88 What Every Engineer Should Know About Cyber Security
The IT staff also needs to be trained to be able to maintain the hosts, networks, and applications in accordance with the security standards of the organization (Mandia et al. 2003). One training option is live testing. An example of live testing could entail simulating a cyber security incident and evaluating the reaction and processes of the incident response team. This technique is often used in educational settings.
The following is a simplified view of the priority 1 recommendations by NIST for the awareness and training baseline:
Control Name (Impact Level: Low, Moderate, High)
Formal documentation to facilitate the implementation of the security awareness and training policy and procedure
Provide security awareness training for new employees and when changes occur in the system
Provide security training covering technical, physical, and personal safeguards and countermeasures required prior to access
The Top 10 Ways to Shut Down the No-Tech Hacker
1. Go undercover: Be a little paranoid. Some hackers are looking for the company logo on your PC while you are working at the coffee shop, or waiting for you to discuss company secrets at the lunch hangout near your office. So cover up the company logos and keep the conversation light.
2. Shred everything: Some laws require the proper disposal of private information (HIPAA). There are people that may look through your trash hunting for personal information as well. If you do not have a shredder, you can use scissors, burn the documents outside in an open area, or submerge papers in water overnight.
3. Get decent locks: Install or use the locks that the professionals recommend—the locks that cannot be tampered with easily. It is also recommended that the keys be hidden.
4. Put that badge away: If a hacker gets one look at your badge, he or she will probably have no problem duplicating it.
5. Check your surveillance gear: Install quality cameras to minimize tampering, use multiple cameras for the same view, protect the camera from physical attack with housing, and consider hidden cameras.
6. Shut down shoulder surfers: No-tech hackers also like to watch what you are working on from afar (or over your shoulder). If you are working on something sensitive, be cognizant of your angle (e.g., sit with your back against the wall). When punching in pass codes, shield with your hand. If you suspect that someone is watching, stop what you are doing, close your screen, and determine if anything sensitive was compromised.
7. Block tailgaters: This is referring to people that walk in behind you after you have been cleared for entrance. Do not let them in! Challenge people you cannot identify and/or notify security.
8. Clean your car: Stickers on your car (e.g., parking permits) and personal papers in your car give away a lot of information.
9. Watch your back online: Never enter your personal information in an instant messenger or web browser.
10. Beware of social engineers: They are eliciting sensitive information from you. See Chapter 1 for more on social engineering.
Taken from Long (2008).
89 Preparing for an Incident
References
Brading, A. 2012. Yahoo Voices hacked, nearly half a million emails and passwords stolen. nakedsecurity.sophos.com (July 12, 2012).
Bradley, T. 2011. Pros and cons of bringing your own device to work. PCWorld, 12/20/11.
Brezinski, D., and Killalea, T. 2002. Guidelines for evidence collection and archiving. Network Working Group RFC 3227, February 2002.
Brownlee, N., and Guttman, E. 1998. Expectations for computer security incident response. Network Working Group RFC 2350, June 1998.
Carlton, G., and Worthley, R. 2009. An evaluation of agreement and conflict among computer forensics experts. 42nd Hawaii International Conference on System Sciences, pp. 1–10.
Cichonski, P., Millar, T., Grance, T., and Scarfone, K. 2012. Computer security incident handling guide. NIST special publication 800-61, revision 2, August 2012.
Cluley, G. 2012. The worst passwords you could ever choose exposed by Yahoo Voices hack. Sophos nakedsecurity.sophos.com (July 13, 2012).
Cox, A. 2012. Stalking the kill chain: The attacker’s chain. RSA FirstWatch, August 16, 2012.
Cyber-Ark. 2012. 2012 Trust, security & passwords survey (http://www.websecure.com.au/blog/2012/06/cyber-ark-2012-trust-security-and-passwords-survey).
Dale, M. 2010. Secret of English muffin “nooks & crannies” is safe for now. USA Today, July 29, 2010.
DeFranco, J., and Laplante, P. 2011. Preparing for incident response using the Zachman framework. IA Newsletter 14 (3).
Grance, T., Kent, K., and Kim, B. 2004. Computer security incident handling guide. National Institute of Standards and Technology, special publication 800-61, http://www.csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf (retrieved January 19, 2010).
Grimes, R. 2010. How advanced persistent threats bypass your network security. InfoWorld, October 19, 2010.
———. 2012. 5 signs you’ve been hit with an advanced persistent threat. InfoWorld, October 16, 2012.
Hassell, J. 2012. 7 Tips for establishing a successful BYOD policy. CIO Magazine, May 17, 2012.
Leong, R. 2006. FORZA—Digital forensics investigation framework that incorporates legal issues. Digital Investigation 3S:29–36.
Lewis and Roca, LLP. 2011. Protecting “nooks and crannies” Bimbo Bakeries USA, INC. V. Chris Botticella, http://www.lrlaw.com/ipblog/blog.aspx?entry=260 (retrieved January 14, 2013).
Long, J. 2008. No tech hacking: A guide to social engineering, dumpster diving, and shoulder surfing. Burlington, MA: Syngress Press.
Mandia, K., Prosise, C., and Pepe, M. 2003. Incident response & computer forensics, 2nd ed. New York: McGraw–Hill.
Mell, P., Kent, K., and Nusbaum, J. 2005. Guide to malware incident prevention and handling. NIST special publication SP800-83, November 2005.
National Security Agency. 2009. Manageable network plan.
NTT. 2009. Communications white paper, 8 elements of complete vulnerability management. September 2009.
Ponemon Institute. 2012. Cost of cyber crime study: United States, http://www.ponemon.org/local/upload/file/2012_US_Cost_of_Cyber_Crime_Study_FINAL6%20.pdf (retrieved January 10, 2013).
SANS Institute. 2009. The importance of security awareness training, http://www.sans.org/reading_room/whitepapers/awareness/importance-security-awareness-training_33013 (retrieved January 20, 2013).
Scarfone, K. and Mell, P. 2007. Guide to intrusion detection and prevention systems. NIST special publication 800-94.
Sophos. 2013. Security threat report 2013, http://www.sophos.com/en-us/security-news-trends/reports/security-threat-report.aspx (retrieved January 9, 2013).
Souppaya, M., and Scarfone, K. 2012. Guidelines for managing and securing mobile devices in the enterprise. NIST special publication 800-124, July 2012.
Stoneburner, G., Goguen, A., and Feringa, A. 2002. Risk management guide for information technology systems. NIST special publication 800-30, http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf (retrieved on January 23, 2010).
Vance, A. 2012. Data security: Most finders of lost smartphones are snoops. Bloomberg Businessweek, March 8, 2012.
Zachman, J. 1987. A framework for information systems architecture. IBM Systems Journal 26 (3): 276–292.
Zhang, X., Li, C., and Zheng, W. 2004. Intrusion prevention system design. The 4th International Conference on Computer and Information Technology.
Zimmerman, S., and Glavach, D. 2011. Cyber forensics in the cloud. IA Newsletter 14 (1).