Hacking ebook cisojourney

Document information

Posted: 05/11/2019, 21:30

The CISO Journey: Life Lessons and Concepts to Accelerate Your Professional Development

Internal Audit and IT Audit
Series Editor: Dan Swanson

- A Guide to the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (2.0), Dan Shoemaker, Anne Kohnke, and Ken Sigler, ISBN 978-1-4987-3996-2
- A Practical Guide to Performing Fraud Risk Assessments, Mary Breslin, ISBN 978-1-4987-4251-1
- Corporate Defense and the Value Preservation Imperative: Bulletproof Your Corporate Defense Program, Sean Lyons, ISBN 978-1-4987-4228-3
- Data Analytics for Internal Auditors, Richard E. Cascarino, ISBN 978-1-4987-3714-2
- Fighting Corruption in a Global Marketplace: How Culture, Geography, Language and Economics Impact Audit and Fraud Investigations around the World, Mary Breslin, ISBN 978-1-4987-3733-3
- Investigations and the CAE: The Design and Maintenance of an Investigative Function within Internal Audit, Kevin L. Sisemore, ISBN 978-1-4987-4411-9
- Internal Audit Practice from A to Z, Patrick Onwura Nzechukwu, ISBN 978-1-4987-4205-4
- Leading the Internal Audit Function, Lynn Fountain, ISBN 978-1-4987-3042-6
- Mastering the Five Tiers of Audit Competency: The Essence of Effective Auditing, Ann Butera, ISBN 978-1-4987-3849-1
- Operational Assessment of IT, Steve Katzman, ISBN 978-1-4987-3768-5
- Operational Auditing: Principles and Techniques for a Changing World, Hernan Murdock, ISBN 978-1-4987-4639-7
- Securing an IT Organization through Governance, Risk Management, and Audit, Ken E. Sigler and James L. Rainey, III, ISBN 978-1-4987-3731-9
- Security and Auditing of Smart Devices: Managing Proliferation of Confidential Data on Corporate and BYOD Devices, Sajay Rai, Philip Chukwuma, and Richard Cozart, ISBN 978-1-4987-3883-5
- Software Quality Assurance: Integrating Testing, Security, and Audit, Abu Sayed Mahfuz, ISBN 978-1-4987-3553-7
- The CISO Journey: Life Lessons and Concepts to Accelerate Your Professional Development, Gene Fredriksen, ISBN 978-1-138-19739-8
- The Complete Guide to Cybersecurity Risks and Controls, Anne Kohnke, Dan Shoemaker, and Ken E. Sigler, ISBN 978-1-4987-4054-8
- Cognitive Hack: The New Battleground in Cybersecurity ... the Human Mind, James Bone, ISBN 978-1-4987-4981-7

The CISO Journey
Life Lessons and Concepts to Accelerate Your Professional Development
Gene Fredriksen

CRC Press, Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742

© 2017 by Taylor & Francis Group, LLC. CRC Press is an imprint of Taylor & Francis Group, an Informa business. No claim to original U.S. Government works. Printed on acid-free paper.

International Standard Book Number-13: 978-1-138-19739-8 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged, please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data
Names: Fredriksen, Gene, author.
Title: The CISO journey : life lessons and concepts to accelerate your professional development / Gene Fredriksen.
Description: Boca Raton, FL : CRC Press, 2017.
Identifiers: LCCN 2016043407 | ISBN 9781138197398 (hb : alk. paper)
Subjects: LCSH: Chief information officers. | Computer security. | Computer networks--Security measures. | Data protection.
Classification: LCC HF5548.37 F735 2017 | DDC 658.4/78--dc23
LC record available at https://lccn.loc.gov/2016043407

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Contents

List of Figures
List of Tables
Prologue
Foreword
Acknowledgments
Author

Section I: INTRODUCTION AND HISTORY

Introduction: The Journey
Learning from History?
  My First CISO Lesson: The Squirrel
  The Big Question: How Did I End Up in Info Security?

Section II: THE RULES AND INDUSTRY DISCUSSION

A Weak Foundation Amplifies Risk
  Patching: The Critical Link…
  It’s about More Than Patching
  Patching Myth One
  Patching Myth Two
  Patching Myth Three
  Patching Myth Four
  Scanning Required!
  Misconception One
  Misconception Two
  Misconception Three
  Misconception Four
  Misconception Five
  Environment Control
  Tracking IT Assets
  Risk Management
  Key Questions to Ask

If a Bad Guy Tricks You into Running His Code on Your Computer, It’s Not Your Computer Anymore
  Worms, Trojans, and Viruses: What’s in a Name?
  Myth One
  Myth Two
  Myth Three
  Myth Four
  Myth Five
  Myth Six
  Myth Seven
  Myth Eight
  Myth Nine
  Myth Ten (and My Personal Favorite)
  Attack Types Are Wide-Ranging
  Social Engineering

There’s Always a Bad Guy Out There Who’s Smarter, More Knowledgeable, or Better-Equipped Than You
  What about Your People?
  Plan for the Worst
  Not All Alerts Should Be Complex
  What about Wireless?
  Context-Aware Security
  Suggested Reading

Know the Enemy, Think Like the Enemy
  Monitoring What Leaves Your Network Is Just as Important as Monitoring What Comes In: Introducing the “Kill Chain” Methodology
  Stack the Deck in Your Favor
  Picking the Right Penetration Test Vendor
  How Should Penetration Testing Be Applied?
  Selecting a Vendor

Know the Business, Not Just the Technology
  The Role of Risk Management within the Enterprise
  Separation of Duties
  Is There an Overlap between Legal, Compliance, and Human Resources?
  A Model Structure
  Risk Management/Organizational Management Interaction
  Executive Steering Committee
  Information Security Officer Committee
  Information Security Department Staffing
  The Compliance Arm of the CISO Office
  Security Operations and Engineering
  User Access and Administration
  Advice for the New CISO
  Tying Your Goals and Objectives to Company Goals
  Conclusion

Technology Is Only One-Third of Any Solution
  Let’s Look at Risk Management and the People, Process, and Technology Methodology
  Safe Harbor Principles
  Prevent
  Detect
  Respond
  Recover

10 Every Organization Must Assume Some Risk
  No Is Seldom the Answer
  Strive for Simplicity
  Risk Planning Is Just as Important as Project Planning
  Dealing with Internal Audit
  The Work

11 When Preparation Meets Opportunity, Excellence Happens
  End-User Training and Security Awareness
  Flashback to High School Memories…
  Training Methods
  New Hire Training
  Awareness Seminars
  Security Policy
  Roles and Responsibilities
  Company Board and Executives
  Chief Information Officer
  Information Technology Security Program Manager
  Managers
  Users
  Formal Training
  Brown Bag Lunches
  Organizational Newsletters
  Awareness Campaigns
  Tests and Quizzes
  Funding the Security Awareness and Training Program
  Summary

12 There Are Only Two Kinds of Organizations: Those That Know They’ve Been Compromised and Those That Don’t Know Yet
  Loss Types
  Consequences of Loss
  How Can DLP Help?
  Prevention Approach
  PCI DSS Credit Card Guidelines
  Guidelines
  Credit Card Processing Procedures
  Employee Loyalty Is a Factor
  What Can You Do?

13 In Information Security, Just Like in Life, Evolution Is Always Preferable to Extinction
  Security Strategic Planning
  The Planning Cycle
  Foundation/Strategy
  Assessment and Measurement
  Key Risk Identification
  Develop the Strategic Plan
  Process Inputs
  Money, Money, Money…
  Capital Expenditures
  Operational Expenses

14 A Security Culture Is In Place When Talk Is Replaced with Action
  Introduction
  Training
  Basics
  Technology
  Data Security
  Productivity
  Communication
  E-mail
  Morale
  Metrics and Measures
  Workplace
  Conclusion

15 NEVER Trust and ALWAYS Verify
  Trust Your Vendors: Home Depot
  Nervous about Trusting the Cloud?
  Does Your System Encrypt Our Data while They Are Stored on Your Cloud?
  Does the Provider Have a Disaster Recovery Plan for Your Data?
  Don’t Confuse Compliance with Security
  Has the Potential Vendor Earned Certifications for Security and Compliance That Can Provide Assurance of Their Capabilities?
  What Physical Security Measures Are in Place at the Supplier’s Data Centers?
  Where Are My Data Being Stored?
  Vendor Oversight Program Basics
  Internal Trust

Section III: SUMMARY

16 My Best Advice for New CISOs
  Talking to the Board

Appendix A: The Written Information Security Plan
Appendix B: Talking to the Board
Appendix C: Establishing an Incident Response Program
Appendix D: Sample High-Level Risk Assessment Methodology
Index