References

Advanced Persistent Threat by Paul Brager, Jr.

  • (Fireeye) Anatomy of Advanced Persistent Threats

    FireEye. Promotional content from FireEye cybersecurity software company that describes advanced persistent threat (APT) attacks and contains a link to a video that illustrates how APTs work.

Application Risk Governance by Graeme Fleck

  • (NIST 2017) Framework for Improving Critical Infrastructure Cybersecurity

    NIST (2017). A set of voluntary industry standards and best practices designed to help organizations manage cybersecurity risks.

  • (NIST 800) NIST 800 Publications

    National Institute of Standards and Technology (NIST), US Department of Commerce, Computer Security Resource Center. A catalog of publications from the Computer Security Division and the Applied Cybersecurity Division of NIST.

  • (OWASP 2014) OWASP - Open Web App Security Project

    OWASP (2014). OWASP is an independent open-source body that promotes best practices in software assurance. It is dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.

  • (CERT) United States Computer Emergency Response Team (US-CERT)

    Best practice articles, knowledge, and tools from the US Computer Emergency Readiness Team, US Department of Homeland Security. A repository of best practices, articles, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software during each phase of its development.

  • (ISACA 2015) DevOps Practitioner Considerations

    ISACA (2015). PDF. Centralized source of information and guidance in the growing field of auditing controls for computer systems. Registration required.

  • (Jarzombek 2012) Software Assurance: Enabling Security and Resilience throughout the Software Lifecycle

    Jarzombek, Joe (2012). PDF. Slide deck about software assurance and the need to build security in from the start.

  • (CIS) CIS Controls

    Center for Internet Security.

Audit by Terrie Diaz

Behavioral Monitoring by Holli Harrison

Biometrics by Stephen Simchak

Botnet by Tolu Onireti

Buffer Overflow Attack by Shawn Connelly

Business Continuity Plan by Dale Shulmistra

  • (Olzak 2013) The elements of business continuity planning

    Olzak, Tom (2013). TechRepublic. Guidance on business continuity planning, including advice on recovering from natural disasters and man-made disruptive events such as cyberattacks.

  • (NIST 800-34) Contingency Planning Guide for Federal Information Systems

    Also known as SP 800-34. PDF. This is the US National Institute of Standards and Technology (NIST) document designed to assist organizations in understanding the purpose, process, and format of information system contingency planning development through practical, real-world guidelines. It includes a glossary and acronym list.

CISO by Todd Fitzgerald

Confidentiality by Audrey Gendreau

Controls by Mark Sears

Dark Web by Chris Vickery

Data Leak by Dennis Leber

Encryption by John Armstrong

Endpoint Security by Michael Dombo

Firewall by Sarah Granger

  • (Great Firewall of China) The Great Firewall of China

    Comparitech. Online tool designed to determine whether a website (or other internet content) is available to those who reside in China.

General Data Protection Regulation (GDPR) by Regine Bonneau

Hardening by Linda Maepa

Identity Management by Evelyn de Souza

Incident Response Plan by M.K. Palmore

  • (Cichonski 2012) Computer Security Incident Handling Guide (NIST SP 800-61)

    Cichonski, Paul, et al. (2012). National Institute of Standards and Technology (NIST). PDF. Guidelines from the Information Technology Laboratory (ITL) at NIST for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident.

  • (Kral 2011) SANS Incident Handlers Handbook

    Kral, Patrick (2011). SANS Institute (aka Escal Institute of Advanced Technologies). PDF. Report that provides the basic foundation for IT professionals and managers to be able to create their own incident response policies, standards, and teams. Includes an incident handler’s checklist (template) designed to help ensure that each of the incident response steps is followed during an incident.

  • (US DHS 2009) Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability

    US Dept. of Homeland Security (2009). PDF. Recommendations to help companies that use industrial control systems prepare for and respond to a cybersecurity incident.

Insider Threat by Thomas Carey

  • (US DHS 2016) Insider Threat Tip Card

    US Dept. of Homeland Security (2016). PDF. Best practices for addressing organizational, behavioral, and technical security issues and mitigating insider threats.

  • (Wallbank 2017) Businesses warned of insider cyber threat

    Wallbank, Paul (2017). Financial Review. Discussion of insider threats and how financial gain, revenge, and desire for recognition drive insiders to intentionally disclose sensitive or personal information or take malicious actions against the organizations for which they work.

  • (Tynan 2011) IT admins gone wild: 5 rogues to watch out for

    Tynan, Dan (2011). InfoWorld. Advice on how to detect rogue insiders and minimize the damage they can do.

  • (Verizon 2017a) Data Breach Digest: Perspective is Reality

    Verizon (2017). PDF. Statistics, metrics, and insight into the who, what, where, when, and how of data breaches and cybersecurity incidents. The case study titled Partner Misuse -- the Indignant Mole, is on page 24.

  • (Disley 2001) Exclusive: Poo listed on ham ingredients

    Disley, Jan (2001). Real-world example of an insider intentionally altering the content of a luncheon meat product label.

  • (Papenfuss 2017) Washing Instructions On U.S.-Made Bag Apologize For ‘Idiot’ President

    Papenfuss, Mary (2017). Huffington Post. Real-world example of an insider intentionally altering the care instructions label on a handbag.

Integrity by Daniel Ziesmer

Kill Chain by Simon Puleo

Metrics by Keyaan Williams

Multi-factor Authentication by Dovell Bonnett

Non-repudiation by John Falkl

Payment Card Industry Data Security Standard (PCI DSS) by John Elliott

Penetration Testing by Clarence Cromwell

Phishing by Jeffrey Rogers

Physical Access Control by Chris Wynn

  • (Norman 2017) Electronic Access Control

    Norman, Thomas L. (2nd ed. 2017). Butterworth-Heinemann. Book. Covers virtually every aspect of electronic alarm and access control systems and includes insights into the challenges associated with installing, maintaining, and designing them, including valuable information on how to overcome those challenges.

  • (Fennelly 2016) Effective Physical Security

    Fennelly, Lawrence J. (5th ed. 2016). Butterworth-Heinemann. Book. Covers the latest international standards for risk assessment and risk management, physical security planning, network systems infrastructure, and environmental design.

Policy by Rodney Richardson

  • (Wikihow Procedures) How to Write Policies and Procedures for Your Business

    WikiHow. Discusses at a high level how to craft written policies and procedures and to provide them in a format accessible to all employees.

  • (PLAIN) Why Use Plain Language?

    US Government. The Plain Language Action and Information Network (PLAIN) is a group of federal employees from different agencies and specialties who support the use of clear communication in government writing.

Privacy by Jay Beta

Privilege by Emma Lilliestam

  • (Rouse 2008) Principle of least privilege (POLP)

    Rouse, Margaret (2008). TechTarget. Discusses the principle of least privilege and its application to restricting access rights for people, systems, software applications, and devices connected to the Internet of Things. Includes video on how to address privileged user access.

  • (Seltzer 2013) Excess privilege makes companies and data insecure

    Seltzer, Larry (2013). ZDNet. Research results that show most companies do a poor job of managing the permissions and privileges of users on their computers and networks.

  • (Prince 2015) Excessive User Privileges Challenges Enterprise Security: Survey

    Prince, Brian (2015). Security Week. Research results from the Privilege Gone Wild 2 survey that shows 47 percent of employees say they have elevated privileges not necessary for their roles.

Ransomware by Dave Kartchner

  • (WannaCry 2017) WannaCry ransomware attack

    Wikipedia. Describes the May 2017 WannaCry ransomware attack and provides details about the attack, the alleged attackers, the response, and the affected organizations.

  • (Symantec 2017) Internet Security Threat Report (2017)

    Symantec (2017). DigiCert. Infographic. Discusses website vulnerabilities and attack types, and covers the estimated costs of responding to cyber attacks.

  • (Symantec 2018) Internet Security Threat Report (2018)

    Symantec (2018). Report covering known cyberattacks during 2017. Includes useful statistics, infographics, and links to ancillary materials. Registration required.

  • (Verizon 2018) 2018 Data Breach Investigations Report

    Verizon (2018). PDF. Detailed analysis of 53,000 cybersecurity incidents in 2017, including 2,216 confirmed data breaches.

Regulation by Vanessa Harrison

Risk Register by Bob Trosper

Sandboxing by Keirsten Brager

Security Awareness by Justin Orcutt

  • (Knowbe) Knowbe4

    Library of best practices, white papers, and free tools to help those attempting to develop cybersecurity awareness training programs.

  • (Sans 2017) SANS 2017 Security Awareness Report

    SANS Institute (2017). PDF. Registration required.

  • (Amoroso) NIST Framework Overview

    Amoroso, Edward G. New York University Tandon School of Engineering. Video. An introduction to the NIST framework and to many practical aspects of modern cybersecurity including awareness, compliance, assessments, and risk management. Registration required for the full course on Coursera.

  • (Mediapro 2016) NIST Cybersecurity Framework Improves Security Awareness

    Mediapro (2016). PDF. Registration required.

Security Fatigue by Mary Frances Theofanos

Separation of Duties by Ron LaPedis

Shadow Security by Iacovos Kirlappos

  • (Kirlappos 2014) Learning from “Shadow Security”: Why understanding noncompliant behaviors provides the basis for effective security.

    Kirlappos, Iacovos, Simon Parkin, and M. Angela Sasse (2014). Workshop on Usable Security, San Diego, CA. PDF. Proceedings Paper. doi:10.14722/usec.2014.23. Analysis of in-depth interviews with employees of multinational organizations about security noncompliance. Reveals instances in which employees created alternative shadow security mechanisms that allowed them to complete their work and feel like they were working securely, despite not following official policies and procedures. Suggests that lessons learned from shadow security workarounds can be used to create more workable security solutions in the future.

  • (Kirlappos 2015) “Shadow Security” as a tool for the learning organization.

    Kirlappos, Iacovos, Simon Parkin, and M. Angela Sasse (2015). ACM SIGCAS Computers and Society, 45 (1), 29-37. PDF. doi:10.1145/2738210.2738216.

  • (Jon L 2017) People: the unsung heroes of cyber security

    Jon L. (2017), National Cyber Security Centre. Video. Discusses the need to make cybersecurity people-centered in order to defeat cybercriminals. Argues for the importance of exceptional user experiences to help make it easy for employees to comply with cybersecurity guidelines, rules, and regulations.

Situational Awareness by Danyetta Fleming Magana

Social Engineering by David Shipley

Standards by Ulf Mattsson

  • (ISO/IEC 27000) ISO/IEC 27000 family – Information security management systems.

    International Organization for Standardization (ISO) (2013). Home to the ISO/IEC 27000 family of standards, which provides a model for setting up and operating an information security management system.

  • (CISQ) Consortium for IT Software Quality (CISQ)

    CISQ (2017). IT leadership group that develops international standards that enable IT and business leaders to measure the risk IT applications pose to the business, as well as estimate the cost of ownership.

  • (SoGP) The ISF Standard of Good Practice for Information Security

    Information Security Forum (2016). Executive summary of the standard and information about topics including threat intelligence, risk assessment, security architecture, and enterprise mobility management. Registration required.

  • (ISO 15408) Common Criteria

    Home for Common Criteria for Information Technology Security Evaluation and the companion Common Methodology for Information Technology Security Evaluation standards. Common Criteria standards are used to eliminate redundant evaluation activities, clarify terminology to reduce misunderstanding, and restructure and refocus evaluation activities to those areas where security assurance is gained.

  • (FIPS) FIPS General Information

    FIPS (2017). National Institute of Standards and Technology (NIST). Home of US Federal Information Processing Standards that includes a variety of online resources, publications, and access to a keyword searchable publication database.

Static Application Security Testing by Lucas von Stockhausen

Threat Modeling by John Diamant

Vulnerability Assessment by Jeff Schaffzin

  • (ITBusinessEdge 2014) 10-Step Security and Vulnerability Assessment Plan

    ITBusinessEdge (2014). Slide deck. Suggests security and vulnerability assessments be performed against all information systems on a pre-determined, regularly scheduled basis. Recommends third parties be retained periodically to ensure appropriate levels of coverage and oversight. (source: Info-Tech Research Group).

  • (HIPAA) HIPAA Overview

    US Department of Health and Human Services (2015). Answers general questions regarding the Standards for Privacy of Individually Identifiable Health Information and the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

  • (PCI-DSS) PCI DSS (Payment Card Industry Data Security Standard) Compliance Overview

    TechTarget (2017). Overview of policies and procedures developed to protect credit, debit, and cash card transactions and prevent the misuse of cardholders’ personal information.

  • (General Data Protection Regulation) GDPR (EU General Data Protection Regulation)

    Frequently asked questions regarding GDPR.

Zero-day Vulnerability by James McQuiggan