay the ransom.”
2) End-User Awareness, Training, and Education
End-user awareness, training, and education “is critical as campuses combat persistent threats and try to make faculty, students, and staff more aware of the current risks.” While “the majority of U.S. institutions (74%) require information security training for faculty and staff, those programs tend to be leanly staffed with small budgets.”
3) Limited Resources for the Information Security Program
The 2015 EDUCAUSE Core Data Service survey, covering all U.S. higher education institutions, showed that about 2 percent of total central IT spending is allocated to information security and that there are 0.1 central IT information security FTEs (full-time equivalents) per 1,000 institutional FTEs. About 55% of respondents said the security awareness budget for 2016 was less than 5K; about 25% said they did not know; 15% said between 5K and 25K; 7% said between 25K and 50K; and less than 1% said between 50K and 100K. “With limited resources, higher education institutions must be creative and collaborative in addressing information security awareness needs.”
4) Addressing Regulatory Requirements
The regulatory environment affecting higher education IT systems is complex. Data protection in higher education IT systems is governed by a patchwork of different federal and/or state laws rather than by one national data protection law. Student data are traditionally protected by the Family Educational Rights and Privacy Act of 1974 (FERPA), “although some types of student data, when it is held in healthcare IT systems, may be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).” In addition, some types of student and institutional employee financial data may be protected by the Gramm-Leach-Bliley Act (GLBA). State laws may impose data-breach notification requirements, and contractual agreements may carry their own lists of technical security controls that must be implemented and validated in IT systems. (Grama & Vogel, 2017)