As a consequence of the growth in criminal monetization of cybersecurity attacks and increased legislated compliance requirements, not to mention plain old business risk management, information and communications technology (ICT) systems security has grown to become a significant area of focus for most organizations.
To help protect against increasingly sophisticated cybersecurity attacks, a number of frameworks and standards have been developed as blueprints for sustainable security programs that can manage cybersecurity risk. Viegas and Kuyucu provide a reference guide to the major standards and frameworks for ICT security, summarizing the steps, controls, and processes needed to implement them. Simple technical security controls and process maturity matrices for assessing security posture are also explained.
Chapter 1 provides a short background on cybersecurity threats, including the types of people behind them and what can be done to counter them, and introduces several standards and frameworks that have been developed to help secure ICT systems. Chapter 2 looks at several international standards, including the International Organization for Standardization's ISO 27001 and ISO 27002 standards, the Payment Card Industry Data Security Standard (PCI DSS), and the Society for Worldwide Interbank Financial Telecommunication (SWIFT) framework. Details of these standards, particularly Annex A of ISO 27001 and the goals of PCI DSS, are discussed. Chapter 3 describes several common information security frameworks, including those of the National Institute of Standards and Technology (NIST), the Information Systems Audit and Control Association's (ISACA's) Control Objectives for Information and Related Technologies (COBIT) version 5 framework, and the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense, as well as a number of other international frameworks. Two of NIST's special publications, NIST SP 800-53 (the catalog of security and privacy controls) and NIST SP 800-37 (the Risk Management Framework), are covered in good detail.
Chapter 4 considers the technical controls available to secure, manage, and monitor ICT assets, particularly mobile devices. Mobile device management (MDM), network access control (NAC), multi-factor authentication (MFA), single sign-on (SSO), and runtime application self-protection (RASP) are discussed, along with secure connections using Internet protocol security (IPsec), secure shell (SSH), and transport layer security (TLS). Also discussed are the securing of the domain name system (DNS), time services, and directory services, and the use of virtual private networks (VPNs), firewalls, and intrusion detection and prevention systems. Chapter 5 describes the security governance and information security processes that should ideally be in place within an organization. The basic cybersecurity policies, procedures, organizational structures, and compliance checking programs that should exist are described in detail. Chapter 6 discusses the generally accepted weakest link in an organization's cybersecurity posture: its people. Viegas and Kuyucu highlight the necessity of a good cybersecurity awareness training regime with regular reinforcement.
As management expert Peter Drucker is (apocryphally) reported to have said, "If you can't measure it, you can't manage it." Chapter 7 presents metrics that can be used to monitor, assess, and manage an organization's cybersecurity environment. Frameworks for testing and compliance assurance are considered. General governance and oversight are discussed, along with sources of information (metrics, logging, and reporting from network and boundary devices such as firewalls, and from anti-malware tools) and testing regimes. The benefits of vulnerability management programs for patching and upgrades, along with centralized security information and event management (SIEM) systems for logging, managing, and responding to security incidents, are covered.
Chapter 8 contains case studies of three recent and well-known attacks. Each scenario is discussed and analyzed in detail; the authors then propose and discuss controls that, in their opinion, may have prevented or reduced the impact of these attacks. Chapter 9 provides a quite detailed list of security testing and simulation tools that may assist organizations in securing their computing and network environments. It covers tools for scanning systems and applications for cybersecurity vulnerabilities, cybersecurity attack simulation, and logging, and discusses the need for caution when using them.
The book includes a detailed table of contents and a good index, and each chapter concludes with a succinct summary. Appendices provide additional tools for mapping security controls, a list of available cybersecurity certifications, and sources of further information and resources, including a uniform resource locator (URL) for an extensive GitHub repository of relevant documents. This is an excellent reference for anyone working in the area of ICT security: it summarizes the major standards and frameworks in one publication, with useful case studies as examples of how things can go wrong and what steps can be taken to prevent attacks and minimize their impact.