INDEX

Page numbers in italics refer to figures or tables.

acceptable use 63, 140

access control policy 59, 141

access rights 59, 166

access termination 141

add-ins and extensions 134, 147

administration rights usage 60

administrative policies 141–8

Adobe Acrobat Reader 145, 148

Amazon 17, 21, 28, 29, 55, 127

Amazon Web Services 19

antivirus software 61, 101, 121, 130, 131, 145, 153

Apple 28, 34, 85, 126, 129–31, 134, 135, 148, 151

applications 11, 19, 32, 59–62, 84, 85, 89, 116, 129–30

  banking 128

  control 141

  email 125

  insecure 3, 5

  layer attacks 89

  mobile 128, 137, 146

  security 11, 12, 179

  social media 14

  software 64

  software updates 131, 145

  user 117

  VoIP 152

  website 76

artificial intelligence (AI) 32

assets 85, 99, 100, 101, 104, 114, 115

  information 74, 104, 139, 156

asymmetric encryption 134, 135

asymmetric warfare 23, 26

audit trails 62, 150

authentication 7, 8, 32, 47, 59, 84, 141, 152

AutoRun 147–8

availability 3, 7–8, 11, 12, 60, 84, 101, 114, 117

awareness 66, 67, 93, 115, 131, 146, 149, 150, 152, 155, 156–61

backdoors 55, 64, 90

backups 58, 61, 117, 118, 126, 144–5

bait and switch 88

banking applications 128

biometrics 8, 11, 141, 193

Bluetooth attacks 92–3

botnets 19, 89

brand and reputation impacts 72

bring your own device (BYOD) 60, 62, 146, 147

brute force attacks 84, 90, 92, 143

buffer overflow attacks 90

business continuity 110, 112, 114–16, 138, 149

  institute (BCI) 114

  management 114

  Management Professional Practices 115

  plan (BCP) 114, 116

  standards 175, 182–4

  strategy 41

  Technical Professional Practices 115

  timeline 115, 116

business email compromise (BEC) fraud 81

business targets 41

Cambridge Analytica 14, 28

capability maturity models 38

catch-all surveillance 27–9

cellular network attacks 93

Centre for the Protection of National Infrastructure (CPNI, UK) 42, 48, 49, 168, 170

change control 62, 141

change management 62, 141

chemical plant targets 42

Children’s Online Privacy Protection Act (COPPA, US) 27

civil nuclear targets 42–3

code of conduct 21, 82

cold standby systems 117

communal policies 148–9

communications targets 43

compromised systems 147

computer emergency response teams (CERTs) 169

computer security incident response teams (CSIRTs) 169

confidentiality 7, 8, 11, 60, 101, 134, 152, 166, 168

conflict of ideals 9

connectivity 3, 49, 56, 64, 92, 118

contingency planning 149

control types/implementation 109, 121, 122, 123

cookies 29–30, 31, 124, 128

copyright violation 19–20

credit cards 34

criminals 27, 32, 40, 47, 77, 80, 81, 83

  cyber 16, 18, 40, 42, 56, 89, 95

critical infrastructure (CI) 23, 25, 42–53, 78, 164

customer expectations 36

cyber

  attack types 85–95

  crime 4, 16–21, 45, 74, 77

  criminals 16, 18, 40, 42, 56, 89, 95

  espionage 15, 24, 81, 82

  harassment/cyber bullying 16, 21–2, 25

  impacts 68–73

  incursion 23

  security see cyber security

  stalkers/stalking 22

  surveillance 16, 24, 27–35

  targets 40–57

  threats 74–96

  trolls/trolling 22

  vulnerabilities 58–68

  warfare 16, 23–6, 44, 50, 78

Cyber Aware scheme 36, 187

Cyber Essentials scheme (UK) 36, 37, 39, 187

cyber security

  actions 121, 122

  advice 186–8 (Appendix B)

  awareness 156–61

  basic steps 120–37

  capabilities 38

  cybercrime 16–21

  cyber harassment/cyber bullying 16, 21–2

  cyber surveillance 16, 27–35

  cyber warfare 16, 23–6

  difficulty 37–9

  financial burden 38

  key issues 13–39

  knowledge and skills 37–8

  law 189–93 (Appendix C)

  main principles 38

  National Cyber Security Centre (NCSC) 48, 49, 56, 122, 132, 143, 186, 188

  organisational security 138–54

  relationships with other security 11–12

  SANS Institute Sliding Scale 122–3

  solutions 97–170

  standards 38–9, 174

  strategy 38, 53, 188, 191

  training 161–2, 194–6 (Appendix D)

Cyber Security Information Sharing Partnership (CiSP) 168, 169

dark patterns 20–1, 33, 66, 87–9

data

  aggregation 9, 10–11, 35, 95

  analytics 35

  big 9–10

  biometric 11

  breach 68, 193

  centre 54, 59, 67, 68, 108, 116, 119

  collection 5, 27

  controller 192–3

  database 8, 9, 29, 32, 41, 91, 130

  exif 32

  GDPR 5, 11, 30, 31, 33, 36, 37, 64, 174, 192–3

  genetic 11

  journey 6

  location 10, 85

  metadata 32, 166

  mining 9–10

  packet 43, 84

  personal 5, 7, 10, 37, 64, 90, 193

  protection 7, 27, 36, 37, 64, 72, 138–40, 160, 174

  retention 140

  sets 10

  sources 6, 9, 10

  storage 27, 148, 180

  use 27

  user 61

  value 5, 10

Data Protection Act (DPA) 11, 140, 190

deception 26

decision-making 5

defence targets 43–5

Defense Advanced Research Projects Agency (DARPA) 56

denial of service (DoS) 18–19, 48

device locking 129

Diamond Model of Intrusion Analysis 123

digital certificates 141, 152

Digital Operational Resilience Act (DORA) 64, 65

Digital Services Act (EU) 21

directive policies 138, 139, 140–1

disaster recovery 112, 114, 116–19, 120, 138, 149

distributed denial of service (DDoS) 18–19

email 31, 91–2, 125–6, 150, 152–3

email-borne attacks 91–2

emergency services targets 45

encryption 28, 93, 126, 129, 134–6, 146, 151–2

‘end of life’ storage media 62

end point devices 65

end-to-end encryption 28

energy sector targets 45–7

enforced subscriptions 88

espionage 15, 20, 23–4, 56, 75, 79, 81–2

exif data 32

exploitation 18, 86, 95

Facebook/Meta 6, 7, 15, 27, 35, 37, 69, 88, 94, 127

facial recognition 32, 34

failures 7, 8, 38, 58, 60, 63, 73, 103, 112–14

Federal Bureau of Investigation (FBI) 28

file sharing 19, 50, 127, 173

financial impacts 72, 72, 161

financial sector targets 47–8

financial theft 16–17

fire prevention 119

firewalls 64, 84, 89, 108–9, 118, 121, 122, 130–1, 143, 150–1, 153, 154

food production targets 48

forms of payment 34

fraud 4, 79, 80–1, 144, 155

freedom 15

freedom of information 139, 140

friend spam 88

F-Secure 4

General Data Protection Regulation (GDPR) 5, 11, 30, 31, 33, 36, 37, 64, 174, 192–3

good practice 36, 60, 63, 66, 123, 139, 150, 151, 168, 186–8 (Appendix B)

government targets 48–9

Great Firewall of China 26

hacking 5, 17–18, 56, 59, 61, 76, 77, 82–5, 101, 103

  tools 83–5

hacktivism 18, 76

Health Insurance Portability and Accountability Act (HIPAA, US) 36

health sector targets 49–50

heating, ventilation and air conditioning (HVAC) 54, 67, 100

Herod clause 4

home entertainment systems 35, 63

hot standby systems 117

identity theft 71

impact scales 102

implied consent 30

incident response 41, 49, 149, 168, 169

individual internet user steps 124, 133–4

individual targets 40

industrial espionage 20, 56, 81, 82

infiltration 24–5

information

  acquired 29

  assets 74, 104, 139, 156

  business 63

  classification 140, 151, 163, 165, 166

  confidential 66

  credit card 3

  critical 7, 9, 12

  false 14, 15

  organisation’s 122, 138, 139, 148, 155, 161

  personal 3, 4, 29, 33, 35, 68–70, 83, 94, 126–7, 140, 146

  PII 10, 27, 37, 93, 94

  retention 140

  risk management 99–111

  security 7–12, 38, 59, 72, 110, 139, 158

  security policy 59, 142

  security triad 7

  sharing 9, 128, 163–70

Information Commissioner’s Office (UK) 30

information sharing and analysis centres (ISACs) 169–70

injection attacks 90–1

Instagram 6, 69, 94, 127

integrity 7, 8, 11, 60, 71, 101, 134, 135, 139, 152, 164, 166

intellectual property (IP) 41, 71, 72, 146

  theft 4, 19–20, 44, 50, 82, 126

internal attackers 78–9

international standards 36, 38–9, 139, 173

Internet Protocol cameras 65

internet search 27, 28, 29, 34, 55

Internet Service Providers’ Association 29

intrusion detection systems (IDSs) 18, 61, 79, 85, 86, 153–4

investigative journalists 76–7, 82–3

Investigatory Powers Act (UK) 29, 190–1

iPhone 28, 31, 85

iRobot 28

ISO/International Electrotechnical Commission (IEC) 27001 36, 39, 167, 174–8

Java 131

knowledge 7, 9, 17, 23, 29, 37, 89

knowledge hierarchy 5, 6

legal compliance 36

likelihood or probability 101–2

likelihood scales 103

LinkedIn 6, 69, 94, 127

location 3, 4, 6, 10, 32, 33, 52, 59, 85, 108, 124, 137

lone wolves 75, 76

malicious damage 81

Management Professional Practices 115

metadata 32, 166

misdirection 88

mobile devices 60, 93, 137, 146, 147

mobile working 120, 135–7

motives 79–83

National Cyber Security Centre (NCSC) 48, 49, 56, 122, 132, 143, 186, 188

National Security Agency (NSA) 27, 83

network protocol attacks 91

network security 11, 12, 153

network segregation 60, 153

non-repudiation 7, 8, 62

operating systems 11, 61, 64, 84, 87, 117, 126, 129–30, 134, 145, 147, 151

operational failures 73

organisational impacts 58, 71–3

outsourcing 38, 148

password management 59, 66, 132, 142, 143

Payment Card Industry Data Security Standard (PCI DSS) 36

peer-to-peer (P2P) networking 19, 140–1

people-related vulnerabilities 66–7

peripherals 147

personal impacts 58, 68–71

personally identifiable information (PII) 10, 27, 37, 93, 94

physical access 6, 67, 85, 123, 153

physical and environmental vulnerabilities 67–8

physical security 111, 123–4, 153, 175

pirated software 126

Plan–Do–Check–Act cycle 110–11, 110, 114

planting the flag 17–18

policy, process and procedure vulnerabilities 59–63

poor coding practice 63, 64, 101

power 68, 118–19

privacy 3, 8–9, 24, 29, 33, 37, 81, 124, 139

private house targets 54–5

psychological cyber warfare 25–6

public networks 43, 61

qualitative and quantitative assessments 102–3

quality assurance 64

ransom/ransomware 48, 49, 56, 72, 79, 80, 87, 91, 92, 94

remote access 63, 146, 153

removable media 143–4

retention of emails 31

right to be forgotten 36

risk

  acceptance 108, 121

  analysis 104, 105–6, 114

  appetite 107, 108

  assessment 62, 103, 104, 106, 108, 114, 115

  avoidance 108, 121

  cyber-attackers, for 16, 24, 25, 47, 95–6

  environment 99

  evaluation 104, 106, 114

  identification 104, 105, 114

  management 36, 38, 99–111, 114, 121

  management process 103–11

  matrix 105, 106, 106

  modification 108, 121

  reduction 108

  residual 107, 108–9

  sharing 108, 121

  treatment 108, 109–11, 114

roach motels 88

roadblocks 88

rogue update attacks 91

Roomba 28

rule of least privilege 133

sabotage 25

Safe EU–US Privacy Shield agreement 37

SANS Institute Sliding Scale of Cyber Security 122–3

scams 4, 14, 40, 77, 80, 94, 125, 128

Schrems, Max 37

screen locking 133

script kiddies 17, 18, 75, 76, 84, 100

Secure Socket Shell (SSH) key 152

security

  application 11, 12, 179

  breach 47, 64

  cyber see cyber security

  domains 12, 38, 150

  information 7–12, 38, 59, 72, 110, 139, 158

  measures 18, 55, 100, 139

  network 11, 12, 153

  password 143, 156

  physical 111, 123–4, 153, 175

  policy 59, 133, 138–54

  practices 18, 36, 38, 149, 155

  services 4, 24, 27, 28, 31, 32, 34, 81, 123, 190

  strategy 38, 53

  technical 18, 111, 129–35

security agency surveillance 79

Security information exchanges (SIEs) 168, 169–70

security triad 7

segregation of duties 38, 144

service set identifiers (SSIDs) 59, 92, 136, 146

shared information

  anonymisation 166–7

  encryption 134–5

  protection 165–6

shared network resources 144

single points of failure (SPoFs) 64

small-to-medium enterprise (SME) 36–9, 48, 68, 120, 122, 140, 157

smartphones 4, 5, 8, 31–3, 40, 85, 93, 123, 125, 143

smoke detection 119

Snowden, Edward 27, 83

social engineering 18, 66, 67, 90, 94, 103, 125, 159

social media 14, 15, 21, 22, 41, 86, 93–4, 128, 191

social media attacks 93–4

social networks 6, 63, 69, 127–8

software updates 131, 145

spam 31, 89, 92, 125, 150

stages of a cyber-attack 86–7

standards 38–9, 173–85 (Appendix A)

standby systems 116–18

storage area networks (SANs) 145, 153

store loyalty schemes 33

Stuxnet attack 25, 41, 57

Supervisory Control and Data Acquisition (SCADA) 25, 47, 57

surveillance 24, 27–35, 79 see also cyber surveillance

symmetric encryption 134, 135

symmetric warfare 23, 26

Target (chain store) 18

target(s) 16–19, 22, 25–7, 40–57, 75, 78, 80–2, 85–7, 94

  academia and research 56

  audience 158, 160, 161

  Bluetooth 93

  building 53–5

  business 41

  cellular network 93

  chemical plant 42

  civil nuclear 42–3

  communications 43

  critical national infrastructure (CNI) 42–53

  defence 43–5

  emergency services 45

  energy sector 45–7

  financial 47–8

  food production 48

  government 48–9

  health sector 49–50

  individual 40

  manufacturing and industry 56–7

  networks 59, 86

  transport sector 51–3

  water 53

targeted surveillance 27

technical policies 149–54

Technical Professional Practices 115

technical security 18, 111, 129–35

technical vulnerabilities 63–5

terms and conditions 4, 5, 32–4, 192

terrorists 4, 24, 27, 32, 75, 77–8, 81

text messaging/messages 21

threats 74–96, 100

Traffic Light Protocol (TLP) 163, 165

training 38, 67, 117, 149, 152, 155, 156, 158–62

Transport Layer Security (TLS) key 152

transport sector targets 51–3

travel cards 6, 34, 34

trolling 22

Trump, President Donald 22, 31, 32, 34, 47, 69, 85, 125

trust 9, 70, 83, 135, 163, 164, 166, 167

Trust Master 164, 166, 167

Twitter 6, 15, 22, 69, 88, 94, 127

types of cyber-attack 87–95

unacceptable use 63

untested software 60, 61

USB sticks 128, 143

user access rights 59

User Account Control (UAC) 130

virtual private networks (VPNs) 136, 153

viruses 130, 141, 145, 153

Voice over Internet Protocol (VoIP) applications 152

Vtech 5

vulnerabilities 99–101, 104, 115, 147, 156, 163, 169

  Bluetooth 137

  cyber 58–68

  hacktivists 76

  Java 131

  people-related 66–7

  physical and environmental vulnerabilities 67–8

  policy, process and procedure 59–63

  technical vulnerabilities 63–5

  testing for 84, 85, 86

  ‘zero-day’ 145

warm standby systems 117

warning, advice and reporting points (WARPs) 168

‘watering holes’ 86, 93, 94

website defacement 17

‘Weeping Angel’ 35

WhatsApp 28

whistleblowing 83

Wi-Fi 4, 6, 55, 84, 135, 136

Wi-Fi attacks 92, 93

WikiLeaks 35, 81, 83

wireless network attacks 92–3

‘zero-day’ vulnerabilities 101, 145
